unified2 0.1.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- data/.document +3 -0
- data/.rspec +1 -0
- data/.yardopts +1 -0
- data/ChangeLog.rdoc +9 -0
- data/LICENSE.txt +20 -0
- data/README.rdoc +61 -0
- data/Rakefile +39 -0
- data/example/classification.config +67 -0
- data/example/example.rb +43 -0
- data/example/gen-msg.map +391 -0
- data/example/sid-msg.map +15806 -0
- data/example/unified2 +0 -0
- data/gemspec.yml +14 -0
- data/lib/unified2/classification.rb +14 -0
- data/lib/unified2/construct.rb +54 -0
- data/lib/unified2/core_ext/string.rb +8 -0
- data/lib/unified2/core_ext.rb +1 -0
- data/lib/unified2/event.rb +315 -0
- data/lib/unified2/event_ip4.rb +26 -0
- data/lib/unified2/event_ip6.rb +23 -0
- data/lib/unified2/exceptions/file_not_found.rb +4 -0
- data/lib/unified2/exceptions/file_not_readable.rb +4 -0
- data/lib/unified2/exceptions/unknown_load_type.rb +4 -0
- data/lib/unified2/exceptions.rb +2 -0
- data/lib/unified2/packet.rb +16 -0
- data/lib/unified2/payload.rb +32 -0
- data/lib/unified2/primitive/ipv4.rb +19 -0
- data/lib/unified2/primitive.rb +1 -0
- data/lib/unified2/record_header.rb +10 -0
- data/lib/unified2/sensor.rb +26 -0
- data/lib/unified2/signature.rb +24 -0
- data/lib/unified2/version.rb +4 -0
- data/lib/unified2.rb +206 -0
- data/spec/spec_helper.rb +5 -0
- data/spec/unified2_spec.rb +8 -0
- data/unified2.gemspec +15 -0
- metadata +148 -0
data/.document
ADDED
data/.rspec
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--colour --format documentation
|
data/.yardopts
ADDED
@@ -0,0 +1 @@
|
|
1
|
+
--markup rdoc --title "unified2 Documentation" --protected
|
data/ChangeLog.rdoc
ADDED
data/LICENSE.txt
ADDED
@@ -0,0 +1,20 @@
|
|
1
|
+
Copyright (c) 2011 mephux
|
2
|
+
|
3
|
+
Permission is hereby granted, free of charge, to any person obtaining
|
4
|
+
a copy of this software and associated documentation files (the
|
5
|
+
"Software"), to deal in the Software without restriction, including
|
6
|
+
without limitation the rights to use, copy, modify, merge, publish,
|
7
|
+
distribute, sublicense, and/or sell copies of the Software, and to
|
8
|
+
permit persons to whom the Software is furnished to do so, subject to
|
9
|
+
the following conditions:
|
10
|
+
|
11
|
+
The above copyright notice and this permission notice shall be
|
12
|
+
included in all copies or substantial portions of the Software.
|
13
|
+
|
14
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
15
|
+
EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
16
|
+
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
17
|
+
NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
18
|
+
LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
19
|
+
OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
20
|
+
WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
data/README.rdoc
ADDED
@@ -0,0 +1,61 @@
|
|
1
|
+
= unified2
|
2
|
+
|
3
|
+
* {Homepage}[https://github.com/mephux/unified2]
|
4
|
+
* {Documentation}[https://github.com/mephux/unified2]
|
5
|
+
|
6
|
+
== Description
|
7
|
+
|
8
|
+
A ruby interface for unified2 output. rUnified2 allows you to manipulate unified2 output for custom storage and/or analysis.
|
9
|
+
|
10
|
+
== Features
|
11
|
+
|
12
|
+
* Monitor unified2 logs and manipulate the data.
|
13
|
+
* Modular adaptor support (monogdb, mysql, postgresql, sguil etc..)
