summaryrefslogtreecommitdiffstats
path: root/tests/gen-msg.map
diff options
context:
space:
mode:
Diffstat (limited to 'tests/gen-msg.map')
-rw-r--r--tests/gen-msg.map318
1 files changed, 318 insertions, 0 deletions
diff --git a/tests/gen-msg.map b/tests/gen-msg.map
new file mode 100644
index 0000000..301a576
--- /dev/null
+++ b/tests/gen-msg.map
@@ -0,0 +1,318 @@
+# $Id: gen-msg.map,v 1.8 2010/04/15 19:55:13 mwatchinski Exp $
+# GENERATORS -> msg map
+# Format: generatorid || alertid || MSG
+
+1 || 1 || snort general alert
+2 || 1 || tag: Tagged Packet
+3 || 1 || snort dynamic alert
+100 || 1 || spp_portscan: Portscan Detected
+100 || 2 || spp_portscan: Portscan Status
+100 || 3 || spp_portscan: Portscan Ended
+101 || 1 || spp_minfrag: minfrag alert
+102 || 1 || http_decode: Unicode Attack
+102 || 2 || http_decode: CGI NULL Byte Attack
+102 || 3 || http_decode: large method attempted
+102 || 4 || http_decode: missing uri
+102 || 5 || http_decode: double encoding detected
+102 || 6 || http_decode: illegal hex values detected
+102 || 7 || http_decode: overlong character detected
+103 || 1 || spp_defrag: Fragmentation Overflow Detected
+103 || 2 || spp_defrag: Stale Fragments Discarded
+104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
+104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
+105 || 1 || spp_bo: Back Orifice Traffic Detected
+105 || 2 || spp_bo: Back Orifice Client Traffic Detected
+105 || 3 || spp_bo: Back Orifice Server Traffic Detected
+105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
+106 || 1 || spp_rpc_decode: Fragmented RPC Records
+106 || 2 || spp_rpc_decode: Multiple Records in one packet
+106 || 3 || spp_rpc_decode: Large RPC Record Fragment
+106 || 4 || spp_rpc_decode: Incomplete RPC segment
+106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
+110 || 1 || spp_unidecode: CGI NULL Attack
+110 || 2 || spp_unidecode: Directory Traversal
+110 || 3 || spp_unidecode: Unknown Mapping
+110 || 4 || spp_unidecode: Invalid Mapping
+111 || 1 || spp_stream4: Stealth Activity Detected
+111 || 2 || spp_stream4: Evasive Reset Packet
+111 || 3 || spp_stream4: Retransmission
+111 || 4 || spp_stream4: Window Violation
+111 || 5 || spp_stream4: Data on SYN Packet
+111 || 6 || spp_stream4: Full XMAS Stealth Scan
+111 || 7 || spp_stream4: SAPU Stealth Scan
+111 || 8 || spp_stream4: FIN Stealth Scan
+111 || 9 || spp_stream4: NULL Stealth Scan
+111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
+111 || 11 || spp_stream4: VECNA Stealth Scan
+111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
+111 || 13 || spp_stream4: SYN FIN Stealth Scan
+111 || 14 || spp_stream4: TCP forward overlap detected
+111 || 15 || spp_stream4: TTL Evasion attempt
+111 || 16 || spp_stream4: Evasive retransmitted data attempt
+111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
+111 || 18 || spp_stream4: Multiple acked
+111 || 19 || spp_stream4: Shifting to Emergency Session Mode
+111 || 20 || spp_stream4: Shifting to Suspend Mode
+111 || 21 || spp_stream4: TCP Timestamp option has value of zero
+111 || 22 || spp_stream4: Too many overlapping TCP packets
+111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
+111 || 24 || spp_stream4: Evasive FIN Packet
+111 || 25 || spp_stream4: SYN on established
+112 || 1 || spp_arpspoof: Directed ARP Request
+112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
+112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
+112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
+113 || 1 || spp_frag2: Oversized Frag
+113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
+113 || 3 || spp_frag2: TTL evasion detected
+113 || 4 || spp_frag2: overlap detected
+113 || 5 || spp_frag2: Duplicate first fragments
+113 || 6 || spp_frag2: memcap exceeded
+113 || 7 || spp_frag2: Out of order fragments
+113 || 8 || spp_frag2: IP Options on Fragmented Packet
+113 || 9 || spp_frag2: Shifting to Emegency Session Mode
+113 || 10 || spp_frag2: Shifting to Suspend Mode
+114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
+114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
+114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
+114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
+115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
+115 || 2 || spp_asn1: Invalid ASN.1 length encoding
+115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
+115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
+115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
+116 || 1 || snort_decoder: Not IPv4 datagram!
+116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
+116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
+116 || 4 || snort_decoder: Bad IPv4 Options
+116 || 5 || snort_decoder: Truncated IPv4 Options
+116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
+116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
+116 || 46 || snort_decoder: TCP Data Offset is less than 5!
