# $Id: gen-msg.map,v 1.8 2010/04/15 19:55:13 mwatchinski Exp $
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 1 || snort dynamic alert
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
102 || 2 || http_decode: CGI NULL Byte Attack
102 || 3 || http_decode: large method attempted
102 || 4 || http_decode: missing uri
102 || 5 || http_decode: double encoding detected
102 || 6 || http_decode: illegal hex values detected
102 || 7 || http_decode: overlong character detected
103 || 1 || spp_defrag: Fragmentation Overflow Detected
103 || 2 || spp_defrag: Stale Fragments Discarded
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
105 || 1 || spp_bo: Back Orifice Traffic Detected
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
106 || 1 || spp_rpc_decode: Fragmented RPC Records
106 || 2 || spp_rpc_decode: Multiple Records in one packet
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
106 || 4 || spp_rpc_decode: Incomplete RPC segment
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
110 || 1 || spp_unidecode: CGI NULL Attack
110 || 2 || spp_unidecode: Directory Traversal
110 || 3 || spp_unidecode: Unknown Mapping
110 || 4 || spp_unidecode: Invalid Mapping
111 || 1 || spp_stream4: Stealth Activity Detected
111 || 2 || spp_stream4: Evasive Reset Packet
111 || 3 || spp_stream4: Retransmission
111 || 4 || spp_stream4: Window Violation
111 || 5 || spp_stream4: Data on SYN Packet
111 || 6 || spp_stream4: Full XMAS Stealth Scan
111 || 7 || spp_stream4: SAPU Stealth Scan
111 || 8 || spp_stream4: FIN Stealth Scan
111 || 9 || spp_stream4: NULL Stealth Scan
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
111 || 11 || spp_stream4: VECNA Stealth Scan
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
111 || 13 || spp_stream4: SYN FIN Stealth Scan
111 || 14 || spp_stream4: TCP forward overlap detected
111 || 15 || spp_stream4: TTL Evasion attempt
111 || 16 || spp_stream4: Evasive retransmitted data attempt
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
111 || 18 || spp_stream4: Multiple acked
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
111 || 20 || spp_stream4: Shifting to Suspend Mode
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
111 || 22 || spp_stream4: Too many overlapping TCP packets
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
111 || 24 || spp_stream4: Evasive FIN Packet
111 || 25 || spp_stream4: SYN on established
112 || 1 || spp_arpspoof: Directed ARP Request
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
113 || 1 || spp_frag2: Oversized Frag
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
113 || 3 || spp_frag2: TTL evasion detected
113 || 4 || spp_frag2: overlap detected
113 || 5 || spp_frag2: Duplicate first fragments
113 || 6 || spp_frag2: memcap exceeded
113 || 7 || spp_frag2: Out of order fragments
113 || 8 || spp_frag2: IP Options on Fragmented Packet
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
113 || 10 || spp_frag2: Shifting to Suspend Mode
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
116 || 1 || snort_decoder: Not IPv4 datagram!
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len!
116 || 4 || snort_decoder: Bad IPv4 Options
116 || 5 || snort_decoder: Truncated IPv4 Options
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len!
116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
116 || 46 || snort_decoder: TCP Data Offset is less than 5!
116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
116 || 54 || snort_decoder: Tcp Options found with bad lengths
116 || 55 || snort_decoder: Truncated Tcp Options
116 || 56 || snort_decoder: T/TCP Detected
116 || 57 || snort_decoder: Obsolete TCP options
116 || 58 || snort_decoder: Experimental TCP options
116 || 59 || snort_decoder: TCP Window Scale Option Scale Invalid (> 14)
116 || 95 || snort_decoder: Truncated UDP Header!
116 || 96 || snort_decoder: Invalid UDP header, length field < 8
116 || 97 || snort_decoder: Short UDP packet, length field > payload length
116 || 98 || snort_decoder: Long UDP packet, length field < payload length
116 || 105 || snort_decoder: ICMP Header Truncated!
116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
116 || 107 || snort_decoder: ICMP Address Header Truncated!
116 || 108 || snort_decoder: Unknown Datagram decoding problem!
116 || 109 || snort_decoder: Truncated ARP Packet!
116 || 110 || snort_decoder: Truncated EAP Header!
116 || 111 || snort_decoder: EAP Key Truncated!
116 || 112 || snort_decoder: EAP Header Truncated!
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
116 || 131 || snort_decoder: WARNING: Bad LLC header!
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
116 || 150 || snort_decoder: Bad Traffic Loopback IP!
116 || 151 || snort_decoder: Bad Traffic Same Src/Dst IP!
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
116 || 162 || snort_decoder: WARNING: Invalid GRE version
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
116 || 170 || snort_decoder: Bad MPLS Frame
116 || 171 || snort_decoder: MPLS Label 0 Appears in Nonbottom Header
116 || 172 || snort_decoder: MPLS Label 1 Appears in Bottom Header
116 || 173 || snort_decoder: MPLS Label 2 Appears in Nonbottom Header
116 || 174 || snort_decoder: Bad use of label 3
116 || 175 || snort_decoder: MPLS Label 4, 5,.. or 15 Appears in Header
116 || 176 || snort_decoder: Too Many MPLS headers
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated!