|
14
|
+
* Parse unified2 log files
|
15
|
+
* Numerous connivence methods for statistical analysis
|
16
|
+
|
17
|
+
== Examples
|
18
|
+
|
19
|
+
require 'unified2'
|
20
|
+
|
21
|
+
# load rules into memory
|
22
|
+
Unified2.configuration do
|
23
|
+
# Sensor Configurations
|
24
|
+
sensor :id => 1, :name => 'Test Sensor', :interface => 'en1'
|
25
|
+
|
26
|
+
# Load signatures, generators & classifications into memory
|
27
|
+
load :signatures, 'sid-msg.map'
|
28
|
+
load :generators, 'gen-msg.map'
|
29
|
+
load :classifications, 'classification.config'
|
30
|
+
end
|
31
|
+
|
32
|
+
# Unified2#watch
|
33
|
+
# Watch a unified2 file for changes and process the results.
|
34
|
+
Unified2.watch('/var/log/snort/merged.log', :last) do |event|
|
35
|
+
next if event.signature.name.blank?
|
36
|
+
|
37
|
+
puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
38
|
+
puts event.payload.dump(:width => 30)
|
39
|
+
puts event.classification.name
|
40
|
+
end
|
41
|
+
|
42
|
+
# Unified2#read
|
43
|
+
# Parse a unified2 file and process the results.
|
44
|
+
Unified2.read('/var/log/snort/merged.log') do |event|
|
45
|
+
puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
46
|
+
end
|
47
|
+
|
48
|
+
== Requirements
|
49
|
+
|
50
|
+
* bindata ~> 1.3.1
|
51
|
+
* hexdump: ~> 0.1.0
|
52
|
+
|
53
|
+
== Install
|
54
|
+
|
55
|
+
$ gem install unified2
|
56
|
+
|
57
|
+
== Copyright
|
58
|
+
|
59
|
+
Copyright (c) 2011 Dustin Willis Webber
|
60
|
+
|
61
|
+
See LICENSE.txt for details.
|
data/Rakefile
ADDED
@@ -0,0 +1,39 @@
|
|
1
|
+
require 'rubygems'
|
2
|
+
require 'rake'
|
3
|
+
|
4
|
+
begin
|
5
|
+
gem 'ore-tasks', '~> 0.5.0'
|
6
|
+
require 'ore/tasks'
|
7
|
+
|
8
|
+
Ore::Tasks.new
|
9
|
+
rescue LoadError => e
|
10
|
+
STDERR.puts e.message
|
11
|
+
STDERR.puts "Run `gem install ore-tasks` to install 'ore/tasks'."
|
12
|
+
end
|
13
|
+
|
14
|
+
begin
|
15
|
+
gem 'rspec', '~> 2.4'
|
16
|
+
require 'rspec/core/rake_task'
|
17
|
+
|
18
|
+
RSpec::Core::RakeTask.new
|
19
|
+
rescue LoadError => e
|
20
|
+
task :spec do
|
21
|
+
abort "Please run `gem install rspec` to install RSpec."
|
22
|
+
end
|
23
|
+
end
|
24
|
+
|
25
|
+
task :test => :spec
|
26
|
+
task :default => :spec
|
27
|
+
|
28
|
+
begin
|
29
|
+
gem 'yard', '~> 0.6.0'
|
30
|
+
require 'yard'
|
31
|
+
|
32
|
+
YARD::Rake::YardocTask.new
|
33
|
+
rescue LoadError => e
|
34
|
+
task :yard do
|
35
|
+
abort "Please run `gem install yard` to install YARD."