+116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
+116 || 54 || snort_decoder: Tcp Options found with bad lengths
+116 || 55 || snort_decoder: Truncated Tcp Options
+116 || 56 || snort_decoder: T/TCP Detected
+116 || 57 || snort_decoder: Obsolete TCP options
+116 || 58 || snort_decoder: Experimental TCP options
+116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14)
+116 || 95 || snort_decoder: Truncated UDP Header!
+116 || 96 || snort_decoder: Invalid UDP header, length field < 8
+116 || 97 || snort_decoder: Short UDP packet, length field > payload length
+116 || 98 || snort_decoder: Long UDP packet, length field < payload length
+116 || 105 || snort_decoder: ICMP Header Truncated!
+116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
+116 || 107 || snort_decoder: ICMP Address Header Truncated!
+116 || 108 || snort_decoder: Unknown Datagram decoding problem!
+116 || 109 || snort_decoder: Truncated ARP Packet!
+116 || 110 || snort_decoder: Truncated EAP Header!
+116 || 111 || snort_decoder: EAP Key Truncated!
+116 || 112 || snort_decoder: EAP Header Truncated!
+116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
+116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
+116 || 131 || snort_decoder: WARNING: Bad LLC header!
+116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
+116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
+116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
+116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
+116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
+116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
+116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
+116 || 150 || snort_decoder: Bad Traffic Loopback IP!
+116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
+116 || 160 || snort_decoder: WARNING: GRE header length > payload length
+116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
+116 || 162 || snort_decoder: WARNING: Invalid GRE version
+116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
+116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
+116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
+116 || 170 || snort_decoder: Bad MPLS Frame
+116 || 171 || snort_decoder: MPLS Label 0 Appears in Nonbottom Header
+116 || 172 || snort_decoder: MPLS Label 1 Appears in Bottom Header
+116 || 173 || snort_decoder: MPLS Label 2 Appears in Nonbottom Header
+116 || 174 || snort_decoder: Bad use of label 3
+116 || 175 || snort_decoder: MPLS Label 4, 5,.. or 15 Appears in Header
+116 || 176 || snort_decoder: Too Many MPLS headers
+116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
+116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
+116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
+116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
+116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
+116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
+116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
+116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
+116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
+116 || 273 || snort_decoder: WARNING: IPV6 truncated header
+116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
+116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
+116 || 291 || snort_decoder: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
+116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
+116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
+116 || 402 || snort_decoder: DOS NAPTHA Vulnerability Detected!
+116 || 403 || snort_decoder: Bad Traffic SYN to multicast address
+116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
+116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
+116 || 406 || snort_decoder: Invalid IPv6 UDP packet, checksum zero
+117 || 1 || spp_portscan2: Portscan detected!
+118 || 1 || spp_conversation: Bad IP protocol!
+119 || 1 || http_inspect: ASCII ENCODING
+119 || 2 || http_inspect: DOUBLE DECODING ATTACK
+119 || 3 || http_inspect: U ENCODING
+119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
+119 || 5 || http_inspect: BASE36 ENCODING
+119 || 6 || http_inspect: UTF-8 ENCODING
+119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
+119 || 8 || http_inspect: MULTI_SLASH ENCODING
+119 || 9 || http_inspect: IIS BACKSLASH EVASION
+119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
+119 || 11 || http_inspect: DIRECTORY TRAVERSAL
+119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
+119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
+119 || 14 || http_inspect: NON-RFC DEFINED CHAR
+119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
+119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
+119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
+119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
+119 || 19 || http_inspect: LONG HEADER
+119 || 20 || http_inspect: MAX HEADERS
+119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
+119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
+120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
+121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
+121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
+121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
+121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
+122 || 1 || portscan: TCP Portscan
+122 || 2 || portscan: TCP Decoy Portscan
+122 || 3 || portscan: TCP Portsweep
+122 || 4 || portscan: TCP Distributed Portscan
+122 || 5 || portscan: TCP Filtered Portscan
+122 || 6 || portscan: TCP Filtered Decoy Portscan
+122 || 7 || portscan: TCP Filtered Portsweep
+122 || 8 || portscan: TCP Filtered Distributed Portscan
+122 || 9 || portscan: IP Protocol Scan
+122 || 10 || portscan: IP Decoy Protocol Scan
+122 || 11 || portscan: IP Protocol Sweep
+122 || 12 || portscan: IP Distributed Protocol Scan
+122 || 13 || portscan: IP Filtered Protocol Scan
+122 || 14 || portscan: IP Filtered Decoy Protocol Scan
+122 || 15 || portscan: IP Filtered Protocol Sweep
+122 || 16 || portscan: IP Filtered Distributed Protocol Scan
+122 || 17 || portscan: UDP Portscan
+122 || 18 || portscan: UDP Decoy Portscan
+122 || 19 || portscan: UDP Portsweep
+122 || 20 || portscan: UDP Distributed Portscan
