snort-1.8.3-4mdk.i586.rpm

# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: attack-responses.rules,v 1.4 2001/10/29 01:52:54 roesch Exp $
# ----------------
# ATTACK RESPONSES
# ----------------
# These signatures are ones that, when they fire, usually mean a machine
# has been compromised.  They should not false-positive that often and almost
# always mean a compromise.

# Common shape of the rules below:
#   - Five of the six rules watch traffic *leaving* a web server
#     ($HTTP_SERVERS port 80 -> $EXTERNAL_NET any), i.e. the response side,
#     and look for literal text that resembles command output rather than a
#     normal HTTP body.  $HTTP_SERVERS / $EXTERNAL_NET are Snort variables
#     expected to be set in the main config (presumably snort.conf); the rules
#     are only as tight as those definitions.
#   - flags:A+ requires the ACK bit to be set (other flags may also be set),
#     so the match is limited to data-bearing packets of an established
#     connection and never the opening SYN.
#   - content: is a plain substring match; where "nocase" is present the match
#     is case-insensitive, otherwise it is exact-case.

# sid:1292 -- "Volume Serial Number" is the header line of a Windows/DOS dir
# listing; seeing it in an HTTP response suggests a command was executed on
# the server.  Note: no "nocase" here, unlike sids 494-497, so this match is
# case-sensitive (likely fine for the fixed Windows string, but inconsistent).
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES http dir listing"; content: "Volume Serial Number"; flags: A+; classtype:bad-unknown; sid:1292; rev:1;)
# sid:498 -- matches the output of the Unix id(1) command for root,
# "uid=0(root)".  Unlike the others this rule is any any -> any any: any
# protocol port, either direction, internal or external.  That is the broadest
# rule in the file; expect it to be the most likely source of noise if the
# string appears in legitimate traffic (e.g. mail, tickets, tutorials).
# Case-sensitive (no "nocase").
alert tcp any any -> any any (msg:"ATTACK RESPONSES id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:2;)
# sid:494 -- Windows command-shell success message in a web response.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command completed"; content:"Command completed"; nocase; flags:A+; classtype:bad-unknown; sid:494; rev:2;)
# sid:495 -- Windows/DOS command-shell error message in a web response; even a
# *failed* command in the response body implies command execution is possible.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES command error"; content:"Bad command or filename"; nocase; flags:A+; classtype:bad-unknown; sid:495; rev:2;)
# sid:496 -- directory listing text in a web response.
# NOTE(review): this rule uses classtype:unknown while every sibling in this
# file uses classtype:bad-unknown.  Snort derives alert priority from the
# classtype, so this rule will be prioritised differently from the rest of the
# "ATTACK RESPONSES" set; confirm whether that is intentional.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; content:"Directory Listing of"; nocase; flags:A+; classtype:unknown; sid:496; rev:2;)
# sid:497 -- Windows copy-command success message ("1 file(s) copied") in a
# web response; the literal only matches a single-file copy, a multi-file copy
# reports a different count and would not trigger this rule.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES file copied ok"; content:"1 file(s) copied"; nocase; flags:A+; classtype:bad-unknown; sid:497; rev:2;)