|
36
|
+
end
|
37
|
+
end
|
38
|
+
|
39
|
+
task :doc => :yard
|
@@ -0,0 +1,67 @@
|
|
1
|
+
# $Id: classification.config,v 1.4 2010/04/15 19:53:02 mwatchinski Exp $
|
2
|
+
# The following includes information for prioritizing rules
|
3
|
+
#
|
4
|
+
# Each classification includes a shortname, a description, and a default
|
5
|
+
# priority for that classification.
|
6
|
+
#
|
7
|
+
# This allows alerts to be classified and prioritized. You can specify
|
8
|
+
# what priority each classification has. Any rule can override the default
|
9
|
+
# priority for that rule.
|
10
|
+
#
|
11
|
+
# Here are a few example rules:
|
12
|
+
#
|
13
|
+
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
|
14
|
+
# dsize: > 128; classtype:attempted-admin; priority:10;
|
15
|
+
#
|
16
|
+
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
|
17
|
+
# content:"expn root"; nocase; classtype:attempted-recon;)
|
18
|
+
#
|
19
|
+
# The first rule will set its type to "attempted-admin" and override
|
20
|
+
# the default priority for that type to 10.
|
21
|
+
#
|
22
|
+
# The second rule set its type to "attempted-recon" and set its
|
23
|
+
# priority to the default for that type.
|
24
|
+
#
|
25
|
+
|
26
|
+
#
|
27
|
+
# config classification:shortname,short description,priority
|
28
|
+
#
|
29
|
+
|
30
|
+
config classification: not-suspicious,Not Suspicious Traffic,3
|
31
|
+
config classification: unknown,Unknown Traffic,3
|
32
|
+
config classification: bad-unknown,Potentially Bad Traffic, 2
|
33
|
+
config classification: attempted-recon,Attempted Information Leak,2
|
34
|
+
config classification: successful-recon-limited,Information Leak,2
|
35
|
+
config classification: successful-recon-largescale,Large Scale Information Leak,2
|
36
|
+
config classification: attempted-dos,Attempted Denial of Service,2
|
37
|
+
config classification: successful-dos,Denial of Service,2
|
38
|
+
config classification: attempted-user,Attempted User Privilege Gain,1
|
39
|
+
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
|
40
|
+
config classification: successful-user,Successful User Privilege Gain,1
|
41
|
+
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
|
42
|
+
config classification: successful-admin,Successful Administrator Privilege Gain,1
|
43
|
+
|
44
|
+
|
45
|
+
# NEW CLASSIFICATIONS
|
46
|
+
config classification: rpc-portmap-decode,Decode of an RPC Query,2
|
47
|
+
config classification: shellcode-detect,Executable Code was Detected,1
|
48
|
+
config classification: string-detect,A Suspicious String was Detected,3
|
49
|
+
config classification: suspicious-filename-detect,A Suspicious Filename was Detected,2
|
50
|
+
config classification: suspicious-login,An Attempted Login Using a Suspicious Username was Detected,2
|
51
|
+
config classification: system-call-detect,A System Call was Detected,2
|
52
|
+
config classification: tcp-connection,A TCP Connection was Detected,4
|
53
|
+
config classification: trojan-activity,A Network Trojan was Detected, 1
|
54
|
+
config classification: unusual-client-port-connection,A Client was Using an Unusual Port,2
|
55
|
+
config classification: network-scan,Detection of a Network Scan,3
|
56
|
+
config classification: denial-of-service,Detection of a Denial of Service Attack,2
|
57
|
+
config classification: non-standard-protocol,Detection of a Non-Standard Protocol or Event,2
|
58
|
+
config classification: protocol-command-decode,Generic Protocol Command Decode,3
|
59
|
+
config classification: web-application-activity,Access to a Potentially Vulnerable Web Application,2
|
60
|
+
config classification: web-application-attack,Web Application Attack,1
|
61
|
+
config classification: misc-activity,Misc activity,3
|
62
|
+
config classification: misc-attack,Misc Attack,2
|
63
|
+
config classification: icmp-event,Generic ICMP event,3
|
64
|
+
config classification: inappropriate-content,Inappropriate Content was Detected,1
|
65
|
+
config classification: policy-violation,Potential Corporate Privacy Violation,1
|
66
|
+
config classification: default-login-attempt,Attempt to Login By a Default Username and Password,2
|
67
|
+
config classification: sdf,Sensitive Data was Transmitted Across the Network,2
|
data/example/example.rb
ADDED
@@ -0,0 +1,43 @@
|
|
1
|
+
$:.unshift File.join(File.dirname(__FILE__), "..", "lib")
|
2
|
+
require 'unified2'
|
3
|
+
require 'pp'
|
4
|
+
|
5
|
+
# Unified2 Configuration
|
6
|
+
Unified2.configuration do
|
7
|
+
# Sensor Configurations
|
8
|
+
sensor :id => 200, :name => 'Hello Sensor', :interface => 'en1'
|
9
|
+
|
10
|
+
# Load signatures, generators & classifications into memory
|
11
|
+
load :signatures, 'sid-msg.map'
|
12
|
+
load :generators, 'gen-msg.map'
|
13
|
+
load :classifications, 'classification.config'
|
14
|
+
end
|
15
|
+
|
16
|
+
# Unified2#watch will continuously monitor
|
17
|
+
# the unified output for modifications and
|
18
|
+
# process the data accordingly.
|
19
|
+
|
20
|
+
Unified2.watch('unified2', 1) do |event|
|
21
|
+
next if event.signature.blank?