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4!
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length!
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits!
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes!
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0!
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len!
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len!
116 || 291 || snort_decoder: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected!
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected!
116 || 402 || snort_decoder: DOS NAPTHA Vulnerability Detected!
116 || 403 || snort_decoder: Bad Traffic SYN to multicast address
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
116 || 406 || snort_decoder: Invalid IPv6 UDP packet, checksum zero
117 || 1 || spp_portscan2: Portscan detected!
118 || 1 || spp_conversation: Bad IP protocol!
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
119 || 5 || http_inspect: BASE36 ENCODING
119 || 6 || http_inspect: UTF-8 ENCODING
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
119 || 8 || http_inspect: MULTI_SLASH ENCODING
119 || 9 || http_inspect: IIS BACKSLASH EVASION
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
119 || 19 || http_inspect: LONG HEADER
119 || 20 || http_inspect: MAX HEADERS
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 4 || portscan: TCP Distributed Portscan
122 || 5 || portscan: TCP Filtered Portscan
122 || 6 || portscan: TCP Filtered Decoy Portscan
122 || 7 || portscan: TCP Filtered Portsweep
122 || 8 || portscan: TCP Filtered Distributed Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 10 || portscan: IP Decoy Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 12 || portscan: IP Distributed Protocol Scan
122 || 13 || portscan: IP Filtered Protocol Scan
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
122 || 15 || portscan: IP Filtered Protocol Sweep
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
122 || 17 || portscan: UDP Portscan
122 || 18 || portscan: UDP Decoy Portscan
122 || 19 || portscan: UDP Portsweep
122 || 20 || portscan: UDP Distributed Portscan
122 || 21 || portscan: UDP Filtered Portscan
122 || 22 || portscan: UDP Filtered Decoy Portscan
122 || 23 || portscan: UDP Filtered Portsweep
122 || 24 || portscan: UDP Filtered Distributed Portscan
122 || 25 || portscan: ICMP Sweep
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port
123 || 1 || frag3: IP Options on fragmented packet
123 || 2 || frag3: Teardrop attack
123 || 3 || frag3: Short fragment, possible DoS attempt
123 || 4 || frag3: Fragment packet ends after defragmented packet
123 || 5 || frag3: Zero-byte fragment
123 || 6 || frag3: Bad fragment size, packet size is negative
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
123 || 8 || frag3: Fragmentation overlap
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
125 || 1 || ftp_pp: Telnet command on FTP command channel
125 || 2 || ftp_pp: Invalid FTP command
125 || 3 || ftp_pp: FTP parameter length overflow
125 || 4 || ftp_pp: FTP malformed parameter
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
125 || 6 || ftp_pp: FTP response length overflow
125 || 7 || ftp_pp: FTP command channel encrypted
125 || 8 || ftp_pp: FTP bounce attack
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
126 || 2 || telnet_pp: Telnet data encrypted
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
128 || 1 || ssh: Gobbles exploit
128 || 2 || ssh: SSH1 CRC32 exploit
128 || 3 || ssh: Server version string overflow
128 || 4 || ssh: Protocol mismatch
128 || 5 || ssh: Bad message direction
128 || 6 || ssh: Payload size incorrect for the given payload
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
131 || 2 || dns: Experimental DNS RData Type
131 || 3 || dns: Client RData TXT Overflow
133 || 1 || dcerpc2: Memory cap exceeded
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
133 || 3 || dcerpc2: SMB - Bad SMB message type
133 || 4 || dcerpc2: SMB - Bad SMB Id (not \xffSMB)
133 || 5 || dcerpc2: SMB - Bad word count for command
133 || 6 || dcerpc2: SMB - Bad byte count for command
133 || 7 || dcerpc2: SMB - Bad format type for command
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
133 || 9 || dcerpc2: SMB - Zero total data count in command
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
133 || 16 || dcerpc2: SMB - Byte count less than command data size
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
133 || 20 || dcerpc2: SMB - Excessive command chaining
133 || 21 || dcerpc2: SMB - Multiple chained login requests
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
133 || 23 || dcerpc2: SMB - Chained login followed by logoff
133 || 24 || dcerpc2: SMB - Chained tree connect followed by tree disconnect
133 || 25 || dcerpc2: SMB - Chained open pipe followed by close pipe
133 || 26 || dcerpc2: SMB - Invalid share access
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
134 || 1 || ppm: rule tree disabled
134 || 2 || ppm: rule tree enabled
135 || 1 || internal: syn received
135 || 2 || internal: session established
135 || 3 || internal: session cleared
139 || 1 || sensitive_data: sensitive data global threshold exceeded