+122 || 21 || portscan: UDP Filtered Portscan
+122 || 22 || portscan: UDP Filtered Decoy Portscan
+122 || 23 || portscan: UDP Filtered Portsweep
+122 || 24 || portscan: UDP Filtered Distributed Portscan
+122 || 25 || portscan: ICMP Sweep
+122 || 26 || portscan: ICMP Filtered Sweep
+122 || 27 || portscan: Open Port
+123 || 1 || frag3: IP Options on fragmented packet
+123 || 2 || frag3: Teardrop attack
+123 || 3 || frag3: Short fragment, possible DoS attempt
+123 || 4 || frag3: Fragment packet ends after defragmented packet
+123 || 5 || frag3: Zero-byte fragment
+123 || 6 || frag3: Bad fragment size, packet size is negative
+123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
+123 || 8 || frag3: Fragmentation overlap
+123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
+123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
+123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
+123 || 12 || frag3: Number of overlapping fragments exceed configured limit
+123 || 13 || frag3: Fragments smaller than configured min_fragment_length
+124 || 1 || smtp: Attempted command buffer overflow
+124 || 2 || smtp: Attempted data header buffer overflow
+124 || 3 || smtp: Attempted response buffer overflow
+124 || 4 || smtp: Attempted specific command buffer overflow
+124 || 5 || smtp: Unknown command
+124 || 6 || smtp: Illegal command
+124 || 7 || smtp: Attempted header name buffer overflow
+124 || 8 || smtp: Attempted X-Link2State command buffer overflow
+125 || 1 || ftp_pp: Telnet command on FTP command channel
+125 || 2 || ftp_pp: Invalid FTP command
+125 || 3 || ftp_pp: FTP parameter length overflow
+125 || 4 || ftp_pp: FTP malformed parameter
+125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
+125 || 6 || ftp_pp: FTP response length overflow
+125 || 7 || ftp_pp: FTP command channel encrypted
+125 || 8 || ftp_pp: FTP bounce attack
+125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
+126 || 1 || telnet_pp: Telnet consecutive AYT overflow
+126 || 2 || telnet_pp: Telnet data encrypted
+126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
+128 || 1 || ssh: Gobbles exploit
+128 || 2 || ssh: SSH1 CRC32 exploit
+128 || 3 || ssh: Server version string overflow
+128 || 4 || ssh: Protocol mismatch
+128 || 5 || ssh: Bad message direction
+128 || 6 || ssh: Payload size incorrect for the given payload
+128 || 7 || ssh: Failed to detect SSH version string
+129 || 1 || stream5: SYN on established session
+129 || 2 || stream5: Data on SYN packet
+129 || 3 || stream5: Data sent on stream not accepting data
+129 || 4 || stream5: TCP Timestamp is outside of PAWS window
+129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
+129 || 6 || stream5: Window size (after scaling) larger than policy allows
+129 || 7 || stream5: Limit on number of overlapping TCP packets reached
+129 || 8 || stream5: Data sent on stream after TCP Reset
+129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
+129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
+129 || 11 || stream5: TCP Data with no TCP Flags set
+129 || 12 || stream5: TCP Small Segment Threshold Exceeded
+129 || 13 || stream5: TCP 4-way handshake detected
+129 || 14 || stream5: TCP Timestamp is missing
+130 || 1 || dcerpc: Maximum memory usage reached
+131 || 1 || dns: Obsolete DNS RData Type
+131 || 2 || dns: Experimental DNS RData Type
+131 || 3 || dns: Client RData TXT Overflow
+133 || 1 || dcerpc2: Memory cap exceeded
+133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
+133 || 3 || dcerpc2: SMB - Bad SMB message type
+133 || 4 || dcerpc2: SMB - Bad SMB Id (not \xffSMB)
+133 || 5 || dcerpc2: SMB - Bad word count for command
+133 || 6 || dcerpc2: SMB - Bad byte count for command
+133 || 7 || dcerpc2: SMB - Bad format type for command
+133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
+133 || 9 || dcerpc2: SMB - Zero total data count in command
+133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
+133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
+133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
+133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
+133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
+133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
+133 || 16 || dcerpc2: SMB - Byte count less than command data size
+133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
+133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
+133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
+133 || 20 || dcerpc2: SMB - Excessive command chaining
+133 || 21 || dcerpc2: SMB - Multiple chained login requests
+133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
+133 || 23 || dcerpc2: SMB - Chained login followed by logoff
+133 || 24 || dcerpc2: SMB - Chained tree connect followed by tree disconnect
+133 || 25 || dcerpc2: SMB - Chained open pipe followed by close pipe
+133 || 26 || dcerpc2: SMB - Invalid share access
+133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
+133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
+133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
+133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
+133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
+133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
+133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
+133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
+133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
+133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
+133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
+133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
+133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
+133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
+133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
+133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
+133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
+134 || 1 || ppm: rule tree disabled
+134 || 2 || ppm: rule tree enabled
+135 || 1 || internal: syn received
+135 || 2 || internal: session established
+135 || 3 || internal: session cleared
+139 || 1 || sensitive_data: sensitive data global threshold exceeded
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-16 16:00:59 +0000