|
22
|
+
|
23
|
+
puts event.signature.name
|
24
|
+
|
25
|
+
# puts "#{event.sensor.name} #{event.timestamp} || #{event.source_port} #{event.destination_port} | #{event.protocol}"
|
26
|
+
|
27
|
+
# #{event.source_port} #{event.destination_port}
|
28
|
+
# puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
29
|
+
# {event.generator_id} || #{event.signature.id}
|
30
|
+
end
|
31
|
+
|
32
|
+
# Unified2#read will parse the supplied
|
33
|
+
# unified2 output and return records untill EOF.
|
34
|
+
|
35
|
+
# @signatures = []
|
36
|
+
# Unified2.watch('unified2', 101) do |event|
|
37
|
+
# next if event.signature.name.blank?
|
38
|
+
# next if @signatures.include?(event.signature.id)
|
39
|
+
#
|
40
|
+
# @signatures.push event.signature.id
|
41
|
+
#
|
42
|
+
# puts "#{event.id} | #{event.ip_destination} | #{event.ip_source} | #{event.signature.name}"
|
43
|
+
# end
|
data/example/gen-msg.map
ADDED
@@ -0,0 +1,391 @@
|
|
1
|
+
# $Id: gen-msg.map,v 1.10 2010/07/07 15:51:00 nhoughton Exp $
|
2
|
+
# GENERATORS -> msg map
|
3
|
+
# Format: generatorid || alertid || MSG
|
4
|
+
|
5
|
+
1 || 1 || snort general alert
|
6
|
+
2 || 1 || tag: Tagged Packet
|
7
|
+
3 || 1 || snort dynamic alert
|
8
|
+
100 || 1 || spp_portscan: Portscan Detected
|
9
|
+
100 || 2 || spp_portscan: Portscan Status
|
10
|
+
100 || 3 || spp_portscan: Portscan Ended
|
11
|
+
101 || 1 || spp_minfrag: minfrag alert
|
12
|
+
102 || 1 || http_decode: Unicode Attack
|
13
|
+
102 || 2 || http_decode: CGI NULL Byte Attack
|
14
|
+
102 || 3 || http_decode: large method attempted
|
15
|
+
102 || 4 || http_decode: missing uri
|
16
|
+
102 || 5 || http_decode: double encoding detected
|
17
|
+
102 || 6 || http_decode: illegal hex values detected
|
18
|
+
102 || 7 || http_decode: overlong character detected
|
19
|
+
103 || 1 || spp_defrag: Fragmentation Overflow Detected
|
20
|
+
103 || 2 || spp_defrag: Stale Fragments Discarded
|
21
|
+
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
|
22
|
+
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
|
23
|
+
105 || 1 || spp_bo: Back Orifice Traffic Detected
|
24
|
+
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
|
25
|
+
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
|
26
|
+
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
|
27
|
+
106 || 1 || spp_rpc_decode: Fragmented RPC Records
|
28
|
+
106 || 2 || spp_rpc_decode: Multiple Records in one packet
|
29
|
+
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
|
30
|
+
106 || 4 || spp_rpc_decode: Incomplete RPC segment
|
31
|
+
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
|
32
|
+
110 || 1 || spp_unidecode: CGI NULL Attack
|
33
|
+
110 || 2 || spp_unidecode: Directory Traversal
|
34
|
+
110 || 3 || spp_unidecode: Unknown Mapping
|
35
|
+
110 || 4 || spp_unidecode: Invalid Mapping
|
36
|
+
111 || 1 || spp_stream4: Stealth Activity Detected
|
37
|
+
111 || 2 || spp_stream4: Evasive Reset Packet
|
38
|
+
111 || 3 || spp_stream4: Retransmission
|
39
|
+
111 || 4 || spp_stream4: Window Violation
|
40
|
+
111 || 5 || spp_stream4: Data on SYN Packet
|
41
|
+
111 || 6 || spp_stream4: Full XMAS Stealth Scan
|
42
|
+
111 || 7 || spp_stream4: SAPU Stealth Scan
|
43
|
+
111 || 8 || spp_stream4: FIN Stealth Scan
|
44
|
+
111 || 9 || spp_stream4: NULL Stealth Scan
|
45
|
+
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
|
46
|
+
111 || 11 || spp_stream4: VECNA Stealth Scan
|
47
|
+
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
|
48
|
+
111 || 13 || spp_stream4: SYN FIN Stealth Scan
|
49
|
+
111 || 14 || spp_stream4: TCP forward overlap detected
|
50
|
+
111 || 15 || spp_stream4: TTL Evasion attempt
|
51
|
+
111 || 16 || spp_stream4: Evasive retransmitted data attempt
|
52
|
+
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
|
53
|
+
111 || 18 || spp_stream4: Multiple acked
|
54
|
+
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
|
55
|
+
111 || 20 || spp_stream4: Shifting to Suspend Mode
|
56
|
+
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
|
57
|
+
111 || 22 || spp_stream4: Too many overlapping TCP packets
|
58
|
+
