metasploit-framework/plugins/ips_filter.rb


module Msf
  ###
  #
  # Plugin that registers a socket event handler with
  # Rex::Socket::Comm::Local. Sockets created for an exploit are extended
  # with IPSFilter::SocketTracer, whose write hook refuses to send data
  # that matches a known IPS signature.
  #
  ###
  class Plugin::IPSFilter < Msf::Plugin
    ###
    #
    # Socket event handler that attaches the signature-checking hooks to
    # newly created sockets.
    #
    ###
    class IPSSocketEventHandler
      include Rex::Socket::Comm::Events

      # Nothing needs to happen before a socket is created.
      def on_before_socket_create(comm, param)
      end

      # Extends +sock+ with IPSFilter::SocketTracer when the creation
      # context has 'MsfExploit' set and 'MsfPayload' unset (sockets created
      # by the exploit itself). Any other socket is left untouched, so its
      # traffic is never scanned.
      def on_socket_created(comm, sock, param)
        ctx = param.context
        return unless ctx['MsfExploit'] && !ctx['MsfPayload']

        sock.extend(IPSFilter::SocketTracer)
        sock.context = ctx
        sock._init_hook_
      end
    end

    # Creates the event handler and registers it, so that sockets created
    # from this point on are offered to on_socket_created.
    def initialize(framework, opts)
      super
      @ips_eh = IPSSocketEventHandler.new
      Rex::Socket::Comm::Local.register_event_handler(@ips_eh)
    end

    # Deregisters the event handler that initialize registered.
    # NOTE(review): sockets that were already extended keep their hooks;
    # nothing here removes them.
    def cleanup
      Rex::Socket::Comm::Local.deregister_event_handler(@ips_eh)
    end

    # Short identifier of the plugin.
    def name
      "ips_filter"
    end

    # One-line description of the plugin.
    def desc
      "Scans all outgoing data to see if it matches a known IPS signature"
    end
  end
end
# This module extends the captured socket instance
module IPSFilter
module SocketTracer
attr_accessor :context
# Hook the write method
# Runs +buf+ through ips_match before it reaches the underlying write.
#
# When no signature matches, the data is passed to super and its return
# value is returned. When a signature matches, a notice is printed to
# $stderr, nothing is sent, and nil is returned (no exception is raised).
#
# +opts+ is accepted for interface compatibility but is not forwarded to
# super. NOTE(review): how callers treat the nil return of a blocked
# write is not visible here -- confirm they do not read it as success.
def write(buf, opts = {})
  return super(buf) unless ips_match(buf)

  $stderr.puts "*** Outbound write blocked due to possible signature match"
  nil
end
# Hook the read method
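# Reads from the underlying socket and checks the result with ips_match.
#
# Inbound data is never blocked or altered: a match only prints a notice
# to $stderr, and whatever super returned is handed back unchanged.
#
# length - forwarded to super as-is.
# opts   - forwarded to super as-is.
def read(length = nil, opts = {})
  data = super(length, opts)

  # A nil result has nothing to scan. Passing it to the matcher would make
  # the match attempt raise for every signature and flood $stderr with
  # misleading error lines.
  if data && ips_match(data)
    $stderr.puts "*** Incoming read may match a known signature"
  end

  data
end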
# Called by the event handler on setup
# Setup hook that the socket event handler calls right after the socket
# has been extended with this module. It is a placeholder for loading a
# signature set; at present it does nothing and returns nil.
def _init_hook_
  nil
end
# Pass-through to the underlying close. No filtering or bookkeeping is
# done here; the arguments are forwarded to super unchanged.
def close(*args)
  super
end
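# Checks +data+ against every entry of SIGS and reports the first match.
#
# data - the buffer to scan; nil is treated as "nothing to scan".
#
# Returns true as soon as one signature pattern matches, false otherwise.
# Each match, and each pattern that raises, is reported on $stderr.
#
# Limitations a reader should know before trusting the verdict:
# * Only the pattern (second element) of each SIGS entry is used. The
#   first element (the signature type, e.g. 'http-url-parsed') and the
#   socket's ports are not consulted, so every pattern is applied to the
#   raw buffer regardless of protocol. Short patterns in the table
#   therefore match very broadly.
# * The patterns are double-quoted Ruby strings, so Ruby processes their
#   backslash escapes before Regexp.new sees the text (a sequence such as
#   \[ or \. reaches the regexp engine without its backslash). A pattern
#   can therefore mean something different from what its source text
#   suggests, or fail to compile.
# * NOTE(review): every pattern is recompiled on every call; compiling the
#   table once would avoid that cost.
def ips_match(data)
  # Nothing to scan. Without this guard each signature would raise
  # NoMethodError and be reported as a compile error.
  return false if data.nil?

  SIGS.each do |sig|
    pattern = sig[1]
    begin
      if data.match(Regexp.new(pattern))
        $stderr.puts "*** Matched signature #{pattern}"
        return true
      end
    rescue ::StandardError
      # Covers patterns that fail to compile and encoding mismatches during
      # the match. StandardError rather than Exception, so that interrupts
      # and exit requests are not swallowed by the scan loop.
      $stderr.puts "*** Compiled error: #{pattern}"
    end
  end

  false
end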
SIGS =
[
['stream', ".*[1-9][0-9]*, 6667 : USERID : UNIX : die.*"],
['stream', ".*\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a.*"],
['smb-open-filename', ".*(\000)?\.(\000)?\[e(\000)?x(\000)?e(\000)?\]"],
['http-url-parsed-param', ".*\/getlatestversion\?ver=.*"],
['dns-type-name', ".*[\s%\|;\?\&\'\"].*"],
['packet', "[\0200-\0377].*"],
['packet', ".*\x00\x0c.."],
['snmp-community', "internal"],
['stream', ".*\[login incorrect\].*"],
['stream', ".*\[permission denied\].*"],
['http-header-accept-encoding', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-url-parsed-param', ".*\/\[gwweb\.exe\?\].*"],
['http-url-parsed-param', ".*\/\[PortInformation\]\?[0-9][^0-9]?.*"],
['http-url-parsed-param', ".*\/\[StreamingStatistics\]\?[0-9].*"],
['http-url-parsed', "\[\/cgi-bin\/logout\.exe\]"],
['http-header-user-agent', ".*\[QuickTime\].*"],
['http-url-parsed', "\/examples\/jsp\/snp\/[^.]+\.snp"],
['http-request', "SSH.*"],
['http-request', "\xff(\xfb|\xfd).*"],
['http-request', "\[CONNECT\].*"],
['http-request', "\[CONNECT scs.yahoo.com\].*"],
['http-request', "\[CONNECT login.oscar.aol.com\].*"],
['http-header', ".*\[p2p-agent:.*Kazaa\].*"],
['http-header-user-agent', ".*\[topsearch\].*"],
['http-header-user-agent', ".*\[MSMSGS\].*"],
['http-url-parsed-param', ".*\/\[imagemap\.exe\]\?.*"],
['stream', "\[CONNECT\].*"],
['stream', "\[CONNECT\].*"],
['stream', "\[CONNECT\].*"],
['stream', "\[CONNECT\].*"],
['stream', "\[CONNECT\].*"],
['http-header-user-agent', "ICQ"],
['http-text-html', ".*<(a|A)[^>]*\s\[href\]=>.*"],
['http-text-plain', "\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a"],
['http-text-html', ".*<\[bgsound\]( |\x09|\x0A)+\[src\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?\\\\[^>]+>.*"],
['http-text-html', ".*<\[OBJECT\][^>]+\[classid\]=( |\x09|\x0A)?(\"|')?clsid:D27CDB6E-AE6D-11cf-96B8-444553540000.*>.*<\[PARAM\] \[NAME\]=\"?\[movie\].*\[VALUE\]=.*\.\[swf\]\?AAA\.XXXXXXXX[^>]+>.*"],
['line', ".*\[1 file\].*"],
['line', ".*\[bad command or filename\].*"],
['line', ".*\[command completed\].*"],
['line', ".*\[connection closed by foreign host\].*"],
['line', ".*uid=0.*"],
['line', ".*\[volume serial number\].*"],
['http-status', ".*\[HTTP\]\/[0-9]+[^\012]+404 .*"],
['http-data', ".*\x30\x08\x23\x00\x3C\xA6\x0F\xA5\x18\x04\x2D\xB1\x38\x53\xF4\xA6\x10\x5B\x7E\x8A\x7D\xA2\x80\xB0\x8C\x38\x53\xF3\x14\x04\x0A\xC3\x91\x14\x05\xED\x3D\xBE\xA2\x80\x81\x4F\x6F\x94\xD0\x04\x14\xD0.*"],
['http-data', ".*\x04\x42\x81\x91\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\x05\xF9\x6F\x38\x9F\xDD\xE4\x5F\x59\xD7\xDF\x49\xE7\x9D\xF7\x82\x46\xE6\x73\x7C\x40\xFC\xE4\x7C\x52\x58\xE6\x37\x3A\x5F\x79\xBB\x01\x0E\x74\x6F\x59\xC2\x43\x6A\xA2\x71\x36\x87\xA3.*"],
['http-url-parsed-param', ".*\/s?bin\/halt.*"],
['http-url-parsed-param', ".*\[(\/usr)?\/s?bin\/(awk|bash|cat|chattr|chgrp|chmod|chown|cp|csh|dd|df|dir|dmesg|du|ed|gawk|groups|gunzip|install|kill|killall|last|link|ln|ls|lsattr)\].*"],
['http-url-parsed-param', ".*\[\/(usr)?\/s?bin\/(mail|mesg|mkdir|mkfifo|mknod|mktemp|more|mount|mv|netstat|nisdomainname|pidof|ps|rm|rmdir|sash|sed|sh|shred|sleep|stat|stty|tcsh|tempfile|touch|umount|unlink|utmpdump|uuidgen|vdir|wall|ypdomainname|halt|shutdown|restart|reboot|runlevel|swapoff|ctrlaltdel|mkswap|poweroff)\].*"],
['http-url-parsed-param', ".*\/\[dfire\.cgi\?.*IPONE\]=\|"],
['http-header-user-agent', ".*\[MoodLogic\].*"],
['http-url', ".*HandleSearch\.html\?searchTarget=.*&B1=Submit.*"],
['http-request', "\[CONNECT\] [0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?:[0-9]+ \/ \[HTTP\]\/1.0.*"],
['http-header', ".*\[Authorization\]:[ ]+\[Negotiate\]\x00.*"],
['http-url-parsed', ".*\/test\/realPath\.jsp.*"],
['http-url-parsed', ".*\/test\/jsp\/buffer(1|2|3|4)\.jsp.*"],
['http-url-parsed', ".*\/test\/jsp\/(comments|extends(1|2))\.jsp.*"],
['http-url-parsed', ".*\/test\/jsp\/page(AutoFlush|Double|Extends|Import2|Info|Invalid|IsErrorPage|IsThreadSafe|Language|Session)\.jsp.*"],
['http-url-parsed', ".*\/test\/jsp\/declaration\/IntegerOverflow\.jsp.*"],
['http-url-parsed-param', ".*\/examples\/jsp\/source.jsp\?(\?|\/+.*\/+).*"],
['ftp-banner', ".*WS_FTP Server ([0-3]|(4\.0\.[0-2])).*"],
['ftp-banner', ".*Serv-U FTP Server v([0-4]|(5\.0(\.[0-5])?[^0-9])).*"],
['ftp-banner', ".*Serv-U FTP-Server v([0-1]|(2\.[0-5])).*"],
['ftp-banner', ".*Serv-U FTP Server v([0-3]|(4\.[0-1])).*"],
['ftp-banner', ".*Serv-U FTP Server v([0-3]|(4\.[0-2])).*"],
['ftp-banner', ".*WS_FTP Server ([0-4]|(5\.\0\.[0-3])).*"],
['ftp-password', "\[(manager|public|private|default|security|1234qwer|123qwe|user|super|123456|000000|Internet|abcd|abc123|abc|1234567|123abc|88888888|password|asdfgh|computer|5201314|00000000|!@#$%^&*\(\)|654321|888888|123asd|11111|!@#$%^&\*|passwd|!@#$%^&\*\(|111111|asdf|sql|database|111|!@#$%|pass|!@#$|54321|server|!@#$%^|sybase|oracle|12345678|1|secret|test|11111111|admin|anyone|!@#$%^&)\]"],
['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['ftp-command', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['ftp-username', "anonymous|ftp"],
['stream', ".*\[login incorrect\].*"],
['stream', ".*\[not on system console\].*"],
['stream', ".*\[guest account not allowed\].*"],
['stream', ".*\[login failure\].*"],
['stream', ".*\[server allows NTLM authentication \].*"],
['stream', ".*\[login failed\].*"],
['stream', ".*\[permission denied\].*"],
['stream', ".*cat( |\x09)+\/etc\/passwd.*"],
['stream', ".*halt( |\x09)*(\x0a|\x0d).*"],
['packet', "\X AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA \X"],
['stream', ".*\xaa..\x14\x48.....\x00\[L\x00o\x00g\x00i\x00n\x00 \x00f\x00a\x00i\x00l\x00e\x00d\].*"],
['smtp-command-line', "(\[HELO\]|\[EHLO\]) \[localhost\]"],
['smtp-data-text-plain', "\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a"],
['packet', "\x45\x00\x32\x00.*"],
['packet', ".*\X00 00 01 87 03 00 00 00\X.*"],
['smb-connect-path', "\\\00?\\\00?.*\\\00?I\00?P\00?C\00?$\00?.*"],
['pop3-user', "x#99999999"],
['pop3-user', "root"],
['http-url-parsed', "\/v[0-9][0-9][0-9]\/mainbar\/index.html.*"],
['dns-type-name', "\x00\x01c3312\.z1301\.winmx\.com.*"],
['dns-type-name', "\x00\x01\[test\].*\[\.winmx\.com\]"],
['packet', "1"],
['packet', "8.*"],
['dns-type-name', "\x00\x01\[c\][0-9]+\[\.z\][0-9]+\[\.winmx\.com\]"],
['http-header-user-agent', ".*\[DC\]\+\+.*"],
['stream', ".*$Key [^\0174]*\0174$ValidateNick .*"],
['http-url-parsed-param', "\[\/ver\/ver.php\?ver\]=[0-9]\.[0-9][0-9]\.[0-9]&\[app\]=[0-9][0-9].*"],
['packet', "\xe3....\x16.*"],
['packet', "\xe3....\x01.*"],
['packet', "\xe3....\x19.*"],
['packet', "\xe3....\x14.*"],
['packet', "\xe3....\x15.*"],
['packet', "\xe3\x96.*"],
['packet', "\xe3\x97.*"],
['http-header-user-agent', ".*\[Shareaza\].*"],
['stream', ".*UserAgent: KazaaClient [^\010]*\r\nX-Kazaa-Username:.*"],
['stream', ".*Server: KazaaClient.*X-Kazaa-Username:.*"],
['packet', "\x27\x00\x00\x00\xa9\x80KaZaA\x00"],
['stream', "GET \/.hash=([a-f]|[0-9])+.*KaZaA.*"],
['stream', ".*\[BitTorrent protocol\].*"],
['http-url-parsed-param', ".*\[announce\][^?]*\?[^ ]*\[info_hash\].*"],
['http-url-parsed-param', ".*\[scrape\][^?]*\?[^ ]*\[info_hash\].*"],
['packet', "\xe3\x0a.*"],
['packet', "\xe3\x0b.*"],
['packet', "\xe3\x0e.*"],
['packet', "\xe3\x21.*"],
['packet', "\xe3\x13.*"],
['ssh-header', "SSH-1.5-OpenSSH-1.2.3"],
['stream', ".*\.\[mp3\].*"],
['stream', ".*\.\[mp3\].*"],
['stream', ".*\.\[mp3\].*"],
['stream', ".*\.\[mp3\].*"],
['stream', ".*\.\[mp3\].*"],
['stream', ".*\.\[mp3\].*"],
['packet', ".*\x00\xcb\x00.*"],
['packet', ".*\x00\xcb\x00.*"],
['packet', ".\x00\x02\x00.*"],
['packet', ".\x00\x02\x00.*"],
['stream', ".*anon@napster.com.*"],
['packet', ".\x00\x06\x00.*"],
['packet', ".\x00\x06\x00.*"],
['packet', ".\x00\x5f\x02.*"],
['packet', ".\x00\x5f\x02.*"],
['http-header-user-agent', ".*\[MLdonkey\].*"],
['stream', ".*GNUTELLA OK.*"],
['stream', "GNUTELLA CONNECT\/0\.[0-9].*"],
['stream', ".*GNUTELLA\/0\.[0-9] 200 OK(\x0d)?\n.*"],
['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['http-header-user-agent', "\[gator\].*"],
['http-header-user-agent', ".*\[new\.net\].*"],
['http-header-user-agent', ".*\[DA\] [1-9]\.[0-9].*"],
['http-header', ".*Oracle9iAS-Web-Cache\/(9\.0\.(0\.4\.0|2\.3\.0|3\.1\.0|4\.0\.0)|2\.0\.0\.4\.0).*"],
['stream', ".*ADMINISTRATOR.*"],
['stream', ".*\[invalid login\].*"],
['packet', "NQ.*"],
['packet', "ST.*"],
['packet', "ST.*"],
['ftp-password', "cis@security\.check"],
['http-url-parsed', "\[Nikto\]-[0-9][0-9]?\.[0-9][^\00]+\.\[htm\]"],
['http-header-user-agent', ".*\(Nikto\/.*"],
['http-url', ".*search%3f<balisexss>%22%27.*"],
['stream', ".*\x00\x01\x00\x03\x00\x01\x00.*"],
['packet', "> .*"],
['packet', "> .*"],
['packet', "> .*"],
['stream', ".*cat \/etc\/passwd.*"],
['packet', ".*cat \/etc\/passwd.*"],
['stream', ".*\/usr\/(bin\/X11|X11R6\/bin)\/xterm.*"],
['packet', ".*\/usr\/(bin\/X11|X11R6\/bin)\/xterm.*"],
['packet', ".*\x2b\x06\x10\x40\x14\xd1\x02\x19.*"],
['packet', ".*WHATISIT.*"],
['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/group.*"],
['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/inetd.conf.*"],
['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/passwd.*"],
['stream', ".*cat( |\x09)*>>( |\x09)*\.rhosts"],
['stream', ".*cat( |\x09)*>>( |\x09)*\/etc\/passwd.*"],
['stream', ".*cd( |\x09)+\/bin\/\..*"],
['stream', ".*cd( |\x09)+\/usr\/\..*"],
['stream', ".*cd( |\x09)+\/var\/\..*"],
['stream', ".*cd( |\x09)+\.\.\..*"],
['stream', ".*id( |\x09)*\x0d.*"],
['stream', ".*mkdir( |\x09)+\.\..*"],
['stream', ".*nc .*"],
['stream', ".*nmap .*"],
['stream', ".*reboot.*"],
['stream', ".*shutdown.*"],
['stream', ".*strobe .*"],
['stream', ".*su( |\x09)+bin( |\x09)*\x0d.*"],
['stream', ".*su(( |\x09)+(root|-l root|- root|-))?( |\x09)*\x0d.*"],
['stream', ".*telnet[^\015]+21( |\x09)*\x0d.*"],
['stream', ".*telnet[^\015]+25( |\x09)*\x0d.*"],
['stream', ".*telnet[^\015]+80( |\x09)*\x0d.*"],
['stream', ".*vi( |\x09)+\/etc\/group( |\x09)*\x0d.*"],
['stream', ".*vi( |\x09)+\/etc\/passwd( |\x09)*\x0d.*"],
['stream', ".*xhost( |\x09)+.*"],
['stream', ".*xhost( |\x09)+\+( |\x09)*\x0d.*"],
['stream', ".*\[to su root\].*"],
['telnet-user', "cisco"],
['http-url-parsed', ".*conf\/httpd\.conf"],
['http-url-parsed', ".*\[\/admin_files\].*"],
['http-url-parsed-param', ".*\X20\X\/\[session\/adminlogin\]\?.*RCpage=\/\[sysadmin\]"],
['http-url-parsed', ".*\[\/ax-admin\.cgi\]"],
['http-url-parsed', ".*\[\/axs\.cgi\]"],
['http-url-parsed', ".*\/\[bigconf\.cgi\]"],
['http-url-parsed', ".*\[\/cgi-bin\/cachemgr\.cgi\]"],
['http-url-parsed', ".*\/\[day5data(copier|notifier)\.cgi\].*"],
['http-url-parsed', ".*\[\/environ\.cgi\]"],
['http-url-parsed', ".*\/\[filemail\.pl\]"],
['http-url-parsed', ".*\/\[finger(\.cgi|\.pl)?\]"],
['http-url-parsed', ".*\/\[flexform(\.pl|\.cgi)?\]"],
['http-url-parsed', ".*\[\/LWGate(\.cgi|\.pl)?\]"],
['http-url-parsed', ".*\[\/man\.sh\]"],
['http-url-parsed', ".*\[\/ministats\/admin\.cgi\]"],
['http-url-parsed', ".*\/\[mmstdod\.cgi\]"],
['http-url-parsed', ".*\/\[perlshop\.cgi\]"],
['http-url-parsed', ".*\/\[post-query\]"],
['http-url-parsed', ".*\[\/responder\.cgi\]"],
['http-url-parsed', ".*\/\[search\.vts\]"],
['http-url-parsed', ".*\[\/snork(erz)?\.(bat|cmd)\]"],
['http-url-parsed', ".*\[\/store\.cgi\]"],
['http-url-parsed', ".*\/\[textcounter\.pl\]"],
['http-url-parsed', ".*\/\[uploader\.exe\]"],
['http-url-parsed', ".*\/\[w3tvars\.pm\]"],
['http-url-parsed', ".*\[\/webdriver\]"],
['http-url-parsed', ".*\/\[web-map\.cgi\].*"],
['http-url-parsed', ".*\/\[cgi-bin\/www-sql\].*"],
['http-url-parsed', ".*\[\/cgi-bin\/MachineInfo\]"],
['http-url-parsed', ".*\/\[wais\.pl\]"],
['http-url-parsed', ".*\/admin\.pl.*"],
['http-url-parsed', ".*\/edit\.pl"],
['http-url-parsed', ".*\/files\.pl"],
['http-url-parsed', ".*\/maillist\.pl"],
['http-url-parsed', ".*\/rwwwshell\.pl"],
['http-url-parsed', ".*\/upload\.pl"],
['http-url-parsed', ".*\/wwwadmin\.pl.*"],
['http-url-parsed', ".*\[\/cfappman\/(index\.cfm)?\].*"],
['http-url-parsed', ".*\/\[cfdocs\/cfmlsyntaxcheck\.cfm\].*"],
['http-url-parsed', ".*\[\/cfdocs\/exampleapp\/\].*"],
['http-url-parsed', ".*\[\/cfdocs\/examples\/\].*"],
['http-url-parsed', ".*\[\/cfdocs\/snippets\/\].*"],
['http-url-parsed', ".*\[\/cfide\/administrator\/startstop\.html\].*"],
['http-url-parsed-param', ".*\?\[DeleteDocument\].*"],
['http-url-parsed-param', ".*\?\[EditDocument\].*"],
['http-url-parsed', ".*\[\/(catalog|domcfg|domlog|names|log)\.nsf\].*"],
['http-url-parsed', ".*\[\/_vti_(bin|pvt)\/\].*"],
['http-url-parsed', ".*\[\/cfgwiz\.exe\].*"],
['http-url-parsed', ".*\[\/admcgi\/contents\.htm\].*"],
['http-url-parsed', ".*\[\/scripts\/Fpadmcgi\.exe\].*"],
['http-url-parsed', ".*\[admisapi\/fpadmin\.htm\].*"],
['http-url-parsed', ".*\[\/fp(remadm|srvadm)\.exe\].*"],
['http-url-parsed', ".*\[\/author\.dll\].*"],
['http-url-parsed', ".*\[\/msdac\/\].*"],
['http-url-parsed', ".*\[\/scripts\/proxy\/w3proxy\.dll\].*"],
['http-url-parsed', ".*\[\.cnf\].*"],
['http-url-parsed', ".*\[\/_mem_bin\/\].*"],
['http-url-parsed', "\[\/msadc\/samples\/adctest\.asp\].*"],
['http-url-parsed', ".*\[\/Form_JScript\.asp\].*"],
['http-url-parsed', ".*\[\/scripts\/cpshost\.dll\].*"],
['http-url-parsed-param', ".*\[&del \/s c:\/\].*"],
['http-url-parsed', ".*\[\/ServerVariables_Jscript\.asp\].*"],
['http-url-parsed-param', ".*\[\/scripts\/tools\/getdrvr?s\.exe\].*"],
['http-url-parsed', ".*\[global\.asa\].*"],
['http-url-parsed', ".*\[\/scripts\/perl\].*"],
['http-url-parsed', ".*\/scripts\/postinfo\.asp.*"],
['http-url-parsed', ".*\/samples\/search\/queryhit\.htm.*"],
['http-url-parsed', ".*\[readme\.eml\].*"],
['http-url-parsed', ".*\[\/scripts\/repost\.asp\].*"],
['http-url-parsed', ".*\/scripts\/\X20\X.*"],
['http-url-parsed', ".*\[\/SiteServer\/Publishing\/viewcode\.asp\].*"],
['http-url-parsed', ".*\[\/Sites\/(Samples\/)?Knowledge\/Membership\/Inspired(tutorial)?\/ViewCode\.asp\].*"],
['http-url-parsed', ".*\[\/Sites\/Samples\/Knowledge\/(Push|Search)\/ViewCode\.asp\].*"],
['http-url-parsed', ".*\[\/site\/iisamples\].*"],
['http-url-parsed', ".*\[\/srchadm\].*"],
['http-url-parsed', ".*\[\/samples\/isapi\/srch\.htm\].*"],
['http-url-parsed', ".*\[\/SWEditServlet\].*"],
['http-url-parsed', ".*\[\/viewcode\.asp\].*"],
['http-url-parsed', ".*\[\/scripts\/((samples\/search)|srchadm)\/webhits\.exe\].*"],
['http-url-parsed', ".*\/backup(\/.*)?"],
['http-url-parsed', ".*\[\/intranet\/\].*"],
['http-url-parsed', ".*\/htgrep.*"],
['http-url-parsed-param', ".*\[\/\?PageServices\].*"],
['http-url-parsed', ".*\/nph-publish"],
['http-request', "\[GETPROPERTIES\]\X20\X.*"],
['http-url-parsed-param', ".*\[\/PSUser\/PSCOErrPage\.htm\?\].*"],
['http-url-parsed-param', ".*\/dsgw\/bin\/search\?.*context=.*"],
['http-url-parsed', ".*\[\/cgi-dos\/args\.bat\].*"],
['http-url-parsed-param', ".*\/ping\?.*query=.*"],
['http-url-parsed', ".*\/ews\/architext_query\.pl.*"],
['http-url-parsed', ".*\[\/dcforum\.cgi\]"],
['http-url-parsed', ".*\[\/sendform\.cgi\]"],
['http-url-parsed', ".*\[\/sendmessage\.cgi\]"],
['http-header', ".*User-Agent: Webtrends Security Analyzer.*"],
['http-url-parsed-param', ".*\?.*\[PHP_AUTH_USER=boogieman\].*"],
['http-url-parsed', ".*\/code\.php3.*"],
['http-url-parsed', ".*\/violation\.php3.*"],
['line', ".*\[directory listing of\].*"],
['http-url-parsed', ".*\[\/contextAdmin\/contextAdmin\.html\].*"],
['http-url-parsed-param', ".*\/bin\/ls.*"],
['http-url-parsed-param', ".*\/bin\/ls.*\|.*"],
['http-url-parsed-param', ".*\/bin\/ps.*"],
['http-url-parsed-param', ".*\/bin\/bash.*"],
['http-url-parsed-param', ".*\/bin\/cc.*"],
['http-url-parsed-param', ".*\/bin\/chgrp.*"],
['http-url-parsed-param', ".*\/bin\/chmod.*"],
['http-url-parsed-param', ".*\/bin\/chown.*"],
['http-url-parsed-param', ".*\/bin\/chsh.*"],
['http-url-parsed-param', ".*\/bin\/cpp.*"],
['http-url-parsed-param', ".*\/bin\/csh.*"],
['http-url-parsed-param', ".*\/bin\/echo.*"],
['http-url-parsed-param', ".*\/bin\/g\+\+.*"],
['http-url-parsed-param', ".*\/bin\/gcc.*"],
['http-url-parsed-param', ".*\/s?bin\/id((\040|%20|>|\|).*)?"],
['http-url-parsed', ".*\/~root(\/.*)?"],
['http-url-parsed-param', ".*\/etc\/inetd\.conf.*"],
['http-url-parsed-param', ".*\/etc\/motd.*"],
['http-url-parsed-param', ".*\/etc\/shadow.*"],
['http-url-parsed', ".*\/args\.bat.*"],
['http-url-parsed', ".*\/args\.cmd.*"],
['http-url-parsed-param', ".*\[cd\]\X20\X\.\."],
['http-url-parsed-param', ".*\[tftp\.exe\].*"],
['http-url-parsed-param', ".*\[nc\.exe\].*"],
['http-url-parsed-param', ".*\[net localgroup administrators \/add\].*"],
['http-url-parsed-param', ".*\[perl\.exe\].*"],
['http-url-parsed', ".*\[rcmd\.exe\].*"],
['http-url-parsed-param', ".*\[telnet\.exe\].*"],
['http-url-parsed-param', ".*\[\/ws_ftp\.ini\].*"],
['http-url-parsed-param', ".*\[wsh\.exe\].*"],
['http-url-parsed', "\[\/cybercop\].*"],
['http-url', ".*\/nessus_is_probing_you_"],
['http-url-parsed', ".*\/(b?a|k|ch?|z|tc|rk?|pdk|sa|ad)?sh"],
['http-url-parsed', "\/\[scripts\/samples\/search\]\/[^\00]+\.(idq|exe)"],
['http-url-parsed', ".*\/\[newdsn\.exe\]"],
['http-url-parsed', ".*\.\[htw\]"],
['http-url-parsed', ".*\/(r|w)\[guest\.exe\]"],
['http-url-parsed', ".*\/\[alibaba\.pl\]"],
['http-url-parsed', ".*\/\[FormHandler\.cgi\]"],
['http-url-parsed', ".*\/\[test\.cgi\]"],
['http-header-user-agent', "VoidEYE CGI security scanner"],
['http-url-parsed', ".*\/\[win-c-sample\.exe\]"],
['http-url-parsed', ".*\/\[search97\.vts\]"],
['ftp-command', "\[mkd\]"],
['line', "MKD \..*"],
['packet', "\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e.*"],
['http-url-parsed', ".*\[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\.cfm\].*"],
['packet', ".*\x0Ahelp\x0Aquit\x0A.*"],
['packet', "............\x01.*"],
['packet', "....\xFF\xFF.*"],
['stream', ".*YMSG..\x00\x00..\x00\x06.*"],
['stream', ".*\[nick\].*"],
['stream', "YMSG..\x00\x00\x00..(W|L).*"],
['msn-message', ".*text\/plain.*"],
['packet', "VER [0-9]+ (MSNP[0-9]+ )+CVR0\015\012"],
['packet', "CAL [0-9]+ .*"],
['packet', "RNG [0-9]+ ([0-9]+\.)+[0-9]+:1863 CKI.*"],
['stream', ".*\x2a\x02....\x00\x01\x00\x02.*"],
['stream', ".*\x2a\x02....\x00\x01\x00\x03.*"],
['stream', ".*\x2a\x02....\x00\x04\x00\x06.*"],
['stream', ".*\x2a\x02....\x00\x04\x00\x07.*"],
['stream', ".*\x2a\x04..\x00\x00.*"],
['stream', "OFT2.*OFT_Windows ICBMFT V1.1 32.*"],
['stream', ".*Server: AIM HTTP\/1\.0 \(aim_http_proxy\)\x0d\x0a.*"],
['packet', "\x00\x01.*"],
['line', "550 .*\[user unknown\].*"],
['smtp-banner', ".*MERCUR SMTP-Server \(v([0-2]|(3\.[0-2])).*"],
['smtp-banner', ".*MERCUR SMTP-Server \(v((3\.([3-9]|([0-2][0-9])))|(4\.[0-2][^0-9])).*"],
['smtp-banner', ".*CMailServer ([0-4]|5\.([0-1]|2)[^0-9]).*"],
['smtp-command-line', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['smtp-from', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['smtp-rcpt', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['stream', "\[quit\].*"],
['smtp-mime-content-name', ".*\.\[zip\]"],
['smtp-mime-content-filename', ".*\.\[(w|e)mf\]"],
['smtp-mime-content-filename', ".*\.\[zip\]"],
['smtp-mime-content-filename', ".*\.\[hta\]"],
['smb-calling-name', "\[localhost\]\x20\x20\x20\x20\x20\x20\x20"],
['smb-open-filename', ".*\.\000?\[z\000?i\000?p\000?\]"],
['stream', ".*ftp:.*"],
['stream', ".*\x07\x61\x75\x74\x68\x6f\x72\x73\x04\x62\x69\x6e\x64\x00\x00\x10\x00\x03.*"],
['packet', ".*\x07\[version\]\x04\[bind\]\x00.*"],
['packet', "Server is online"],
['stream', "(get[A-z]+|scrnsav).*"],
['packet', "[A-z]:\\.*"],
['http-status', "Desconectado Web Serve CT.*"],
['stream', ".*@.*@.*"],
['finger-user', "search.*"],
['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['finger-user', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['packet', "\x00\x00\x07\xa2\x08\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['http-request', "PROPFIND \/.*"],
['http-request', "HEAD \/~root.*"],
['http-request', "(GET|POST) \/\/ HTTP\/1\.0"],
['http-request', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-header', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-header-accept', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-header-content-encoding', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-header-content-language', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-header-content-location', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
['http-url-parsed-param', ".*%1u%1u.*"],
['http-url', "([\001-\045]|[\047-\076]|[\0100-\0377])*\[%2Easp\].*"],
['http-url-parsed', "\[\/scripts\/iisadmin\].*"],
['http-url-parsed-param', "\/\[iissamples\]\/[^\077]*\/\[codebrws\.asp\]\?[^\000]*\[source=\].*"],
['http-url-parsed', ".*\[\/bdir\.htr\].*"],
['http-url-parsed-param', "\/\[ms(adc|dac)\/Samples\/SELECTOR\/showcode\.asp\]\?[^ ]*\[source\]=.*"],
['http-url-parsed-param', ".*\[#filename=(\"|')?\.(asp|exe)(\"|')?\].*"],
['http-header', ".*\[xp_enumdsn\].*"],
['http-url-parsed', ".*\[\/search\/(advsearch|query|search)\.asp\].*"],
['http-url-parsed', ".*\[xp_filelist\].*"],
['http-url-parsed-param', ".*\.\[htw\?.*CiWebHitsFile=\][^&]+\.\[asp\].*"],
['http-url-parsed', ".*(\x20)+\.\[htr\].*"],
['http-header', ".*\[xp_regread\].*"],
['http-url-parsed', ".*\/\[_vti_bin\/_vti_aut\/fp30reg.dll?.*<script.*>\].*"],
['http-url-parsed-param', "\[\/iissamples\/sdk\/asp\/docs\/CodeBrws\.asp\?.*Source=\].*"],
['http-url-parsed-param', ".*\/\[iissamples\]\/.*"],
['http-header', "\[Translate: *f\]"],
['http-url-parsed-param', "\/xxxiischeckxxx"],
['http-url-parsed', "\[\/msadc\/msadcs.dll\]"],
['http-url-parsed-param', ".*\/\[SQLQHit\.asp\?CiColumns\]=\*&CiScope=(webinfo|extended_fileinfo|extended_webinfo|fileinfo).*"],
['http-url-parsed-param', "\/\[level\]\/(1[6-9]|[2-9][0-9])\/\[exec\]\/.*"],
['http-url-parsed', ".*\[\/_vti_pvt\/(authors|users)\.pwd\].*"],
['http-url-parsed', ".*\[\/_private\/(orders|register|registrations|form_results)\.(htm|txt)\].*"],
['http-url-parsed', ".*\[\/_vti_bin\/shtml\.(dll|exe)\/.*\.(html|htm|asp|shtml)\].*"],
['http-url-parsed-param', ".*\/etc\/passwd.*"],
['http-url-parsed-param', ".*\/etc\/hosts\.allow.*"],
['http-url-parsed', ".*\/\.nsconfig"],
['http-url', "((\\|%5\[c\])+)?\[cgi-bin\].*"],
['http-url-parsed', "\[\/portal\/diag\]\/?"],
['http-url-parsed-param', ".*\[win\.ini\].*"],
['http-url-parsed', ".*\/\[chat\]\/!(\[pwds\]|\[nicks\])\.\[txt\]"],
['http-url-parsed-param', ".*\/\[cutenews\]\/\[index\.php\]\?\[debug\]"],
['http-url-parsed', ".*\.\[chm\]"],
['http-request', "\[INDEX\] \/ HTTP\/1\.0.*"],
['http-url-parsed-param', ".*\/\?wp-verify-link"],
['http-url-parsed-param', ".*\/\?wp-cs-dump"],
['http-url-parsed-param', ".*\/\?wp-ver-info"],
['http-url-parsed-param', ".*\/\?wp-ver-diff"],
['http-url-parsed-param', ".*\/\?wp-start-ver"],
['http-url-parsed-param', ".*\/\?wp-stop-ver"],
['http-url-parsed-param', ".*\/\?wp-uncheckout"],
['http-url-parsed-param', ".*\/\?wp-html-rend"],
['http-url-parsed-param', ".*\/\?wp-usr-prop"],
['stream', ".*GET \/%3CSCRIPT%3Ealert%28document%3EURL%29%3C\/SCRIPT%3E\/.*"],
['http-header-referer', ".*<\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\][^>]*>.*"],
['http-url-parsed-param', ".*\[compte\.php\?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20\]''='.*"],
['http-url-parsed', ".*\/(config|orders)\/(check|import)\.txt"],
['http-url-parsed-param', "\/*\[\/carbo\.dll\?.*icatcommand=\/?\.\.\/\]"],
['http-url-parsed-param', ".*\?\?\?\?\?\?\?.*"],
['http-url-parsed', ".*\[\.html\/\.\.\.\.\.\.\].*"],
['http-url-parsed-param', ".*\[tuxadm\.exe\]\?[^\012]*INIFILE=.*"],
['http-url-parsed-param', ".*\[\/webplus\.exe\?about\].*"],
['http-url-parsed-param', ".*\[\/webplus\.exe\?.*script=\][^&]+\.\[wml::\$DATA\].*"],
['http-url-parsed', ".*\[\/cfide\/administrator\/(index.cfm)?\].*"],
['http-url-parsed', ".*\/\[application\.cfm\].*"],
['http-url-parsed', ".*\[\/cfcache\.map\].*"],
['http-url-parsed-param', ".*\/\[getfile\.cfm\?.*FilePath=([a-z]:|\/?\.\.\/)\].*"],
['http-url-parsed', ".*\/\[onrequestend\.cfm\].*"],
['http-url-parsed', ".*\[;\.jsp\]"],
['http-text-html', ".*body {.*font-size: [1-9][0-9][0-9][0-9][0-9][0-9][0-9]px;.*}.*"],
['stream', ".*\x46\x57\x53\x04\x4e\x00\x00\x00\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x43\x02\xff\xff\xff\xa7\x00\x01\x00\x70\x7d\x09\xc4\x07\xd0\x9c\x40\x01\x00\xff\x00\x00\x01\x14\x00\x00\x00\x00\x11\x35\xc9\xc4\x07\xd1\xf6\xbe\x83\xb2\x0c\x1d\xb0\x60\xec.*"],
['http-text-html', ".*<object id=objSWF33 classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\".*<param name=\"src\" value=\"\[([a-z]|[0-9])+\.php\]\">"],
['stream', "\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a.*"],
['http-text-html', ".*<\[img\][^>]*\[width\][ ]*=[ ]*('|\")?[2-3][0-9][0-9][0-9][0-9]('|\")*[^<]*\[height\][ ]*=[ ]*('|\")?[1-9][0-9][0-9][0-9][0-9][0-9]+.*"],
['http-text-html', ".*<\[IMG\][^>]+\[src\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*::(\"|')?[^>]+onError( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*this\.src=('|\")?::('|\")?;('|\")?[^>]*>.*"],
['http-text-html', ".*\[<iframe src=\"?.*\.scm\"?.*mhtml:file:\/\/\/C:\/Program%20Files\/ICQ\/Sounds\/.*!file:\/\/\/\].*"],
['http-text-html', ".*<\[iframe\][^>]+\[src\]( |\012|\011)*=( |\012|\011)*(\"|')?.*\.\[jnlp\](\"|')?.*\[mhtml:file:\/\/\/C:\/Program%20Files\/Java%20Web%20Start\/\.javaws\/cache\/http\/\][^>]*!\[file\]:\/\/\/.*"],
['http-text-html', ".*\[<iframe src=\"?.*\.wsz\"?.*mhtml:file:\/\/\/C:\/Program%20Files\/Winamp\/Skins.*!file:\/\/\/\].*"],
['http-text-html', ".*\[ftp:\/\/\"><script>\].*"],
['http-text-html', ".*<\[script>.*'<'\+'script>.*<\/'+'script>'.*<\/script\]>.*"],
['http-text-html', ".*<\[img\][^>]*\[src\]=( |\x09|\x0A)*(\"|')?\[gopher\]:\/\/[^\/]+\/[^%]*%09 0[^>]*>.*"],
['stream', ".*\+ABSTRACT:\x0d\x0a.*\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99\xcf\x14\x2c.*"],
['http-text-html', ".*http:\/\/toolbar\.google\.com\/command\?script=\[document\.body\.insertAdjacentHTML\]\(.*<object[^>]*codebase=c:\/.*"],
['http-text-html', ".*http:\/\/toolbar\.google\.com\/command\?script=\[document.body.insertAdjacentHTML\]\(.*<iframe id=\[oFileRead\] src=file:\/\/.*"],
['stream', ".*\xff\xfe\x3c\x00\x65\x00\x6d\x00\x62\x00\x65\x00\x64\x00\x0d\x00\x73\x00\x72\x00\x63\x00\x3d\x00\x22\x00\x68\x00\x74\x00\x74\x00.*"],
['http-text-html', ".*hcp:\/\/system\/DFS(\/|\\)uplddrvinfo\.htm\?file:\/\/.*"],
['http-text-html', ".*oVuln\.NavigateAndFind\(\"javascript:alert\(document\.cookie\)\",\"\",\"\"\);.*"],
['http-text-html', ".*alert\(fVuln\(\"ElementIdInNewDoc\"\)\.document\.cookie\);.*"],
['http-text-html', ".*fVuln\(\"javascript:alert\(dialogArguments\.document\.cookie\)\",oWin,\"\"\);.*"],
['http-text-html', ".*\.pasteHTML\([^>]*javascript:alert\(document\.cookie\).*"],
['http-text-html', ".*alert\(oVuln\.getData\(\"text\"\)\); or oVuln\.setData\(\"text\",\"data\"\);.*"],
['http-text-html', ".*replace\('mk:@MSITStore:C:'.*"],
['http-text-html', ".*<\[frameset\][^>]*\[cols\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*[^>]*,\*,\*,\*,\*,\*,\*,\*,\*,\*.*"],
['http-text-html', ".*<\[object\][^>]*\[type\]=\"\x5b\xb8\xff\xff\xff\x99\x35\x4f\xfb\xea\x99\x40\x81\x38\x78\x56\x34\x12\x75\xf7\x83\xc0\x04\xff\xd0\x2f\x2f\x2f.*"],
['http-text-html', ".*\.write\(\"[^\012]*<\[HR\] [^>]*\[align\]='?\".*"],
['http-text-html', ".*\.\[location\.href\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')\[javascript\]:[^;]*<\[script\]>.*"],
['http-text-html', ".*<\[a href\]=\042\[http\]:\/\/[^>]+\.[^>]+(\x00\x00|%00%00)[^>]+>.*"],
['http-text-html', ".*=\s+\[window\.screen(left|top\])-.*"],
['http-text-html', ".*<\[SCRIPT\][^>]+((\[LANGUAGE\]\s*=\s*(\042|\047)?\[XML\][^>]+\[SRC\]\s*=)|(\[SRC\]\s*=[^>]+\[LANGUAGE\]\s*=\s*(\042|\047)?\[XML\]))[^>]*>.*"],
['http-url-parsed', ".*\.idc"],
['http-status', ".*403 Forbidden.*"],
['http-text-html', ".*<[^>]*=(\047|\042)?\[disk(s)?\]:\/\/[^>]*\.\[dmg\][^>]*>.*"],
['http-url-parsed-param', ".*\[\/ad\.cgi\?(value|file)=\/?\.\.\/\].*"],
['http-url-parsed-param', ".*\[\/windmail\.exe\?%20-n\].*"],
['http-url-parsed-param', ".*\/\[cgi-bin\/htmlscript\](\?|\/)\/?\.\.\/.*"],
['http-url-parsed-param', ".*\[\/search\.pl\?.*form=.*%00\]"],
['http-url-parsed', ".*\[\/quikstore\.cfg\]"],
['http-url-parsed-param', "\/\[cgi-bin\/sojourn\.cgi\]\?[^\012]*\[cat\]=[^&]*\/?\.\.\/.*"],
['http-url-parsed-param', ".*\/\[store\.cgi\]\?[^\012]*\[(product|StartID)\]=.*\.\.\/.*"],
['http-url-parsed-param', ".*\/\[cgi-bin\][^\077]*\[\/(ftp\/)?ftp\.pl\?\][^\000]*\[dir\]=\/?\.\.\/.*"],
['http-url-parsed-param', ".*\[\/way-board\.cgi\?.*db=.*%00\]"],
['http-url-parsed', ".*\/AT-admin\.cgi.*"],
['http-url-parsed-param', ".*\[\/web_store\.cgi\]\?[^?]*\[page=\/?\.\.\/\].*"],
['http-url-parsed-param', ".*\/\[faxsurvey(\?|\/)(\/|\.\.)+(bin|etc)\].*"],
['http-url-parsed-param', ".*(Count\.cgi|Count\.exe)\?user=a%90%BF8%EE%FF%BF8.*"],
['http-url-parsed-param', ".*\[newsadmin\/upload\.php\?.*userinfo..*=hop&.*userinfo..*=100\].*"],
['http-url-parsed-param', ".*\[admin\.php\?.*en_log_id=0&.*action=(users|config)\].*"],
['http-url-parsed', ".*\[\/ip\.txt\]"],
['http-url-parsed-param', ".*\[admin\.php4\?.*reg_login=1\].*"],
['http-url-parsed', ".*\[admin\/admin_phpinfo\.php4\].*"],
['http-url-parsed-param', ".*\[viewimg\.php\?.*path=viewimg\.php&.*form=1&.*var=1\].*"],
['http-url-parsed', "\/cgi-bin\/rwcgi60(\/|\/showenv)?"],
['http-url', ".*cgi-bin\/redir\.exe\?\[URL=http(:\/\/|%3A%2F%2F).*%0D%0A%0D%0A%3CSCRIPT%3E\].*"],
['http-url-parsed', "\/cgi-isapi\/..*"],
['http-url-parsed-param', ".*\/\[cgi-bin\/texis\.exe\][^ ](-dump|-version).*"],
['http-url-parsed', ".*\/\[(formmail|contact|mailform|mail|fmail|feedback|cgie?mail|sender|ezformml|mailer)(\.(cgi|pl|exe))?\]"],
['http-url-parsed-param', ".*\/\[test-cgi\]\/\052*\?[^\00]*\052.*"],
['http-url-parsed-param', ".*\/\[mlog\.phtml\]\?\[screen\]=\/.*"],
['http-url-parsed', ".*\/cgi-bin\/dumpenv\.pl"],
['http-url-parsed-param', ".*\/\[sendtemp\.pl\]\?.*\.\.\/.*"],
['http-url-parsed-param', ".*\[command=X&type=\";\].*"],
['http-url-parsed-param', "\/userprefs\.cgi\?Bugzilla_login=[^&]+&Bugzilla_password=[^&]+&bank=footer&dosave=1&mybugslink=1%27%20%2cgroupset=%279223372036854775807"],
['http-url-parsed-param', ".*editproducts\.cgi\?Bugzilla_login=[^&]&Bugzilla_password=[^&]&version=unspecified&product=[^&]+&action=new"],
['http-url-parsed', "\/mail\/[^ ]+\.nsf"],
['http-url', "\/\.nsf\/\.\.\/[^ ]*"],
['http-url-parsed-param', ".*\?[^ ]*\.\.\/.*"],
['http-url-parsed', ".*\.www_?acl"],
['http-header', ".*\[xp_availablemedia\].*"],
['http-url', "\/\.\.\.\.?\.?.*"],
['http-url-parsed-param', ".*\.\[php\]\?xoopsOption=.*"],
['http-url-parsed', "\/user_settings?\.cfg"],
['http-url-parsed', ".*\[(lpt|com)[0-9]\.xtp\]"],
['http-url-parsed', ".*dscgi\/ds\.py\/ApplyUpload\/Collection-10.*"],
['stream', ".*(\[GET\]|\[POST\])[^\011]+\/\[cgi-bin\/\.cobalt\/alert\/service\.cgi\]\?[^\011]*\[service=\](<|%3C).*"],
['http-url-parsed-param', ".*\/include\/(oci8|postgres65|mysql|mysql7|msql)\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
['http-url-parsed-param', ".*\/include\/postgres\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
['http-url-parsed-param', ".*\/user\/(agora_user|ldap_example)\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
['http-url-parsed-param', ".*\/doc\/admin\/(index|help[0-9]+)\.php\?ptinclude=http:\/\/.*"],
['http-url', ".*\.php<\?.*"],
['http-url-parsed-param', ".*\/(\[(index|inc\.lib|inc\.cp)\.php\]\?[^ ]*\[sfx\]=|\[lib\/(comment|weblog)\.add\.php\])"],
['http-url-parsed', "\/modules\/(Downloads\/voteinclude|Your_Account\/navbar|Forums\/(attachment|auth)|News\/comments|Web_Links\/voteinclude|WebMail\/contactbook)\.php.*"],
['http-url-parsed', "\/modules\/Private_Messages\/(functions|index|read|reply)\.php.*"],
['http-header-user-agent', "Mozzarella\/1\.37\+\+.*"],
['http-url-parsed', ".*\.\[hts\]\."],
['ftp-password', "\+"],
['ftp-password', "blueskies"],
['line', "STOR.*space\.asp.*"],
['stream', ".*USER private\r\nPASS #\x0d\x0a.*"],
['ftp-username', "(lp|nuucp|EZsetup|demos|OutOfBox|guest|4Dgifts)"],
['stream', ".*\[password required. but none set\].*"],
['packet', ".*\x00\x00\x00\x00....\x00\x01\x86\xa0....\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['stream', ".*\[SELECT +(UserName|\*) +FROM +ALL_USERS\].*"],
['packet', "\x0A.*"],
['stream', ".*\[s\00p\00_\00(a\00d\00d\00_\00j\00o\00b|a\00d\00d\00_\00j\00o\00b\00s\00t\00e\00p|a\00d\00d\00_\00j\00o\00b\00s\00e\00r\00v\00e\00r|s\00t\00a\00r\00t\00_\00j\00o\00b)\].*"],
['smtp-mime-content-filename', "\[explorer\.doc\]"],
['smtp-mime-content-filename', "\[explorer\.doc\]|\[resume1\.doc\]|\[normal\.dot\]"],
['stream', ".*\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00(\x01|\x02|\x03)\x00\x00\x00(\x02|\x05|\x06).*"],
['packet', ".*\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00(\x01|\x02|\x03)\x00\x00\x00(\x02|\x05|\x06).*"],
['stream', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
['stream', ".*\.write\((\"|')<\[HR align\]=.*"],
['pop3-command-line', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[zip\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[bas\]\".*"],
['stream', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
['packet', "\r\n"],
['stream', "........[\0001-\0377][\0000-\0377].*"],
['stream', "VERS[ ]*.*"],
['smb-open-filename', "\[\0134(\000)?S(\000)?A(\000)?M(\000)?R(\000)?\]"],
['ftp-password', "-saint.*"],
['smtp-from', ".*nessus.*"],
['stream', ".*can't hide from me.*"],
['ftp-password', "retina@example.org"],
['smtp-from', "<(cis|scan)@cerberus.*"],
['ftp-password', "-iss@iss"],
['ftp-password', "-satan.*"],
['ftp-password', "ddd@"],
['http-url-parsed', ".*\/\[cgi-bin\/test-cgi\].*"],
['http-url-parsed', "\/\[server-info\]"],
['http-url', "\/\[server%20logfile\]"],
['ftp-pathname', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
['ftp-pathname', ".*\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x2c.*"],
['ftp-pathname', ".*\x90\x31\xC0\x99\x52\x52\xB0\x17\xCD\x80\x68\xCC\x73\x68.*"],
['ftp-pathname', ".*\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff.*"],
['ftp-pathname', "aaaa\x01\x88\x5f\x01\x01\x87\xe5\xca%u%u%u%u%u.*"],
['ftp-command', ".*\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3.*"],
['ftp-pathname', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0.*"],
['ftp-pathname', ".*\x41\x41\x29\xc0\x50\xb0\x17\x50\xcd\x80\x29\xc0\x50\xbf\x66\x69\x73\x68.*"],
['ftp-pathname', "\x41\x2a\x2f\x2e\x2e\x2f\x41\x2a\x2f\x2e\x2e\x2f\x41\x2a\x2f.*"],
['ftp-pathname', ".*\x80\xe8\xc5\xff\xff\xff\xff\xff\xff\x30\x64\x65\x76\x30\x63\x64.*"],
['ftp-pathname', ".*\xe8\x97\xff\xff\xff\xff\xff\xff\x45\x45\x32\x32\x33\x32\x32\x33.*"],
['ftp-password', "fts\@undernet.org"],
['ftp-password', "-cklaus.*"],
['smtp-command-line', "\[vrfy\] netect-.*"],
['packet', ".*\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00.*"],
['stream', ".*SSH_Version_Mapper.*"],
['stream', ".*\x0A .*"],
['finger-host', "localhost"],
['packet', ".*AAAAAAAAAAAAAAAA.*"],
['smtp-command-line', "\[ehlo cybercop\]"],
['smtp-command-line', "\[expn cybercop\]"],
['packet', ".*cybercop.*"],
['ssh-header', "USER AMAP"],
['http-request', "USER AMAP"],
['pop3-user', "AMAP"],
['ssh-header', "GET \/ HTTP\/1\.0"],
['smtp-command-line', "GET \/ HTTP\/1\.0"],
['ssh-header', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
['smtp-command-line', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
['http-request', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
['ssh-header', "\x00\x00\x01\x06\xff\xff\xff\xff"],
['smtp-command-line', "\x00\x00\x01\x06\xff\xff\xff\xff"],
['http-request', "\x00\x00\x01\x06\xff\xff\xff\xff"],
['packet', "............\x0e.*"],
['packet', ".......\x08\x00\x0a.*"],
['packet', ".......\x2b.*"],
['packet', ".......\x11.*"],
['line', "550 .*\[relay access denied\].*"],
['line', "550 .*\[relaying denied\].*"],
['line', "550 .*\[relaying is prohibited\].*"],
['smtp-mime-content-filename', ".*\[[a-z]\.[a-z]\.[a-z]\.[a-z]\.([a-z]\.?)*\]"],
['smtp-command-line', "( |\x09)*\[help\].*"],
['smtp-command-line', ".*\[BDAT \].*"],
['smtp-mime-content-filename', ".*\.\[crt\]"],
['smtp-mime-content-filename', ".*\.\[mdb\]"],
['smtp-mime-content-filename', ".*\.\[url\]"],
['smtp-header-line', "\[(Content-Type: )?multipart\/mixed; boundary\]=\"\".*"],
['smtp-header-from', ".*\"\"\"\"\"\"@.*"],
['smtp-rcpt', "[^@]+@[^\040]+@[^@]+"],
['dhcp-option', "\x0c.*<.*"],
['stream', ".*200 .*[0-9]+ (%\[[a-z]\])+.*"],
['smb-open-filename', ".*\.(\00)?\[j(\00)?o(\00)?b\](\00)?"],
['smb-open-filename', ".*\[a(\000)?u(\000)?t(\000)?o(\000)?r(\000)?u(\000)?n(\000)?\.(\000)?i(\000)?n(\000)?f(\000)?\]"],
['smb-open-filename', "\\00?w\00?i\00?n\00?r\00?e\00?g\00?"],
['stream', ".*\xe9\xac\x10\x05\xe8\x97\x6c\x8d\x46\x88\x94\x61\x08\xd4\x62\xe8\x94\x61\x45\x6e\xb5\x45\xe8\x9f\x3b\x90\x00\x0b\xa0\x00\x0b\x85\x00\x0c\xd8\x05\x08\xd5\xe2\xb9\xff\x10\x0b\x82\x70\x00\xcd\x80\x8d\x5e\x2b\x83\xd0.*"],
['stream', ".*\x40\x00\x2e\x10\x00\x90\x3e\x0d\x59\x21\x02\x00\x82\x10\x20\x59\x1d\x02\x00\xa0\x10\x08\x90\x3e\x0c\xc9\x21\x02\x1f\xf8\x21\x02\x05\x09\x1d\x02\x00\x90\x3e\x0c\xc8\x21\x02\x03\xd9\x1d\x02\x00\x90\x10\x01\x08\x21.*"],
['stream', ".*\xe9\xd4\x10\x05\xe3\x1c\x05\x05\x0b\x01\x7c\xd8\x03\x1c\x05\x05\x05\x65\x0b\x05\xcd\x80\x89\x46\x28\xb9\xff\x10\x05\x18\xd4\x62\x50\x50\xb8\x88\x00\x0c\xd8\x08\xd4\x62\x50\x50\xb8\x3d\x00\x0c\xd8\x08\xb4\x62\x85\x05\x0b\x8a.*"],
['stream', ".*\xe9\x79\x10\x05\xe5\x0b\x82\x00\x0c\xd8\x08\x5c\x0f\x85\xe6\x00\x08\xd5\x63\x88\x95\x62\x88\xd4\x64\x08\x94\x62\xc8\xd4\x64\x38\x94\x63\x08\xd4\x63\x05\x08\xd4\x62\x85\x05\x25\x0b\x83\xb0\x00\xcd\x80\x50\x50\xb8\x10\x00.*"],
['stream', "\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61.*"],
['packet', ".*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61.*"],
['packet', ".*\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff\xff\xff\/bin\/.*"],
['stream', ".*\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff\xff\xff\/bin\/.*"],
['packet', ".*\xb0\x3b\x53\x53\x56\x56\xeb\x10\xe8\xe5\xff\xff\xff\/bin\/.*"],
['stream', ".*\xb0\x3b\x53\x53\x56\x56\xeb\x10\xe8\xe5\xff\xff\xff\/bin\/.*"],
['packet', ".*\xff\xff\/bin\/sh\/\xff\x2d\x63\xff.*"],
['stream', ".*\xff\xff\/bin\/sh\/\xff\x2d\x63\xff.*"],
['packet', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
['stream', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
['packet', ".*\xc7\x06\x2f\x62\x69\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c\x8d\x56\x10\x8d\x4e.*"],
['stream', ".*\xc7\x06\x2f\x62\x69\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c\x8d\x56\x10\x8d\x4e.*"],
['packet', ".*\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe6.*"],
['stream', ".*\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe6.*"],
['packet', ".*\xe8.\xff\xff\xff\/bin\/.*"],
['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
['packet', ".*\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82.*"],
['stream', ".*\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82.*"],
['packet', ".*\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34.*"],
['stream', ".*\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34.*"],
['packet', ".*\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25.*"],
['stream', ".*\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25.*"],
['packet', ".*\x03\xff\xff\xcc\/bin\/.*"],
['stream', ".*\x03\xff\xff\xcc\/bin\/.*"],
['packet', ".*\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f.*"],
['stream', ".*\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f.*"],
['packet', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
['stream', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
['packet', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31.*"],
['stream', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31.*"],
['packet', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['packet', ".*\xb0\xb5\xcd\x80.*"],
['stream', ".*\xb0\xb5\xcd\x80.*"],
['packet', ".*\xb0\x17\xcd\x80.*"],
['stream', ".*\xb0\x17\xcd\x80.*"],
['packet', ".*\x90\x90\x90\x90\x90\x90\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f.*"],
['packet', ".*\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80.*"],
['stream', ".*\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80.*"],
['packet', ".*\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80.*"],
['stream', ".*\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80.*"],
['packet', ".*\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11.*"],
['stream', ".*\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11.*"],
['packet', ".*\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08.*"],
['stream', ".*\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08.*"],
['packet', ".*\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0.*"],
['stream', ".*\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0.*"],
['packet', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
['stream', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
['packet', ".*\x25\x0b\xcb\xc8\xa4\x14\xaf\x75\x27\x1c\xdc\x88.*"],
['stream', ".*\x25\x0b\xcb\xc8\xa4\x14\xaf\x75\x27\x1c\xdc\x88.*"],
['packet', ".*\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13.*"],
['packet', ".*\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6.*"],
['stream', ".*\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6.*"],
['stream', ".*\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13.*"],
['packet', ".*\x90\x1a\x40\x90\x82\x10\x20\x2e\x91\xd0\x20.*"],
['stream', ".*\x90\x1a\x40\x90\x82\x10\x20\x2e\x91\xd0\x20.*"],
['packet', ".*\x82\x10\x20\x17\x91\xd0\x20\x08.*"],
['stream', ".*\x82\x10\x20\x17\x91\xd0\x20\x08.*"],
['packet', ".*\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32\x2e\x64\x6c\x6c\x00.*"],
['stream', ".*\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32\x2e\x64\x6c\x6c\x00.*"],
['packet', ".*\xbf\xff\xd0\x8b\xf0\x5a\x43\x53\x52\x32\xe4\x83\xc3\x04\x88\x23\xb8\x28.*"],
['stream', ".*\xbf\xff\xd0\x8b\xf0\x5a\x43\x53\x52\x32\xe4\x83\xc3\x04\x88\x23\xb8\x28.*"],
['snmp-community', "\[\*?ilmi\]"],
['snmp-oid', "\x2b\x06\x01\x04\x01\x4D.*"],
['packet', "\x01\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['snmp-oid-parsed', "\.1\.3\.6\.1\.4\.1\.11\.2\.3\.9\.1\.1\.13\.0"],
['packet', ".*\x30\x11\x06\x0d\x2b\x06\x01\x04\x01\x9e\x73\x02\x01\x0d\x01\x02(\x01|\x02).*"],
['stream', ".*Host \[v\]ersion [2-4]\..*"],
['packet', "(list|hide|show|info|proc|error|chat)"],
['stream', "conadministrator"],
['packet', "14Y3K[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?"],
['packet', "Y3K.*"],
['packet', ".*--Ahhhhhhhhhh.*"],
['stream', ".*\* Doly trojan.*"],
['stream', ".*(INFO|scrnerron|scrnerroff|hidebar|showbar|runprog|OpenDL|CloseDL).*"],
['packet', "0`[A-z][A-z][A-z][A-z]"],
['stream', "ER 0\x0d\x0a.*"],
['stream', ".*OK\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.*"],
['stream', ".*Connected to host \(.*"],
['stream', ".*Blade Runner ver .*"],
['stream', "\x20Remote > OK\.\.\..*"],
['stream', ".*\x0c\x00\x00\x00\x0e\x00\x00\x00Screen Capture\x0c.*"],
['packet', "(CURDIR|DRIVES|CD [A-Z]:\\)\x0d"],
['packet', "\*\?!\?[A-Z][A-Z].*\x0d"],
['stream', ".*CAFEiNi [0-9]\.[0-9].*"],
['stream', "\x20>>\x20\x20MTX Celine Trojan.*"],
['packet', "accept:.*"],
['stream', "(%NBMSGRESULT|@1%DONE|004200[0-9][0-9]T?).*"],
['stream', "Conectado!.*"],
['stream', "\|DRVS\|[A-Z],.*"],
['stream', "\|ENUMDRVS\|.*"],
['stream', "\x50\x6f\x6c\xb9\x63\x7a\x6f\x6e\x6f\x2e\x2e\x2e.*"],
['stream', "DCIClient[0-9][0-9].*"],
['stream', "DCIServer[0-9][0-9].*"],
['packet', "001"],
['packet', "085"],
['stream', "\/MSG,Rootbeer Rules!.*"],
['stream', ".*\x0d\x0aDRaT Version.*"],
['stream', ".*\x20\x20\x20DTr v\.[0-9]\.[0-9].*"],
['packet', "(s?invisible|s?visible|sunenabled|s?enabled|disabled|\[N\]umlock|\[C\]aps|\[S\]croll|emessage from duddie|progid|crazy);?"],
['stream', ".*ECLYPSE v[0-9]\.[0-9].*"],
['packet', "Execute[A-Z][A-z]+.*"],
['stream', "Frenzy [0-9](\.|[0-9]).*"],
['packet', "(icq|gui|cli|det|eet|gaa|sth|sts|eyo|eyf|tiz|wvr|rab|rao)"],
['packet', "(password|FileSend|FileGet|MsgBox|unkillbutton|killbutton|lockCAD|unlockCAD|disconnect);"],
['stream', "GirlFriend Server [0-9].*"],
['packet', "(hidetaskbar|showtaskbar|openformessage|test|hidedesktop|showdesktop)"],
['stream', ".*R_Server version:[0-9].*"],
['packet', "Execute[A-z].*"],
['packet', "(hidestart|showstart|hidetaskbar|showtaskbar|4testmassage)"],
['stream', ".*intrudordedicated.*"],
['stream', ".*Kid Terror [0-9]\.[0-9].*"],
['stream', "\|FOLDERS\|xxxROOTxxx"],
['packet', ".*SH@H SERVER [0-9]\.[0-9]*"],
['packet', "(x|w|r|tbarh|tbars|rappv)"],
['stream', "00Ver\. [0-9]\.[0-9]+,.*"],
['stream', ".*(\xa9HaHa |\xd0\"[0-9][0-9][0-9]\" \"[0-9][0-9]?[0-9]?\").*"],
['packet', "\.(hidetask|showtask|notepad)"],
['stream', ".*One Server.*"],
['packet', "(messagebox|inputboxman)"],
['packet', "(0400004.*|25|31)"],
['stream', "220 Mandar\/Receber Arquivos no PCI\.\x0d\x0a.*"],
['stream', ".*Product Name :.*"],
['packet', "(get drives|get user|get info)"],
['packet', "0x100"],
['stream', "Hook\x0d\x0a\x0d\x0a\0133\.remote hack.*"],
['stream', ".*(get|kill [0-9]+)OK.*"],
['packet', ".?Connected to The Revenger.*"],
['stream', ".*(WINDIR|SYSDIR|ABCJZDATEIEV|FILELAENGE|GETUSER|COUNTRY).*"],
['stream', "-=COM:.*"],
['packet', "0\.9[0-1]"],
['packet', "The Unexplained\.\.\..*"],
['packet', "(download[A-z]:\\|msg%|tit%).*"],
['stream', ".*LoginUploaderServer.*"],
['stream', "[^|]+\|[^|]+\|cmd:.*"],
['packet', "(fil[A-z]:\\.*|msg.*|apa)"],
['stream', "MANAGER_FILE_GETDRIVES\x00\x09\x00"],
['packet', "PING\x00\x09\x00"],
['stream', "0400000000.*"],
['packet', "0[0-9]00000000"],
['stream', "WindowsMite Server v1.0 Port 65530.*"],
['stream', "WinCrash Server [0-9].*"],
['stream', "This Program can not be opered by a Telnet Conection\.Use WinCrash Client 1\.03\. Get it at www\.wincrash\.cjb\.net.*"],
['http-text-html', ".*WANRemote 3\.0 - Main Menu.*"],
['packet', "(text:.*|opennotepad|config|listen|stop listen)"],
['packet', "(CDTRAY\/OPEN|FLASH-COLORS\/.*)"],
['stream', "\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08.*"],
['stream', "# \+---------------------------\+.*"],
['stream', "[^Y]+YOU ARE NOW CONNECTED TO[^C]+C r e d i t s[^v]+v2\.[0-9]+\..*"],
['http-url-parsed', ".*\/test\/tracker\.exe.*"],
['telnet-user', "\[backdoor\]"],
['telnet-user', "\[d13hh\][[]"],
['telnet-user', "friday"],
['telnet-user', "hax0r"],
['telnet-user', "lrkr0x"],
['telnet-user', "r00t"],
['telnet-user', "rewt"],
['telnet-user', "satori"],
['telnet-user', "StoogR"],
['telnet-user', "w00w00"],
['telnet-user', "wank"],
['telnet-user', "wh00t"],
['stream', ".*BN.*"],
['stream', ".*FC .*"],
['stream', ".*c:\\.*"],
['stream', "[0-9]+\x00[^\0]+\x00bin\x00.*"],
['stream', "[0-9]+\x00[^\0]+\x00echo\x00.*"],
['stream', "[0-9]+\x00[^\0]+\x00root\x00.*"],
['finger-user', "\."],
['finger-user', "0"],
['stream', "[^@]* .*"],
['stream', ".*\x00.*"],
['stream', ".*\|.*"],
['finger-user', "root"],
['finger-user', "\/.*"],
['finger-host', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
['stream', ".*killme.*"],
['stream', ".*betaalmostdone.*"],
['stream', ".*gOrave.*"],
['stream', ".*dos .*"],
['stream', ".*killdead.*"],
['stream', ".*mdie .*"],
['stream', ".*mdos .*"],
['stream', ".*mping .*"],
['stream', ".*msize .*"],
['packet', ".*HELLO.*"],
['packet', ".*PONG.*"],
['packet', ".*HELLO.*"],
['packet', ".*PONG.*"],
['stream', ".*trinoo>.*"],
['packet', ".*[[][]]\.\.Ks.*"],
['packet', ".*bbb .*"],
['packet', ".*d1e .*"],
['packet', ".*png .*"],
['packet', ".*alive.*"],
['packet', ".*alive.*"],
['packet', ".*alive tijgu.*"],
['stream', ".*!@#\x0d.*"],
['packet', "newserver"],
['packet', "pong"],
['packet', "pong"],
['packet', "pong"],
['packet', "pong"],
['packet', "ping.*"],
['http-url-parsed', ".*org\.apache\.catalina\.servlets\.DefaultServlet\/[^ ]\.jsp.*"],
['http-header-referer', "http:\/\/host\/xxxxxx\/exp\.php\?hi_lames=haha"],
['http-url-parsed-param', ".*\[htgrep(\/|\?)file=index\.html&hdr=\/\].*"],
['stream', ".*\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a.*"],
['http-url-parsed-param', "\/bin\/wintty\.exe\?%2dt\+.*"],
['http-url-parsed', ".*\/\[WEB-INF\]\.(\.)?\/"],
['http-header', "\[Content-Length\]: -.*"],
['http-url-parsed-param', ".*\x0d?\x0a(\040|\011)*([A-z]|[0-9]|-)+:.*"],
['http-request', "\[CONNECT\] .+\..+\..+\..+:[0-9]+ HTTP\/.*"],
['http-url-parsed-param', ".*\[\/newdsn\.exe\]\?[^\012]*\[dbq\]=\/?\.\.\/.*"],
['http-url-parsed', "\/\[adsamples\/config\/site\.csc\].*"],
['http-url-parsed-param', "\/\[iissamples\/exair\/howitworks\/codebrws\.asp\?*source=\].*"],
['http-url-parsed', ".*\[\/(cgi-bin|scripts)\/cmd(32)?\.exe\]"],
['http-header', ".*\[xp_cmdshell\].*"],
['http-url', ".*\[%(0a|20)\.pl\].*"],
['http-request', "GET x HTTP\/1\.0.*"],
['http-url-parsed', ".*\/\[repair\/sam\]\._.*"],
['http-url-parsed', ".*\/(\[winnt\]|\[windows\])\/\[system32\]\/\[cmd\.exe\].*"],
['http-data', ".*<[^>]+xmlns:.=.\[DAV\][^>]+>.*<u:.+"],
['http-url', "\/%69%6E%64%65%78%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E.*"],
['http-url-parsed-param', ".*\?[^ ]*<%00\[script\].*"],
['http-url-parsed', ".*\[(scripts|msadc)\/sensepost\.exe\].*"],
['http-url-parsed-param', ".*\.\[htw\]\?[^\000]*\[CiWebHitsFile\]=[^&]+(%20|\[(qfullhit|qsumrhit)\.htw\]).*"],
['http-url-parsed', ".*\[msadcs\.dll\/VbBusObj\].*"],
['http-data', ".*\[SELECT DAV:displayname from\]\x0a?[ ]*\[SCOPE\]\(\".*"],
['http-data', ".*<a:displayname \/><u:VVVVVVVVVVVVVV.*"],
['http-url-parsed-param', ".*\/scripts\/convert\.bas\?\/?\.\.\/.*"],
['http-url-parsed', ".*\/local\/httpd$map\.conf.*"],
['http-url-parsed', ".*\/(-)+\/\*(\.\*)?.*"],
['http-url-parsed-param', ".*\[\/StreamingStatistics\?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9])\].*"],
['http-url-parsed-param', ".*\[\/PortInformation\?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9])\].*"],
['http-url-parsed', ".*\/\[vti_pvt\/administrators\.pwd\].*"],
['http-url-parsed-param', ".*\/\[_vti_bin\/_vti_aut\/dvwssr\.dll\?\].*"],
['http-url-parsed-param', ".*\/\.\.\.\.\/.*"],
['http-url-parsed', ".*\/\[_vti_pvt\/services\.pwd\].*"],
['http-url-parsed', "\/\[main\]\/\[(config\.bin|profile\.wlp|event\.logs)\]"],
['http-url-parsed-param', ".*\[\/win-c-sample\.exe\?.*(cmd\.exe|command\.com)\]"],
['http-request', "GET \/[^ ]* HTTP\/...[^\012]*\.[0-9].*"],
['stream', "\[(GET|POST|HEAD)\] \/[^ ]* HTTP\/...[^ ]*\.[0-9].*"],
['http-url', "\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
['http-url-parsed', ".*\/wwwboard\/passwd\.txt.*"],
['http-url-parsed-param', ".*\.htaccess"],
['http-url-parsed', ".*\[admin_files\/order\.log\]"],
['http-url-parsed', "\/fpdb\/shop.mdb.*"],
['http-url-parsed', "\/\[WEB-INF\]\.\/.*"],
['http-url', "\/\[upnp\/service\/(%2e|\.)(%2e|\.)(%2f|\/)netgear\.cfg\].*"],
['http-url', ".*\.\[jsp\](%00|%20).*"],
['http-url-parsed-param', ".*\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\">>>>>>>>>>>>.*"],
['http-url-parsed-param', "\/\[cgi-bin\]\/\[cart32.exe\]\/\[expdate\]"],
['http-url-parsed-param', ".*\/\.\[htpasswd\]"],
['http-url-parsed', "\/ver\.asp"],
['http-url-parsed-param', ".*\[boot\.ini\].*"],
['http-url-parsed', ".*\/\[XSQLConfig\.xml\]"],
['http-url-parsed', ".*\.\[DS_Store\]"],
['http-request', "\[GET\]\.\..*"],
['http-url', "(%%%|%%%%%)"],
['stream', "\[(GET|HEAD|POST|PUT|DELETE|LINK|UNLINK)\][^\012]*\[http:\/\/\]@@+[^\012]*[\012].*"],
['http-url-parsed-param', ".*\[http\]:\/\/?@@+.*"],
['http-url-parsed', ".*\.\[(w|e)mf\]"],
['http-url-parsed', ".*\.\[job\]"],
['http-url-parsed-param', ".*\Xeb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d\X.*"],
['http-url-parsed', ".*\.\[jsp\](\+|\\).*"],
['stream', "\x7c\x53\x61\x4d\x61\x4e\x7c"],
['http-header-host', ".*([\000-\054]|\057|[\073-\0100]|[\0133-\0136]|\0140|[\0173-\0377]).*"],
['http-url-parsed-param', ".*\.\[htw\]\?[^ ]*\[CiWebHitsFile\]=[^&]+&\[CiRestriction\]=\"<.*"],
['http-url-parsed', ".*(<|&\[lt\];)\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\][^>]*(>|&\[gt\];).*"],
['http-url-parsed-param', ".*\?[^<]*(<|%(\[u\]00)?3\[C\])\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\].*(>|%(\[u\]00)?3\[E\]).*"],
['http-url', ".*search\.php\?search=a(%27%20|%25%27).*"],
['http-url', ".*\[(discuss\.asp\?discussblurbid=|author\.asp\?authornumber=).*%3B%20FLUSH%20PRIVILEGES%3B\].*"],
['stream', "\[(GET|POST)[ ]+\/SimpleBar\.dll\/RunReport\]\?.*"],
['http-url-parsed-param', ".*edit\.php\?a=pre&submit=&auth=1&sid=[0-9]+--"],
['http-url-parsed-param', ".*\/modules\.php(\?|\/)[^ ]+&sortby=\[(select|insert|uname|update|explain)\].*"],
['http-url-parsed-param', ".*\/\[browse_item_details\.asp\]\?[^\012]*Item_ID=[^;]*;.*"],
['http-url', ".*\/([a-z]|[A-Z]|\.)+\.%00\.txt.*"],
['http-url', "\/ext\.ini\.% ?00\.txt"],
['http-request', "GET[ ]+HTTP\/1\.0"],
['http-url', "\/(\.\.\.\/)+\/.*"],
['http-url-parsed-param', ".*\[mfcisapicommand=PassThru\].*"],
['http-url-parsed-param', ".*\/\[apexec\.pl\?.*template\]=\/?\.\.\/.*%00.*"],
['http-url-parsed', ".*\/fezmall2000\/mall_log_files\/forder\.log"],
['http-url-parsed', ".*\[\/servlet\/ServletExec\].*"],
['http-url-parsed-param', ".*\/\[websendmail\?.*query\]=';.*"],
['http-url', ".*(user_logged_in=true|user_dnstools_administrator=YES).*"],
['http-url', ".*db4web_c\.exe\/(([a-z]|[A-Z]|[0-9])*\/)*.%3A%5C.*"],
['http-url', ".*\/\[db4web_c\]\/[^ ]*\/\/.*"],
['stream', ".*\[GET[ ]+\/surf\/scwebusers\].*"],
['http-url-parsed-param', ".*\/Carello\.dll\?VBEXE=[a-z]:\\\.\\.*"],
['stream', ".*\[(GET|POST)\] \/cgi-bin\/\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\winnt\/.*"],
['http-url-parsed', ".*\/web\/usermgr\/userlist\.asp.*"],
['http-url-parsed-param', ".*\[tuxadm\.exe\]\?[^\012]*INIFILE=\[(CON|AUX|COM1|COM2|COM3|COM4)\].*"],
['http-url-parsed-param', ".*\/\[catalog_type\.asp\]\?[^\00]*\[ProductType\]=\|\[shell\]\(.*"],
['http-url-parsed-param', "\/\[cgi-bin\/webplus\?.*script=\/?\.\.\/\]"],
['http-url-parsed-param', ".*\[\/webplus\.cgi\?.*Script=\/webplus\/webping\/webping\.wml\].*"],
['http-url-parsed-param', ".*bb-hist.sh\?.*\.\.\/\.\..*"],
['http-url-parsed-param', ".*\/cgi-bin\/bb-(hist|histlog|hostsvc|rep|replog|ack)\.sh\?.*[A-Z]+=\/"],
['http-url', ".*%00.\[jsp\]"],
['http-url', ".*%00x"],
['http-url-parsed-param', ".*\[ExprCalc\.cfm\?.*OpenFilePath=\].*"],
['http-text-html', ".*\[codeBase=hhctrl\.ocx\].*"],
['http-text-html', ".*<[^>]*\[telnet\]:\/\/(-|(&055;)|(%55))(n|f)((%20)| |%2f|\/|\.\.\/)+[^>]*>.*"],
['http-text-html', ".*<[^>]*\[notes\]:( |\011)?(\042|\047)?=[\0134][\0134][^>]*[\0134]\[notes\.ini\][^>]*>.*"],
['http-text-html', ".*<\[img\][^>]+(\[width\]|\[height\])=[0-9][0-9][0-9][0-9][0-9][0-9]+[^>]*>.*"],
['http-data', "\0377WPC..\000\000\001\012.*"],
['http-url-parsed', ".*\.\[w(al|sz)\]"],
['http-header-content-type', "\[application\/hta\]"],
['http-text-html', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
['http-data', ".* = (\"|')\x33\xdb\x8b\xd4\x80\xc6\xff\xc7\x42\xfc\x63\x6d\x64\x01\x88\x5a\xff\x8d\x42\xfc\x8b\xf5\x56\x52\x53\x53\x53\x53\x53\x53\x50\x53\xb8\x41\x77\xf7\xbf\xff\xd0\xb8\xf8\xd4\xf8\xbf\xff\xd0\xcc(\"|').*"],
['http-data', "BM....\00\00\00\00[\0200-\0377].*"],
['http-header', "\[content-disposition\]:(\040|\011)*\[attachment\](\040|\011)*;(\040|\011)*\[filename\](\040|\011)*=(\040|\011)*[^\000]*\.{[^\055]+-[^\055]+-[^\055]+-[^\055]+-[^\055]+}.*"],
['http-text-html', ".*<\[SCRIPT\].*(\[Create\]|\[ActiveX\])\[Object\](\((\"|\')?|[ ]+)\[Shell\.Application\].*\[\.ShellExecute\].*"],
['http-text-html', ".*<\[SCRIPT\].*=( |\x09)*\[location\.assign\]( |\x09)*;.*"],
['http-text-html', ".*<\[iframe\][^>]+\[src\]=(\047|\042)?\[mhtml\]:[^\041]+\041[^>]+.*"],
['http-text-html', ".*<\[a\][^>]*\[href\](\040|\011)*=(\040|\011)*(\"|')?\\\\.*"],
['http-header-content-location', ".*\?[0-5][0-5][0-5];.*"],
['http-text-html', ".*\[document\.execCommand\(\"SaveAs\"\][^\051]*\.\[(pif|scr|exe|cmd|bat|zip|com|js)\]\"\).*"],
['http-text-html', ".*<[^>]*\[(href|src)\](\040|\011)*=(\040|\011)*(\"|')?\[shell:\].*"],
['http-text-html', ".*\.initKeyEvent(\(| )(\"|')?keypress(\"|')?, ?(\"|')?true(\"|')?, ?(\"|')?true(\"|')?, ?(\"|')?window(\"|')?, ?(\"|')?(false|true)(\"|')?, ?(\"|')?false(\"|')?, ?(\"|')?(false|true)(\"|')?, ?(\"|')?false(\"|')?, ?45, ?0, ?(\"|')?text(\"|')?\)?;.*"],
['http-text-html', ".*classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11.*"],
['http-data', "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a....IHDR(([^\00])|(\00[^\00])|(\00[\00][\0177-\0377])).*"],
['http-data', "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a....IHDR....(([^\00])|(\00[^\00])|(\00[\00][\0177-\0377])).*"],
['http-text-html', ".*<([a-z]|[A-Z])+[^>]+\[hcp\]:\/\/([\000-\041]|[\043-\046]|[\050-\0377])*(\"|&\[quot\];|&#34;)([\000-\041]|[\043-\046]|[\050-\0377])*-\[url\][ ]+(\"|&\[quot\];|&#34;).*"],
['http-url-parsed', "\/cgi-bin\/nph-test-cgi"],
['http-url-parsed', ".*\/\[(prn|con|aux|nul|com\][1-9]|\[lpt\][1-9])\.(\[asp|cgi|html?)\].*"],
['http-url-parsed-param', ".*\[cmd1?\.exe=?\].*"],
['http-url-parsed-param', ".*\[scripts\/root\.exe\].*"],
['http-url-parsed-param', ".*\[rguest\.exe\?.*template=[a-z]:\].*"],
['http-url-parsed-param', ".*\[wguest\.exe\?.*template=[a-z]:\].*"],
['http-url-parsed-param', ".*\/search\.cgi\?.*keys.*cat(e|i)gory=\.\.\/.*"],
['http-url-parsed-param', ".*\/cgi-bin\/bizdb1-search\.cgi(\?|\/)[^\012]*\[dbname=\].*"],
['http-url-parsed-param', ".*\[\/survey\.cgi\]\?.*(\||<|>|;).*"],
['http-url-parsed-param', ".*\/\[whois_raw\.cgi\]\?[^\00]*\[fqdn\]=[^\00]*(%0A|%20).*"],
['http-url-parsed-param', ".*\/\[Poll_It_SSI\][^.]*\.\[cgi\]\?[^\012]*\[data_dir\]=[^\012]*%00"],
['http-url-parsed-param', ".*\[\/(post32\.exe|lsindex2\.bat)\|\]"],
['http-url-parsed', "\[\/_private\/shopping_cart\.mdb\]"],
['http-url-parsed-param', ".*\/\[formmail\.cgi\?.*env_report\]=[A-Z]+"],
['http-url', ".*\[\/shop\.cgi\/page=\/?\.\.\/\].*"],
['http-url-parsed-param', ".*\/\[info2www\]\?\((\.\.\/)+[^\0174]*\|\).*"],
['http-url-parsed-param', ".*\/\[hsx\.cgi\?.*show\]=\?\.\.\/.*%00"],
['http-url-parsed-param', ".*\[\/cached_feed\.cgi\?.*\.\.\/\]"],
['http-url', ".*%00.*"],
['http-url-parsed-param', ".*\[\/ows-bin\/.*\]\?&"],
['http-url-parsed-param', ".*\[\/webspirs\.cgi\?.*sp.nextform=\/?\.\.\/\]"],
['http-url-parsed-param', ".*\[YaBB\.pl\?.*num\]=.*(\/?\.\.\/|%00).*"],
['http-url-parsed-param', "\/\[cgi-bin\/infosrch\.cgi\?.*fname\]=\|"],
['http-url-parsed-param', ".*\/\[authenticate\.cgi\?.*PASSWORD.*config\.ini\].*"],
['http-url-parsed-param', ".*\[\/commerce\.cgi\?.*page=\/?\.\.\/.*%00\].*"],
['http-url-parsed-param', ".*\[\/dcboard\.cgi\]\?.*(\||;|\/?\.\.\/).*"],
['http-url-parsed', ".*\/aglimpse[^|]*\|.*"],
['stream', "\[POST\] \[\/cgi-bin\/w3-msql\/\][^\000]+\[content-length\]:[ ]+[1-9][0-9][0-9][0-9]+.*"],
['http-url-parsed-param', ".*\/\[main\.cgi\]\?[^\012]*\[filename\]=\/?\.\.\/.*"],
['http-url-parsed-param', ".*\/\[print\.cgi\]\?[^\012]*\[board\]=\/?\.\.\/.*"],
['http-header', "\[content-length\]:.*\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06.*"],
['http-url', "query\?mss=.*(\.\.|%2e%2e).*"],
['http-url', "\[\/cgi-bin\/htsearch\?exclude=%60.*\]"],
['http-url-parsed-param', ".*\/\[emumail\.cgi\]\?[^\012]*type=[^&]*%00.*"],
['http-header-user-agent', ".*Hackscape\/1\.0 (j00r asS gonna gets 0wned).*"],
['stream', ".*POST \/cgi-bin\/formtest\.cgi HTTP\/1\.0\x0aConnection: close\x0aUser-Agent: (\x90)+\xeb\x30\x5e\x89\x76\x3b\x31\xc0\x88\x46\x08\x88\x46\x0b\x88\x46\x3a\x89\x46\x47\xb0\x0b\x8d\x5e\x09.*"],
['http-url', "\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x61\x6d\x70\x6c\x65\x33\x2e\x63\x67\x69\x3f\x6e\x61\x6d\x65\x3d(\x58\x58)+\x24\xfc\xff\xbf\x26\x61\x64\x64\x72\x65\x73\x73\x3d\x74\x65\x73\x74\x26\x74\x65\x6c\x65\x70\x68\x6f\x6e\x65\x3d\x74\x65\x73\x74\x20\x48\x54\x54\x50\x2f.*"],
['http-url-parsed-param', ".*smartsearch\.cgi\?[^ ]*keywords=\|.*"],
['http-url-parsed-param', ".*\[parse_xml\.cgi(\?|\/)filename\]=\.\.\.?\/.*"],
['http-header-cookie', ".*lang=([^A-z]|[\0133-\0140]).*"],
['http-url-parsed-param', ".*\/none\.php\?(\.\.:|\/).*"],
['http-url-parsed-param', ".*\/\[viewCart\.asp\]\?[^\00]*\[userID\]=[^&]*'.*"],
['http-url-parsed-param', "\/reports\.cgi\?output=show_chart&product=[^&]+&datasets=1"],
['http-request', "\[GET\] \/cgi-bin\/helpout\.exe (HTTP|HTTP\/)?"],
['http-url-parsed', "\/(\[webadmin\]|\[names\]|\[log\])\.\[ntf\]..........[^\012]*\.\[nsf\]"],
['http-url-parsed', ".*\.(pl|exe|csp)(\.| \.|%20\.|%20%2\[e\])"],
['http-request', "\[GET !\"#\].*"],
['http-url-parsed', "\/servlet\/con"],
['http-url', "\/sw[0-9]+\/cgi\/device_reset\?.*"],
['http-url-parsed', "%"],
['stream', ".*POST \/cgi-bin\/\[([a-z]|[0-9]|\.)+\] HTTP\/1\.0\x0d\x0aContent-Length: 111111111111111111111111111\x0d\x0a\x0d\x0aA\x0d\x0a\x0d\x0a.*"],
['http-request', "\[OPTIONS \/AAAAAAAAAAAA[A]+\.html\].*"],
['stream', "GET \/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/[^ ]* HTTP\/1\.[0-1].*"],
['http-url-parsed', "(\/aux\/aux\/|\/con\/con)"],
['http-url-parsed-param', "\/cgi-bin\/hpnst\.exe(\?|\/)c=p\+i=hpnst\.exe"],
['http-header', "(connection|range):"],
['http-url-parsed-param', "\/emailpwdreset\.srf\?lc=1033&em=[^@]+@hotmail\.com&[^\012]*prefem=[^@]+@([^h]|[^H])[^&]+&rst=1"],
['stream', ".*(uname|bin\/ls|bin\/id|bin\/nc|bin\/g?cc|bin\/(send)?mail|ifconfig|bin\/(k|ba|z|c|tc)?sh).*"],
['http-url-parsed-param', ".*\[\/admin\/browse.asp?.*FilePath=(c|d|e|f|g):\\.*&Opt=2&.*level=0\].*"],
['http-url-parsed-param', "\/cgi-bin\/wrap\?\/?\.\.\/.*"],
['http-url-parsed', "\/cgi-bin\/\.cobalt\/overflow\/overflow\.cgi"],
['http-url-parsed', "\/cgi-bin\/\.cobalt\/overflow\/overflowTestEmail\.cgi"],
['stream', ".*GET \/\.cobalt\/sysManage\/\.\.\/admin\/[^\040]+ HTTP\/1\.[0-1].*"],
['stream', ".*(GET|POST) \[\/cgi-bin\/\.cobalt\/alert\/service\.cgi\]\?.*service=\/\[AAAAAAAAAAAAAAA[A]+\].*"],
['http-url-parsed-param', ".*\/\[my?log\.p?html\?.*screen\]=.*\/.*"],
['http-url-parsed-param', ".*\/\[php\.cgi\]\?(\/|\.\.)"],
['http-url-parsed-param', ".*\/[^.]*\.\[php\]\?[^\012]*_PHPLIB\x5Blibdir\x5D=.*"],
['http-url', ".*dostuff.php.*"],
['http-url', ".*\[member\.php\?.*&+member='%20OR%20(password='PASSWORD|status='ADMINIST)\].*"],
['http-url', ".*\[\/misc\.php\?.*&?send=yes.*&loser='%20OR%20password='PASSWOR\].*"],
['http-url', ".*\[\/pm\.php\?.*action=reply.*&pmid=.+\].*"],
['http-url-parsed', ".*midicart\.mdb.*"],
['http-url-parsed-param', ".*\[index\.php\]\?[^\012]*\[m=projects\][^\012]*&\[user_cookie\]=1.*"],
['http-url-parsed-param', ".*class\.atkdateattribute\.js\.php(\?|\/).*&?config_atkroot=(http|ftp):.*"],
['http-url', ".*summary_graph_functions\.php\?.*\[g_jpgraph_path=http(:\/\/|%3A%2F%2F)\].*"],
['http-url', ".*login_page\.php\?.*g_meta_include_file=http(:\/\/|%3A%2F%2F).*"],
['http-url-parsed-param', ".*\/(template|reply)\.php(\?|\/)nm=\.\.\/users.*"],
['http-url', ".*board\.php\?boardid=[^\/]*%27,%20userid=%27.*"],
['http-url-parsed-param', ".*calendar\.php\?calbirthdays=[0-9][^ ]*&action=getday[^ ]*&comma=%22;echo.*"],
['http-url-parsed-param', ".*customize\.php\?l=http:\/.*"],
['http-url', ".*avatar\.php\?img=3D\.\.\/secret\/connect\.php.*"],
['http-url-parsed-param', ".*\/aff_news\.php\?chemin=http:\/\/.*"],
['http-url', ".*\.php\?uid='%20OR%20''='&pwd='%20OR%20''='"],
['http-url-parsed-param', ".*\[customize\.php\]\?\l=\/.*"],
['http-url-parsed-param', ".*\/email\.php(\?|\/)[^&]+&cer_skin=http:\/\/.*"],
['http-url-parsed-param', ".*\/lib\/emailreader_execute_on_each_page\.inc\.php(\?|\/)emailreader_ini=http:\/.*"],
['http-url-parsed-param', ".*\/\[ssi\.php\](\?|\/)[^\012]*\[sourcedir=(\"|')?http\]:\/\/.*"],
['http-url-parsed-param', ".*\[mainfile\.php\]\?[^ ]*MAIN_PATH=\[(http|ftp)\]:\/\/.*"],
['http-url-parsed-param', ".*\/artlist\.php\?root_path=http:\/\/.*"],
['http-url-parsed-param', ".*\/config\.php\?root_path=http:\/\/.*"],
['http-url-parsed-param', ".*\/thatfile\.php\?root_path=http:\/\/.*"],
['http-url-parsed-param', ".*\/auth\.inc\.php\?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n.*"],
['http-url', ".*\/modules\.php\?name=News&file=article&sid=[0-9]+%20or%20.*"],
['http-url-parsed-param', ".*modules\.php(\?|\/)name=Search([^\012]|[^\015])*&days=[0-9]+\+or\+mid\(a\.pwd.*"],
['http-url-parsed-param', ".*\[modules\.php\](\?|\\)[^\012]*(c|l|art|sec)id=-?[0-9]+(\+|%20)\[UNION\](\+|%20).*"],
['http-url-parsed-param', ".*\/\[modules\.php\]\?[^\012]*&\[sid\]=[^&]*\[UNION\].*"],
['http-url-parsed-param', ".*\[index\.php(\?|\/)forum_id=[0-9]+\+or\].*"],
['http-url-parsed-param', ".*\/\[prefs\.php\](\?|\/)([^ ]|[^\012]|[^\015])*&lang=\/\.\.\/.*"],
['http-url-parsed-param', ".*\[profile\.php\]\?[^\012]*\[mode=viewprofile\][^\012]*&\[u\]='.*"],
['http-url-parsed-param', ".*search\.php\?[^\012]*search_id=[0-9]+(\+|%20)\[union\].*"],
['http-url-parsed-param', ".*(captionator|errors\/(configmode|needinit|reconfigure|unconfigured))\.php\?GALLERY_BASEDIR=.*"],
['http-url-parsed-param', ".*\/\[setup\.cgi\]\?[^\012]*\[todo=debug\].*"],
['http-url', ".*(SnoopServlet|TroubleShooter).*"],
['http-url-parsed', ".*\/examples\/servlet\/(AUX|LPT1|CON|PRN).*"],
['http-url', ".*\x00\.jsp"],
['http-request', ".*\x00\.\[jsp\].*"],
['http-url-parsed', "\/cgi-bin\/rpm_query"],
['stream', ".*NOTIFY \* HTTP\/1\.1\x0d\x0aHOST: 239\.255\.255\.250:1900\x0d\x0a.*USN: uuid:QB0X\x0d\x0a\x0d\x0a\x0d\x0a.*"],
['stream', ".*\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE3\x03\x00\x00\x00\x4E\x00\x00.*"],
['stream', ".*\xc4\x01\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\xae\x01\x4d\x53\x54\x53\x43\x00\x11\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x05\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x08\x00\x01\x00\x01\x00\x01\x00\x00\x05\x00\x04\x00\x00\x01\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\x2a\x00\x01\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00.*"],
['stream', ".*@PJL RDYMSG DISPLAY =.*"],
['stream', ".*@PJL RDYMSG DISPLAY =.*"],
['http-url-parsed-param', "(.*\/error\?\/?)|(\?)"],
['stream', ".*\[POST \/plugins\/framework\/script\/content\.hts\].*"],
['http-url-parsed-param', ".*\[\/plugins\/framework\/framework\.ini\].*"],
['ftp-pathname', "\*\?AAAAAA.*"],
['ftp-sitestring', "\[cpwd\].*"],
['stream', ".*\x4d\x4b\x44\x20\x90\x90\x90\x90\x90\x31\xdb\x31\xc9\xeb\x12\x5e\xbf\x10\x10\x10\x10\xb1\x21\x29\x7e\x01\x83\xc6\x04\xe2\xf8\xeb\x05\xe8\xe9\xff\xff\xff\xff\xff\xff\x90\xfb\x5d\x6e\x41\xd0\xc0\x27\x63\x63\xaa\x10\x10\x10\x10\x17\x10\x41\xd0\xc0\x60\x9d\x8e.*"],
['ftp-put-filename', "\/bin\/(ls|cd).*"],
['ftp-sitestring', "\[exec\].*"],
['ftp-pathname', "@\/\.\.@\/\.\..*"],
['ftp-pathname', ".*-w [1-9][0-9][0-9][0-9][0-9].*"],
['ftp-pathname', "\*\*\*\*\*\*\*\*\*.*"],
['ftp-password', "root"],
['ftp-pathname', ".*\.%20\..*"],
['line', "\[CWD\] .*\.\.\/\.\."],
['ftp-get-filename', "\/?\.\.\/\.\.\/\.\.\/.*"],
['ftp-put-filename', ".*\.\.\/autoexec\.bat"],
['ftp-pathname', ".*\.?\*\.?\/\.?\*?\??\.?\/\*?.*"],
['ftp-username', ".*(%[0-9]*(n|h|s|x))+.*"],
['ftp-username', "\[root\]"],
['telnet-user', "root"],
['http-url-parsed-param', ".*(c|d)\/inetpub\/scripts\/root\.exe\?.*"],
['http-url-parsed-param', ".*(c|d)\/winnt\/system32\/cmd\.exe\?.*"],
['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\ImagePath.*"],
['smtp-data-line', ".*http:\/\/www\.friendgreetings\.com\/pickup\/pickup\.aspx.*"],
['smtp-mime-content-filename', "(\[your_details\]|\[application\]|\[document\]|\[screensaver\]|\[movie\])\.zip.*"],
['http-url-parsed-param', "\/(1|\[scr\])\.php"],
['http-url-parsed-param', "\/search\?(p|q)=inurl:\*\.php\?\*=.*"],
['http-url', "\[\/scripts\/root\.exe\?\/c\+dir\]"],
['http-url', "\[\/MSADC\/root\.exe\?\/c\+dir\]"],
['http-url', "\[\/scripts\/\.\.%255c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
['http-url', "\[\/_(vti|mem)_bin\/\.\.%255c\.\.\/\.\.%255c\.\.\/\.\.%255c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
['http-url', "\[\/scripts\/\.\.(%c1%1c|%c0%af|%c1%9c)\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
['smtp-data-line', ".*<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>.*"],
['smb-open-filename', ".*\.\[(\x00)?N(\x00)?W(\x00)?S(\x00)?\]"],
['smb-open-filename', ".*\.\[(\x00)?E(\x00)?M(\x00)?L(\x00)?\].*"],
['http-url', ".*\x2f\x64\x65\x66\x61\x75\x6c\x74\x2e\x69\x64\x61\x3f\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x39\x30\x39\x30\x25\x75\x38\x31\x39\x30\x25\x75\x30\x30\x63\x33\x25\x75\x30\x30\x30\x33\x25\x75\x38\x62\x30\x30\x25\x75\x35\x33\x31\x62\x25\x75\x35\x33\x66\x66\x25\x75\x30\x30\x37\x38\x25\x75\x30\x30\x30\x30.*"],
['stream', ".*\[BEGIN +ctxsys\.driload\.validate_stmt\]\(.*"],
['stream', ".*ORA-01017:( invalid username\/password; logon denied)?.*"],
['stream', ".*adamswoodXXXXX.*"],
['stream', ".*scotttigerXXXXX.*"],
['stream', ".*blakepaperXXXXX.*"],
['stream', ".*clarkclothXXXXX.*"],
['stream', ".*\[ctxsys(ctxsys|unknown|change_on_install)\]XXXXX.*"],
['stream', ".*dbsnmpdbsnmpXXXXX.*"],
['stream', ".*aurora$orb$unauthenticatedinvalidXXXXX.*"],
['stream', ".*jonessteelXXXXX.*"],
['stream', ".*mdsysmdsysXXXXX.*"],
['stream', ".*ordpluginsordpluginsXXXXX.*"],
['stream', ".*ordsysordsysXXXXX.*"],
['stream', ".*outlnoutlnXXXXX.*"],
['stream', ".*\[system(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*)\]XXXXX.*"],
['stream', ".*tracesvrtraceXXXXX.*"],
['stream', ".*\[sys(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*)\]XXXXX.*"],
['stream', ".*\[ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT\].*"],
['packet', "....\0377[\024-\025]\04.*"],
['stream', ".*\[s\00p\00_\00p\00a\00s\00s\00w\00o\00r\00d\00\].*"],
['stream', ".*\[s\00p\00_\00a\00d\00d\00u\00s\00e\00r\].*"],
['stream', ".*\x10\x01\x00.\x00\x00\x01\x00..\x00\x00\x00\x00\x00\x71\x00\x00\x00\x00\x00\x00\x00\x07....\x00\x00\x00\x00\xE0\x03\x00\x00..\x00\x00..\x00\x00.\x00.\x00.\x00.\x00.\x00\x00\x00.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[explorer\.doc\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[normal\.dot\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[resume1\.doc\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[kak\.hta\]*\".*"],
['smtp-mime-content-filename', ".*\.\[exe\]\."],
['smtp-mime-content-filename', "(approved|application|doc_details|movie28|password|ref-39....|screen_doc|screen_temp|_approved)\.pi[f]*"],
['smtp-header-subject', ".*(Hi|Hello|Re:|Fw:)*\040?(Very |special |Happy |Have a )(New |funny |nice |humour |excite |good |powful |WinXP |IE 6.0 )*(game\.|tool\.|website\.|patch\.|Allhallowmas|Epiphany)"],
['smtp-header-subject', "(W32\.Elkern|W32\.Klez\.E) removal tools"],
['smtp-mime-content-data', "(\x4d\x5a|\x4c\x01).(\000|\001).*"],
['smtp-mime-content-filename', "\[photos\.zip\]"],
['smtp-mime-content-data', "PK.*\.(pif|scr|exe|cmd|bat|zip|com)(\x4d\x5a|\x4c\x01).(\000|\001).*"],
['stream', ".*\\\\\.\.\/\x00\x00\x00.*"],
['stream', ".*\\\\\.\.\.\/\x00\x00\x00.*"],
['smb-connect-path', "\\\00?\\\00?.*\\\00?A\00?D\00?M\00?I\00?N\00?$\00?.*"],
['smb-connect-path', "\\\00?\\\00?.*\\\00?C\00?$\00?.*"],
['smb-connect-path', "\\\00?\\\00?.*\\\00?D\00?$\00?.*"],
['smb-native-os', "Unix"],
['packet', ".*([\001-\010]|[\013-\014]|[\016-\037]|[\0200-\0377]).*"],
['pop3-command-line', "(UIDL|DELE) 11111111111111111111111111111111.*"],
['pop3-command-line', "helo:AAAAAAAAAAAAAAAA.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[bat\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[com\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[cpl\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ocx\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[hta\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ade\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.386\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[adp\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[inf\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[lnk\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msp\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[reg\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[w(al|sz)\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ht\]\".*"],
['packet', "\xe3\x36\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x02\x00\x00\x00\x02\x01\x00\x01\x04\x00\x54\x65\x73\x74\x03\x01\x00.*"],
['stream', ".*\[Authorization: Basic A==\].*"],
['stream', "RCH0.*"],
['packet', "play\x2d\x00..............(([\060-\0377])|(.[^\000])|(..[^\000])|(...[^\000])).*"],
['stream', ".*\x0a\[Max-dotdot\][ ]+[0-9][0-9][0-9][0-9].*"],
['packet', "\x00\x01\x00\x07.....(.[^\000]|[^\000].).*"],
['packet', ".*\x45\x89\x02\x00....\x00\x00\x00\x20\x45\x00\x00\x00"],
['stream', ".*\|\|[0-9]\|\|"],
['stream', "\[(get|head|post|source)\][^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012.*"],
['stream', ".*\x05\x00\x06\x01\x00\x00\x00\x00\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x00\x00\x00\x00\x00\x00\x00\x00.*"],
['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*"],
['packet', "1234567890"],
['smb-open-filename', ".*\u\[\\ci_skads\]\u"],
['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
['packet', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
['packet', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
['http-url-parsed-param', ".*\.htgroup.*"],
['http-url-parsed-param', ".*\/\[cgi-bin\/plusmail\]\?.*password=.*password1=.*new_login=.*"],
['http-url-parsed-param', ".*\[BBBB\.htr\].*"],
['packet', "[\0101-\0172]+"],
['packet', "............\x15.*"],
['packet', "............\x0d.*"],
['packet', "............\x12.*"],
['packet', ".......\x08\x00\x04.*"],
['packet', ".......\x08\x00\x01.*"],
['packet', "..[^\00][^\00].*"],
['stream', ".*\xeb\x4b\x5b\x53\x32\xe4\x83\xc3\x0b\x4b\x88\x23\xb8\x50\x77.*"],
['stream', ".*PING :1986115026.*001 :irc\.random\.org trillian.*"],
['stream', ".*<\[a href\] ?= ?\"\.\.\/\.\.\/.*"],
['packet', "\x00\x01\[admin\.dll\].*"],
['packet', "\x00\x02.*"],
['packet', ".*\.\..*"],
['smtp-data-text-plain', "XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X"],
['smtp-mime-content-filename', ".*\.\[wp5\]"],
['smtp-header-line', "\[content-type\]:[^\000]+<(\[script\]>|[^\000]+\[onLoad=java\])[^>]*>.*"],
['stream', ".*<[^>]*\[notes\]:( |\011)?(\042|\047)?=[\0134][\0134][^>]*[\0134]\[notes\.ini\][^>]*>.*"],
['stream', ".*<[^>]*\[href=\](3D)?(\"|')?\[aim:goaway\?message=\].*"],
['smtp-mime-content-filename', "\[PC210017\.JPG\].*"],
['smtp-rcpt', ".*\[IMCEASMTP\]-[^+]*\+[^+]*\+[^@]*@.*"],
['stream', ".*\012(\040|\011)*\[password address=\].*\012(\040|\011)*\[password address=\].*"],
['stream', ".*MASSINE.*"],
['smtp-command-line', ".*__safebomb__.*"],
['smtp-header-to', "x"],
['smtp-command-line', ".*\[AUTH( |\011)+GUEST\].*"],
['smtp-header-from', ".*\|.*"],
['smtp-from', ".*\|.*"],
['smtp-header-to', ".*\|.*"],
['smtp-rcpt', ".*\|.*"],
['smtp-header-reply-to', ".*\|.*"],
['smtp-header-line', "\[a\015*t\015*t\015*a\015*c\015*h\015*m\015*e\015*n\015*t\015* c\015*o\015*n\015*v\015*e\015*r\015*t\015*e\015*d\015*\]:.*"],
['smtp-data-text-plain', "Attachment Converted(\x0d|=0\[d\]):.*"],
['smtp-data-text-html', "Attachment Converted(\x0d|=0\[d\]|=00):.*"],
['smtp-command-line', ".*( |\x09)*\[expn\]( |\x09)+(admin|bin|decode|root|rpmmail).*"],
['smtp-command-line', "( |\x09)*\[vrfy\]( |\x09)+(bbs|decode|guest|postmaster|root|sybase)"],
['smtp-mime-content-filename', ".*\.\[exe\]"],
['smtp-mime-content-filename', ".*\.\[pif\]"],
['smtp-mime-content-filename', ".*\.\[scr\]"],
['smtp-mime-content-filename', ".*\.\[shs\]"],
['smtp-mime-content-filename', ".*\.\[vbs\]"],
['smtp-mime-content-filename', ".*\.\[com\]"],
['smtp-mime-content-filename', ".*\.\[bat\]"],
['smtp-mime-content-filename', ".*\.\[ocx\]"],
['smtp-mime-content-filename', ".*\.\[cmd\]"],
['smtp-mime-content-filename', ".*\[\.job\]"],
['smtp-mime-content-filename', ".*\.\[CPL\]"],
['smtp-mime-content-filename', ".*\.\[ade\]"],
['smtp-mime-content-filename', ".*\.386"],
['smtp-mime-content-filename', ".*\.\[adp\]"],
['smtp-mime-content-filename', ".*\.\[bas\]"],
['smtp-mime-content-filename', ".*\.\[chm\]"],
['smtp-mime-content-filename', ".*\.\[hlp\]"],
['smtp-mime-content-filename', ".*\.\[inf\]"],
['smtp-mime-content-filename', ".*\.\[ins\]"],
['smtp-mime-content-filename', ".*\.\[isp\]"],
['smtp-mime-content-filename', ".*\.\[js\]"],
['smtp-mime-content-filename', ".*\.\[jse\]"],
['smtp-mime-content-filename', ".*\.\[lnk\]"],
['smtp-mime-content-filename', ".*\.\[mde\]"],
['smtp-mime-content-filename', ".*\.\[msc\]"],
['smtp-mime-content-filename', ".*\.\[msi\]"],
['smtp-mime-content-filename', ".*\.\[msp\]"],
['smtp-mime-content-filename', ".*\.\[pcd\]"],
['smtp-mime-content-filename', ".*\.\[reg\]"],
['smtp-mime-content-filename', ".*\.\[sct\]"],
['smtp-mime-content-filename', ".*\.\[vb\]"],
['smtp-mime-content-filename', ".*\.\[wsc\]"],
['smtp-mime-content-filename', ".*\.\[wsf\]"],
['smtp-mime-content-filename', ".*\.\[wsh\]"],
['smtp-mime-content-filename', ".*\.\[w(al|sz)\]"],
['smtp-mime-content-filename', ".*\.\[ht\]"],
['smtp-header-line', ".*;\s+\[boundary\]\s*=\s*\"\""],
['packet', ".*\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x63\x82\x53\x63\x35[\001-\017][\001-\017].*"],
['stream', ".*\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08\xb0\x66\x43\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x90\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x29\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\x43\xcd\x80\x29\xc0\x40\x89\x46\x04\xb3\x04\xb0\x66\xcd\x80\xeb\x02\xeb\x4c\x29\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\x43\xcd\x80\x88\xc3\x29\xc9\xb0\x3f\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46\x04\x29\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\x64\xff\xff\xff.*"],
['stream', "\x31\xc9\xf7\xe1\x51\x5b\xb0\xa4\xcd\x80\x31\xc9\x6a\x02\x5b\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58\xcd\x80\xeb\x1f.*"],
['stream', "\x6d\x6f\x64\x65\x20\x72\x65\x61\x64\x65\x72\x0d\x0a\x67\x72\x6f\x75\x70\x20\x74\x65\x73\x74\x0d\x0a\x70\x6f\x73\x74\x0d\x0a\x4d\x65\x73\x73\x61\x67\x65\x2d\x49\x44\x3a\x20\x3c......\x40a*\x3e\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x61\x40\x61\x2e\x04\x80\x13\x08\xec\x83\x13\x08\x0d\x0a\x53\x65\x6e\x64\x65\x72\x3a\x20\x61\x40\x61\x2e\x04\x80\x13\x08\xec\x83\x13\x08\x0d\x0a\x4e\x65\x77\x73\x67\x72\x6f\x75\x70\x73\x3a\x20\x74\x65\x73\x74\x0d\x0a\x53\x75\x62\x6a\x65\x63\x74\x3a\x20\x62\x6c\x61\x68\x0d\x0a\x0d\x0a\x62\x6c\x61\x68\x0d\x0a\x2e\x0d\x0a\x67\x72\x6f\x75\x70\x20\x63\x6f\x6e\x74\x72\x6f\x6c\x0d\x0a\x70\x6f\x73\x74\x0d\x0a\x4d\x65\x73\x73\x61\x67\x65\x2d\x49\x44\x3a\x20\x3c......\x40\x74\x65\x73\x74\x3e\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x61\x40\x62\x2e\x63\x0d\x0a\x53\x65\x6e\x64\x65\x72\x3a\x20\x61\x40\x62\x2e\x63\x0d\x0a\x43\x6f\x6e\x74\x72\x6f\x6c\x3a\x20\x63\x61\x6e\x63\x65\x6c\x20\x3c......\x40a*\x3e\x0d\x0a\x53\x75\x62\x6a\x65\x63\x74\x3a\x20\x63\x6d\x73\x67\x20\x63\x61\x6e\x63\x65\x6c\x20\x3c......\x40a*\x3e\x0d\x0a\x4e\x65\x77\x73\x67\x72\x6f\x75\x70\x73\x3a\x20\x63\x6f\x6e\x74\x72\x6f\x6c\x0d\x0a.*"],
['stream', "100.*\x25\x2e\x34\x38\x37\x37\x37\x75\x25\x38\x35\x24\x68\x6e\x5c\x25\x2e\x31\x34\x32\x33\x33\x75\x25\x38\x36\x24\x68\x6e\x0a.*"],
['stream', ".*\x68\x00\x57\x72\x4c\x65\x68\x00\x42\x31\x33\x42\x57\x7a\x00\x01\x00.*"],
['stream', ".*\xff\xd8.*([\000-\0376].|.[\000-\0376])\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
['smb-open-filename', ".*\[p\00?s\00?e\00?x\00?e\00?s\00?v\00?c\00?\.\00?e\00?x\00?e\].*"],
['stream', "\x07\[authors\]...\x04\[bind\].*"],
['packet', "\x07\[authors\]...\x04\[bind\].*"],
['stream', ".*XC-QUERY-SECURITY.*"],
['stream', ".*\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50\x50\x66\x68..\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02\x52\x51.*"],
['packet', ".*\xeb\x02\xeb\x02\xeb\x02.*"],
['stream', ".*\xeb\x02\xeb\x02\xeb\x02.*"],
['stream', ".*\u\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1.\x81\x73\x17....\x83\xeb\xfc\xe2\xf4\u.*"],
['packet', ".*\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef\/bin.*"],
['stream', ".*\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef\/bin.*"],
['packet', ".*\x8d\x0e\x89\x4e\x08\x89\x46\x0c\x8d\x4e\x08\x50\x51\x56\x50\xb0\x3b\xcd\x80\xe8\xe5\xff\xff\xff\/bin.*"],
['stream', ".*\x8d\x0e\x89\x4e\x08\x89\x46\x0c\x8d\x4e\x08\x50\x51\x56\x50\xb0\x3b\xcd\x80\xe8\xe5\xff\xff\xff\/bin.*"],
['packet', ".*\x84\xff\xff\xff[\0371-\0377].*"],
['packet', ".*\x30\x81\xaf\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa0\x81\xa1\x02\x02\x09\x28\x02\x01\x00\x02\x01\x00\x30\x81\x94\x30\x81\x91\x06\x81\x8c\x4d(\x73\x25)+\x73\x81\xff\xff\xff\xff\xff\xff\xff\xff\x7f\x05.*"],
['snmp-oid', "\x2b\x06\x01\x04\x01\x82\x37\x01\x02\x05\x03.*"],
['snmp-community', "NoGaH$@!"],
['snmp-community', "secret"],
['stream', ".*((http:\/\/217\.107\.218\.147\/msits.exe\047;)|(function getRealShell\(\))|(84;66;86;5;73;119;71;89;95)|(\[%41%44%4F%44%42%2E\])|(\[%53%74%72%65%61%6D\])).*"],
['http-text-html', ".*<applet CODE=\"BlackBox\.class\" width=1 height=1><\/APPLET>.*"],
['smtp-header-from', ".*nongmin_cn.*"],
['stream', ".*qazwsx.hsq;*"],
['stream', ".*qaswsx.*"],
['ftp-username', "w0rm"],
['stream', "connected.*"],
['packet', ".*\x00#.*"],
['packet', ".*Ahhhh My Mouth Is Open.*"],
['packet', "03.*"],
['packet', "02.*"],
['packet', "20.*"],
['packet', "60.*"],
['packet', "121.*"],
['packet', "39.*"],
['packet', "41.*"],
['packet', "23.*"],
['packet', "13.*"],
['packet', "12[^1]?.*"],
['packet', "24.*"],
['packet', "110.*"],
['packet', "117.*"],
['packet', "118.*"],
['packet', "35.*"],
['packet', "21.*"],
['packet', "09.*"],
['packet', "100.*"],
['packet', "26.*"],
['packet', "32.*"],
['packet', "33.*"],
['packet', "31.*"],
['packet', "04.*"],
['packet', "30.*"],
['packet', "199.*"],
['packet', "88.*"],
['packet', "40.*"],
['packet', ".*KeyLogger Shut Down.*"],
['packet', ".*KeyLogger Is Enabled On port.*"],
['packet', "38.*"],
['packet', "07.*"],
['packet', "36.*"],
['packet', "64.*"],
['packet', "17.*"],
['packet', "89.*"],
['packet', "911.*"],
['packet', "125.*"],
['packet', "15.*"],
['packet', "14.*"],
['packet', "63.*"],
['packet', "91.*"],
['packet', "92.*"],
['packet', ".*shutd0wnM0therF\*\*\*eR.*"],
['packet', "10.*"],
['packet', "70.*"],
['packet', "22.*"],
['packet', "71.*"],
['packet', "25.*"],
['packet', "34.*"],
['packet', "13.*"],
['packet', "37.*"],
['packet', "370.*"],
['packet', "16.*"],
['packet', ".*Retreaving.*"],
['packet', ".*KeyLogger Is Enabled On port.*"],
['packet', ".*FTP Server changed to.*"],
['packet', ".*Comp Name.*"],
['packet', ".*Wrong Password.*"],
['packet', ".*Volume Serial Number.*"],
['packet', ".*Host.*"],
['packet', ".*\x00#.*"],
['packet', "A.*"],
['stream', ".*host.*"],
['stream', ".*NetSphere.*"],
['stream', ".*NetSphere.*"],
['stream', ".*Wtzup User.*"],
['packet', "srv_infoSERVER INFO:\x0d\x0a\x0dFilename: .*"],
['stream', ".*--.*"],
['stream', ".*--.*"],
['packet', "(\xce\x63\xd1\xd2\x16\xe7\x13\xcf|\*!\*QWTY\?|\x9e\xf4\xc2\xeb\x87\x89\xa2\x04).*"],
['http-header', "\[server\]: BO\/.*"],
['smtp-rcpt', "funguscrack@hotmail.com"],
['packet', "\x1d\xa3\x2b\x85\x4f\x55\x00\xbb\x37\xf8\xab\x30.*"],
['packet', "\xce\x63\xd1\xd2\x16\xe7\x13\xcf.\xa5\xa5\x86.\x75\x4b\x99.*"],
['packet', ".\x00\x00\x00.*"],
['packet', ".*Alvgus's Trojan Server.*"],
['stream', ".*Connected To Amanda.*"],
['stream', ".*AOL Admin Server.*"],
['stream', ".*(RQS|PAS|GNT|DIE|UPL|RBT|WDR|SDR|RUN|INV).*"],
['stream', ".*Execute[A-Z][a-z]+.*"],
['stream', ".*Basic Hell - .*"],
['packet', ".*\x00Bla Ver [1-6]\.o0\x00.*"],
['stream', ".*B\.R\.E\.A\.C\.H Server.*"],
['packet', "\*VERBuHa [0-9]\..*"],
['stream', "Crazzynet.*"],
['packet', "Exploiter (Server )?[0-9]\.[0-9] \.? Port.*"],
['stream', "NaZWA UZYTKOWNIKA.*"],
['stream', "ForCed EnTrY .*"],
['stream', "access ok\x20.*"],
['stream', "ver:Ghost version .*"],
['packet', "(0020|0021|0030|0031|0040|0041|0050|0051|0060|0061|025|027|0220)"],
['stream', ".*(H01|T01|V01|C01|M01|Q03|J01|P03)\x08.*"],
['stream', "Conectado!\x0d\x0a.*"],
['packet', "(001|015|038.*|060|065.*)"],
['stream', ".*InCommand (v )?[0-9]\.[0-9].*"],
['stream', "Insane Network vs [0-9]\.[0-9].*"],
['stream', "verpc,.*"],
['stream', "Leszcz [0-9].*"],
['stream', ".*\x29\x00\x00\x00\x00\x00\x03\x00\x09\x00\x00\x00.*\x0c\x00\x00\x00v[0-9]\..*"],
['packet', "(swapmouse|normalmouse|taskbargizle|taskbargoster|ctrlaltdelyok|ctrlaltdelvar)"],
['stream', "\0133OK\0135 \([^\0051]*\) version [0-9]\..*"],
['packet', "(List|Closewindow [0-9]+|MouseMove.*)"],
['stream', ".*Mavericks Matrix .*"],
['stream', ".*start hide.*"],
['stream', "Michal [0-9]\.[0-9]+ \x0d.*"],
['packet', "({[A-z]:\\|clrrmt|reqfiledir|K[A-z]:\\.*)"],
['stream', ".*Millenium [0-9]\.[0-9].*"],
['packet', "RQS [0-9]"],
['stream', ".*Mneah Remote Control, .*"],
['stream', "ver(BETA [0-9]|[0-9]\.[0-9]).*"],
['stream', ".*220 MoonPie 1\.3\x0d\x0a.*"],
['ftp-banner', "MoonPie FTP-Server"],
['stream', ".*(KEY=.*)?Connected to.*"],
['packet', "(Computer|User|WinInfo|TIME)"],
['stream', ".*NSServer-s.*"],
['stream', ".*\[NetSpy Version\] [0-9]\.[0-9]\x0d\x0a.*"],
['packet', "con[0-9]\.[0-9][0-9]?"],
['packet', "([0-5]|F)([0-9]|[A-F])[0-9]?"],
['stream', "PhuCk y0u\x0d\x0a.*"],
['stream', "#01#[0-9].*"],
['stream', "Oblivion [0-0]\.[0-9]+ ready\..*"],
['stream', ".*Optix Pro.*"],
['stream', "02[0-2][0-9]?[0-9]?(\.[0-9][0-9]?[0-9]?)+.*"],
['stream', "cmd=[a-z]+ var1=.*"],
['packet', "(001|0060|0061|060|065[A-z]:.*|061)"],
['stream', "phAse zero server.*"],
['stream', ".*The Phoenix is ready.*"],
['stream', ".*PitFall Ativo !!!.*"],
['stream', "Conectado a [^\012]+ - The Prayer .*"],
['packet', "Execute[A-z]+.*"],
['stream', "Accept,.*"],
['stream', "210 Prosiak v.*"],
['stream', "psychward (revised|final).*"],
['stream', "son-of-pw .*"],
['packet', "(0031|0030|060|001)"],
['packet', "R0X_[A-Z]+.*"],
['stream', ".*R3C Server.*"],
['stream', "MSG You have connected to.*"],
['stream', "Remote Hack [0-9]\.[0-9]+ Server.*"],
['stream', ".*(hidestart|showstart|hidetaskbar|showtaskbar|message|swapon|swapoff|ftpon|ftpoff).*"],
['stream', "Connected to.*"],
['stream', "ServerSocket Connect\.\.\."],
['stream', ".*Schneckenkorn.*"],
['stream', "{E}([A-Z]|[a-z]):.*"],
['stream', ".*(YES, connected|the tHing ).*"],
['stream', "ID[0-9][0-9]?[0-9]?(\.[0-9][0-9]?[0-9]?)+;.*"],
['packet', "(run|del):.*"],
['stream', "<(SYSTMTIME|REQSTFILE|UPLOADING)>.*"],
['stream', "Truva Server.*"],
['stream', ".*ULTOR'S TROJAN.*"],
['stream', ".*23L'esclave.*"],
['stream', "(Undetected |STL(Undetected|Udt)).*"],
['stream', "Vagr Nocker .*"],
['stream', "Vampire v[0-9]\.[0-9] Server On-Line.*"],
['stream', ".*phAse Zero.*"],
['packet', ".*activate.*"],
['packet', ".*logged in.*"],
['stream', "\x0b\x00\x00\x00\x07\x00\x00\x00Connect.*"],
['stream', "\x32\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00.*"],
['stream', ".*GirlFriend.*"],
['stream', ".*\[ypi0ca\].*"],
['stream', ".*\[ypi0ca\].*"],
['stream', ".*\[Access Granted\.\.\.\].*"],
['stream', ".*\[GateCrasher\].*"],
['stream', "(\x85.?\x13\x3c\x9e\xa2.*)|(\x04\x01..[^\000]...).*"],
['stream', "(\x85.?\x13\x3c\x9e\xa2.*)|(\x04\x01..[^\000]...).*"],
['stream', ".*GET .*"],
['stream', "\000#waste\000.*"],
['line', "221 Goodbye, have a good infection :\)."],
['stream', ".*GetInfo.*"],
['stream', ".*GetInfo.*"],
['stream', ".*NetBus.*"],
['stream', ".*NetBus.*"],
['stream', ".*WHATISIT.*"],
['stream', ".*FTPON.*"],
['stream', ".*FTP Port open.*"],
['stream', ".*pINg.*"],
['stream', ".*@@.*"],
['packet', ".*l44adsl.*"],
['packet', ".*aaa .*"],
['packet', ".*rsz .*"],
['packet', ".*shi .*"],
['packet', ".*xyz .*"],
['irc-join-chan', "#b3eblebr0x"],
['packet', "stream\/.*"],
['packet', "ping.*"],
['http-header-content-type', "multipart\/form-data; boundary=---------------------------123"],
['http-header', "authorization: (%n%n%n%n)+"],
['http-url-parsed-param', ".*:\/+[^\012]*\0133(\?.*|\/.*|#.*)"],
['http-url-parsed-param', ".*:\/+[^\012]*\0133:[^:]*[^\0135]*(\?.*|\/.*|#.*)"],
['http-url-parsed-param', ".*\[\.(bat|cmd)\?&\].*"],
['http-url-parsed-param', ".*\[(a|NULL|test)\.ida\].*"],
['http-url-parsed-param', ".*\/\[_vti_bin\/fpcount\.exe\](\?|\/)[^\012]*\[digits\]=[1-9][0-9][0-9].*"],
['http-url-parsed-param', ".*\[\/IISADMPWD\/((aexp|anot).*|achg)\.htr\].*"],
['http-url-parsed-param', "\/\[_AuthChangeUrl\?\].*"],
['http-url-parsed-param', ".*\[.asp::$data\].*"],
['http-request', "\[POST\] \/\[msadc\/msadcs\.dll\/(VbBusObj\.VbBusObjCls\.GetRecordset|AdvancedDataFactory\.Query)\].*"],
['http-url-parsed-param', ".*\[\/catalog_type\.asp\?ProductType=\|\].*"],
['http-url-parsed-param', ".*\[\/exchange\/LogonFrm\.asp\?.*mailbox=%%%\].*"],
['http-request', "PUT \[\/users\/\][^.]*\.\[asp\].*"],
['http-url-parsed-param', "\/\[scripts\/iisadmin\/ism\.dll\?http\/dir\].*"],
['http-url', "\/\[scripts\]\/[^\012]*\.\.((%c1%9c)|(%c0%af))\.\.\/.*"],
['stream', "\[POST \/ext\.dll HTTP\/1\..\]\x0d\x0aContent-Length: 1\x0d\x0a\x0d\x0aAAA*.*"],
['http-header-host', ".*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
['http-url-parsed-param', "\[\/scripts\/tools\/newdsn\.exe\]\?[^ ]*newdb=CREATE_DB.*"],
['http-url', ".*%20HTTP\/1\.[0-9](%0\[d\])?%0\[a\].*"],
['http-url-parsed-param', ".*\.bat\"\+.*"],
['http-request', "\[POST\] \/scripts\/nsiislog\.dll.*"],
['http-url', "\/\[scripts\][^>]*[^.]+\.\[bat\]\"\+\"?&\+.*"],
['http-url-parsed-param', ".*\/\[gwweb\.exe\?\][^\000]*\[help\]=\/?\.\.\/.*"],
['http-url-parsed', "\/exec\/show\/config\/cr"],
['http-url-parsed-param', ".*\[\/vti_bin\/.*\/?fp(30|4a)reg\.dl\].*"],
['http-url-parsed', "\/app_sta\.stm"],
['http-url-parsed', "\[\/cgi-bin\/config\.bin\]"],
['http-url', ".*\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4"],
['stream', ".*\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff.*"],
['stream', ".*GET \/\x90*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89.*"],
['stream', "AAAAAAAAAAAAAAAAAAAAAAA+.*"],
['http-url', ".*(\x90)*\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e.*"],
['stream', ".*POST (\x82\xe4\x04\x08)+\x0d\x0a(\x53)+.*"],
['http-request', "(\xc0\xf4\xff\xbf)+[N]+\x89\xe5\x31\xd2\xb2.*"],
['http-request', "GET \/(\x2d)+\x5a\xb4\x40\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\xeb\x67\x5e\x8b\xec\x8b\x06\x66\x33\xc0\x8b\xd8\x03\x40\x3c\x8b\x40\x78\x03\xc3\x8b\x78\x20\x8d\x3c\x3b\x03\x1f\x33\xd2\x33\xc9\x43\x38\x13\x75\x01\x41\x81.*"],
['http-header-accept-encoding', ".*(\x90)+\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b.*"],
['http-url', "\[\/cgi-bin\/webc\.(cgi|exe)\/(~|%7e)carl\/g\/\].*"],
['http-request', "[^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].*"],
['http-url', ".*\.\[(pdf|fdf|xfdf|xdp|xfd)\]%00.*"],
['http-url-parsed', "\[\/vgn\/style\].*"],
['http-url', "\/a+\x01\x01\x01\x01.*"],
['http-url', "\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/[a-z]:\winnt.*"],
['http-url-parsed-param', ".*\[\/visadmin\.exe\?user=guest\]"],
['http-request', "REVLOG \/.*"],
['http-url-parsed-param', ".*\[Template\]\/[^ ]*\.\[xml\]\?[^ ]*\[contenttype=text\].*"],
['http-header-host', ".*(\046|\057|\077|\0174).*"],
['http-url-parsed-param', ".*(<|\[%3c\])\[img\][^\000]*\[src\]( |\011)*=( |\011)*(\042|\047)?\[javascript\]:.*"],
['http-url-parsed-param', ".*\/mailbox\.php3\?actionID=6&server=x&imapuser=x';[^\012]*\+--&pass=x.*"],
['http-url-parsed-param', ".*(\[RawCustomSearchField|rawdocdata)\.asp\]\?[^;];execmaster\.dbo\.(xp_cmdshell|sp_grantlogin).*"],
['http-url-parsed-param', ".*\[SiteAdmin\.ASP\]\?[^\012]*&\[GroupName\]=.*';.*"],
['http-header', ".*&\[(userid|password)\]=[^&]*%27.*"],
['http-url-parsed-param', ".*\/\.\.\.\.\.\.\.\.\.\.\..*"],
['http-url-parsed-param', ".*\/\[webcart\/.*(orders\/checks\.txt|config\/import\.txt|config\/mountain\.cfg)\]"],
['http-url-parsed-param', ".*\[\/cgi-bin\/console\.exe\?.*page_size=\].*"],
['http-url-parsed-param', ".*\[\/cgi-bin\/cs\.exe\?.*action=\]"],
['http-url-parsed-param', ".*\[\/scripts\/slxweb\.dll\/admin\?.*command=\].*"],
['http-url-parsed', ".*\/\[officescan\/cgi\/jdkRqNotify\.exe\]"],
['http-url', "\/<script>window\.location=\"\/https-admserv\/bin\/perl\/importInfo%3Fdir=.*"],
['http-header-user-agent', "webmin"],
['line', ".*\xeb\x0b\x3c\x66\x61\x6b\x65\x68\x61\x6c\x6f\x3f\x3e\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x23\x83\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1.*"],
['http-text-html', ".*<\[OBJECT\][^>]*\[classid=\"CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF\"\][^>]*>.*"],
['http-text-html', ".*(m|&#109;|M|&#77;)(h|H|&#72;|&#104;)(t|T|&#84;|&#116;)(m|&#109;|M|&#77;)(l|L|&#76;|&#108;)(:|&#58)((f|F|&#70;|&#102;)(i|I|&#73;|&#105;)(l|L|&#76;|&#108;)(e|E|&#69;|&#101;)|(r|R|&#82;|&#114;)(e|E|&#69;|&#101;)(s|S|&#83;|&#115;)|(m|M|&#77;|&#109;)(i|I|&#73;|&#105;)(d|D|&#68;|&#100;))(:|&#58;)(\/|&#47;)(\/|&#47;)[^!]*!(h|H|&#72;|&#104;)(t|T|&#84;|&#116;)(t|T|&#84;|&#116;)(p|P|&#80;|&#112;).*"],
['http-text-html', ".*\[mhtml:\]((\[file\]|\[res\]|\[mid\]):\/\/[^!]*!${[^}]*}|${[^}]*}[^!]*!(\[http\]|\[ftp\])).*"],
['http-text-html', ".*<\[object\][^>]*\[classid=(\042|\047)clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B\](\042|\047)[^>]*>.*"],
['http-header', "\[location\]:[ ]*\[URL\]:(\[ms-its\]|\[res\]):.*"],
['http-text-html', ".*\[showHelp\][ ]*(\([ ]*(\"|')?|(\"|'))(mk:@MSITStore:|\[res:\/\/\]|\[(ms-)?its:\]).*"],
['stream', ".*qxco7=document\.cookie;function gc099\(n21\).*"],
['http-text-html', ".*<\[iframe\] [^>]*\[src\](\040|\011)*=(\040|\011)*(\"|')?\\\\.*"],
['http-text-html', ".*<\[a\][^>]+\[folder\](\011|\040)*=(\011|\040)*('|\")?\[shell\]:.*"],
['http-text-html', ".*<\[script\].*<\[frameset\][^>]+\[this\.focus\]\(\).*"],
['http-text-html', ".*<\[a\][^>]+\[mailto:\](\041|[\043-\046]|[\050-\075]|[\076-\0176])*&(\[quot\]|#34);[^>]*>.*"],
['http-text-html', ".*<[^>]*\[href=\](\"|')?\[shell:user profile\\\].*"],
['http-text-html', ".*<\[object\][^>]*\[clsid:26676CDD-DD35-4AF2-8751CC25DC468EF2\].*\.LaunchURL\(.*"],
['http-text-html', ".*<\[object\][^>]*\[clsid:0534CF61-83C5-4765-B19B-45F7A4E135D0\].*\.LaunchCustomRuleWizard\(.*"],
['http-text-html', ".*\u\[getClass\(\)\.forName\(('|\")?(sun|javax?\.security|javax?\.rmi|javax?\.transaction|org|javax?\.nio\.channels)\]\u.*"],
['http-data', "\xff\xd8.*\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
['http-text-html', ".*<[^>]*=(\"|')?\[help:runscript\]=[^ ]*\.\[scpt\][^>]*>.*"],
['http-text-html', ".*<[^>]*=( |\090)*(\047|\042)?( |\090)*\[HCP:\/\/system\/DVDUpgrd\/dvdupgrd\.htm\]\?[^>]+>.*"],
['http-url-parsed-param', ".*\/cgi-bin\/campas.*(\X0A\X|%0(a|A)).*"],
['http-url-parsed-param', ".*\/cgi-bin\/jj[^\012]*(HTTPdRocKs|SDGROCKS).*"],
['http-url-parsed', "\/cgi-bin\/phf.*"],
['http-data', ".*\[AnyFormTo\]=[^&]*(;|%\[3b\]).*"],
['http-url-parsed-param', ".*\/process_bug\.cgi?.*=.*;.*"],
['http-url-parsed-param', ".*\/classifieds\.cgi\?[^ ]+return=.+@.+\..+(\.\.\/|\/).*"],
['http-url', ".*\/cvsweb\.cgi\/.*\/;.*"],
['http-url', ".*site_searcher\.cgi\?page=\|.*"],
['http-url-parsed-param', "\/\[cgi-sys\/guestbook\.cgi(\?|\/)user=cpanel&template\]=\|.*"],
['http-url-parsed-param', ".*\.\[(bat|cmd)\](\?|\/)\x7c.*"],
['http-url-parsed-param', ".*\[(insert into\]|\[(select|update)\] [^;]*\[(from|set)\] [^;]*\[where\]|\[delete from)\].*"],
['http-request', ".*\.(php|cgi)\?.*\=[^&]*[\"\'\`][^&]*[;\|][^&]*[\"\'\`].*"],
['http-url', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08.*"],
['http-url', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40.*"],
['http-header-host', ".*\.\.\/.*"],
['http-authorization', "(super:5777364|superman:21241036)\00?\00?"],
['http-url-parsed', "\/\[frame_debug\.asp\]"],
['http-url-parsed-param', "\/cgi-bin\/handler\/.*;.+\?.*"],
['http-url-parsed-param', ".*\/pfdispaly\.cgi\?'%0A"],
['http-url-parsed-param', "\/cgi-bin\/webdist\.cgi\?.*distloc=.*;"],
['http-url-parsed-param', ".*\/passwd\.php3\?.*\[(%2F|%3B|;|\+)\].*"],
['http-url-parsed-param', ".*\/\[include_once\.php\]\?[^ ]*\[inc_prefix\]=(http|ftp):\/\/.*"],
['http-header-user-agent', "tirpitz"],
['http-url-parsed-param', ".*\[Sources\/Packages\.php\?sourcedir=http\]:\/\/.*"],
['http-url-parsed-param', ".*\/\[hit\.php\?url_hit=http\]:\/\/.*"],
['http-url-parsed-param', ".*\/includes\/(header|footer)\.php3\?[^ ]*my_(footer|header)=http:\/\/.*"],
['http-url-parsed-param', ".*\/\[admin\/(system|exec)\.php3\?cmd\]=.*"],
['http-url-parsed-param', ".*\/index\.php(\?|\/)theme=\.\.(\/|%2\[F\]).*"],
['http-url-parsed', ".*\/\[mail\]\/\[admin\]"],
['http-url-parsed-param', ".*\/\[zentrack\/index\.php\](\?|\/)[^\012]*\[configFile\]=\[http\]:\/\/.*"],
['http-url-parsed-param', ".*\/\[lib\.inc\.php\]\?[^ ]*\[pm_path=http\]:\/\/.*"],
['http-data', ".*form-data;[^\012]*name=\"([\000-\041]|[\043-\0132]|[\0134-\0377])*\0133.*Content-Type:[ ]+\.\.\/.*"],
['http-data', ".*\[Content-Disposition: form-data;\][^\012]*\[filename=\]\"?\.\.(\/|\\).*"],
['http-url-parsed-param', ".*\/\[sendtofriend\]\.\[php\]\?[^\00]*\[mid\]=[^&]*'+.*"],
['http-url-parsed-param', ".*\/\[admin\.php3\?.*(step=4|option=pass).*(step=4|option=pass)\].*"],
['http-url-parsed-param', ".*\[\/read\.php3\]\?[^\012]*\[sSQL\]=.*"],
['http-url-parsed-param', "\/\[phorum\/plugin\/replace\/plugin.php?.*PHORUM[[]settings_dir\][]].*"],
['http-url-parsed-param', ".*quick_reply\.php\?phpbb_root_path=http:\/\/.*"],
['http-request', "\[GET\] \/init\.php\?.*(HTTP_(GET|POST|COOKIE)_VARS|HTTP_POST_FILES)=.*"],
['http-url', ".*GALLERY_EMBEDDED_INSIDE(_TYPE)?.*"],
['stream', ".*\xff\xf4\xff\xfd\x06.*"],
['stream', ".*\/viewsource\/template\.html\?.*"],
['stream', ".*\/viewsource\/template\.html\?.*"],
['http-url-parsed', "\/graphics\/sml3com%s%s%s"],
['packet', ".*NAMENAME\xffPASS.*"],
['stream', ".*\x0a.*"],
['http-url', ".*\/%%"],
['stream', ".*\xff\xf3\xff\xf3\xff\xf3\xff\xf3\xff\xf3.*"],
['http-url-parsed-param', "\/?\[Gozila\.cgi\]\?"],
['packet', ".*NAMENAME..?PASSWORD.*"],
['http-url-parsed', ".*\/OPTIONS( |%20)([^ ]|[^\056])+\.\[HTML\].*"],
['http-url-parsed-param', ".*\[setinfo\.hts\]\?[^?]*\[setinclude\]=[^?]*(\.\.\/)+[^?]*"],
['packet', "(\x00|\x02)\x00.*"],
['stream', ".*\x68\x2f\x62\x69\x6e\x5f\x6a\x70\x58\x66\x50\x66\x68\x2f\x63\x57\x54\x5b\x31\xf6\x56\x54\x5a\x68\x2f\x61\x73\x68\x59\x51\x57\x54\x5d\x56\x51\x68\x2f\x74\x6d\x70\x54\x59\x56\x51\x55\x53\x54\x51\x5d\x59\xb0\x02\xcd\x80\x39\xc6\x75\x06\xb0\x0b\xcd\x80\xeb\x1a\x31\xdb\x4b\x56\x54\x59\x31\xd2\x6a\x07\x58\xcd\x80\x31\xc9\x66\xb9\x6d\x09\x55\x5b\x6a\x0f\x58\xcd\x80\x6a\x01\x58\xcd\x80\x90\x90\x90\x90\xa0\x01\x07\x08\x29\x0a\x35\x33\x30\x20\x6c\x6f\x6f\x6b\x20\x77\x68\x61\x74\x20\x69\x20\x64\x69\x64\x20\x74\x6f\x20\x79\x6f\x75\x0a.*"],
['stream', "RETR \"\|.*"],
['ftp-pathname', "(spt\.dat|rom-0)"],
['ftp-sitestring', ".*kakaka\.zip"],
['ftp-pathname', ".*\/\/\.\.\/.*"],
['ftp-password', "wh00t.*"],
['ftp-password', "h0tb0x"],
['ftp-password', "lrkr0x"],
['ftp-password', "satori"],
['ftp-password', ".*\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0.*"],
['ftp-pathname', ".*\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb.*"],
['ftp-password', ".*-broken@shattered\.hopes.*"],
['ftp-password', ".*hi@blahblah\.net.*"],
['ftp-sitestring', "\[EXEC\] (%5$p|%20d\|%).*"],
['ftp-pathname', "~{.*"],
['ftp-username', "%x%x%x"],
['stream', ".*\xb4\x20\xb4\x21\x8b\xcc\x83\xe9\x04\x8b\x19\x33\xc9\x66\xb9\x10.*"],
['ftp-username', "themosthax0ruserthatthisw0rldhaseverseen.*"],
['stream', ".*(size [^\0012]+\0012.+ size [^\0012]+\0012.+size)+.*"],
['ftp-pathname', "\/dadasjasojdasj\/adhjaodhahasohasaoihroaha.*"],
['telnet-user', "\[4Dgifts\]"],
['telnet-user', "\[ezsetup\]"],
['telnet-user', "\[OutOfBox\]"],
['stream', ".*TENmanUFactOryPOWER.*"],
['telnet-user', "userNotUsed"],
['telnet-user', "copyright"],
['stream', ".*\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04.*"],
['stream', ".*\x0D\x0A[[]Yes[]]\x0D\x0A\xFF\xFE\x08\xFF\xFD\x26.*"],
['stream', ".*\xff\xf6\xff\xfb\x08\xff\xfb\x26.*"],
['stream', ".*\xf0\x00\x00\x00\x58\x55\x89\xe5\x81\xec\x2c\x00\x00\x00\x89\x45\xd4\xc7\x45\xfc\x00\x00\xe6\x77\x8b\x45\xfc\x66\x81\x38\x4d\x5a\x75\x7c\x05\x3c\x00\x00\x00\x8b\x18\x03.*"],
['stream', "DESCRIBE.*(\/\.\.\/\.\.)+.*\.\[smi RTSP\/1.0\]\x0d\x0a\x0d\x0a.*"],
['smtp-header-to', ".*(hacker117@163\.com|54love@fescomail\.net).*"],
['stream', "(\0211|\0223|\0261|\0273|\0354|\0366|\0025)(\0023|\0024)\x00\x00.*"],
['smtp-data-line', ".*(AHMAZQByAHYAYwAuAGUAeAB|AGwAcwBlAHIAdgBjAC4AZQB4|AbABzAGUAcgB2AGMALgBlAHg).*"],
['http-url', "\/\[default\.ida\?XXXXXXXXXX+%u9090%u6858%ucbd3%u\].*"],
['smtp-mime-content-filename', "\[message\.zip\]"],
['smtp-mime-content-filename', "\[wendy\.zip\]"],
['stream', "tftp -i [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ GET ms(blast|laugh)\.exe.*"],
['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\Start.*"],
['stream', ".*HKLM\\software\\microsoft\\mssqlserver\\client\\connectto\\dsquery.*"],
['packet', "\x5c\xbf\x01\x29\xca\x62\xeb\xf1"],
['smtp-data-text-html', "<xml id=(3D)?\"oExec\">"],
['stream', ".*RETR [0-9]+_up.exe.*"],
['stream', ".*>>cmd\.ftp&echo anonymous>>cmd\.ftp&echo user&echo bin>>cmd\.ftp&echo get .*"],
['stream', "\[get\] \/[0-9][0-9][0-9][0-9][0-9][0-9]\.\[php\].*"],
['smtp-data-line', "bQ1naQ8wU3T9tZ\+9BW5nczNNb2R1NTlOYW0f\+7eDR1ByO0FkZHJlc3MPU3lzdH\+b\/fZlbURp"],
['stream', "C"],
['tftp-filename', "\[hello\.all\]"],
['stream', "tftp -i [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ GET h3110\.411 package\.exe & package\.exe & exit\x0a\x00.*"],
['smb-open-filename', ".*(\[slacke-worm\.exe\]|\[\x00s\x00l\x00a\x00c\x00k\x00e\x00-\x00w\x00o\x00r\x00m\x00\.\x00e\x00x\x00e\]).*"],
['stream', ".*\x0B\x01\x06\x00\x00\x20\x01\x00\x00\x10\x00\x00\x00\xE0\x06\x00\x20\x01\x08\x00\x00\xF0\x06\x00\x00\x10\x08\x00\x00\x00\x40\x00\x00\x10\x00\x00\x00\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x20\x08\x00\x00\x10\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x08\x00\x64\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x11\x08\x00\x0C.*\x55\x50\x58\x30\x00\x00\x00\x00\x00\xE0\x06\x00\x00\x10\x00\x00.*"],
['smb-copy-filename', ".*R\x00I\x00C\x00H\x00E\x00D\x002\x000.*"],
['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x7d\x01\x80\x34\x0a\x99\xe2\xfa\xeb\x05\xe8\xeb.*"],
['stream', "echo open [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ [0-9]+ > o&echo user 1 1 >> o &echo get bling\.exe >> o &echo quit >> o &ftp -n -s:o &bling\.exe.*"],
['packet', ".*hel32hkernQhounthickChGetTf\xb9llQh32.*\x45\xcc\x50\x8b\x45\xc0\x50\xff.*"],
['stream', ".*User Access Verification.*Your PassWord:.*"],
['stream', ".*\x20\x03\xb3\xb2\x19\x11\xaa\x80\x3c\x46\xfe\x61\x34\x86\xc2\x68\x30\x18\x56\x0d\x95\x75\xac\x52\x23\x16\x42\xb1\x24\x8b\xa0\xc8\x11\xac\x2b\xbb\xb2\x4d\x92\x20\x40\xb6\xc6\x67\xb7\x59\x6a\x29\xba\xa5\x50\x19\x1d\x91\xc9\xb3\xd3\x50\xed\xa5\xe7\x5c\xc4\x6f.*"],
['smb-open-filename', ".*(\[M\000?o\000?F\000?e\000?i\000?\.\000?v\000?e\000?r\]|\[S\000?c\000?a\000?r\000?d\000?s\000?v\000?r\000?3\000?2\000?\.\000?\000?e\000?x\000?e\]|\[l\000?a\000?s\000?v\000?r\000?3\000?2\000?\.\000?e\000?x\000?e\]).*"],
['http-url', ".*%u5951%u6841%u7533%u0018%u754F%u7405%u4E03.*"],
['dns-type-name', "\x00\x01(cheese\.dns4biz\.org|butter\.dns4biz\.org|chilly\.no-ip\.info|kwill\.hopto\.org)"],
['stream', "SNAF.*"],
['stream', "USER x\012PASS x\012PORT \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['http-data', "id=crutop&vvpupkin.*"],
['stream', ".*CONNECT_DATA(\x20|\x09|\x0a|\x0d)*=(\x20|\x09|\x0a|\x0d)*\((\x20|\x09|\x0a|\x0d)*\((\x20|\x09|\x0a|\x0d)*COMMAND(\x20|\x09|\x0a|\x0d)*=(\x20|\x09|\x0a|\x0d)*SERVICE_CURLOAD.*"],
['http-url', ".*\[S%F(F|9)S\.OWA\].*"],
['stream', ".*\x01\x31\xDB\xCD\x80\xE8\x5B\xFF\xFF\xFF.*"],
['stream', ".*\[x\00p\00_\00c\00m\00d\00s\00h\00e\00l\00l\00\].*"],
['stream', ".*\[x\00p\00_\00c\00m\00d\00s\00h\00e\00l\00l\00\].*"],
['stream', ".*\[s\00p\00_\00s\00t\00a\00r\00t\00_\00j\00o\00b\00\].*"],
['stream', ".*\[s\00p\00_\00s\00t\00a\00r\00t\00_\00j\00o\00b\00\].*"],
['stream', ".*xp_dirtree N'%..%..%.....*'.*"],
['stream', ".*\[SELECT pwdencrypt\(REPLICATE\]\('.',([3-9][0-9][0-9]|[1-9][0-9][0-9][0-9]+)\)\).*"],
['stream', "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02\x10\x00\x00\x00.*\x00\x24\x01\x00\x00.*"],
['stream', "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02\x10\x00\x00\x00(\x58)+\x00\x24\x01\x00\x00.*"],
['stream', ".*\[x\00p\00_\00(e\00x\00e\00c\00r\00e\00s\00u\00l\00t\00s\00e\00t\00|p\00r\00i\00n\00t\00s\00t\00a\00t\00e\00m\00e\00n\00t\00s|d\00i\00s\00p\00l\00a\00y\00p\00a\00r\00a\00m\00s\00t\00m\00t)\].*"],
['packet', ".*\x04\x41\x41\x41\x41.*"],
['packet', "\x08[^:]*:.*"],
['packet', "\x04.................................................................*"],
['packet', "\x10\x00\x00.*"],
['stream', ".*\[cash_words\]\(.-[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+.\);.*"],
['stream', ".*\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x8d\x0c\x24\xcd\x80\xb3\x02\xb1\x02\x31\xc9\x51\x51\x51.*"],
['packet', "\x00\x00\x00\x00(([\0310-\0377]\x71\x1c\x07)|(.[\0162-\0377]\x1c\x07)|(..[\0035-\0377]\x07)|(...[\0011-\0377])).*"],
['packet', ".*\x0d\x00..\x09\x00\x00\x00[^\000]*\xff\xff\xff\xfe.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[x-mas.exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[badass.exe\]\".*"],
['line', ".*BubbleBoy is back!.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[links\.vbs\]\".*"],
['line', "\[X-Spanska\]:( |\x09)*.\[Yes\]"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[irok\.exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[pics4you\.exe\]\".*"],
['line', "\[subject\]: ble bla. bee.*"],
['line', "\[subject\]: I Love You ;\).*"],
['line', "\[subject\]: Matrix has you\.\.\..*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myjuliet\.chm\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myromeo\.exe\]\".*"],
['line', "\[subject\]: From shake-beer.*"],
['line', "\[subject\]: Sorry\.\.\. Hey you !.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[navidad\.exe\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[setup\.exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[the_fly\.chm\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[toadie\.exe\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[666test\.vbs\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[tune\.vbs\]*\".*"],
['line', ".*begin .*\.\[vbs\].*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[dinheiro\.doc\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[money\.doc\]*\".*"],
['smtp-mime-content-filename', "\[badass.exe\]"],
['smtp-header-subject', ".*BubbleBoy is back!.*"],
['smtp-mime-content-filename', "\[links\]\.\[vbs\]"],
['smtp-mime-content-filename', "\[file_zippati\.exe\]"],
['smtp-header-line', "X-Spanska:( |\x09)*.Yes"],
['smtp-mime-content-filename', "\[irok\.exe\]"],
['smtp-data-line', ".*\[Software provided by \X5B\XMATRiX\X5D\X\].*"],
['smtp-mime-content-filename', "\[pics4you\.exe\]"],
['smtp-data-line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myjuliet\.chm\]\".*"],
['smtp-data-line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myromeo\.exe\]\".*"],
['smtp-header-subject', "Sorry\.\.\. Hey you !.*"],
['smtp-mime-content-filename', "\[navidad\.exe\]"],
['smtp-mime-content-filename', "\[readme\.exe\]|\[sample\.exe\]"],
['smtp-mime-content-filename', "\[xpass\.xls\]"],
['smtp-mime-content-filename', "\[icq_greetings\.exe\]"],
['smtp-header-subject', "Pikachu Pokemon.*"],
['smtp-mime-content-filename', "\[setup\.exe\]"],
['smtp-mime-content-filename', "\[the_fly\.chm\]"],
['smtp-mime-content-filename', "\[666test\.vbs\]"],
['smtp-mime-content-filename', "\[tune\.vbs\]"],
['smtp-mime-content-filename', "\[kak\.hta\]"],
['stream', ".*LRCQID7dIDFEECggDSLm9df8C\/zSNKDBBAAoGA0AEUQ\+FEN23f7doqAT\/dCQk\/xWcEQmDxCTD.*"],
['smtp-mime-content-filename', "(\[About_Me\]|\[driver\]|\[enjoy\]|\[Source\]|\[Interesting\]|\[README\]|\[images\]|\[Pics\.ZIP\]|\[Doom3 Preview\]|\[you_are_fat\]!*)\.(\[exe\]|\[scr\]|\[pif\])"],
['smtp-mime-content-filename', ".*\.(\[doc|txt|xl.|gif|jpg|zip|enc|end|ps|pdf|dot|etf|rtf|ex_|ex$|ram|rm|bak|bas|bdf|bga|bhz|lha|lzh|arc|arj|cdx|csv|cal|dat|pcm|wav|mpg|mpeg|avi|wmv|mp3|mpe|anus\])\s*\.\s*(\[386|ADE|ADP|ANI|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|GRP|HLP|HTA|INF|INS|ISP|JOB|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|WMF|WSC|WSF|WSH|WSZ|XL.\])"],
['smtp-header-subject', "Important information for you\. Read it immediately !"],
['stream', ".*(enRN(\x0d\x0a)?di5x(\x0d\x0a)?eXk3|dnp0(\x0d\x0a)?TXYu(\x0d\x0a)?cXl5|dXZ6(\x0d\x0a)?dE12(\x0d\x0a)?LnF5).*"],
['stream', ".*(HwoL(\x0d\x0a)?cGdz(\x0d\x0a)?emJh|XB8K(\x0d\x0a)?C3Bn(\x0d\x0a)?c3pi|G1wf(\x0d\x0a)?Cgtw(\x0d\x0a)?Z3N6).*"],
['stream', ".*(TSUR(\x0d\x0a)?ce0U(\x0d\x0a)?2RkI|XHtF(\x0d\x0a)?NkZC(\x0d\x0a)?NUUy|TFNJ(\x0d\x0a)?RFx7(\x0d\x0a)?RTZG).*"],
['stream', ".*(PUkg(\x0d\x0a)?YW0g(\x0d\x0a)?Ikly|PT1J(\x0d\x0a)?IGFt(\x0d\x0a)?ICJJ|SSBh(\x0d\x0a)?bSAi(\x0d\x0a)?SXJ6).*"],
['stream', ".*(NShF(\x0d\x0a)?OXU6(\x0d\x0a)?el1n|RTl1(\x0d\x0a)?Onpd(\x0d\x0a)?Z\/YO|KEU5(\x0d\x0a)?dTp6(\x0d\x0a)?XWf2).*"],
['stream', ".*aW5nB7oGdbA7FU11aA9GtlgQQWEPSert\/0Nvb2xoZWxwMzJTbjxzaG87trUNlI8tRGSDAJML.*"],
['smtp-data-text-html', "<OBJECT STYLE=\"display:none\" DATA=\"http:\/\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?:81\/[0-9][0-9][0-9][0-9][0-9][0-9]\.php\">"],
['smtp-header-subject', "(ble bla, bee)|(I Love You ;\))|(sorry\.\.\.)|(Hey you !)|(Matrix has you\.\.\.)|(my picture)|(from shake-beer)"],
['smtp-header-subject', "(Good Times|Market share tipoff\.\.\.|New Developments|WWIII!)"],
['smtp-mime-content-filename', "\[baby\.exe\]|\[bboy\.exe\]|\[boss\.exe\]|\[casper\.exe\]|\[chestburst\.exe\]|\[cooler1\.exe\]|\[cooler3\.exe\]|\[copier\.exe\]|\[cupid2\.exe\]|\[farter\.exe\]|\[fborfw\.exe\]|\[g-zilla.exe\]|\[gadget\.exe\]|\[goal\.exe\]|\[goal1\.exe\]|\[hog\.exe\]|\[irnglant\.exe\]|\[monica\.exe\]|\[panther\.exe\]|\[party\.exe\]|\[pirate\.exe\]|\[saddam\.exe\]|\[theobbq\.exe\]|\[video\.exe\]"],
['smtp-mime-content-filename', "\[money\.doc\]|\[dinheiro\.doc\]"],
['stream', ".*\X80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 \X.*"],
['stream', ".*\x00\x00\x04\x00\/...\xfc\xff\xff\xff\xfc\xff\xff\xff\xa1\xff\xff\xbf\xf8\xe2\xff\xbf\x20\xd9\x05\x08[A-z]+.*"],
['packet', ".*(\x90)+\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89.*"],
['packet', ".*AAAABBBBABCDBBBBABCF.*"],
['packet', ".*\xeb\x3d\x9a\xff\xff\xff\xff\x07\xff.*|.*\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff.*"],
['packet', ".*ADM_METHOD\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16\x00\x00\x00\x15\.\.\/.*"],
['stream', ".*uid=[0-9]+\([^)]+\).*"],
['packet', "..\x85\x00\x00\x00\x00.\x00\x00\x00\x00[\041-\0377].\x00((\001)|(\040))\x00\x01.*"],
['stream', ".*\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00.*"],
['stream', ".*\x5C\x00\x5C\x00\x2A\x00\x53\x00\x4D\x00\x42\x00\x53\x00\x45\x00\x52\x00\x56\x00\x45\x00\x52\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00.*"],
['stream', ".*\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2.*"],
['packet', "..\x40\x00......\x00\x01.*"],
['stream', ".*\"[^\"]*\[https?\]:\/\/[^ ]*(%00|\x00|%01|\x01|%09|\x09)[^ ]*@[^\"]*\".*"],
['stream', ".*<\[OBJECT\][^>]*\[classid=\"CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF\"\][^>]*>.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[doc\.vbs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[gif\.vbs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[jpg\.vbs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[pif\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[scr\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[shs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[txt\.vbs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vbs\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[xls\.vbs\]\".*"],
['line', "(\[Content-Disposition: attachment\];)?( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[cmd\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[chm\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[crt\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[hlp\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ins\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[isp\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[js\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[jse\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[mdb\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[mde\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msc\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msi\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[pcd\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[sct\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[url\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vb\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vbe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsc\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsf\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsh\]\".*"],
['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
['line', ".*\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff.*"],
['stream', ".*\xeb\x34\x5e\x8d\x1E\x89\x5e\x0b\x31\xd2\x89\x56\x07.*"],
['stream', ".*\xeb\x35\x5E\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30.*"],
['stream', ".*\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02.*"],
['stream', ".*\xeb\x58\x5E\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26.*"],
['line', "1 LSUB \"\" {1064}.*"],
['stream', ".*\x2a\x20\x41\x55\x54\x48\x45\x4e\x54\x49\x43\x41\x54\x45\x20\x7b\x31\x30\x32\x38\x7d\x0a\x90*\xeb\x21\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0\xb0\x3b\xbf\x30\x30\x30\x30\x29\x7e\x01\x29\x7e\x03\x53\x53\x56\x56\xeb\x10\xe8\xda\xff\xff\xff.*"],
['stream', ".*x82 partial 1 body\x5b(\x41\x41)+\xeb\x38\x5e\x80\x46\x01\x50\x80\x46\x02\x50\x80\x46\x03\x50\x80\x46\x05\x50\x80\x46\x06.*"],
['stream', ".*A0666 PARTIAL 1 BODY\x5b(\x90)+\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03.*"],
['stream', ".*\x78\x20\x6c\x6f\x67\x69\x6e\x20\x7b\x34\x32\x39\x34\x39\x36\x37\x32\x39\x35\x7d\x0d\x0a\xc3\xb0\xc3\xaf\xc3\xbf\xc2\xbf\xc2\x90\xc3\xaf\xc3\xbf\xc2\xbf\xc3\xbc\xc3\xbf\xc3\xbf\xc3\xbf\xc3\xbc.*"],
['stream', ".*\x00\x01\x57\x00\x00\x00\x18.\xFF\xFF\xFF\xFF\x00\x00.*"],
['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['stream', "SSH-1\.1-A*\xb8\x00\x03\xff\xe0\x00A*\x90*\x00\xbb\x12\x00\x0a\x00\x90*\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5.*"],
['ssh-header', ".*(#RHL|SISQO|AcidBurns|Born|God|Joker|Owned|Protected|Shadow|SloboZ|U-B00T's_BACKDOOR|hai|X.X.X|GOBBLES|KobrAs@Undernet.Org|check_ssh_1.17|7.7.7).*"],
['stream', ".*(uname|bin\/ls|bin\/id|bin\/nc|bin\/g?cc|bin\/mail|ifconfig|bin\/(k|ba|c|tc|z)?sh).*"],
['stream', ".*uid=[0-9]+\([^)]+\).*"],
['stream', "\[(GET|HEAD|POST)\] \/?(\.\.(\/|\\))+.*"],
['line', "227 ...............................................[^\0353]+\xeb\x40\x5e\x31\xc0\x88.*"],
['http-url-parsed-param', "\/\[cgi-bin\]\/\[readfile\]\.\[tcl\]\?\[file\]=.*\/(\[etc\]|\[usr\]|\[bin\]|\[sbin\]|\[var\/log\]).*"],
['stream', "[^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].*"],
['packet', "-soa [^\012]+%(%|d|D|i|o|u|x|X|f|e|g|E|s|c|\0133|p|n).*"],
['stream', ".*-805289688=%31%C0%89%C3%B0%02%CD%80%38%C3%74%05%8D%43%01%CD%80%31%C0%89%45%10%40.*"],
['stream', ".*\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012.*"],
['packet', "\x00\x09.........................[\0100-\0200].*"],
['stream', ".*\x31\x30\x30\x30\x33\x2e\x68\x74\x74\x70\x3a\x2f\x2f(\x90)+\x30\x9b\xbf\xef\x90\xeb\x1f\x5e\x31\xc0\x89.*"],
['stream', ".*\x00\x00domain HELL\x00.*"],
['stream', ".*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03\x00\x40\x06\x08\x00\x40.*"],
['stream', ".*\x70\xf9\xff\xbf\x70\xf9\xff\xbf\x70\xf9\xff\xbf\x72\xf9\xff\xbf\x25\x2e\x66\x25\x2e\x66\x25\x2e\x66\x25\x2e\x66.*"],
['stream', ".*\x40\x82\x82\x82\x82\x24\xd2\x04\x08\x82\x82\x82\x82\x25\xd2\x04\x08\x82\x82\x82\x82\x26\xd2\x04\x08\x82\x82\x82\x82\x27\xd2\x04\x08\x25\x31\x31\x24\x32\x33\x36\x78\x25\x31\x32\x24\x6e\x25\x31.*"],
['packet', "\x3e\x3e\x3e\x0a\x80\xf7\xff\xbf\xff\xff\xff\xff\x81\xf7\xff\xbf\xff\xff\xff\xff\x82\xf7\xff\xbf\xff\xff\xff\xff\x83\xf7\xff\xbf\x25\x30\x38\x78.*"],
['stream', ".*\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51.*"],
['stream', "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00.*\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00.*"],
['stream', ".*\[Plonked by Dave Aitel\].*"],
['stream', ".*\x5c\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x74\x00\x6f\x00\x72\x00.*\x39\x04\x00\x00\x00\x00\x00\x00\x39\x04\x00\x00\x2f\x00\x2e\x00\x3a\x00\x2f\x00.*"],
['smb-native-lanman', "Metasploit Framework"],
['stream', ".*ADMROCKS.*"],
['packet', ".*ADMROCKS.*"],
['line', "[^ ]*%[0-9]*n"],
['tftp-filename', ".*AA(A)+\.(AA)+\xff\xff\xff\xff\xeb\x27\x8b\x34\x24\x33\xc9\x33.*"],
['tftp-filename', "\/.*"],
['stream', ".*\x01a\\\.\.\\\.\.\\winnt\\repair\\sam.*"],
['line', "550 .* \[cannot mail\].*\[to programs\].*"],
['smtp-data-text-html', ".*\[https?\]:\/\/[^ ]*(%00|\x00|%01|\x01|%09|\x09)[^ ]*@.*"],
['smtp-data-text-html', ".*<\[a\][^>]+\[mailto:\](\041|[\043-\046]|[\050-\075]|[\076-\0176])*&(\[quot\]|#34);.*"],
['stream', ".*<[^>]*=( |\090)*(\047|\042)?( |\090)*\[HCP:\/\/system\/DVDUpgrd\/dvdupgrd\.htm\]\?[^>]+>.*"],
['stream', ".*<[^>]*\[href=\](\"|')?\[shell:user profile\\\].*"],
['smtp-mime-content-data', "\xff\xd8.*\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
['smtp-header-reply-to', ".*(\${\[ifs\]}|\/bin\/).*"],
['stream', ".*\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x05\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff.*"],
['smtp-header-from', ".*(ABCDEFGHIJKLMNOPQRSTUVWXYZabc|\x55\x54\x5d\x33\xff\x57\xc6\x45\xfc\x63\xc6\x45\xfd\x6d\xc6\x45\xfe\x64\x57\xc6).*"],
['smtp-rcpt', ".*\xff\xff\xff\xff.*"],
['smtp-command-line', ".*\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff.*"],
['smtp-header-line', ".*charset( |\x09)*=( |\x09)*\"\".*"],
['smtp-command-line', ".*\xeb\x45\xeb\x20\x5b\xfc\x33\xc9\xb1\xaf\x8b\xf3\x80\x2b.*"],
['smtp-rcpt', "(\[uu\])?\[decode\]"],
['stream', ".*<\[META http-equiv=refresh content=\"1; &#13;&#10;url=file:\/\/C:\WINDOWS\Application Data\Qualcomm\Eudora\Embedded\.*\.mhtml\"\]>.*"],
['smtp-command-line', "( |\x09)*\[etrn\].*"],
['smtp-data-text-html', ".*<([a-z]|[A-Z])+[^>]+\[hcp\]:\/\/([\000-\041]|[\043-\046]|[\050-\0377])*(\"|&\[quot\];|&#34;)([\000-\041]|[\043-\046]|[\050-\0377])*-\[url\][ ]+(\"|&\[quot\];|&#34;).*"],
['smtp-command-line', "(\[HELO\]|\[RCPT TO\])[^\00]*%(\.?[0-9][0-9]?($|\*)*)?[a-z].*"],
['packet', ".*(\x90)+\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xd8\x75\x2d\x31\xc0\x50\x66\x68\x2d\x46\x89.*"],
['packet', ".*(\x0c|\x51)..*%\[(n|h|s|x)\].*"],
['stream', ".*\x41\x39\x30\xc0\xa8\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x00.*"],
['stream', ".*(XXXX%\.172u%300\$n|\xE8\x94\xFF\xFF\xFF\/bin\/sh).*"],
['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
['stream', ".*\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46.*"],
['stream', ".*\xeb\x56\x5E\x56\x56\x56\x31\xd2\x88\x56\x0b\x88\x56\x1e.*"],
['stream', ".*\xeb\x40\x5E\x31\xc0\x40\x89\x46\x04\x89\xc3\x40\x89\x06.*"],
['stream', ".*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xe8.*"],
['stream', ".*\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01.*"],
['stream', ".*\xff\xff\xff\x2f\x42\x49\x4e\x2f\x53\x48\x00.*"],
['stream', ".*\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78.*\x40\x8A\xFF\xC8\x40\x82\xFF\xD8\x3B\x36\xFE\x03\x3B\x76\xFE\x02.*"],
['stream', ".*\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36.*"],
['packet', ".*\xA0\x09\x30\x07\xA1\x05\x23\x03\x03\x01[\001-\007].*"],
['stream', ".*\xeb\x7f\x5d\x55\xfe\x4d.\xfe\x4d.\xfe\x4d.*"],
['line', ".*\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08.*"],
['lpr-command', ".*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
['stream', ".*\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/.*"],
['stream', ".*\/bin\/(ba|k|c|tc)?sh.*"],
['stream', ".*\.\.\/\.\.\/\.\.\/\.\.\/.*"],
['packet', ".*\xff\xff\/(usr\/)?bin\/.*"],
['packet', ".*\xff\xff\xff\/bin\/sh.*"],
['stream', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
['packet', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
['stream', ".*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05.*"],
['packet', ".*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05.*"],
['stream', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0.*"],
['packet', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0.*"],
['stream', ".*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0.*"],
['packet', ".*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0.*"],
['stream', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
['packet', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['packet', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['stream', ".*\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x7a\x69\x03\x21\x00\x90*\x31\xdb\x31\xc0\xeb\x30\x5e\x8d\x7e\x10\x89\xf9\x89\x3e\x8d\x7e\x18\x89.*"],
['stream', ".*\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x7a\x69\x03\x21\x00\x90*\x31\xdb\x31\xc0\xeb\x38\x5e\x8b\xfe\x89\x7e\x3c\x8d\x7e\x14\x89\x7e\x40.*"],
['packet', "..\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00.*"],
['http-header-user-agent', "\[Autoproxy\]"],
['stream', ".*>net start r_server.*"],
['packet', "\xb4\xb4"],
['stream', ".*B\.F\. Evolution RAT.*"],
['stream', ".*Mini Oblivion v[0-9]\.[0-9] Ready.*"],
['stream', ".*(LISTAPP|FTPON|MOUSE(OFF|ON)|TIME|SPAWN|RUN|VER|EXPLOREFOL|APPDATE|CONFIG|DEVICE|PROGRAMS|PWZ|BIOS(VER|EX)|SCRN|HIDESTART).*"],
['stream', ".*PitFall Vers\xe3o TelNet.*"],
['stream', "((\x6c)|(\xc7)|(\xc8.*)|(\xc9.*)|(\xca.*))"],
['stream', ".*Remote: You are connected to me.*"],
['stream', ".*connected\. .*"],
['stream', ".*version:.DEFCON8.2.1"],
['stream', ".* [[]RPL[]]002.*"],
['stream', ".*YOK2BENNY.*"],
['stream', "\x00[^\0]*\x00bin\x00.*"],
['stream', "\x00[^\0]*(\x00|\x0d)echo\+\++(\x00|\x0d).*"],
['stream', "\x00[^\0]*\x00root\x00.*"],
['finger-user', "cmd_rootsh"],
['stream', "\x30\x82..\x02\x01.\x60\x82..\x02[\0005-\0377].*"],
['http-header-host', "apache-nosejob\.c.*"],
['http-header-host', "apache-scalp\.c.*"],
['stream', "POST \/ HTTP\/1.1\x0d\x0aHost: Unknown\x0d\x0aX-CCCCCCC: A.*Transfer-Encoding: chunked.*\x0d\x0affffff6e\x0d\x0a.*"],
['stream', ".*TERM=xterm; export TERM=xterm; exec bash -i\x0a.*"],
['http-url', "[^:]*%(i|o|x|X|s|g|G|n)([\000-\071]|[\073-\076]|[\077-\0377])*:.*"],
['http-authorization', "[^:]*%.*"],
['http-url', ".*\[\/null\.printer\].*"],
['http-url-parsed-param', ".*\[(a|NULL|test)\.idq\].*"],
['http-url-parsed-param', ".*\.asp(\?|\/)\xeb\x06\xeb\x06.*"],
['stream', ".*\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa.*"],
['stream', ".*NNNNaaaa\?cjjs HTTP\/.*"],
['http-request', "\[LOCK\] \/X+\x25\x75\x33\x30\x37\x33.*"],
['stream', ".*\[search\] \/[^ ]*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['http-url-parsed', "\[\/servlet\/UploadServlet\]"],
['stream', "\[POST +\/_vti_bin\/_vti_aut\/fp30reg\.dll\].*\[Transfer-Encoding: +chunked\].*"],
['stream', "(GET|HEAD|POST) .*%s.* HTTP\/.*"],
['stream', ".*\x50\x4f\x53\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x2d\x38\x30\x30\x0a\x0a\x0a\xeb\x0a\x2d\x2d\x6e\x65\x74\x72\x69.*"],
['http-request', ".*\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\xff\x49\x02\x6a\x10\x51\x50\x89\xe1\x43\xb0\x66\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0.*"],
['http-request', ".*(\x83\xc4\x40\xeb\x74\x5d\x6a\x06\x6a\x01\x6a\x02\x8d\x1c\x24\x89\xd9\x31\xdb\xb3\x01\x31\xc0|\x83\xc4\x40\xeb\x55\x5d\x6a\x06\x6a\x01\x6a\x02\x31\xc0\xb0\x61\x50\xcd\x80\x89\xc7\x83\xec).*"],
['http-url-parsed', ".*\/\[c32web\.exe\/ChangeAdminPassword\]"],
['http-url-parsed', ".*\[\/cart32\.exe\/cart32clientlist\]"],
['http-url-parsed-param', ".*\[\/cgi-bin\/FtpSave\.dll\?\].*"],
['http-text-html', ".*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*<\[object\][^>]+\[classid=\"clsid:\][^>]+\[codebase\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*[\0103-\0172]:.*"],
['http-text-html', ".*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*<\[object\][^>]*\[codebase\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*[\0103-\0172]:[^>]*\[classid\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*\[clsid:\].*"],
['http-text-html', ".*<[^>]*=(\047|\042)?\[ssh\]:\/\/[^>]*%20-(F|R)[^>]*>.*"],
['http-url-parsed-param', ".*\[\/pals-cgi\?.*(palsAction=restart|documentName=).*(palsAction=restart|documentName=)\].*"],
['http-url-parsed-param', ".*\/\[wsisa\.dll\/WService=.*\?WSMadmin\].*"],
['http-request', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['http-header', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['ftp-pathname', ".*\x83\xec\x04\x5e\x83\xc6\x70\x83\xc6\x28\xd5\xe0\xc0.*"],
['ftp-password', "-user@"],
['ftp-pathname', "\xeb\x0e\x5e\x56\x5f\xac\x3c\xa0\x74\x0b\x90\x34\x98\xaa\xeb\xf5.*"],
['ftp-password', ".*(\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb|\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb).*"],
['ftp-pathname', "~root"],
['ftp-sitestring', "exec xx.*(\x25\x2E\x66)+.*"],
['ftp-password', "\x78\x78\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\xae\x10.*"],
['line', ".*\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03.*"],
['ftp-password', "h@ck\.er.*"],
['telnet-subnegotiation', ".*\x03\xff\xff\xff\xff\xcc\/bin\/.*"],
['telnet-subnegotiation', ".*\[ld_library_path\].*"],
['telnet-subnegotiation', ".*\[ld_preload\].*"],
['telnet-subnegotiation', ".*\[resolv_host_conf\].*"],
['telnet-subnegotiation', ".*_\[rld\].*"],
['telnet-subnegotiation', ".*\x27\x00\x00T\x02*T\x02*Y\x02*P\x02*R\x02*O\x02*M\x02*P\x02*T.*"],
['stream', ".*\x00\x00\x44\x49\x53\x50\x6c\x41\x59\x01\x6d\x61\x74\x74\x65\x72\x3a\x30\x2e\x30\xff\xf0\xff\xfd\x01\xff\xfc\x01(\x41)+.*"],
['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa5\xec.\x04\xb5\xec.\x04\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa9\xec.\x04\xb9\xec.\x04\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa5\xec.\x03\xb5\xec.\x03\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
['stream', "\x53\x45\x54\x55\x50\x20\x2f\x8b\xfa\x33\xc9\xb2\x35\x90\x90\x90.*"],
['irc-join-chan', "#(aaNIya827|ABIGAI285|abvGai68|abvGai689|AIdas865|alEKaN33|alEKaN33|ALexAn7|aMBEr552|AMEXaN544|aMFeR44|anDHeW9|AnDREA861|AnGnL2|AnyeLI5|aOEJaN329|AutoMN232|aUtumN790|BrIana628|BribNa146|bROOME564|BryXE955|CAlHeR44|cHASW30|ChrIsb80|cHRisT319|cqloE581|cvrLoS32|daKOGa641|dakOtA29|dakotz40|dAnirl638|dEsTyn4|dRSTIn5|eatHAN9|Elizrb738|eric259|etHam4|FAIxh452|GAbrie484|GacRIE6|gaRRut550|gaureT85|gaViN9|geBRiE88|GZBriE1|HAAEY40|HlexAN1|huNTwR79|iAN12|iSaBEL1|ISabeL37|IsNBEl41|jada6|jared8|jenfa2|JenNA9|jeRPMi18|JEsUS428|JGREmY1|JHCqUe2|joRdaN3|jOsCua832|JOSE737|jOsE90|JoSEoH51|jOsHPA863|jOSW89|jQHn659|jYsmIN17|KATher354|KATHrc6|KAtzER231).*"],
['irc-join-chan', "#(KenHET92|KeViN1|kevin678|LauRd150|lauva822|LESLie3|ligueL5|LoGEn1|MaCven441|MAdiSo236|MAIY78|MaMeLi144|marc7|maRISs8|maRy211|MEGaT33|merK4|MGRk176|MIchrL605|mIGUEl4|MjLLY10|MsRK9|mygaN504|nATalH0|NaThAv2|nIChoL12|noah420|paige300|PatrzC3|psAIaH333|Q8DarK|riCEAr797|robERt686|RtBeCC499|SEan31|SHelbY692|SihRrA2|SrIN809|sYDNEe3|TyleR607|vICoOR779|vICTor6|VIctTR7|WArOLi666|WILlIA779|xaVIEE9|xQvIEr151|yaDa61|zHCHar13|ZOE4|zoh3).*"],
['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\ImagePath.*"],
['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['http-url-parsed', "\/(images|0)\/cinik\.c.*"],
['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
['smb-open-filename', ".*\0134\000?(\[d\00?v\00?l\00?d\00?r\x00?3\x00?2\00?\.\00?e\00?x\00?e\00?\]|\[i\00?n\00?s\00?t\00?\.\00?e\00?x\00?e\]).*"],
['stream', ".*\x59\x49\x39\xE0\xC3\x1D\xD3\x4D\xD8\xF2\x61\x73\x73\x6B\x47\x69\xDA\xB5\xBC\x05\x3A\xF0\xE4\xC7\x98\x76\xCB\xB4\x37\xA4\x39\x4A.*"],
['stream', ".*PONG :aux4\.suckit\.com.*"],
['smb-connect-path', "\x5c\x00\x5c\x00\x31\x00\x32\x00\x2e\x00\x33\x00\x34\x00\x2e\x00\x35\x00\x36\x00\x2e\x00\x37\x00\x38\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00"],
['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x66\xb9\x86\x06\x80\x73.*"],
['stream', ".*\[update user set password\]='90909090.*"],
['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[eurocalculator\.exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[file_zippati\.exe\]\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[fix2001\.exe\]\".*"],
['line', ".*\[Software provided by \X5B\XMATRiX\X5D\X\].*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"readme.exe\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[xpass\.xls\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[icq_greeting\](s)*\.\[exe\]*\".*"],
['line', "\[Subject\]: Pikachu Pokemon.*"],
['line', "Subject: C:\\CoolProgs\\Pretty Park\.exe.*"],
['stream', ".*qazwsx\.hsq.*SOFTWARE\Microsoft\Windows\Current Version\Run.*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[suppl\.doc\]*\".*"],
['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[timofonica\.txt\.vbs\]\".*"],
['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[y2k\.exe\]\".*"],
['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[Zipped_Files.EXE\]\".*"],
['smtp-mime-content-filename', "\[x-mas\.exe\]"],
['smtp-mime-content-filename', "\[eurocalculator\.exe\]"],
['smtp-mime-content-filename', "\[fix2001\.exe\]"],
['smtp-header-subject', "\[C:\\\\CoolProgs\\\\Pretty Park\.exe\].*"],
['smtp-data-line', ".*\[qazwsx\.hsq\].*\[SOFTWARE\Microsoft\Windows\Current Version\Run\].*"],
['smtp-mime-content-filename', "\[suppl\.doc\]"],
['smtp-mime-content-filename', "\[timofonica\.txt\.vbs\]"],
['smtp-mime-content-filename', "\[toadie\.exe\]"],
['smtp-mime-content-filename', "begin.*\.\[vbs\].*"],
['smtp-mime-content-filename', "\[wtc\.exe\]"],
['smtp-mime-content-filename', "\[y2k\.exe\]"],
['smtp-mime-content-filename', "\[Zipped_Files\.EXE\]"],
['stream', ".*\xeb\x31\x5e\x89\x76\xac|\xeb\x35\x5e\x89\x76\x18.*"],
['stream', ".*\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x04\xFF\xFF\xFF\xFF.*"],
['packet', ".*\xeb\x4b\x5e\x89\x76\xac\x83\xee\x20\x8d\x5e\x28\x83\xc6\x20\x89\x5e\xb0\x83\xee\x20\x8d\x5e\x2e\x83\xc6\x20\x83\xc3\x20\x83\xeb\x23\x89\x5e\xb4\x31\xc0\x83\xee\x20\x88\x46\x27\x88\x46\x2a\x83\xc6\x20\x88\x46\xab\x89\x46\xb8\xb0\x2b\x2c\x20\x89\xf3\x8d\x4e.*"],
['packet', ".*\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x32\x33\x36\x78\x25\x6e\x25\x31\x33\x37\x78\x25\x6e\x25\x31\x30\x78\x25\x6e\x25\x31\x39\x32\x78\x25\x6e.*"],
['packet', ".*\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x32\x33\x36\x78\x25\x6e\x25\x31\x33\x37\x78\x25\x6e\x25\x31\x30\x78\x25.*"],
['stream', "(.*\Xff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f ff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f\X.*|\x20\xbf\xff\xff\x20\xbf\xff\xff)"],
['packet', ".*(\xc0\x0f\x80\x1b\xc0\x0f\x80\x1b\xc0\x0f\x80\x1b\xc0\x0f\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x5c\x92\x22\x20\x10\x94\x1b\xc0\x0f\xec\x02\x3f\xf0\xac\x22\x80\x16\xae\x02|\x90\x90\xeb\x45\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46\xbc\x31\xc0\x50).*"],
['packet', ".*ADM_METHOD\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16\x00\x00\x00\x15\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/bin\/sh.*"],
['stream', ".*\x90\x90\x31\xdb\x89\xe7\x8d\x77\x10\x89\x77\x04\x8d\x4f\x20\x89\x4f\x08\xb3\x10\x89\x19\x31\xc9\xb1\xff\x89\x0f\x51\x31\xc0\xb0.*"],
['stream', ".*(uname|\/bin\/|export).*"],
['stream', ".*\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa1\x05\x23\x03\x03\x01[\001-\007].*"],
['stream', ".*\x05\xe0\xe3\x1c\x0b\x03\xb8\xd7\xe0\xe8\x09\xfa\x89\xf9.*"],
['stream', ".*\x68\x5d\x5e\xff\xd5\xff\xd4\xff\xf5\x8b\xf5\x90\x66\x31.*"],
['pop3-command-line', ".*.\xff\xff\xff\/bin\/.*"],
['stream', ".*\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e\x12\x89\xf9\x89\xf9.*"],
['line', "AUTH.*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
['line', "LIST 1 .*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
['line', "XTND .*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
['line', "AUTH .*\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff.*"],
['stream', ".*(\x41)+\xf0\x00\x00\x00\x58\x55\x89\xe5\x81\xec\x2c\x00\x00\x00\x89\x45\xd4\xc7\x45\xfc\x00\x00\xe7\x77\x8b\x45\xfc\x66\x81\x38\x4d\x5a\x75\x7c\x05\x3c\x00\x00\x00\x8b\x18\x03\x5d\xfc\x66\x81\x3b.*"],
['ssh-header', "SSH-2\.0-G+O+B+L+E+S+.*"],
['ssh-header', ".*http:\/\/anti\.security\.is.*"],
['stream', ".*\*GOBBLE\*.*"],
['packet', ".*\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50\x50\x66\x68..\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02\x52\x51.*"],
['packet', "..........[\061-\071][\060-\071][\060-\071]([\060-\071]|\x62|\x64).*"],
['stream', "\[A+BBBB\].*"],
['stream', "\[DATE\] A+.*"],
['packet', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd.*"],
['stream', ".*\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01.*"],
['stream', ".*\[FLATLINE'S( )+KWAADWAAR\].*"],
['packet', ".*\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14.*"],
['stream', ".*\x08\x00\x5c\x00\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00\x00\x03\x10\x00\x00\x00.\x08\x00\x00\x01\x00\x00\x00.\x08\x00\x00\x00\x00(\x1b\x00|\x19\x00).*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
['stream', ".*\x5c\x00\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00\x30\x00\x2e\x00.*"],
['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*(\\\x00\\\x00l\x00o\x00c\x00a\x00l\x00h\x00o\x00s\x00t|\\\x00\\\x001\x002\x007\x00\.\x000\x00\.\x000\x00\.\x001).*"],
['stream', ".*\x5c\x00\x6c\x00\x73\x00\x61\x00\x72\x00\x70\x00\x63\x00.*\x6a\x28\x19\x39\x0c\xb1\xd0\x11\x9b\xa8\x00\xc0\x4f\xd9\x2e\xf5.*"],
['packet', "gstsearch"],
['smtp-rcpt', ".*ixltd@postone.com.*"],
['smtp-command-line', ".*\[(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to)\]:([^\012]|[^\015])*(<><><><>|\(\)>\(\)>\(\)>).*"],
['smtp-header-line', ".*\[(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to)\]:([^\012]|[^\015])*(<><><><>|\(\)>\(\)>\(\)>).*"],
['smtp-data-text-plain', ".*g0YIG4lGDIhGF4hGGohGRVBW\/zawO1CQ.*"],
['smtp-command-line', ".*\[XEXCH50\][ ]+([1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+|-[0-9]+).*"],
['smtp-command-line', "( |\x09)*\[debug\].*"],
['smtp-command-line', "( |\x09)*\[wiz\]( |\x09)*"],
['stream', ".*R( )*<( )*\"( )*\|( )*\/bin\/.*"]
]
end
end