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
|
59
|
+
111 || 24 || spp_stream4: Evasive FIN Packet
|
60
|
+
111 || 25 || spp_stream4: SYN on established
|
61
|
+
112 || 1 || spp_arpspoof: Directed ARP Request
|
62
|
+
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
|
63
|
+
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
|
64
|
+
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
|
65
|
+
113 || 1 || spp_frag2: Oversized Frag
|
66
|
+
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
|
67
|
+
113 || 3 || spp_frag2: TTL evasion detected
|
68
|
+
113 || 4 || spp_frag2: overlap detected
|
69
|
+
113 || 5 || spp_frag2: Duplicate first fragments
|
70
|
+
113 || 6 || spp_frag2: memcap exceeded
|
71
|
+
113 || 7 || spp_frag2: Out of order fragments
|
72
|
+
113 || 8 || spp_frag2: IP Options on Fragmented Packet
|
73
|
+
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
|
74
|
+
113 || 10 || spp_frag2: Shifting to Suspend Mode
|
75
|
+
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
|
76
|
+
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
|
77
|
+
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
|
78
|
+
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
|
79
|
+
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
|
80
|
+
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
|
81
|
+
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
|
82
|
+
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
|
83
|
+
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
|
84
|
+
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram!
|
85
|
+
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
|
86
|
+
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
|
87
|
+
116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
|
88
|
+
116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
|
89
|
+
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
|
90
|
+
116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes!
|
91
|
+
116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5!
|
92
|
+
116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload!
|
93
|
+
116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
|
94
|
+
116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
|
95
|
+
116 || 56 || snort_decoder: WARNING: T/TCP Detected
|
96
|
+
116 || 57 || snort_decoder: WARNING: Obsolete TCP options
|
97
|
+
116 || 58 || snort_decoder: WARNING: Experimental TCP options
|
98
|
+
116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
|
99
|
+
116 || 95 || snort_decoder: WARNING: Truncated UDP Header!
|
100
|
+
116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
|
101
|
+
116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
|
102
|
+
116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
|
103
|
+
116 || 105 || snort_decoder: WARNING: ICMP Header Truncated!
|
104
|
+
116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated!
|
105
|
+
116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated!
|
106
|
+
116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem!
|
107
|
+
116 || 109 || snort_decoder: WARNING: Truncated ARP Packet!
|
108
|
+
116 || 110 || snort_decoder: WARNING: Truncated EAP Header!
|
109
|
+
116 || 111 || snort_decoder: WARNING: EAP Key Truncated!
|
110
|
+
116 || 112 || snort_decoder: WARNING: EAP Header Truncated!
|
111
|
+
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
|
112
|
+
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
|
113
|
+
116 || 131 || snort_decoder: WARNING: Bad LLC header!
|
114
|
+
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
|
115
|
+
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
|
116
|
+
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
|
117
|
+
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
|
118
|
+
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
|
119
|
+
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
|
120
|
+
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
|
121
|
+
116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP!
|
122
|
+
116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP!
|
123
|
+
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
|
124
|
+
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
|
125
|
+
116 || 162 || snort_decoder: WARNING: Invalid GRE version
|
126
|
+
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
|
127
|
+
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
|
128
|
+
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
|
129
|
+
116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
|
130
|
+
116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
|
131
|
+
116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
|
132
|
+
116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
|
133
|
+
116 || 174 || snort_decoder: WARNING: Bad use of label 3
|
134
|
+
116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
|
135
|
+
116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
|
136
|
+
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
|
137
|
+
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
|
138
|
+
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
|
139
|
+
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
|
140
|
+
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
|
141
|
+
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
|
142
|
+
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
|
143
|
+
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
|
144
|
+
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
|
145
|
+
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
|
146
|
+
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
|
147
|
+
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
|
148
|
+
116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
|
149
|
+
116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
|
150
|
+
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
|
151
|
+
116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
|
152
|
+
116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
|
153
|
+
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
|
154
|
+
116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
|
155
|
+
116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
|
156
|
+
116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
|
157
|
+
116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with invalid code field
|
158
|
+
116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
|
159
|
+
116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
|
160
|
+
116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
|
161
|
+
116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
|
162
|
+
116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
|
163
|
+
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
|
164
|
+
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
|
165
|
+
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
|
166
|
+
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
|
167
|
+
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
|
168
|
+
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected!
|
169
|
+
116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
|
170
|
+
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
|
171
|
+
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
|
172
|
+
116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
|
173
|
+
116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
|
174
|
+
116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
|
175
|
+
116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
|
176
|
+
116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
|
177
|
+
116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
|
178
|
+
116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
|
179
|
+
116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
|
180
|
+
116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
|
181
|
+
116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
|
182
|
+
116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
|
183
|
+
116 || 417 || snort_decoder: WARNING: ICMP4 source quence
|
184
|
+
116 || 418 || snort_decoder: WARNING: ICMP4 type other
|
185
|
+
116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
|
186
|
+
116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
|
187
|
+
116 || 421 || snort_decoder: WARNING: TCP SYN with RST
|
188
|
+
116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
|
189
|
+
116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
|
190
|
+
116 || 424 || snort_decoder: WARNING: truncated eth header
|
191
|
+
116 || 425 || snort_decoder: WARNING: truncated IP4 header
|
192
|
+
116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
|
193
|
+
116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
|
194
|
+
116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
|
195
|
+
116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
|
196
|
+
116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
|
197
|
+
116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
|
198
|
+
116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
|
199
|
+
116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
|
200
|
+
116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
|
201
|
+
116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
|
202
|
+
116 || 436 || snort_decoder: WARNING: ICMP redirect host
|
203
|
+
116 || 437 || snort_decoder: WARNING: ICMP redirect net
|
204
|
+
116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
|
205
|
+
116 || 439 || snort_decoder: WARNING: ICMP Source Quench
|
206
|
+
116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
|
207
|
+
116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
|
208
|
+
116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
|
209
|
+
116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
|
210
|
+
116 || 444 || snort_decoder: WARNING: MISC IP option set
|
211
|
+
116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
|
212
|
+
116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
|
213
|
+
116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
|
214
|
+
116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
|
215
|
+
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
|
216
|
+
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
|
217
|
+
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
|
218
|
+
117 || 1 || spp_portscan2: Portscan detected!
|
219
|
+
118 || 1 || spp_conversation: Bad IP protocol!
|
220
|
+
119 || 1 || http_inspect: ASCII ENCODING
|
221
|
+
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
|
222
|
+
119 || 3 || http_inspect: U ENCODING
|
223
|
+
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
|
224
|
+
119 || 5 || http_inspect: BASE36 ENCODING
|
225
|
+
119 || 6 || http_inspect: UTF-8 ENCODING
|
226
|
+
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
|
227
|
+
119 || 8 || http_inspect: MULTI_SLASH ENCODING
|
228
|
+
119 || 9 || http_inspect: IIS BACKSLASH EVASION
|
229
|
+
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
|
230
|
+
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
|
231
|
+
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
|
232
|
+
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
|
233
|
+
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
|
234
|
+
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
|
235
|
+
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
|
236
|
+
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
|
237
|
+
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
|
238
|
+
119 || 19 || http_inspect: LONG HEADER
|
239
|
+
119 || 20 || http_inspect: MAX HEADERS
|
240
|
+
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
|
241
|
+
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
|
242
|
+
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
|
243
|
+
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
|
244
|
+
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
|
245
|
+
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
|
246
|
+
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
|
247
|
+
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
|
248
|
+
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
|
249
|
+
122 || 1 || portscan: TCP Portscan
|
250
|
+
122 || 2 || portscan: TCP Decoy Portscan
|
251
|
+
122 || 3 || portscan: TCP Portsweep
|
252
|
+
122 || 4 || portscan: TCP Distributed Portscan
|
253
|
+
122 || 5 || portscan: TCP Filtered Portscan
|
254
|
+
122 || 6 || portscan: TCP Filtered Decoy Portscan
|
255
|
+
122 || 7 || portscan: TCP Filtered Portsweep
|
256
|
+
122 || 8 || portscan: TCP Filtered Distributed Portscan
|
257
|
+
122 || 9 || portscan: IP Protocol Scan
|
258
|
+
122 || 10 || portscan: IP Decoy Protocol Scan
|
259
|
+
122 || 11 || portscan: IP Protocol Sweep
|
260
|
+
122 || 12 || portscan: IP Distributed Protocol Scan
|
261
|
+
122 || 13 || portscan: IP Filtered Protocol Scan
|
262
|
+
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
|
263
|
+
122 || 15 || portscan: IP Filtered Protocol Sweep
|
264
|
+
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
|
265
|
+
122 || 17 || portscan: UDP Portscan
|
266
|
+
122 || 18 || portscan: UDP Decoy Portscan
|
267
|
+
122 || 19 || portscan: UDP Portsweep
|
268
|
+
122 || 20 || portscan: UDP Distributed Portscan
|
269
|
+
122 || 21 || portscan: UDP Filtered Portscan
|
270
|
+
122 || 22 || portscan: UDP Filtered Decoy Portscan
|
271
|
+
122 || 23 || portscan: UDP Filtered Portsweep
|
272
|
+
122 || 24 || portscan: UDP Filtered Distributed Portscan
|
273
|
+
122 || 25 || portscan: ICMP Sweep
|
274
|
+
122 || 26 || portscan: ICMP Filtered Sweep
|
275
|
+
122 || 27 || portscan: Open Port
|
276
|
+
123 || 1 || frag3: IP Options on fragmented packet
|
277
|
+
123 || 2 || frag3: Teardrop attack
|
278
|
+
123 || 3 || frag3: Short fragment, possible DoS attempt
|
279
|
+
123 || 4 || frag3: Fragment packet ends after defragmented packet
|
280
|
+
123 || 5 || frag3: Zero-byte fragment
|
281
|
+
123 || 6 || frag3: Bad fragment size, packet size is negative
|
282
|
+
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
|
283
|
+
123 || 8 || frag3: Fragmentation overlap
|
284
|
+
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
|
285
|
+
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
|
286
|
+
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
|
287
|
+
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
|
288
|
+
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
|
289
|
+
124 || 1 || smtp: Attempted command buffer overflow
|
290
|
+
124 || 2 || smtp: Attempted data header buffer overflow
|
291
|
+
124 || 3 || smtp: Attempted response buffer overflow
|
292
|
+
124 || 4 || smtp: Attempted specific command buffer overflow
|
293
|
+
124 || 5 || smtp: Unknown command
|
294
|
+
124 || 6 || smtp: Illegal command
|
295
|
+
124 || 7 || smtp: Attempted header name buffer overflow
|
296
|
+
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
|
297
|
+
125 || 1 || ftp_pp: Telnet command on FTP command channel
|
298
|
+
125 || 2 || ftp_pp: Invalid FTP command
|
299
|
+
125 || 3 || ftp_pp: FTP parameter length overflow
|
300
|
+
125 || 4 || ftp_pp: FTP malformed parameter
|
301
|
+
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
|
302
|
+
125 || 6 || ftp_pp: FTP response length overflow
|
303
|
+
125 || 7 || ftp_pp: FTP command channel encrypted
|
304
|
+
125 || 8 || ftp_pp: FTP bounce attack
|
305
|
+
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
|
306
|
+
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
|
307
|
+
126 || 2 || telnet_pp: Telnet data encrypted
|
308
|
+
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
|
309
|
+
128 || 1 || ssh: Gobbles exploit
|
310
|
+
128 || 2 || ssh: SSH1 CRC32 exploit
|
311
|
+
128 || 3 || ssh: Server version string overflow
|
312
|
+
128 || 4 || ssh: Protocol mismatch
|
313
|
+
128 || 5 || ssh: Bad message direction
|
314
|
+
128 || 6 || ssh: Payload size incorrect for the given payload
|
315
|
+
128 || 7 || ssh: Failed to detect SSH version string
|
316
|
+
129 || 1 || stream5: SYN on established session
|
317
|
+
129 || 2 || stream5: Data on SYN packet
|
318
|
+
129 || 3 || stream5: Data sent on stream not accepting data
|
319
|
+
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
|
320
|
+
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
|
321
|
+
129 || 6 || stream5: Window size (after scaling) larger than policy allows
|
322
|
+
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
|
323
|
+
129 || 8 || stream5: Data sent on stream after TCP Reset
|
324
|
+
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
|
325
|
+
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
|
326
|
+
129 || 11 || stream5: TCP Data with no TCP Flags set
|
327
|
+
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
|
328
|
+
129 || 13 || stream5: TCP 4-way handshake detected
|
329
|
+
129 || 14 || stream5: TCP Timestamp is missing
|
330
|
+
130 || 1 || dcerpc: Maximum memory usage reached
|
331
|
+
131 || 1 || dns: Obsolete DNS RData Type
|
332
|
+
131 || 2 || dns: Experimental DNS RData Type
|
333
|
+
131 || 3 || dns: Client RData TXT Overflow
|
334
|
+
133 || 1 || dcerpc2: Memory cap exceeded
|
335
|
+
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
|
336
|
+
133 || 3 || dcerpc2: SMB - Bad SMB message type
|
337
|
+
133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
|
338
|
+
133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
|
339
|
+
133 || 6 || dcerpc2: SMB - Bad byte count for command
|
340
|
+
133 || 7 || dcerpc2: SMB - Bad format type for command
|
341
|
+
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
|
342
|
+
133 || 9 || dcerpc2: SMB - Zero total data count in command
|
343
|
+
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
|
344
|
+
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
|
345
|
+
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
|
346
|
+
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
|
347
|
+
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
|
348
|
+
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
|
349
|
+
133 || 16 || dcerpc2: SMB - Byte count less than command data size
|
350
|
+
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
|
351
|
+
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
|
352
|
+
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
|
353
|
+
133 || 20 || dcerpc2: SMB - Excessive command chaining
|
354
|
+
133 || 21 || dcerpc2: SMB - Multiple chained login requests
|
355
|
+
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
|
356
|
+
133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
|
357
|
+
133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
|
358
|
+
133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
|
359
|
+
133 || 26 || dcerpc2: SMB - Invalid share access
|
360
|
+
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
|
361
|
+
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
|
362
|
+
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
|
363
|
+
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
|
364
|
+
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
|
365
|
+
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
|
366
|
+
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
|
367
|
+
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
|
368
|
+
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
|
369
|
+
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
|
370
|
+
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
|
371
|
+
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
|
372
|
+
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
|
373
|
+
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
|
374
|
+
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
|
375
|
+
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
|
376
|
+
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
|
377
|
+
133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
|
378
|
+
133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
|
379
|
+
133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
|
380
|
+
133 || 47 || dcerpc2: SMB - Excessive command compounding
|
381
|
+
134 || 1 || ppm: rule tree disabled
|
382
|
+
134 || 2 || ppm: rule tree enabled
|
383
|
+
135 || 1 || internal: syn received
|
384
|
+
135 || 2 || internal: session established
|
385
|
+
135 || 3 || internal: session cleared
|
386
|
+
138 || 2 || sensitive_data: sensitive data - Credit card numbers
|
387
|
+
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
|
388
|
+
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
|
389
|
+
138 || 5 || sensitive_data: sensitive data - eMail addresses
|
390
|
+
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
|
391
|
+
139 || 1 || sensitive_data: sensitive data global threshold exceeded
|