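module Msf
###
#
# This plugin hooks the sockets created by a running exploit
# and prevents data from being sent that matches a known IPS
# signature.
#
# Scope of the hook, as far as this file shows: the event handler is
# registered with Rex::Socket::Comm::Local only, and the filter is attached
# only to sockets whose context has 'MsfExploit' set and 'MsfPayload' unset.
# Sockets outside that condition are left untouched.
#
###
class Plugin::IPSFilter < Msf::Plugin

  ###
  #
  # Socket event handler that mixes IPSFilter::SocketTracer into
  # exploit-owned sockets as they are created.
  #
  ###
  class IPSSocketEventHandler
    include Rex::Socket::Comm::Events

    # Nothing to do before the socket exists; present to satisfy the
    # event interface.
    def on_before_socket_create(comm, param)
    end

    # Attaches the filter to a newly created socket when it belongs to an
    # exploit.
    #
    # @param comm  the comm object reporting the event (unused here)
    # @param sock  the socket that was just created
    # @param param socket parameters; only param.context is consulted
    def on_socket_created(comm, sock, param)
      ctx = param.context

      # Sockets created by the exploit have MsfExploit set and MsfPayload not set.
      # A nil context is treated as "not an exploit socket" so that this
      # handler cannot raise NoMethodError while a socket is being set up.
      return unless ctx && ctx['MsfExploit'] && !ctx['MsfPayload']

      sock.extend(IPSFilter::SocketTracer)
      sock.context = ctx
      sock._init_hook_
    end
  end

  # Creates the event handler and registers it so that later socket
  # creations are reported to it.
  #
  # @param framework passed through to Msf::Plugin#initialize by the bare super
  # @param opts      passed through to Msf::Plugin#initialize by the bare super
  def initialize(framework, opts)
    super

    @ips_eh = IPSSocketEventHandler.new
    Rex::Socket::Comm::Local.register_event_handler(@ips_eh)
  end

  # Deregisters the event handler. Sockets that were already extended with
  # SocketTracer are not restored by this method.
  def cleanup
    Rex::Socket::Comm::Local.deregister_event_handler(@ips_eh)
  end

  # @return [String] the plugin name
  def name
    # NOTE(review): the literal carries a leading and trailing space as shown
    # on this page; the same padding appears on every double-quoted string
    # here and may be an extraction artifact - confirm against the upstream file.
    " ips_filter "
  end

  # @return [String] one-line description of the plugin
  def desc
    " Scans all outgoing data to see if it matches a known IPS signature "
  end
end
end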
# This module extends the captured socket instance
module IPSFilter
module SocketTracer
# Context hash of the owning exploit. The socket event handler assigns it
# (sock.context = param.context) right after mixing this module in.
attr_accessor :context
# Hook the write method
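# Refuses to send a buffer that ips_match flags; any other buffer is handed
# to the socket's own write.
#
# @param buf  [String] data about to be sent
# @param opts [Hash]   options forwarded unchanged to the underlying write
# @return nil when the write is suppressed, otherwise whatever the
#   underlying write returns
def write(buf, opts = {})
  if ips_match(buf)
    $stderr.puts " *** Outbound write blocked due to possible signature match "
    # NOTE(review): a suppressed write returns nil rather than a byte count;
    # confirm that callers of write tolerate that.
    return
  end

  # Forward opts as well as the buffer. The override accepts them, and the
  # read hook in this module forwards its opts, so dropping them here
  # silently discarded caller-supplied options.
  super(buf, opts)
end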
# Hook the read method
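# Reads through the socket's own read and reports, without altering or
# dropping anything, when the received data matches a signature.
#
# @param length [Integer, nil] forwarded unchanged to the underlying read
# @param opts   [Hash]         forwarded unchanged to the underlying read
# @return whatever the underlying read returned
def read(length = nil, opts = {})
  data = super(length, opts)

  # Only inspect an actual buffer: ips_match calls data.match, which would
  # raise NoMethodError if the underlying read came back with nil.
  if data && ips_match(data)
    $stderr.puts " *** Incoming read may match a known signature "
  end

  data
end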
# Called by the event handler on setup
# Setup callback; the socket event handler calls it right after mixing this
# module into a socket. It is a placeholder: nothing is loaded and the
# method returns nil.
def _init_hook_
  # Load up the signature set here
  nil
end
# Pass-through close: adds no behaviour of its own and hands every argument
# to the socket's own close.
def close(*args)
  # Bare super forwards the received arguments unchanged.
  super
end
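# Checks a buffer against every entry in SIGS and stops at the first hit.
#
# Each SIGS entry is a two-element array. Only the second element (the
# pattern string) is used; the first element (a label such as 'stream' or
# 'packet') is never consulted, so every pattern is applied to every buffer
# regardless of protocol or field. Expect matches on traffic a pattern was
# not written for.
#
# @param data [String, nil] buffer about to be written or just read
# @return [Boolean] true on the first matching pattern, false otherwise
def ips_match(data)
  # The read hook passes the result of the underlying read straight in;
  # nil has nothing to match and would raise NoMethodError on data.match.
  return false if data.nil?

  SIGS.each do |sig|
    pattern = sig[1]

    begin
      # OPTIMIZE: the pattern is recompiled on every call for every entry.
      if data.match(Regexp.new(pattern))
        $stderr.puts " *** Matched signature #{pattern} "
        return true
      end
    rescue ::StandardError
      # Covers a pattern that does not compile and a match that raises on
      # this buffer. Interrupt and SystemExit are no longer swallowed, as
      # they were by the previous rescue of ::Exception.
      $stderr.puts " *** Compiled error: #{pattern} "
    end
  end

  false
end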
SIGS =
[
[ 'stream' , " .*[1-9][0-9]*, 6667 : USERID : UNIX : die.* " ] ,
[ 'stream' , " .* \x58 \x35 \x4f \x21 \x50 \x25 \x40 \x41 \x50 \x5b \x34 \x5c \x50 \x5a \x58 \x35 \x34 \x28 \x50 \x5e \x29 \x37 \x43 \x43 \x29 \x37 \x7d \x24 \x45 \x49 \x43 \x41 \x52 \x2d \x53 \x54 \x41 \x4e \x44 \x41 \x52 \x44 \x2d \x41 \x4e \x54 \x49 \x56 \x49 \x52 \x55 \x53 \x2d \x54 \x45 \x53 \x54 \x2d \x46 \x49 \x4c \x45 \x21 \x24 \x48 \x2b \x48 \x2a .* " ] ,
[ 'smb-open-filename' , " .*( \000 )? \ .( \000 )? \ [e( \000 )?x( \000 )?e( \000 )? \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ /getlatestversion \ ?ver=.* " ] ,
[ 'dns-type-name' , " .*[ \s % \ |; \ ? \ & \' \" ].* " ] ,
[ 'packet' , " [ \020 0- \037 7].* " ] ,
[ 'packet' , " .* \x00 \x0c .. " ] ,
[ 'snmp-community' , " internal " ] ,
[ 'stream' , " .* \ [login incorrect \ ].* " ] ,
[ 'stream' , " .* \ [permission denied \ ].* " ] ,
[ 'http-header-accept-encoding' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [gwweb \ .exe \ ? \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [PortInformation \ ] \ ?[0-9][^0-9]?.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [StreamingStatistics \ ] \ ?[0-9].* " ] ,
[ 'http-url-parsed' , " \ [ \ /cgi-bin \ /logout \ .exe \ ] " ] ,
[ 'http-header-user-agent' , " .* \ [QuickTime \ ].* " ] ,
[ 'http-url-parsed' , " \ /examples \ /jsp \ /snp \ /[^.]+ \ .snp " ] ,
[ 'http-request' , " SSH.* " ] ,
[ 'http-request' , " \xff ( \xfb | \xfd ).* " ] ,
[ 'http-request' , " \ [CONNECT \ ].* " ] ,
[ 'http-request' , " \ [CONNECT scs.yahoo.com \ ].* " ] ,
[ 'http-request' , " \ [CONNECT login.oscar.aol.com \ ].* " ] ,
[ 'http-header' , " .* \ [p2p-agent:.*Kazaa \ ].* " ] ,
[ 'http-header-user-agent' , " .* \ [topsearch \ ].* " ] ,
[ 'http-header-user-agent' , " .* \ [MSMSGS \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [imagemap \ .exe \ ] \ ?.* " ] ,
[ 'stream' , " \ [CONNECT \ ].* " ] ,
[ 'stream' , " \ [CONNECT \ ].* " ] ,
[ 'stream' , " \ [CONNECT \ ].* " ] ,
[ 'stream' , " \ [CONNECT \ ].* " ] ,
[ 'stream' , " \ [CONNECT \ ].* " ] ,
[ 'http-header-user-agent' , " ICQ " ] ,
[ 'http-text-html' , " .*<(a|A)[^>]* \s \ [href \ ]=>.* " ] ,
[ 'http-text-plain' , " \x58 \x35 \x4f \x21 \x50 \x25 \x40 \x41 \x50 \x5b \x34 \x5c \x50 \x5a \x58 \x35 \x34 \x28 \x50 \x5e \x29 \x37 \x43 \x43 \x29 \x37 \x7d \x24 \x45 \x49 \x43 \x41 \x52 \x2d \x53 \x54 \x41 \x4e \x44 \x41 \x52 \x44 \x2d \x41 \x4e \x54 \x49 \x56 \x49 \x52 \x55 \x53 \x2d \x54 \x45 \x53 \x54 \x2d \x46 \x49 \x4c \x45 \x21 \x24 \x48 \x2b \x48 \x2a " ] ,
[ 'http-text-html' , " .*< \ [bgsound \ ]( | \x09 | \x0A )+ \ [src \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')? \\ \\ [^>]+>.* " ] ,
[ 'http-text-html' , " .*< \ [OBJECT \ ][^>]+ \ [classid \ ]=( | \x09 | \x0A )?( \" |')?clsid:D27CDB6E-AE6D-11cf-96B8-444553540000.*>.*< \ [PARAM \ ] \ [NAME \ ]= \" ? \ [movie \ ].* \ [VALUE \ ]=.* \ . \ [swf \ ] \ ?AAA \ .XXXXXXXX[^>]+>.* " ] ,
[ 'line' , " .* \ [1 file \ ].* " ] ,
[ 'line' , " .* \ [bad command or filename \ ].* " ] ,
[ 'line' , " .* \ [command completed \ ].* " ] ,
[ 'line' , " .* \ [connection closed by foreign host \ ].* " ] ,
[ 'line' , " .*uid=0.* " ] ,
[ 'line' , " .* \ [volume serial number \ ].* " ] ,
[ 'http-status' , " .* \ [HTTP \ ] \ /[0-9]+[^ \012 ]+404 .* " ] ,
[ 'http-data' , " .* \x30 \x08 \x23 \x00 \x3C \xA6 \x0F \xA5 \x18 \x04 \x2D \xB1 \x38 \x53 \xF4 \xA6 \x10 \x5B \x7E \x8A \x7D \xA2 \x80 \xB0 \x8C \x38 \x53 \xF3 \x14 \x04 \x0A \xC3 \x91 \x14 \x05 \xED \x3D \xBE \xA2 \x80 \x81 \x4F \x6F \x94 \xD0 \x04 \x14 \xD0 .* " ] ,
[ 'http-data' , " .* \x04 \x42 \x81 \x91 \xFF \xDA \x00 \x0C \x03 \x01 \x00 \x02 \x11 \x03 \x11 \x00 \x3F \x00 \xF9 \x05 \xF9 \x6F \x38 \x9F \xDD \xE4 \x5F \x59 \xD7 \xDF \x49 \xE7 \x9D \xF7 \x82 \x46 \xE6 \x73 \x7C \x40 \xFC \xE4 \x7C \x52 \x58 \xE6 \x37 \x3A \x5F \x79 \xBB \x01 \x0E \x74 \x6F \x59 \xC2 \x43 \x6A \xA2 \x71 \x36 \x87 \xA3 .* " ] ,
[ 'http-url-parsed-param' , " .* \ /s?bin \ /halt.* " ] ,
[ 'http-url-parsed-param' , " .* \ [( \ /usr)? \ /s?bin \ /(awk|bash|cat|chattr|chgrp|chmod|chown|cp|csh|dd|df|dir|dmesg|du|ed|gawk|groups|gunzip|install|kill|killall|last|link|ln|ls|lsattr) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /(usr)? \ /s?bin \ /(mail|mesg|mkdir|mkfifo|mknod|mktemp|more|mount|mv|netstat|nisdomainname|pidof|ps|rm|rmdir|sash|sed|sh|shred|sleep|stat|stty|tcsh|tempfile|touch|umount|unlink|utmpdump|uuidgen|vdir|wall|ypdomainname|halt|shutdown|restart|reboot|runlevel|swapoff|ctrlaltdel|mkswap|poweroff) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [dfire \ .cgi \ ?.*IPONE \ ]= \ | " ] ,
[ 'http-header-user-agent' , " .* \ [MoodLogic \ ].* " ] ,
[ 'http-url' , " .*HandleSearch \ .html \ ?searchTarget=.*&B1=Submit.* " ] ,
[ 'http-request' , " \ [CONNECT \ ] [0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]?:[0-9]+ \ / \ [HTTP \ ] \ /1.0.* " ] ,
[ 'http-header' , " .* \ [Authorization \ ]:[ ]+ \ [Negotiate \ ] \x00 .* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /realPath \ .jsp.* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /jsp \ /buffer(1|2|3|4) \ .jsp.* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /jsp \ /(comments|extends(1|2)) \ .jsp.* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /jsp \ /page(AutoFlush|Double|Extends|Import2|Info|Invalid|IsErrorPage|IsThreadSafe|Language|Session) \ .jsp.* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /jsp \ /declaration \ /IntegerOverflow \ .jsp.* " ] ,
[ 'http-url-parsed-param' , " .* \ /examples \ /jsp \ /source.jsp \ ?( \ ?| \ /+.* \ /+).* " ] ,
[ 'ftp-banner' , " .*WS_FTP Server ([0-3]|(4 \ .0 \ .[0-2])).* " ] ,
[ 'ftp-banner' , " .*Serv-U FTP Server v([0-4]|(5 \ .0( \ .[0-5])?[^0-9])).* " ] ,
[ 'ftp-banner' , " .*Serv-U FTP-Server v([0-1]|(2 \ .[0-5])).* " ] ,
[ 'ftp-banner' , " .*Serv-U FTP Server v([0-3]|(4 \ .[0-1])).* " ] ,
[ 'ftp-banner' , " .*Serv-U FTP Server v([0-3]|(4 \ .[0-2])).* " ] ,
[ 'ftp-banner' , " .*WS_FTP Server ([0-4]|(5 \ . \0 \ .[0-3])).* " ] ,
[ 'ftp-password' , " \ [(manager|public|private|default|security|1234qwer|123qwe|user|super|123456|000000|Internet|abcd|abc123|abc|1234567|123abc|88888888|password|asdfgh|computer|5201314|00000000|!@ # $%^&* \ ( \ )|654321|888888|123asd|11111|!@ # $%^& \ *|passwd|!@ # $%^& \ * \ (|111111|asdf|sql|database|111|!@ # $%|pass|!@ # $|54321|server|!@ # $%^|sybase|oracle|12345678|1|secret|test|11111111|admin|anyone|!@ # $%^&) \ ] " ] ,
[ 'stream' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'ftp-command' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'ftp-username' , " anonymous|ftp " ] ,
[ 'stream' , " .* \ [login incorrect \ ].* " ] ,
[ 'stream' , " .* \ [not on system console \ ].* " ] ,
[ 'stream' , " .* \ [guest account not allowed \ ].* " ] ,
[ 'stream' , " .* \ [login failure \ ].* " ] ,
[ 'stream' , " .* \ [server allows NTLM authentication \ ].* " ] ,
[ 'stream' , " .* \ [login failed \ ].* " ] ,
[ 'stream' , " .* \ [permission denied \ ].* " ] ,
[ 'stream' , " .*cat( | \x09 )+ \ /etc \ /passwd.* " ] ,
[ 'stream' , " .*halt( | \x09 )*( \x0a | \x0d ).* " ] ,
[ 'packet' , " \ X AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA \ X " ] ,
[ 'stream' , " .* \xaa .. \x14 \x48 ..... \x00 \ [L \x00 o \x00 g \x00 i \x00 n \x00 \x00 f \x00 a \x00 i \x00 l \x00 e \x00 d \ ].* " ] ,
[ 'smtp-command-line' , " ( \ [HELO \ ]| \ [EHLO \ ]) \ [localhost \ ] " ] ,
[ 'smtp-data-text-plain' , " \x58 \x35 \x4f \x21 \x50 \x25 \x40 \x41 \x50 \x5b \x34 \x5c \x50 \x5a \x58 \x35 \x34 \x28 \x50 \x5e \x29 \x37 \x43 \x43 \x29 \x37 \x7d \x24 \x45 \x49 \x43 \x41 \x52 \x2d \x53 \x54 \x41 \x4e \x44 \x41 \x52 \x44 \x2d \x41 \x4e \x54 \x49 \x56 \x49 \x52 \x55 \x53 \x2d \x54 \x45 \x53 \x54 \x2d \x46 \x49 \x4c \x45 \x21 \x24 \x48 \x2b \x48 \x2a " ] ,
[ 'packet' , " \x45 \x00 \x32 \x00 .* " ] ,
[ 'packet' , " .* \ X00 00 01 87 03 00 00 00 \ X.* " ] ,
[ 'smb-connect-path' , " \\ \00 ? \\ \00 ?.* \\ \00 ?I \00 ?P \00 ?C \00 ?$ \00 ?.* " ] ,
[ 'pop3-user' , " x # 99999999 " ] ,
[ 'pop3-user' , " root " ] ,
[ 'http-url-parsed' , " \ /v[0-9][0-9][0-9] \ /mainbar \ /index.html.* " ] ,
[ 'dns-type-name' , " \x00 \x01 c3312 \ .z1301 \ .winmx \ .com.* " ] ,
[ 'dns-type-name' , " \x00 \x01 \ [test \ ].* \ [ \ .winmx \ .com \ ] " ] ,
[ 'packet' , " 1 " ] ,
[ 'packet' , " 8.* " ] ,
[ 'dns-type-name' , " \x00 \x01 \ [c \ ][0-9]+ \ [ \ .z \ ][0-9]+ \ [ \ .winmx \ .com \ ] " ] ,
[ 'http-header-user-agent' , " .* \ [DC \ ] \ + \ +.* " ] ,
[ 'stream' , " .*$Key [^ \017 4]* \017 4$ValidateNick .* " ] ,
[ 'http-url-parsed-param' , " \ [ \ /ver \ /ver.php \ ?ver \ ]=[0-9] \ .[0-9][0-9] \ .[0-9]& \ [app \ ]=[0-9][0-9].* " ] ,
[ 'packet' , " \xe3 .... \x16 .* " ] ,
[ 'packet' , " \xe3 .... \x01 .* " ] ,
[ 'packet' , " \xe3 .... \x19 .* " ] ,
[ 'packet' , " \xe3 .... \x14 .* " ] ,
[ 'packet' , " \xe3 .... \x15 .* " ] ,
[ 'packet' , " \xe3 \x96 .* " ] ,
[ 'packet' , " \xe3 \x97 .* " ] ,
[ 'http-header-user-agent' , " .* \ [Shareaza \ ].* " ] ,
[ 'stream' , " .*UserAgent: KazaaClient [^ \010 ]* \r \n X-Kazaa-Username:.* " ] ,
[ 'stream' , " .*Server: KazaaClient.*X-Kazaa-Username:.* " ] ,
[ 'packet' , " \x27 \x00 \x00 \x00 \xa9 \x80 KaZaA \x00 " ] ,
[ 'stream' , " GET \ /.hash=([a-f]|[0-9])+.*KaZaA.* " ] ,
[ 'stream' , " .* \ [BitTorrent protocol \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [announce \ ][^?]* \ ?[^ ]* \ [info_hash \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [scrape \ ][^?]* \ ?[^ ]* \ [info_hash \ ].* " ] ,
[ 'packet' , " \xe3 \x0a .* " ] ,
[ 'packet' , " \xe3 \x0b .* " ] ,
[ 'packet' , " \xe3 \x0e .* " ] ,
[ 'packet' , " \xe3 \x21 .* " ] ,
[ 'packet' , " \xe3 \x13 .* " ] ,
[ 'ssh-header' , " SSH-1.5-OpenSSH-1.2.3 " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'stream' , " .* \ . \ [mp3 \ ].* " ] ,
[ 'packet' , " .* \x00 \xcb \x00 .* " ] ,
[ 'packet' , " .* \x00 \xcb \x00 .* " ] ,
[ 'packet' , " . \x00 \x02 \x00 .* " ] ,
[ 'packet' , " . \x00 \x02 \x00 .* " ] ,
[ 'stream' , " .*anon@napster.com.* " ] ,
[ 'packet' , " . \x00 \x06 \x00 .* " ] ,
[ 'packet' , " . \x00 \x06 \x00 .* " ] ,
[ 'packet' , " . \x00 \x5f \x02 .* " ] ,
[ 'packet' , " . \x00 \x5f \x02 .* " ] ,
[ 'http-header-user-agent' , " .* \ [MLdonkey \ ].* " ] ,
[ 'stream' , " .*GNUTELLA OK.* " ] ,
[ 'stream' , " GNUTELLA CONNECT \ /0 \ .[0-9].* " ] ,
[ 'stream' , " .*GNUTELLA \ /0 \ .[0-9] 200 OK( \x0d )? \n .* " ] ,
[ 'stream' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header-user-agent' , " \ [gator \ ].* " ] ,
[ 'http-header-user-agent' , " .* \ [new \ .net \ ].* " ] ,
[ 'http-header-user-agent' , " .* \ [DA \ ] [1-9] \ .[0-9].* " ] ,
[ 'http-header' , " .*Oracle9iAS-Web-Cache \ /(9 \ .0 \ .(0 \ .4 \ .0|2 \ .3 \ .0|3 \ .1 \ .0|4 \ .0 \ .0)|2 \ .0 \ .0 \ .4 \ .0).* " ] ,
[ 'stream' , " .*ADMINISTRATOR.* " ] ,
[ 'stream' , " .* \ [invalid login \ ].* " ] ,
[ 'packet' , " NQ.* " ] ,
[ 'packet' , " ST.* " ] ,
[ 'packet' , " ST.* " ] ,
[ 'ftp-password' , " cis@security \ .check " ] ,
[ 'http-url-parsed' , " \ [Nikto \ ]-[0-9][0-9]? \ .[0-9][^ \00 ]+ \ . \ [htm \ ] " ] ,
[ 'http-header-user-agent' , " .* \ (Nikto \ /.* " ] ,
[ 'http-url' , " .*search%3f<balisexss>%22%27.* " ] ,
[ 'stream' , " .* \x00 \x01 \x00 \x03 \x00 \x01 \x00 .* " ] ,
[ 'packet' , " > .* " ] ,
[ 'packet' , " > .* " ] ,
[ 'packet' , " > .* " ] ,
[ 'stream' , " .*cat \ /etc \ /passwd.* " ] ,
[ 'packet' , " .*cat \ /etc \ /passwd.* " ] ,
[ 'stream' , " .* \ /usr \ /(bin \ /X11|X11R6 \ /bin) \ /xterm.* " ] ,
[ 'packet' , " .* \ /usr \ /(bin \ /X11|X11R6 \ /bin) \ /xterm.* " ] ,
[ 'packet' , " .* \x2b \x06 \x10 \x40 \x14 \xd1 \x02 \x19 .* " ] ,
[ 'packet' , " .*WHATISIT.* " ] ,
[ 'stream' , " .*cat( | \x09 )*>( | \x09 )* \ /etc \ /group.* " ] ,
[ 'stream' , " .*cat( | \x09 )*>( | \x09 )* \ /etc \ /inetd.conf.* " ] ,
[ 'stream' , " .*cat( | \x09 )*>( | \x09 )* \ /etc \ /passwd.* " ] ,
[ 'stream' , " .*cat( | \x09 )*>>( | \x09 )* \ .rhosts " ] ,
[ 'stream' , " .*cat( | \x09 )*>>( | \x09 )* \ /etc \ /passwd.* " ] ,
[ 'stream' , " .*cd( | \x09 )+ \ /bin \ / \ ..* " ] ,
[ 'stream' , " .*cd( | \x09 )+ \ /usr \ / \ ..* " ] ,
[ 'stream' , " .*cd( | \x09 )+ \ /var \ / \ ..* " ] ,
[ 'stream' , " .*cd( | \x09 )+ \ . \ . \ ..* " ] ,
[ 'stream' , " .*id( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*mkdir( | \x09 )+ \ . \ ..* " ] ,
[ 'stream' , " .*nc .* " ] ,
[ 'stream' , " .*nmap .* " ] ,
[ 'stream' , " .*reboot.* " ] ,
[ 'stream' , " .*shutdown.* " ] ,
[ 'stream' , " .*strobe .* " ] ,
[ 'stream' , " .*su( | \x09 )+bin( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*su(( | \x09 )+(root|-l root|- root|-))?( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*telnet[^ \015 ]+21( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*telnet[^ \015 ]+25( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*telnet[^ \015 ]+80( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*vi( | \x09 )+ \ /etc \ /group( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*vi( | \x09 )+ \ /etc \ /passwd( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .*xhost( | \x09 )+.* " ] ,
[ 'stream' , " .*xhost( | \x09 )+ \ +( | \x09 )* \x0d .* " ] ,
[ 'stream' , " .* \ [to su root \ ].* " ] ,
[ 'telnet-user' , " cisco " ] ,
[ 'http-url-parsed' , " .*conf \ /httpd \ .conf " ] ,
[ 'http-url-parsed' , " .* \ [ \ /admin_files \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ X20 \ X \ / \ [session \ /adminlogin \ ] \ ?.*RCpage= \ / \ [sysadmin \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /ax-admin \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /axs \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [bigconf \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cgi-bin \ /cachemgr \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [day5data(copier|notifier) \ .cgi \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /environ \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [filemail \ .pl \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [finger( \ .cgi| \ .pl)? \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [flexform( \ .pl| \ .cgi)? \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /LWGate( \ .cgi| \ .pl)? \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /man \ .sh \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /ministats \ /admin \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [mmstdod \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [perlshop \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [post-query \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /responder \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [search \ .vts \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /snork(erz)? \ .(bat|cmd) \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /store \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [textcounter \ .pl \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [uploader \ .exe \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [w3tvars \ .pm \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /webdriver \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [web-map \ .cgi \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [cgi-bin \ /www-sql \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cgi-bin \ /MachineInfo \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [wais \ .pl \ ] " ] ,
[ 'http-url-parsed' , " .* \ /admin \ .pl.* " ] ,
[ 'http-url-parsed' , " .* \ /edit \ .pl " ] ,
[ 'http-url-parsed' , " .* \ /files \ .pl " ] ,
[ 'http-url-parsed' , " .* \ /maillist \ .pl " ] ,
[ 'http-url-parsed' , " .* \ /rwwwshell \ .pl " ] ,
[ 'http-url-parsed' , " .* \ /upload \ .pl " ] ,
[ 'http-url-parsed' , " .* \ /wwwadmin \ .pl.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfappman \ /(index \ .cfm)? \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [cfdocs \ /cfmlsyntaxcheck \ .cfm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfdocs \ /exampleapp \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfdocs \ /examples \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfdocs \ /snippets \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfide \ /administrator \ /startstop \ .html \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ ? \ [DeleteDocument \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ ? \ [EditDocument \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /(catalog|domcfg|domlog|names|log) \ .nsf \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /_vti_(bin|pvt) \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfgwiz \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /admcgi \ /contents \ .htm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /Fpadmcgi \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [admisapi \ /fpadmin \ .htm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /fp(remadm|srvadm) \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /author \ .dll \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /msdac \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /proxy \ /w3proxy \ .dll \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ .cnf \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /_mem_bin \ / \ ].* " ] ,
[ 'http-url-parsed' , " \ [ \ /msadc \ /samples \ /adctest \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /Form_JScript \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /cpshost \ .dll \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [&del \ /s c: \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /ServerVariables_Jscript \ .asp \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /scripts \ /tools \ /getdrvr?s \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [global \ .asa \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /perl \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /scripts \ /postinfo \ .asp.* " ] ,
[ 'http-url-parsed' , " .* \ /samples \ /search \ /queryhit \ .htm.* " ] ,
[ 'http-url-parsed' , " .* \ [readme \ .eml \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /repost \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /scripts \ / \ X20 \ X.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /SiteServer \ /Publishing \ /viewcode \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /Sites \ /(Samples \ /)?Knowledge \ /Membership \ /Inspired(tutorial)? \ /ViewCode \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /Sites \ /Samples \ /Knowledge \ /(Push|Search) \ /ViewCode \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /site \ /iisamples \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /srchadm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /samples \ /isapi \ /srch \ .htm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /SWEditServlet \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /viewcode \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /scripts \ /((samples \ /search)|srchadm) \ /webhits \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /backup( \ /.*)? " ] ,
[ 'http-url-parsed' , " .* \ [ \ /intranet \ / \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /htgrep.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ / \ ?PageServices \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /nph-publish " ] ,
[ 'http-request' , " \ [GETPROPERTIES \ ] \ X20 \ X.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /PSUser \ /PSCOErrPage \ .htm \ ? \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /dsgw \ /bin \ /search \ ?.*context=.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cgi-dos \ /args \ .bat \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /ping \ ?.*query=.* " ] ,
[ 'http-url-parsed' , " .* \ /ews \ /architext_query \ .pl.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /dcforum \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /sendform \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /sendmessage \ .cgi \ ] " ] ,
[ 'http-header' , " .*User-Agent: Webtrends Security Analyzer.* " ] ,
[ 'http-url-parsed-param' , " .* \ ?.* \ [PHP_AUTH_USER=boogieman \ ].* " ] ,
[ 'http-url-parsed' , " .* \ /code \ .php3.* " ] ,
[ 'http-url-parsed' , " .* \ /violation \ .php3.* " ] ,
[ 'line' , " .* \ [directory listing of \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /contextAdmin \ /contextAdmin \ .html \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /ls.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /ls.* \ |.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /ps.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /bash.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /cc.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /chgrp.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /chmod.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /chown.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /chsh.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /cpp.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /csh.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /echo.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /g \ + \ +.* " ] ,
[ 'http-url-parsed-param' , " .* \ /bin \ /gcc.* " ] ,
[ 'http-url-parsed-param' , " .* \ /s?bin \ /id(( \040 |%20|>| \ |).*)? " ] ,
[ 'http-url-parsed' , " .* \ /~root( \ /.*)? " ] ,
[ 'http-url-parsed-param' , " .* \ /etc \ /inetd \ .conf.* " ] ,
[ 'http-url-parsed-param' , " .* \ /etc \ /motd.* " ] ,
[ 'http-url-parsed-param' , " .* \ /etc \ /shadow.* " ] ,
[ 'http-url-parsed' , " .* \ /args \ .bat.* " ] ,
[ 'http-url-parsed' , " .* \ /args \ .cmd.* " ] ,
[ 'http-url-parsed-param' , " .* \ [cd \ ] \ X20 \ X \ . \ . " ] ,
[ 'http-url-parsed-param' , " .* \ [tftp \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [nc \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [net localgroup administrators \ /add \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [perl \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [rcmd \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [telnet \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /ws_ftp \ .ini \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [wsh \ .exe \ ].* " ] ,
[ 'http-url-parsed' , " \ [ \ /cybercop \ ].* " ] ,
[ 'http-url' , " .* \ /nessus_is_probing_you_ " ] ,
[ 'http-url-parsed' , " .* \ /(b?a|k|ch?|z|tc|rk?|pdk|sa|ad)?sh " ] ,
[ 'http-url-parsed' , " \ / \ [scripts \ /samples \ /search \ ] \ /[^ \00 ]+ \ .(idq|exe) " ] ,
[ 'http-url-parsed' , " .* \ / \ [newdsn \ .exe \ ] " ] ,
[ 'http-url-parsed' , " .* \ . \ [htw \ ] " ] ,
[ 'http-url-parsed' , " .* \ /(r|w) \ [guest \ .exe \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [alibaba \ .pl \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [FormHandler \ .cgi \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [test \ .cgi \ ] " ] ,
[ 'http-header-user-agent' , " VoidEYE CGI security scanner " ] ,
[ 'http-url-parsed' , " .* \ / \ [win-c-sample \ .exe \ ] " ] ,
[ 'http-url-parsed' , " .* \ / \ [search97 \ .vts \ ] " ] ,
[ 'ftp-command' , " \ [mkd \ ] " ] ,
[ 'line' , " MKD \ ..* " ] ,
[ 'packet' , " \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e \x2e .* " ] ,
[ 'http-url-parsed' , " .* \ [AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \ .cfm \ ].* " ] ,
[ 'packet' , " .* \x0A help \x0A quit \x0A .* " ] ,
[ 'packet' , " ............ \x01 .* " ] ,
[ 'packet' , " .... \xFF \xFF .* " ] ,
[ 'stream' , " .*YMSG.. \x00 \x00 .. \x00 \x06 .* " ] ,
[ 'stream' , " .* \ [nick \ ].* " ] ,
[ 'stream' , " YMSG.. \x00 \x00 \x00 ..(W|L).* " ] ,
[ 'msn-message' , " .*text \ /plain.* " ] ,
[ 'packet' , " VER [0-9]+ (MSNP[0-9]+ )+CVR0 \015 \012 " ] ,
[ 'packet' , " CAL [0-9]+ .* " ] ,
[ 'packet' , " RNG [0-9]+ ([0-9]+ \ .)+[0-9]+:1863 CKI.* " ] ,
[ 'stream' , " .* \x2a \x02 .... \x00 \x01 \x00 \x02 .* " ] ,
[ 'stream' , " .* \x2a \x02 .... \x00 \x01 \x00 \x03 .* " ] ,
[ 'stream' , " .* \x2a \x02 .... \x00 \x04 \x00 \x06 .* " ] ,
[ 'stream' , " .* \x2a \x02 .... \x00 \x04 \x00 \x07 .* " ] ,
[ 'stream' , " .* \x2a \x04 .. \x00 \x00 .* " ] ,
[ 'stream' , " OFT2.*OFT_Windows ICBMFT V1.1 32.* " ] ,
[ 'stream' , " .*Server: AIM HTTP \ /1 \ .0 \ (aim_http_proxy \ ) \x0d \x0a .* " ] ,
[ 'packet' , " \x00 \x01 .* " ] ,
[ 'line' , " 550 .* \ [user unknown \ ].* " ] ,
[ 'smtp-banner' , " .*MERCUR SMTP-Server \ (v([0-2]|(3 \ .[0-2])).* " ] ,
[ 'smtp-banner' , " .*MERCUR SMTP-Server \ (v((3 \ .([3-9]|([0-2][0-9])))|(4 \ .[0-2][^0-9])).* " ] ,
[ 'smtp-banner' , " .*CMailServer ([0-4]|5 \ .([0-1]|2)[^0-9]).* " ] ,
[ 'smtp-command-line' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'smtp-from' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'smtp-rcpt' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'stream' , " \ [quit \ ].* " ] ,
[ 'smtp-mime-content-name' , " .* \ . \ [zip \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [(w|e)mf \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [zip \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [hta \ ] " ] ,
[ 'smb-calling-name' , " \ [localhost \ ] \x20 \x20 \x20 \x20 \x20 \x20 \x20 " ] ,
[ 'smb-open-filename' , " .* \ . \000 ? \ [z \000 ?i \000 ?p \000 ? \ ] " ] ,
[ 'stream' , " .*ftp:.* " ] ,
[ 'stream' , " .* \x07 \x61 \x75 \x74 \x68 \x6f \x72 \x73 \x04 \x62 \x69 \x6e \x64 \x00 \x00 \x10 \x00 \x03 .* " ] ,
[ 'packet' , " .* \x07 \ [version \ ] \x04 \ [bind \ ] \x00 .* " ] ,
[ 'packet' , " Server is online " ] ,
[ 'stream' , " (get[A-z]+|scrnsav).* " ] ,
[ 'packet' , " [A-z]: \\ .* " ] ,
[ 'http-status' , " Desconectado Web Serve CT.* " ] ,
[ 'stream' , " .*@.*@.* " ] ,
[ 'finger-user' , " search.* " ] ,
[ 'stream' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'finger-user' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'packet' , " \x00 \x00 \x07 \xa2 \x08 \x12 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'http-request' , " PROPFIND \ /.* " ] ,
[ 'http-request' , " HEAD \ /~root.* " ] ,
[ 'http-request' , " (GET|POST) \ / \ / HTTP \ /1 \ .0 " ] ,
[ 'http-request' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header-accept' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header-content-encoding' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header-content-language' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-header-content-location' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \032 ]|[ \034 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'http-url-parsed-param' , " .*%1u%1u.* " ] ,
[ 'http-url' , " ([ \001 - \045 ]|[ \047 - \076 ]|[ \010 0- \037 7])* \ [%2Easp \ ].* " ] ,
[ 'http-url-parsed' , " \ [ \ /scripts \ /iisadmin \ ].* " ] ,
[ 'http-url-parsed-param' , " \ / \ [iissamples \ ] \ /[^ \077 ]* \ / \ [codebrws \ .asp \ ] \ ?[^ \000 ]* \ [source= \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /bdir \ .htr \ ].* " ] ,
[ 'http-url-parsed-param' , " \ / \ [ms(adc|dac) \ /Samples \ /SELECTOR \ /showcode \ .asp \ ] \ ?[^ ]* \ [source \ ]=.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ # filename=( \" |')? \ .(asp|exe)( \" |')? \ ].* " ] ,
[ 'http-header' , " .* \ [xp_enumdsn \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /search \ /(advsearch|query|search) \ .asp \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [xp_filelist \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ . \ [htw \ ?.*CiWebHitsFile= \ ][^&]+ \ . \ [asp \ ].* " ] ,
[ 'http-url-parsed' , " .*( \x20 )+ \ . \ [htr \ ].* " ] ,
[ 'http-header' , " .* \ [xp_regread \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [_vti_bin \ /_vti_aut \ /fp30reg.dll?.*<script.*> \ ].* " ] ,
[ 'http-url-parsed-param' , " \ [ \ /iissamples \ /sdk \ /asp \ /docs \ /CodeBrws \ .asp \ ?.*Source= \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [iissamples \ ] \ /.* " ] ,
[ 'http-header' , " \ [Translate: *f \ ] " ] ,
[ 'http-url-parsed-param' , " \ /xxxiischeckxxx " ] ,
[ 'http-url-parsed' , " \ [ \ /msadc \ /msadcs.dll \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [SQLQHit \ .asp \ ?CiColumns \ ]= \ *&CiScope=(webinfo|extended_fileinfo|extended_webinfo|fileinfo).* " ] ,
[ 'http-url-parsed-param' , " \ / \ [level \ ] \ /(1[6-9]|[2-9][0-9]) \ / \ [exec \ ] \ /.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /_vti_pvt \ /(authors|users) \ .pwd \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /_private \ /(orders|register|registrations|form_results) \ .(htm|txt) \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /_vti_bin \ /shtml \ .(dll|exe) \ /.* \ .(html|htm|asp|shtml) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /etc \ /passwd.* " ] ,
[ 'http-url-parsed-param' , " .* \ /etc \ /hosts \ .allow.* " ] ,
[ 'http-url-parsed' , " .* \ / \ .nsconfig " ] ,
[ 'http-url' , " (( \\ |%5 \ [c \ ])+)? \ [cgi-bin \ ].* " ] ,
[ 'http-url-parsed' , " \ [ \ /portal \ /diag \ ] \ /? " ] ,
[ 'http-url-parsed-param' , " .* \ [win \ .ini \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [chat \ ] \ /!( \ [pwds \ ]| \ [nicks \ ]) \ . \ [txt \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [cutenews \ ] \ / \ [index \ .php \ ] \ ? \ [debug \ ] " ] ,
[ 'http-url-parsed' , " .* \ . \ [chm \ ] " ] ,
[ 'http-request' , " \ [INDEX \ ] \ / HTTP \ /1 \ .0.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-verify-link " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-cs-dump " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-ver-info " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-ver-diff " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-start-ver " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-stop-ver " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-uncheckout " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-html-rend " ] ,
[ 'http-url-parsed-param' , " .* \ / \ ?wp-usr-prop " ] ,
[ 'stream' , " .*GET \ /%3CSCRIPT%3Ealert%28document%3EURL%29%3C \ /SCRIPT%3E \ /.* " ] ,
[ 'http-header-referer' , " .*< \ /? \ [(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META) \ ][^>]*>.* " ] ,
[ 'http-url-parsed-param' , " .* \ [compte \ .php \ ?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20 \ ]''='.* " ] ,
[ 'http-url-parsed' , " .* \ /(config|orders) \ /(check|import) \ .txt " ] ,
[ 'http-url-parsed-param' , " \ /* \ [ \ /carbo \ .dll \ ?.*icatcommand= \ /? \ . \ . \ / \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ ? \ ? \ ? \ ? \ ? \ ? \ ?.* " ] ,
[ 'http-url-parsed' , " .* \ [ \ .html \ / \ . \ . \ . \ . \ . \ . \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [tuxadm \ .exe \ ] \ ?[^ \012 ]*INIFILE=.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /webplus \ .exe \ ?about \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /webplus \ .exe \ ?.*script= \ ][^&]+ \ . \ [wml:: \ $DATA \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfide \ /administrator \ /(index.cfm)? \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [application \ .cfm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cfcache \ .map \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [getfile \ .cfm \ ?.*FilePath=([a-z]:| \ /? \ . \ . \ /) \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [onrequestend \ .cfm \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [; \ .jsp \ ] " ] ,
[ 'http-text-html' , " .*body {.*font-size: [1-9][0-9][0-9][0-9][0-9][0-9][0-9]px;.*}.* " ] ,
[ 'stream' , " .* \x46 \x57 \x53 \x04 \x4e \x00 \x00 \x00 \x78 \x00 \x05 \x5f \x00 \x00 \x0f \xa0 \x00 \x00 \x0c \x01 \x00 \x43 \x02 \xff \xff \xff \xa7 \x00 \x01 \x00 \x70 \x7d \x09 \xc4 \x07 \xd0 \x9c \x40 \x01 \x00 \xff \x00 \x00 \x01 \x14 \x00 \x00 \x00 \x00 \x11 \x35 \xc9 \xc4 \x07 \xd1 \xf6 \xbe \x83 \xb2 \x0c \x1d \xb0 \x60 \xec .* " ] ,
[ 'http-text-html' , " .*<object id=objSWF33 classid= \" clsid:d27cdb6e-ae6d-11cf-96b8-444553540000 \" .*<param name= \" src \" value= \" \ [([a-z]|[0-9])+ \ .php \ ] \" > " ] ,
[ 'stream' , " \x4f \x4b \x0d \x0a \x0d \x0a \x39 \x2e \x39 \x39 \x0d \x0a \x0d \x0a .* " ] ,
[ 'http-text-html' , " .*< \ [img \ ][^>]* \ [width \ ][ ]*=[ ]*('| \" )?[2-3][0-9][0-9][0-9][0-9]('| \" )*[^<]* \ [height \ ][ ]*=[ ]*('| \" )?[1-9][0-9][0-9][0-9][0-9][0-9]+.* " ] ,
[ 'http-text-html' , " .*< \ [IMG \ ][^>]+ \ [src \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')?( | \x09 | \x0A )*::( \" |')?[^>]+onError( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')?( | \x09 | \x0A )*this \ .src=('| \" )?::('| \" )?;('| \" )?[^>]*>.* " ] ,
[ 'http-text-html' , " .* \ [<iframe src= \" ?.* \ .scm \" ?.*mhtml:file: \ / \ / \ /C: \ /Program%20Files \ /ICQ \ /Sounds \ /.*!file: \ / \ / \ / \ ].* " ] ,
[ 'http-text-html' , " .*< \ [iframe \ ][^>]+ \ [src \ ]( | \012 | \011 )*=( | \012 | \011 )*( \" |')?.* \ . \ [jnlp \ ]( \" |')?.* \ [mhtml:file: \ / \ / \ /C: \ /Program%20Files \ /Java%20Web%20Start \ / \ .javaws \ /cache \ /http \ / \ ][^>]*! \ [file \ ]: \ / \ / \ /.* " ] ,
[ 'http-text-html' , " .* \ [<iframe src= \" ?.* \ .wsz \" ?.*mhtml:file: \ / \ / \ /C: \ /Program%20Files \ /Winamp \ /Skins.*!file: \ / \ / \ / \ ].* " ] ,
[ 'http-text-html' , " .* \ [ftp: \ / \ / \" ><script> \ ].* " ] ,
[ 'http-text-html' , " .*< \ [script>.*'<' \ +'script>.*< \ /'+'script>'.*< \ /script \ ]>.* " ] ,
[ 'http-text-html' , " .*< \ [img \ ][^>]* \ [src \ ]=( | \x09 | \x0A )*( \" |')? \ [gopher \ ]: \ / \ /[^ \ /]+ \ /[^%]*%09 0[^>]*>.* " ] ,
[ 'stream' , " .* \ +ABSTRACT: \x0d \x0a .* \x68 \x5e \x56 \xc3 \x90 \x54 \x59 \xff \xd1 \x58 \x33 \xc9 \xb1 \x1c \x90 \x90 \x90 \x90 \x03 \xf1 \x56 \x5f \x33 \xc9 \x66 \xb9 \x95 \x04 \x90 \x90 \x90 \xac \x34 \x99 \xaa \xe2 \xfa \x71 \x99 \x99 \x99 \x99 \xc4 \x18 \x74 \x40 \xb8 \xd9 \x99 \x14 \x2c \x6b \xbd \xd9 \x99 \x14 \x24 \x63 \xbd \xd9 \x99 \xf3 \x9e \x09 \x09 \x09 \x09 \xc0 \x71 \x4b \x9b \x99 \x99 \x14 \x2c \xb3 \xbc \xd9 \x99 \x14 \x24 \xaa \xbc \xd9 \x99 \xf3 \x93 \x09 \x09 \x09 \x09 \xc0 \x71 \x23 \x9b \x99 \x99 \xf3 \x99 \x14 \x2c \x40 \xbc \xd9 \x99 \xcf \x14 \x2c \x7c \xbc \xd9 \x99 \xcf \x14 \x2c .* " ] ,
[ 'http-text-html' , " .*http: \ / \ /toolbar \ .google \ .com \ /command \ ?script= \ [document \ .body \ .insertAdjacentHTML \ ] \ (.*<object[^>]*codebase=c: \ /.* " ] ,
[ 'http-text-html' , " .*http: \ / \ /toolbar \ .google \ .com \ /command \ ?script= \ [document.body.insertAdjacentHTML \ ] \ (.*<iframe id= \ [oFileRead \ ] src=file: \ / \ /.* " ] ,
[ 'stream' , " .* \xff \xfe \x3c \x00 \x65 \x00 \x6d \x00 \x62 \x00 \x65 \x00 \x64 \x00 \x0d \x00 \x73 \x00 \x72 \x00 \x63 \x00 \x3d \x00 \x22 \x00 \x68 \x00 \x74 \x00 \x74 \x00 .* " ] ,
[ 'http-text-html' , " .*hcp: \ / \ /system \ /DFS( \ /| \\ )uplddrvinfo \ .htm \ ?file: \ / \ /.* " ] ,
[ 'http-text-html' , " .*oVuln \ .NavigateAndFind \ ( \" javascript:alert \ (document \ .cookie \ ) \" , \" \" , \" \" \ );.* " ] ,
[ 'http-text-html' , " .*alert \ (fVuln \ ( \" ElementIdInNewDoc \" \ ) \ .document \ .cookie \ );.* " ] ,
[ 'http-text-html' , " .*fVuln \ ( \" javascript:alert \ (dialogArguments \ .document \ .cookie \ ) \" ,oWin, \" \" \ );.* " ] ,
[ 'http-text-html' , " .* \ .pasteHTML \ ([^>]*javascript:alert \ (document \ .cookie \ ).* " ] ,
[ 'http-text-html' , " .*alert \ (oVuln \ .getData \ ( \" text \" \ ) \ ); or oVuln \ .setData \ ( \" text \" , \" data \" \ );.* " ] ,
[ 'http-text-html' , " .*replace \ ('mk:@MSITStore:C:'.* " ] ,
[ 'http-text-html' , " .*< \ [frameset \ ][^>]* \ [cols \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')?( | \x09 | \x0A )*[^>]*, \ *, \ *, \ *, \ *, \ *, \ *, \ *, \ *, \ *.* " ] ,
[ 'http-text-html' , " .*< \ [object \ ][^>]* \ [type \ ]= \" \x5b \xb8 \xff \xff \xff \x99 \x35 \x4f \xfb \xea \x99 \x40 \x81 \x38 \x78 \x56 \x34 \x12 \x75 \xf7 \x83 \xc0 \x04 \xff \xd0 \x2f \x2f \x2f .* " ] ,
[ 'http-text-html' , " .* \ .write \ ( \" [^ \012 ]*< \ [HR \ ] [^>]* \ [align \ ]='? \" .* " ] ,
[ 'http-text-html' , " .* \ . \ [location \ .href \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |') \ [javascript \ ]:[^;]*< \ [script \ ]>.* " ] ,
[ 'http-text-html' , " .*< \ [a href \ ]= \042 \ [http \ ]: \ / \ /[^>]+ \ .[^>]+( \x00 \x00 |%00%00)[^>]+>.* " ] ,
[ 'http-text-html' , " .*= \s + \ [window \ .screen(left|top \ ])-.* " ] ,
[ 'http-text-html' , " .*< \ [SCRIPT \ ][^>]+(( \ [LANGUAGE \ ] \s *= \s *( \042 | \047 )? \ [XML \ ][^>]+ \ [SRC \ ] \s *=)|( \ [SRC \ ] \s *=[^>]+ \ [LANGUAGE \ ] \s *= \s *( \042 | \047 )? \ [XML \ ]))[^>]*>.* " ] ,
[ 'http-url-parsed' , " .* \ .idc " ] ,
[ 'http-status' , " .*403 Forbidden.* " ] ,
[ 'http-text-html' , " .*<[^>]*=( \047 | \042 )? \ [disk(s)? \ ]: \ / \ /[^>]* \ . \ [dmg \ ][^>]*>.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /ad \ .cgi \ ?(value|file)= \ /? \ . \ . \ / \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /windmail \ .exe \ ?%20-n \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [cgi-bin \ /htmlscript \ ]( \ ?| \ /) \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /search \ .pl \ ?.*form=.*%00 \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /quikstore \ .cfg \ ] " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-bin \ /sojourn \ .cgi \ ] \ ?[^ \012 ]* \ [cat \ ]=[^&]* \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [store \ .cgi \ ] \ ?[^ \012 ]* \ [(product|StartID) \ ]=.* \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [cgi-bin \ ][^ \077 ]* \ [ \ /(ftp \ /)?ftp \ .pl \ ? \ ][^ \000 ]* \ [dir \ ]= \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /way-board \ .cgi \ ?.*db=.*%00 \ ] " ] ,
[ 'http-url-parsed' , " .* \ /AT-admin \ .cgi.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /web_store \ .cgi \ ] \ ?[^?]* \ [page= \ /? \ . \ . \ / \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [faxsurvey( \ ?| \ /)( \ /| \ . \ .)+(bin|etc) \ ].* " ] ,
[ 'http-url-parsed-param' , " .*(Count \ .cgi|Count \ .exe) \ ?user=a%90%BF8%EE%FF%BF8.* " ] ,
[ 'http-url-parsed-param' , " .* \ [newsadmin \ /upload \ .php \ ?.*userinfo..*=hop&.*userinfo..*=100 \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [admin \ .php \ ?.*en_log_id=0&.*action=(users|config) \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /ip \ .txt \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [admin \ .php4 \ ?.*reg_login=1 \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [admin \ /admin_phpinfo \ .php4 \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [viewimg \ .php \ ?.*path=viewimg \ .php&.*form=1&.*var=1 \ ].* " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ /rwcgi60( \ /| \ /showenv)? " ] ,
[ 'http-url' , " .*cgi-bin \ /redir \ .exe \ ? \ [URL=http(: \ / \ /|%3A%2F%2F).*%0D%0A%0D%0A%3CSCRIPT%3E \ ].* " ] ,
[ 'http-url-parsed' , " \ /cgi-isapi \ /..* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [cgi-bin \ /texis \ .exe \ ][^ ](-dump|-version).* " ] ,
[ 'http-url-parsed' , " .* \ / \ [(formmail|contact|mailform|mail|fmail|feedback|cgie?mail|sender|ezformml|mailer)( \ .(cgi|pl|exe))? \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [test-cgi \ ] \ / \052 * \ ?[^ \00 ]* \052 .* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [mlog \ .phtml \ ] \ ? \ [screen \ ]= \ /.* " ] ,
[ 'http-url-parsed' , " .* \ /cgi-bin \ /dumpenv \ .pl " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [sendtemp \ .pl \ ] \ ?.* \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [command=X&type= \" ; \ ].* " ] ,
[ 'http-url-parsed-param' , " \ /userprefs \ .cgi \ ?Bugzilla_login=[^&]+&Bugzilla_password=[^&]+&bank=footer&dosave=1&mybugslink=1%27%20%2cgroupset=%279223372036854775807 " ] ,
[ 'http-url-parsed-param' , " .*editproducts \ .cgi \ ?Bugzilla_login=[^&]&Bugzilla_password=[^&]&version=unspecified&product=[^&]+&action=new " ] ,
[ 'http-url-parsed' , " \ /mail \ /[^ ]+ \ .nsf " ] ,
[ 'http-url' , " \ / \ .nsf \ / \ . \ . \ /[^ ]* " ] ,
[ 'http-url-parsed-param' , " .* \ ?[^ ]* \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " .* \ .www_?acl " ] ,
[ 'http-header' , " .* \ [xp_availablemedia \ ].* " ] ,
[ 'http-url' , " \ / \ . \ . \ . \ .? \ .?.* " ] ,
[ 'http-url-parsed-param' , " .* \ . \ [php \ ] \ ?xoopsOption=.* " ] ,
[ 'http-url-parsed' , " \ /user_settings? \ .cfg " ] ,
[ 'http-url-parsed' , " .* \ [(lpt|com)[0-9] \ .xtp \ ] " ] ,
[ 'http-url-parsed' , " .*dscgi \ /ds \ .py \ /ApplyUpload \ /Collection-10.* " ] ,
[ 'stream' , " .*( \ [GET \ ]| \ [POST \ ])[^ \011 ]+ \ / \ [cgi-bin \ / \ .cobalt \ /alert \ /service \ .cgi \ ] \ ?[^ \011 ]* \ [service= \ ](<|%3C).* " ] ,
[ 'http-url-parsed-param' , " .* \ /include \ /(oci8|postgres65|mysql|mysql7|msql) \ .php \ ?.*inc_dir=http: \ / \ /.*&ext=txt.* " ] ,
[ 'http-url-parsed-param' , " .* \ /include \ /postgres \ .php \ ?.*inc_dir=http: \ / \ /.*&ext=txt.* " ] ,
[ 'http-url-parsed-param' , " .* \ /user \ /(agora_user|ldap_example) \ .php \ ?.*inc_dir=http: \ / \ /.*&ext=txt.* " ] ,
[ 'http-url-parsed-param' , " .* \ /doc \ /admin \ /(index|help[0-9]+) \ .php \ ?ptinclude=http: \ / \ /.* " ] ,
[ 'http-url' , " .* \ .php< \ ?.* " ] ,
[ 'http-url-parsed-param' , " .* \ /( \ [(index|inc \ .lib|inc \ .cp) \ .php \ ] \ ?[^ ]* \ [sfx \ ]=| \ [lib \ /(comment|weblog) \ .add \ .php \ ]) " ] ,
[ 'http-url-parsed' , " \ /modules \ /(Downloads \ /voteinclude|Your_Account \ /navbar|Forums \ /(attachment|auth)|News \ /comments|Web_Links \ /voteinclude|WebMail \ /contactbook) \ .php.* " ] ,
[ 'http-url-parsed' , " \ /modules \ /Private_Messages \ /(functions|index|read|reply) \ .php.* " ] ,
[ 'http-header-user-agent' , " Mozzarella \ /1 \ .37 \ + \ +.* " ] ,
[ 'http-url-parsed' , " .* \ . \ [hts \ ] \ . " ] ,
[ 'ftp-password' , " \ + " ] ,
[ 'ftp-password' , " blueskies " ] ,
[ 'line' , " STOR.*space \ .asp.* " ] ,
[ 'stream' , " .*USER private \r \n PASS # \x0d \x0a .* " ] ,
[ 'ftp-username' , " (lp|nuucp|EZsetup|demos|OutOfBox|guest|4Dgifts) " ] ,
[ 'stream' , " .* \ [password required. but none set \ ].* " ] ,
[ 'packet' , " .* \x00 \x00 \x00 \x00 .... \x00 \x01 \x86 \xa0 .... \x00 \x00 \x00 \x04 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'stream' , " .* \ [SELECT +(UserName| \ *) +FROM +ALL_USERS \ ].* " ] ,
[ 'packet' , " \x0A .* " ] ,
[ 'stream' , " .* \ [s \00 p \00 _ \00 (a \00 d \00 d \00 _ \00 j \00 o \00 b|a \00 d \00 d \00 _ \00 j \00 o \00 b \00 s \00 t \00 e \00 p|a \00 d \00 d \00 _ \00 j \00 o \00 b \00 s \00 e \00 r \00 v \00 e \00 r|s \00 t \00 a \00 r \00 t \00 _ \00 j \00 o \00 b) \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [explorer \ .doc \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [explorer \ .doc \ ]| \ [resume1 \ .doc \ ]| \ [normal \ .dot \ ] " ] ,
[ 'stream' , " .* \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x02 \x00 \x01 \x86 \xa5 \x00 \x00 \x00 ( \x01 | \x02 | \x03 ) \x00 \x00 \x00 ( \x02 | \x05 | \x06 ).* " ] ,
[ 'packet' , " .* \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x02 \x00 \x01 \x86 \xa5 \x00 \x00 \x00 ( \x01 | \x02 | \x03 ) \x00 \x00 \x00 ( \x02 | \x05 | \x06 ).* " ] ,
[ 'stream' , " .*< \ [iframe \ ][^>]* \ [src= \ ][^>]+ \ . \ [exe \ ][^>]*>.* " ] ,
[ 'stream' , " .* \ .write \ (( \" |')< \ [HR align \ ]=.* " ] ,
[ 'pop3-command-line' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [zip \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [bas \ ] \" .* " ] ,
[ 'stream' , " .*< \ [iframe \ ][^>]* \ [src= \ ][^>]+ \ . \ [exe \ ][^>]*>.* " ] ,
[ 'packet' , " \r \n " ] ,
[ 'stream' , " ........[ \000 1- \037 7][ \000 0- \037 7].* " ] ,
[ 'stream' , " VERS[ ]*.* " ] ,
[ 'smb-open-filename' , " \ [ \013 4( \000 )?S( \000 )?A( \000 )?M( \000 )?R( \000 )? \ ] " ] ,
[ 'ftp-password' , " -saint.* " ] ,
[ 'smtp-from' , " .*nessus.* " ] ,
[ 'stream' , " .*can't hide from me.* " ] ,
[ 'ftp-password' , " retina@example.org " ] ,
[ 'smtp-from' , " <(cis|scan)@cerberus.* " ] ,
[ 'ftp-password' , " -iss@iss " ] ,
[ 'ftp-password' , " -satan.* " ] ,
[ 'ftp-password' , " ddd@ " ] ,
[ 'http-url-parsed' , " .* \ / \ [cgi-bin \ /test-cgi \ ].* " ] ,
[ 'http-url-parsed' , " \ / \ [server-info \ ] " ] ,
[ 'http-url' , " \ / \ [server%20logfile \ ] " ] ,
[ 'ftp-pathname' , " .* \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 .* " ] ,
[ 'ftp-pathname' , " .* \x31 \xdb \x89 \xd8 \xb0 \x17 \xcd \x80 \xeb \x2c .* " ] ,
[ 'ftp-pathname' , " .* \x90 \x31 \xC0 \x99 \x52 \x52 \xB0 \x17 \xCD \x80 \x68 \xCC \x73 \x68 .* " ] ,
[ 'ftp-pathname' , " .* \x90 \x90 \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 \x31 \xc0 \x31 \xdb \xb0 \x2e \xcd \x80 \xeb \x4f \x31 \xc0 \x31 \xc9 \x5e \xb0 \x27 \x8d \x5e \x05 \xfe \xc5 \xb1 \xed \xcd \x80 \x31 \xc0 \x8d \x5e \x05 \xb0 \x3d \xcd \x80 \x31 \xc0 \xbb \xd2 \xd1 \xd0 \xff \xff \xf7 \xdb \x31 \xc9 \xb1 \x10 \x56 \x01 \xce \x89 \x1e \x83 \xc6 \x03 \xe0 \xf9 \x5e \xb0 \x3d \x8d \x5e \x10 \xcd \x80 \x31 \xc0 \x88 \x46 \x07 \x89 \x76 \x08 \x89 \x46 \x0c \xb0 \x0b \x89 \xf3 \x8d \x4e \x08 \x8d \x56 \x0c \xcd \x80 \xe8 \xac \xff \xff \xff .* " ] ,
[ 'ftp-pathname' , " aaaa \x01 \x88 \x5f \x01 \x01 \x87 \xe5 \xca %u%u%u%u%u.* " ] ,
[ 'ftp-command' , " .* \x31 \xdb \x89 \xd8 \xb0 \x17 \xcd \x80 \xeb \x66 \x5e \x89 \xf3 \x80 \xc3 \x0f \x39 \xf3 \x7c \x07 \x80 \x2b \x02 \xfe \xcb \xeb \xf5 \x31 \xc0 \x88 \x46 \x01 \x88 \x46 \x08 \x88 \x46 \x10 \x8d \x5e \x07 \xb0 \x0c \xcd \x80 \x8d \x1e \x31 \xc9 \xb0 \x27 \xcd \x80 \x31 \xc0 \xb0 \x3d \xcd \x80 \x31 \xc0 \x8d \x5e \x02 \xb0 \x0c \xcd \x80 \x31 \xc0 \x88 \x46 \x03 \x8d \x5e \x02 \xb0 \x3d \xcd \x80 \x89 \xf3 \x80 \xc3 .* " ] ,
[ 'ftp-pathname' , " .* \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 \x31 \xc0 .* " ] ,
[ 'ftp-pathname' , " .* \x41 \x41 \x29 \xc0 \x50 \xb0 \x17 \x50 \xcd \x80 \x29 \xc0 \x50 \xbf \x66 \x69 \x73 \x68 .* " ] ,
[ 'ftp-pathname' , " \x41 \x2a \x2f \x2e \x2e \x2f \x41 \x2a \x2f \x2e \x2e \x2f \x41 \x2a \x2f .* " ] ,
[ 'ftp-pathname' , " .* \x80 \xe8 \xc5 \xff \xff \xff \xff \xff \xff \x30 \x64 \x65 \x76 \x30 \x63 \x64 .* " ] ,
[ 'ftp-pathname' , " .* \xe8 \x97 \xff \xff \xff \xff \xff \xff \x45 \x45 \x32 \x32 \x33 \x32 \x32 \x33 .* " ] ,
[ 'ftp-password' , " fts \ @undernet.org " ] ,
[ 'ftp-password' , " -cklaus.* " ] ,
[ 'smtp-command-line' , " \ [vrfy \ ] netect-.* " ] ,
[ 'packet' , " .* \x00 \x00 \x00 \x60 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x00 \x00 .* " ] ,
[ 'stream' , " .*SSH_Version_Mapper.* " ] ,
[ 'stream' , " .* \x0A .* " ] ,
[ 'finger-host' , " localhost " ] ,
[ 'packet' , " .*AAAAAAAAAAAAAAAA.* " ] ,
[ 'smtp-command-line' , " \ [ehlo cybercop \ ] " ] ,
[ 'smtp-command-line' , " \ [expn cybercop \ ] " ] ,
[ 'packet' , " .*cybercop.* " ] ,
[ 'ssh-header' , " USER AMAP " ] ,
[ 'http-request' , " USER AMAP " ] ,
[ 'pop3-user' , " AMAP " ] ,
[ 'ssh-header' , " GET \ / HTTP \ /1 \ .0 " ] ,
[ 'smtp-command-line' , " GET \ / HTTP \ /1 \ .0 " ] ,
[ 'ssh-header' , " \x80 \x80 \x01 \x03 \x01 \x00 \x57 \x00 \x00 \x00 \x20 \x00 \x00 \x16 \x00 \x00 \x13 \x00 \x00 " ] ,
[ 'smtp-command-line' , " \x80 \x80 \x01 \x03 \x01 \x00 \x57 \x00 \x00 \x00 \x20 \x00 \x00 \x16 \x00 \x00 \x13 \x00 \x00 " ] ,
[ 'http-request' , " \x80 \x80 \x01 \x03 \x01 \x00 \x57 \x00 \x00 \x00 \x20 \x00 \x00 \x16 \x00 \x00 \x13 \x00 \x00 " ] ,
[ 'ssh-header' , " \x00 \x00 \x01 \x06 \xff \xff \xff \xff " ] ,
[ 'smtp-command-line' , " \x00 \x00 \x01 \x06 \xff \xff \xff \xff " ] ,
[ 'http-request' , " \x00 \x00 \x01 \x06 \xff \xff \xff \xff " ] ,
[ 'packet' , " ............ \x0e .* " ] ,
[ 'packet' , " ....... \x08 \x00 \x0a .* " ] ,
[ 'packet' , " ....... \x2b .* " ] ,
[ 'packet' , " ....... \x11 .* " ] ,
[ 'line' , " 550 .* \ [relay access denied \ ].* " ] ,
[ 'line' , " 550 .* \ [relaying denied \ ].* " ] ,
[ 'line' , " 550 .* \ [relaying is prohibited \ ].* " ] ,
[ 'smtp-mime-content-filename' , " .* \ [[a-z] \ .[a-z] \ .[a-z] \ .[a-z] \ .([a-z] \ .?)* \ ] " ] ,
[ 'smtp-command-line' , " ( | \x09 )* \ [help \ ].* " ] ,
[ 'smtp-command-line' , " .* \ [BDAT \ ].* " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [crt \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [mdb \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [url \ ] " ] ,
[ 'smtp-header-line' , " \ [(Content-Type: )?multipart \ /mixed; boundary \ ]= \" \" .* " ] ,
[ 'smtp-header-from' , " .* \" \" \" \" \" \" @.* " ] ,
[ 'smtp-rcpt' , " [^@]+@[^ \040 ]+@[^@]+ " ] ,
[ 'dhcp-option' , " \x0c .*<.* " ] ,
[ 'stream' , " .*200 .*[0-9]+ (% \ [[a-z] \ ])+.* " ] ,
[ 'smb-open-filename' , " .* \ .( \00 )? \ [j( \00 )?o( \00 )?b \ ]( \00 )? " ] ,
[ 'smb-open-filename' , " .* \ [a( \000 )?u( \000 )?t( \000 )?o( \000 )?r( \000 )?u( \000 )?n( \000 )? \ .( \000 )?i( \000 )?n( \000 )?f( \000 )? \ ] " ] ,
[ 'smb-open-filename' , " \\ 00?w \00 ?i \00 ?n \00 ?r \00 ?e \00 ?g \00 ? " ] ,
[ 'stream' , " .* \xe9 \xac \x10 \x05 \xe8 \x97 \x6c \x8d \x46 \x88 \x94 \x61 \x08 \xd4 \x62 \xe8 \x94 \x61 \x45 \x6e \xb5 \x45 \xe8 \x9f \x3b \x90 \x00 \x0b \xa0 \x00 \x0b \x85 \x00 \x0c \xd8 \x05 \x08 \xd5 \xe2 \xb9 \xff \x10 \x0b \x82 \x70 \x00 \xcd \x80 \x8d \x5e \x2b \x83 \xd0 .* " ] ,
[ 'stream' , " .* \x40 \x00 \x2e \x10 \x00 \x90 \x3e \x0d \x59 \x21 \x02 \x00 \x82 \x10 \x20 \x59 \x1d \x02 \x00 \xa0 \x10 \x08 \x90 \x3e \x0c \xc9 \x21 \x02 \x1f \xf8 \x21 \x02 \x05 \x09 \x1d \x02 \x00 \x90 \x3e \x0c \xc8 \x21 \x02 \x03 \xd9 \x1d \x02 \x00 \x90 \x10 \x01 \x08 \x21 .* " ] ,
[ 'stream' , " .* \xe9 \xd4 \x10 \x05 \xe3 \x1c \x05 \x05 \x0b \x01 \x7c \xd8 \x03 \x1c \x05 \x05 \x05 \x65 \x0b \x05 \xcd \x80 \x89 \x46 \x28 \xb9 \xff \x10 \x05 \x18 \xd4 \x62 \x50 \x50 \xb8 \x88 \x00 \x0c \xd8 \x08 \xd4 \x62 \x50 \x50 \xb8 \x3d \x00 \x0c \xd8 \x08 \xb4 \x62 \x85 \x05 \x0b \x8a .* " ] ,
[ 'stream' , " .* \xe9 \x79 \x10 \x05 \xe5 \x0b \x82 \x00 \x0c \xd8 \x08 \x5c \x0f \x85 \xe6 \x00 \x08 \xd5 \x63 \x88 \x95 \x62 \x88 \xd4 \x64 \x08 \x94 \x62 \xc8 \xd4 \x64 \x38 \x94 \x63 \x08 \xd4 \x63 \x05 \x08 \xd4 \x62 \x85 \x05 \x25 \x0b \x83 \xb0 \x00 \xcd \x80 \x50 \x50 \xb8 \x10 \x00 .* " ] ,
[ 'stream' , " \xAB \xCD \x09 \x80 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x01 \x20 \x20 \x20 \x20 \x02 \x61 .* " ] ,
[ 'packet' , " .* \xAB \xCD \x09 \x80 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x01 \x20 \x20 \x20 \x20 \x02 \x61 .* " ] ,
[ 'packet' , " .* \xf9 \x53 \x51 \x56 \x56 \xeb \x10 \xe8 \xe0 \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \xf9 \x53 \x51 \x56 \x56 \xeb \x10 \xe8 \xe0 \xff \xff \xff \ /bin \ /.* " ] ,
[ 'packet' , " .* \xb0 \x3b \x53 \x53 \x56 \x56 \xeb \x10 \xe8 \xe5 \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \xb0 \x3b \x53 \x53 \x56 \x56 \xeb \x10 \xe8 \xe5 \xff \xff \xff \ /bin \ /.* " ] ,
[ 'packet' , " .* \xff \xff \ /bin \ /sh \ / \xff \x2d \x63 \xff .* " ] ,
[ 'stream' , " .* \xff \xff \ /bin \ /sh \ / \xff \x2d \x63 \xff .* " ] ,
[ 'packet' , " .* \x89 \xf7 \x29 \xc7 \x89 \xf3 \x89 \xf9 \x89 \xf2 \xac \x3c \xfe .* " ] ,
[ 'stream' , " .* \x89 \xf7 \x29 \xc7 \x89 \xf3 \x89 \xf9 \x89 \xf2 \xac \x3c \xfe .* " ] ,
[ 'packet' , " .* \xc7 \x06 \x2f \x62 \x69 \x6e \xc7 \x46 \x04 \x2f \x73 \x68 \x41 \x30 \xc0 \x88 \x46 \x07 \x89 \x76 \x0c \x8d \x56 \x10 \x8d \x4e .* " ] ,
[ 'stream' , " .* \xc7 \x06 \x2f \x62 \x69 \x6e \xc7 \x46 \x04 \x2f \x73 \x68 \x41 \x30 \xc0 \x88 \x46 \x07 \x89 \x76 \x0c \x8d \x56 \x10 \x8d \x4e .* " ] ,
[ 'packet' , " .* \xeb \x15 \x59 \x31 \xc0 \x31 \xdb \x31 \xd2 \xb0 \x04 \xb3 \x01 \xb2 \x50 \xcd \x80 \x31 \xc0 \xb0 \x01 \xcd \x80 \xe8 \xe6 .* " ] ,
[ 'stream' , " .* \xeb \x15 \x59 \x31 \xc0 \x31 \xdb \x31 \xd2 \xb0 \x04 \xb3 \x01 \xb2 \x50 \xcd \x80 \x31 \xc0 \xb0 \x01 \xcd \x80 \xe8 \xe6 .* " ] ,
[ 'packet' , " .* \xe8 . \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \xe8 . \xff \xff \xff \ /bin \ /.* " ] ,
[ 'packet' , " .* \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 .* " ] ,
[ 'stream' , " .* \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 \x4f \xff \xfb \x82 .* " ] ,
[ 'packet' , " .* \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 .* " ] ,
[ 'stream' , " .* \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 \x24 \x0f \x12 \x34 .* " ] ,
[ 'packet' , " .* \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 .* " ] ,
[ 'stream' , " .* \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 \x03 \xe0 \xf8 \x25 .* " ] ,
[ 'packet' , " .* \x03 \xff \xff \xcc \ /bin \ /.* " ] ,
[ 'stream' , " .* \x03 \xff \xff \xcc \ /bin \ /.* " ] ,
[ 'packet' , " .* \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f .* " ] ,
[ 'stream' , " .* \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f \x47 \xff \x04 \x1f .* " ] ,
[ 'packet' , " .* \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 .* " ] ,
[ 'stream' , " .* \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 .* " ] ,
[ 'packet' , " .* \x31 \xc0 \xb0 \x3f \x31 \xdb \xb3 \xff \x31 \xc9 \xcd \x80 \x31 .* " ] ,
[ 'stream' , " .* \x31 \xc0 \xb0 \x3f \x31 \xdb \xb3 \xff \x31 \xc9 \xcd \x80 \x31 .* " ] ,
[ 'packet' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'stream' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'packet' , " .* \xb0 \xb5 \xcd \x80 .* " ] ,
[ 'stream' , " .* \xb0 \xb5 \xcd \x80 .* " ] ,
[ 'packet' , " .* \xb0 \x17 \xcd \x80 .* " ] ,
[ 'stream' , " .* \xb0 \x17 \xcd \x80 .* " ] ,
[ 'packet' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x31 \xc0 \x89 \xc3 \xb0 \x02 \xcd \x80 \x38 \xc3 \x74 \x05 \x8d \x43 \x01 \xcd \x80 \x31 \xc0 \x89 \x45 \x10 \x40 \x89 \xc3 \x89 \x45 \x0c \x40 \x89 \x45 \x08 \x8d \x4d \x08 \xb0 \x66 \xcd \x80 \x89 \x45 \x08 \x43 \x66 \x89 \x5d \x14 \x66 \xc7 \x45 \x16 \x07 \xd3 \x31 \xd2 \x89 \x55 \x18 \x8d \x55 \x14 \x89 \x55 \x0c \xc6 \x45 \x10 \x10 \xb0 \x66 \xcd \x80 \x40 \x89 \x45 \x0c \x43 \x43 \xb0 \x66 \xcd \x80 \x43 \x89 \x45 \x0c \x89 \x45 \x10 \xb0 \x66 \xcd \x80 \x89 \xc3 \x31 \xc9 \xb0 \x3f .* " ] ,
[ 'packet' , " .* \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 .* " ] ,
[ 'stream' , " .* \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 \x08 \x21 \x02 \x80 .* " ] ,
[ 'packet' , " .* \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 .* " ] ,
[ 'stream' , " .* \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 \x0b \x39 \x02 \x80 .* " ] ,
[ 'packet' , " .* \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 .* " ] ,
[ 'stream' , " .* \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 \x80 \x1c \x40 \x11 .* " ] ,
[ 'packet' , " .* \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 .* " ] ,
[ 'stream' , " .* \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 \x3f \xff \x90 \x08 .* " ] ,
[ 'packet' , " .* \x20 \x3b \x91 \xd0 \x20 \x08 \x90 \x1b \xc0 \x0f \x82 \x10 \x20 \x01 \x91 \xd0 .* " ] ,
[ 'stream' , " .* \x20 \x3b \x91 \xd0 \x20 \x08 \x90 \x1b \xc0 \x0f \x82 \x10 \x20 \x01 \x91 \xd0 .* " ] ,
[ 'packet' , " .* \x90 \x1a \xc0 \x0f \x90 \x02 \x20 \x08 \x92 \x02 \x20 \x0f \xd0 \x23 \xbf \xf8 .* " ] ,
[ 'stream' , " .* \x90 \x1a \xc0 \x0f \x90 \x02 \x20 \x08 \x92 \x02 \x20 \x0f \xd0 \x23 \xbf \xf8 .* " ] ,
[ 'packet' , " .* \x25 \x0b \xcb \xc8 \xa4 \x14 \xaf \x75 \x27 \x1c \xdc \x88 .* " ] ,
[ 'stream' , " .* \x25 \x0b \xcb \xc8 \xa4 \x14 \xaf \x75 \x27 \x1c \xdc \x88 .* " ] ,
[ 'packet' , " .* \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 .* " ] ,
[ 'packet' , " .* \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 .* " ] ,
[ 'stream' , " .* \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 \x13 \xc0 \x1c \xa6 .* " ] ,
[ 'stream' , " .* \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 \xa6 \x1c \xc0 \x13 .* " ] ,
[ 'packet' , " .* \x90 \x1a \x40 \x90 \x82 \x10 \x20 \x2e \x91 \xd0 \x20 .* " ] ,
[ 'stream' , " .* \x90 \x1a \x40 \x90 \x82 \x10 \x20 \x2e \x91 \xd0 \x20 .* " ] ,
[ 'packet' , " .* \x82 \x10 \x20 \x17 \x91 \xd0 \x20 \x08 .* " ] ,
[ 'stream' , " .* \x82 \x10 \x20 \x17 \x91 \xd0 \x20 \x08 .* " ] ,
[ 'packet' , " .* \x6E \x64 \x6C \x65 \x41 \x00 \x73 \x68 \x65 \x6C \x6C \x33 \x32 \x2e \x64 \x6c \x6c \x00 .* " ] ,
[ 'stream' , " .* \x6E \x64 \x6C \x65 \x41 \x00 \x73 \x68 \x65 \x6C \x6C \x33 \x32 \x2e \x64 \x6c \x6c \x00 .* " ] ,
[ 'packet' , " .* \xbf \xff \xd0 \x8b \xf0 \x5a \x43 \x53 \x52 \x32 \xe4 \x83 \xc3 \x04 \x88 \x23 \xb8 \x28 .* " ] ,
[ 'stream' , " .* \xbf \xff \xd0 \x8b \xf0 \x5a \x43 \x53 \x52 \x32 \xe4 \x83 \xc3 \x04 \x88 \x23 \xb8 \x28 .* " ] ,
[ 'snmp-community' , " \ [ \ *?ilmi \ ] " ] ,
[ 'snmp-oid' , " \x2b \x06 \x01 \x04 \x01 \x4D .* " ] ,
[ 'packet' , " \x01 \x00 \x00 \x00 \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'snmp-oid-parsed' , " \ .1 \ .3 \ .6 \ .1 \ .4 \ .1 \ .11 \ .2 \ .3 \ .9 \ .1 \ .1 \ .13 \ .0 " ] ,
[ 'packet' , " .* \x30 \x11 \x06 \x0d \x2b \x06 \x01 \x04 \x01 \x9e \x73 \x02 \x01 \x0d \x01 \x02 ( \x01 | \x02 ).* " ] ,
[ 'stream' , " .*Host \ [v \ ]ersion [2-4] \ ..* " ] ,
[ 'packet' , " (list|hide|show|info|proc|error|chat) " ] ,
[ 'stream' , " conadministrator " ] ,
[ 'packet' , " 14Y3K[0-9]?[0-9]?[0-9]?[0-9]?[0-9]? " ] ,
[ 'packet' , " Y3K.* " ] ,
[ 'packet' , " .*--Ahhhhhhhhhh.* " ] ,
[ 'stream' , " .* \ * Doly trojan.* " ] ,
[ 'stream' , " .*(INFO|scrnerron|scrnerroff|hidebar|showbar|runprog|OpenDL|CloseDL).* " ] ,
[ 'packet' , " 0`[A-z][A-z][A-z][A-z] " ] ,
[ 'stream' , " ER 0 \x0d \x0a .* " ] ,
[ 'stream' , " .*OK \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 \x20 .* " ] ,
[ 'stream' , " .*Connected to host \ (.* " ] ,
[ 'stream' , " .*Blade Runner ver .* " ] ,
[ 'stream' , " \x20 Remote > OK \ . \ . \ ..* " ] ,
[ 'stream' , " .* \x0c \x00 \x00 \x00 \x0e \x00 \x00 \x00 Screen Capture \x0c .* " ] ,
[ 'packet' , " (CURDIR|DRIVES|CD [A-Z]: \\ ) \x0d " ] ,
[ 'packet' , " \ * \ ?! \ ?[A-Z][A-Z].* \x0d " ] ,
[ 'stream' , " .*CAFEiNi [0-9] \ .[0-9].* " ] ,
[ 'stream' , " \x20 >> \x20 \x20 MTX Celine Trojan.* " ] ,
[ 'packet' , " accept:.* " ] ,
[ 'stream' , " (%NBMSGRESULT|@1%DONE|004200[0-9][0-9]T?).* " ] ,
[ 'stream' , " Conectado!.* " ] ,
[ 'stream' , " \ |DRVS \ |[A-Z],.* " ] ,
[ 'stream' , " \ |ENUMDRVS \ |.* " ] ,
[ 'stream' , " \x50 \x6f \x6c \xb9 \x63 \x7a \x6f \x6e \x6f \x2e \x2e \x2e .* " ] ,
[ 'stream' , " DCIClient[0-9][0-9].* " ] ,
[ 'stream' , " DCIServer[0-9][0-9].* " ] ,
[ 'packet' , " 001 " ] ,
[ 'packet' , " 085 " ] ,
[ 'stream' , " \ /MSG,Rootbeer Rules!.* " ] ,
[ 'stream' , " .* \x0d \x0a DRaT Version.* " ] ,
[ 'stream' , " .* \x20 \x20 \x20 DTr v \ .[0-9] \ .[0-9].* " ] ,
[ 'packet' , " (s?invisible|s?visible|sunenabled|s?enabled|disabled| \ [N \ ]umlock| \ [C \ ]aps| \ [S \ ]croll|emessage from duddie|progid|crazy);? " ] ,
[ 'stream' , " .*ECLYPSE v[0-9] \ .[0-9].* " ] ,
[ 'packet' , " Execute[A-Z][A-z]+.* " ] ,
[ 'stream' , " Frenzy [0-9]( \ .|[0-9]).* " ] ,
[ 'packet' , " (icq|gui|cli|det|eet|gaa|sth|sts|eyo|eyf|tiz|wvr|rab|rao) " ] ,
[ 'packet' , " (password|FileSend|FileGet|MsgBox|unkillbutton|killbutton|lockCAD|unlockCAD|disconnect); " ] ,
[ 'stream' , " GirlFriend Server [0-9].* " ] ,
[ 'packet' , " (hidetaskbar|showtaskbar|openformessage|test|hidedesktop|showdesktop) " ] ,
[ 'stream' , " .*R_Server version:[0-9].* " ] ,
[ 'packet' , " Execute[A-z].* " ] ,
[ 'packet' , " (hidestart|showstart|hidetaskbar|showtaskbar|4testmassage) " ] ,
[ 'stream' , " .*intrudordedicated.* " ] ,
[ 'stream' , " .*Kid Terror [0-9] \ .[0-9].* " ] ,
[ 'stream' , " \ |FOLDERS \ |xxxROOTxxx " ] ,
[ 'packet' , " .*SH@H SERVER [0-9] \ .[0-9]* " ] ,
[ 'packet' , " (x|w|r|tbarh|tbars|rappv) " ] ,
[ 'stream' , " 00Ver \ . [0-9] \ .[0-9]+,.* " ] ,
[ 'stream' , " .*( \xa9 HaHa | \xd0 \" [0-9][0-9][0-9] \" \" [0-9][0-9]?[0-9]? \" ).* " ] ,
[ 'packet' , " \ .(hidetask|showtask|notepad) " ] ,
[ 'stream' , " .*One Server.* " ] ,
[ 'packet' , " (messagebox|inputboxman) " ] ,
[ 'packet' , " (0400004.*|25|31) " ] ,
[ 'stream' , " 220 Mandar \ /Receber Arquivos no PCI \ . \x0d \x0a .* " ] ,
[ 'stream' , " .*Product Name :.* " ] ,
[ 'packet' , " (get drives|get user|get info) " ] ,
[ 'packet' , " 0x100 " ] ,
[ 'stream' , " Hook \x0d \x0a \x0d \x0a \013 3 \ .remote hack.* " ] ,
[ 'stream' , " .*(get|kill [0-9]+)OK.* " ] ,
[ 'packet' , " .?Connected to The Revenger.* " ] ,
[ 'stream' , " .*(WINDIR|SYSDIR|ABCJZDATEIEV|FILELAENGE|GETUSER|COUNTRY).* " ] ,
[ 'stream' , " -=COM:.* " ] ,
[ 'packet' , " 0 \ .9[0-1] " ] ,
[ 'packet' , " The Unexplained \ . \ . \ ..* " ] ,
[ 'packet' , " (download[A-z]: \\ |msg%|tit%).* " ] ,
[ 'stream' , " .*LoginUploaderServer.* " ] ,
[ 'stream' , " [^|]+ \ |[^|]+ \ |cmd:.* " ] ,
[ 'packet' , " (fil[A-z]: \\ .*|msg.*|apa) " ] ,
[ 'stream' , " MANAGER_FILE_GETDRIVES \x00 \x09 \x00 " ] ,
[ 'packet' , " PING \x00 \x09 \x00 " ] ,
[ 'stream' , " 0400000000.* " ] ,
[ 'packet' , " 0[0-9]00000000 " ] ,
[ 'stream' , " WindowsMite Server v1.0 Port 65530.* " ] ,
[ 'stream' , " WinCrash Server [0-9].* " ] ,
[ 'stream' , " This Program can not be opered by a Telnet Conection \ .Use WinCrash Client 1 \ .03 \ . Get it at www \ .wincrash \ .cjb \ .net.* " ] ,
[ 'http-text-html' , " .*WANRemote 3 \ .0 - Main Menu.* " ] ,
[ 'packet' , " (text:.*|opennotepad|config|listen|stop listen) " ] ,
[ 'packet' , " (CDTRAY \ /OPEN|FLASH-COLORS \ /.*) " ] ,
[ 'stream' , " \x01 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x08 \x08 .* " ] ,
[ 'stream' , " # \ +--------------------------- \ +.* " ] ,
[ 'stream' , " [^Y]+YOU ARE NOW CONNECTED TO[^C]+C r e d i t s[^v]+v2 \ .[0-9]+ \ ..* " ] ,
[ 'http-url-parsed' , " .* \ /test \ /tracker \ .exe.* " ] ,
[ 'telnet-user' , " \ [backdoor \ ] " ] ,
[ 'telnet-user' , " \ [d13hh \ ][[] " ] ,
[ 'telnet-user' , " friday " ] ,
[ 'telnet-user' , " hax0r " ] ,
[ 'telnet-user' , " lrkr0x " ] ,
[ 'telnet-user' , " r00t " ] ,
[ 'telnet-user' , " rewt " ] ,
[ 'telnet-user' , " satori " ] ,
[ 'telnet-user' , " StoogR " ] ,
[ 'telnet-user' , " w00w00 " ] ,
[ 'telnet-user' , " wank " ] ,
[ 'telnet-user' , " wh00t " ] ,
[ 'stream' , " .*BN.* " ] ,
[ 'stream' , " .*FC .* " ] ,
[ 'stream' , " .*c: \\ .* " ] ,
[ 'stream' , " [0-9]+ \x00 [^ \0 ]+ \x00 bin \x00 .* " ] ,
[ 'stream' , " [0-9]+ \x00 [^ \0 ]+ \x00 echo \x00 .* " ] ,
[ 'stream' , " [0-9]+ \x00 [^ \0 ]+ \x00 root \x00 .* " ] ,
[ 'finger-user' , " \ . " ] ,
[ 'finger-user' , " 0 " ] ,
[ 'stream' , " [^@]* .* " ] ,
[ 'stream' , " .* \x00 .* " ] ,
[ 'stream' , " .* \ |.* " ] ,
[ 'finger-user' , " root " ] ,
[ 'finger-user' , " \ /.* " ] ,
[ 'finger-host' , " .*([ \000 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \017 7- \037 7]).* " ] ,
[ 'stream' , " .*killme.* " ] ,
[ 'stream' , " .*betaalmostdone.* " ] ,
[ 'stream' , " .*gOrave.* " ] ,
[ 'stream' , " .*dos .* " ] ,
[ 'stream' , " .*killdead.* " ] ,
[ 'stream' , " .*mdie .* " ] ,
[ 'stream' , " .*mdos .* " ] ,
[ 'stream' , " .*mping .* " ] ,
[ 'stream' , " .*msize .* " ] ,
[ 'packet' , " .*HELLO.* " ] ,
[ 'packet' , " .*PONG.* " ] ,
[ 'packet' , " .*HELLO.* " ] ,
[ 'packet' , " .*PONG.* " ] ,
[ 'stream' , " .*trinoo>.* " ] ,
[ 'packet' , " .*[[][]] \ . \ .Ks.* " ] ,
[ 'packet' , " .*bbb .* " ] ,
[ 'packet' , " .*d1e .* " ] ,
[ 'packet' , " .*png .* " ] ,
[ 'packet' , " .*alive.* " ] ,
[ 'packet' , " .*alive.* " ] ,
[ 'packet' , " .*alive tijgu.* " ] ,
[ 'stream' , " .*!@ # \x0d .* " ] ,
[ 'packet' , " newserver " ] ,
[ 'packet' , " pong " ] ,
[ 'packet' , " pong " ] ,
[ 'packet' , " pong " ] ,
[ 'packet' , " pong " ] ,
[ 'packet' , " ping.* " ] ,
[ 'http-url-parsed' , " .*org \ .apache \ .catalina \ .servlets \ .DefaultServlet \ /[^ ] \ .jsp.* " ] ,
[ 'http-header-referer' , " http: \ / \ /host \ /xxxxxx \ /exp \ .php \ ?hi_lames=haha " ] ,
[ 'http-url-parsed-param' , " .* \ [htgrep( \ /| \ ?)file=index \ .html&hdr= \ / \ ].* " ] ,
[ 'stream' , " .* \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a \x0d \x0a .* " ] ,
[ 'http-url-parsed-param' , " \ /bin \ /wintty \ .exe \ ?%2dt \ +.* " ] ,
[ 'http-url-parsed' , " .* \ / \ [WEB-INF \ ] \ .( \ .)? \ / " ] ,
[ 'http-header' , " \ [Content-Length \ ]: -.* " ] ,
[ 'http-url-parsed-param' , " .* \x0d ? \x0a ( \040 | \011 )*([A-z]|[0-9]|-)+:.* " ] ,
[ 'http-request' , " \ [CONNECT \ ] .+ \ ..+ \ ..+ \ ..+:[0-9]+ HTTP \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /newdsn \ .exe \ ] \ ?[^ \012 ]* \ [dbq \ ]= \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " \ / \ [adsamples \ /config \ /site \ .csc \ ].* " ] ,
[ 'http-url-parsed-param' , " \ / \ [iissamples \ /exair \ /howitworks \ /codebrws \ .asp \ ?*source= \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [ \ /(cgi-bin|scripts) \ /cmd(32)? \ .exe \ ] " ] ,
[ 'http-header' , " .* \ [xp_cmdshell \ ].* " ] ,
[ 'http-url' , " .* \ [%(0a|20) \ .pl \ ].* " ] ,
[ 'http-request' , " GET x HTTP \ /1 \ .0.* " ] ,
[ 'http-url-parsed' , " .* \ / \ [repair \ /sam \ ] \ ._.* " ] ,
[ 'http-url-parsed' , " .* \ /( \ [winnt \ ]| \ [windows \ ]) \ / \ [system32 \ ] \ / \ [cmd \ .exe \ ].* " ] ,
[ 'http-data' , " .*<[^>]+xmlns:.=. \ [DAV \ ][^>]+>.*<u:.+ " ] ,
[ 'http-url' , " \ /%69%6E%64%65%78%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E.* " ] ,
[ 'http-url-parsed-param' , " .* \ ?[^ ]*<%00 \ [script \ ].* " ] ,
[ 'http-url-parsed' , " .* \ [(scripts|msadc) \ /sensepost \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ . \ [htw \ ] \ ?[^ \000 ]* \ [CiWebHitsFile \ ]=[^&]+(%20| \ [(qfullhit|qsumrhit) \ .htw \ ]).* " ] ,
[ 'http-url-parsed' , " .* \ [msadcs \ .dll \ /VbBusObj \ ].* " ] ,
[ 'http-data' , " .* \ [SELECT DAV:displayname from \ ] \x0a ?[ ]* \ [SCOPE \ ] \ ( \" .* " ] ,
[ 'http-data' , " .*<a:displayname \ /><u:VVVVVVVVVVVVVV.* " ] ,
[ 'http-url-parsed-param' , " .* \ /scripts \ /convert \ .bas \ ? \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " .* \ /local \ /httpd$map \ .conf.* " ] ,
[ 'http-url-parsed' , " .* \ /(-)+ \ / \ *( \ . \ *)?.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /StreamingStatistics \ ?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9]) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /PortInformation \ ?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9]) \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [vti_pvt \ /administrators \ .pwd \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [_vti_bin \ /_vti_aut \ /dvwssr \ .dll \ ? \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ . \ . \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " .* \ / \ [_vti_pvt \ /services \ .pwd \ ].* " ] ,
[ 'http-url-parsed' , " \ / \ [main \ ] \ / \ [(config \ .bin|profile \ .wlp|event \ .logs) \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /win-c-sample \ .exe \ ?.*(cmd \ .exe|command \ .com) \ ] " ] ,
[ 'http-request' , " GET \ /[^ ]* HTTP \ /...[^ \012 ]* \ .[0-9].* " ] ,
[ 'stream' , " \ [(GET|POST|HEAD) \ ] \ /[^ ]* HTTP \ /...[^ ]* \ .[0-9].* " ] ,
[ 'http-url' , " \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ /.* " ] ,
[ 'http-url-parsed' , " .* \ /wwwboard \ /passwd \ .txt.* " ] ,
[ 'http-url-parsed-param' , " .* \ .htaccess " ] ,
[ 'http-url-parsed' , " .* \ [admin_files \ /order \ .log \ ] " ] ,
[ 'http-url-parsed' , " \ /fpdb \ /shop.mdb.* " ] ,
[ 'http-url-parsed' , " \ / \ [WEB-INF \ ] \ . \ /.* " ] ,
[ 'http-url' , " \ / \ [upnp \ /service \ /(%2e| \ .)(%2e| \ .)(%2f| \ /)netgear \ .cfg \ ].* " ] ,
[ 'http-url' , " .* \ . \ [jsp \ ](%00|%20).* " ] ,
[ 'http-url-parsed-param' , " .* \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" \" >>>>>>>>>>>>.* " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-bin \ ] \ / \ [cart32.exe \ ] \ / \ [expdate \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ . \ [htpasswd \ ] " ] ,
[ 'http-url-parsed' , " \ /ver \ .asp " ] ,
[ 'http-url-parsed-param' , " .* \ [boot \ .ini \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [XSQLConfig \ .xml \ ] " ] ,
[ 'http-url-parsed' , " .* \ . \ [DS_Store \ ] " ] ,
[ 'http-request' , " \ [GET \ ] \ . \ ..* " ] ,
[ 'http-url' , " (%%%|%%%%%) " ] ,
[ 'stream' , " \ [(GET|HEAD|POST|PUT|DELETE|LINK|UNLINK) \ ][^ \012 ]* \ [http: \ / \ / \ ]@@+[^ \012 ]*[ \012 ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [http \ ]: \ / \ /?@@+.* " ] ,
[ 'http-url-parsed' , " .* \ . \ [(w|e)mf \ ] " ] ,
[ 'http-url-parsed' , " .* \ . \ [job \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ Xeb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d \ X.* " ] ,
[ 'http-url-parsed' , " .* \ . \ [jsp \ ]( \ +| \\ ).* " ] ,
[ 'stream' , " \x7c \x53 \x61 \x4d \x61 \x4e \x7c " ] ,
[ 'http-header-host' , " .*([ \000 - \054 ]| \057 |[ \073 - \010 0]|[ \013 3- \013 6]| \014 0|[ \017 3- \037 7]).* " ] ,
[ 'http-url-parsed-param' , " .* \ . \ [htw \ ] \ ?[^ ]* \ [CiWebHitsFile \ ]=[^&]+& \ [CiRestriction \ ]= \" <.* " ] ,
[ 'http-url-parsed' , " .*(<|& \ [lt \ ];) \ /? \ [(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META) \ ][^>]*(>|& \ [gt \ ];).* " ] ,
[ 'http-url-parsed-param' , " .* \ ?[^<]*(<|%( \ [u \ ]00)?3 \ [C \ ]) \ /? \ [(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META) \ ].*(>|%( \ [u \ ]00)?3 \ [E \ ]).* " ] ,
[ 'http-url' , " .*search \ .php \ ?search=a(%27%20|%25%27).* " ] ,
[ 'http-url' , " .* \ [(discuss \ .asp \ ?discussblurbid=|author \ .asp \ ?authornumber=).*%3B%20FLUSH%20PRIVILEGES%3B \ ].* " ] ,
[ 'stream' , " \ [(GET|POST)[ ]+ \ /SimpleBar \ .dll \ /RunReport \ ] \ ?.* " ] ,
[ 'http-url-parsed-param' , " .*edit \ .php \ ?a=pre&submit=&auth=1&sid=[0-9]+-- " ] ,
[ 'http-url-parsed-param' , " .* \ /modules \ .php( \ ?| \ /)[^ ]+&sortby= \ [(select|insert|uname|update|explain) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [browse_item_details \ .asp \ ] \ ?[^ \012 ]*Item_ID=[^;]*;.* " ] ,
[ 'http-url' , " .* \ /([a-z]|[A-Z]| \ .)+ \ .%00 \ .txt.* " ] ,
[ 'http-url' , " \ /ext \ .ini \ .% ?00 \ .txt " ] ,
[ 'http-request' , " GET[ ]+HTTP \ /1 \ .0 " ] ,
[ 'http-url' , " \ /( \ . \ . \ . \ /)+ \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [mfcisapicommand=PassThru \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [apexec \ .pl \ ?.*template \ ]= \ /? \ . \ . \ /.*%00.* " ] ,
[ 'http-url-parsed' , " .* \ /fezmall2000 \ /mall_log_files \ /forder \ .log " ] ,
[ 'http-url-parsed' , " .* \ [ \ /servlet \ /ServletExec \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [websendmail \ ?.*query \ ]=';.* " ] ,
[ 'http-url' , " .*(user_logged_in=true|user_dnstools_administrator=YES).* " ] ,
[ 'http-url' , " .*db4web_c \ .exe \ /(([a-z]|[A-Z]|[0-9])* \ /)*.%3A%5C.* " ] ,
[ 'http-url' , " .* \ / \ [db4web_c \ ] \ /[^ ]* \ / \ /.* " ] ,
[ 'stream' , " .* \ [GET[ ]+ \ /surf \ /scwebusers \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /Carello \ .dll \ ?VBEXE=[a-z]: \\ \ . \\ .* " ] ,
[ 'stream' , " .* \ [(GET|POST) \ ] \ /cgi-bin \ / \ . \ . \\ \ . \ . \\ \ . \ . \\ \ . \ . \\ \ . \ . \\ \ . \ . \\ winnt \ /.* " ] ,
[ 'http-url-parsed' , " .* \ /web \ /usermgr \ /userlist \ .asp.* " ] ,
[ 'http-url-parsed-param' , " .* \ [tuxadm \ .exe \ ] \ ?[^ \012 ]*INIFILE= \ [(CON|AUX|COM1|COM2|COM3|COM4) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [catalog_type \ .asp \ ] \ ?[^ \00 ]* \ [ProductType \ ]= \ | \ [shell \ ] \ (.* " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-bin \ /webplus \ ?.*script= \ /? \ . \ . \ / \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /webplus \ .cgi \ ?.*Script= \ /webplus \ /webping \ /webping \ .wml \ ].* " ] ,
[ 'http-url-parsed-param' , " .*bb-hist.sh \ ?.* \ . \ . \ / \ . \ ..* " ] ,
[ 'http-url-parsed-param' , " .* \ /cgi-bin \ /bb-(hist|histlog|hostsvc|rep|replog|ack) \ .sh \ ?.*[A-Z]+= \ / " ] ,
[ 'http-url' , " .*%00. \ [jsp \ ] " ] ,
[ 'http-url' , " .*%00x " ] ,
[ 'http-url-parsed-param' , " .* \ [ExprCalc \ .cfm \ ?.*OpenFilePath= \ ].* " ] ,
[ 'http-text-html' , " .* \ [codeBase=hhctrl \ .ocx \ ].* " ] ,
[ 'http-text-html' , " .*<[^>]* \ [telnet \ ]: \ / \ /(-|(&055;)|(%55))(n|f)((%20)| |%2f| \ /| \ . \ . \ /)+[^>]*>.* " ] ,
[ 'http-text-html' , " .*<[^>]* \ [notes \ ]:( | \011 )?( \042 | \047 )?=[ \013 4][ \013 4][^>]*[ \013 4] \ [notes \ .ini \ ][^>]*>.* " ] ,
[ 'http-text-html' , " .*< \ [img \ ][^>]+( \ [width \ ]| \ [height \ ])=[0-9][0-9][0-9][0-9][0-9][0-9]+[^>]*>.* " ] ,
[ 'http-data' , " \037 7WPC.. \000 \000 \001 \012 .* " ] ,
[ 'http-url-parsed' , " .* \ . \ [w(al|sz) \ ] " ] ,
[ 'http-header-content-type' , " \ [application \ /hta \ ] " ] ,
[ 'http-text-html' , " .*< \ [iframe \ ][^>]* \ [src= \ ][^>]+ \ . \ [exe \ ][^>]*>.* " ] ,
[ 'http-data' , " .* = ( \" |') \x33 \xdb \x8b \xd4 \x80 \xc6 \xff \xc7 \x42 \xfc \x63 \x6d \x64 \x01 \x88 \x5a \xff \x8d \x42 \xfc \x8b \xf5 \x56 \x52 \x53 \x53 \x53 \x53 \x53 \x53 \x50 \x53 \xb8 \x41 \x77 \xf7 \xbf \xff \xd0 \xb8 \xf8 \xd4 \xf8 \xbf \xff \xd0 \xcc ( \" |').* " ] ,
[ 'http-data' , " BM.... \00 \00 \00 \00 [ \020 0- \037 7].* " ] ,
[ 'http-header' , " \ [content-disposition \ ]:( \040 | \011 )* \ [attachment \ ]( \040 | \011 )*;( \040 | \011 )* \ [filename \ ]( \040 | \011 )*=( \040 | \011 )*[^ \000 ]* \ .{[^ \055 ]+-[^ \055 ]+-[^ \055 ]+-[^ \055 ]+-[^ \055 ]+}.* " ] ,
[ 'http-text-html' , " .*< \ [SCRIPT \ ].*( \ [Create \ ]| \ [ActiveX \ ]) \ [Object \ ]( \ (( \" | \' )?|[ ]+) \ [Shell \ .Application \ ].* \ [ \ .ShellExecute \ ].* " ] ,
[ 'http-text-html' , " .*< \ [SCRIPT \ ].*=( | \x09 )* \ [location \ .assign \ ]( | \x09 )*;.* " ] ,
[ 'http-text-html' , " .*< \ [iframe \ ][^>]+ \ [src \ ]=( \047 | \042 )? \ [mhtml \ ]:[^ \041 ]+ \041 [^>]+.* " ] ,
[ 'http-text-html' , " .*< \ [a \ ][^>]* \ [href \ ]( \040 | \011 )*=( \040 | \011 )*( \" |')? \\ \\ .* " ] ,
[ 'http-header-content-location' , " .* \ ?[0-5][0-5][0-5];.* " ] ,
[ 'http-text-html' , " .* \ [document \ .execCommand \ ( \" SaveAs \" \ ][^ \051 ]* \ . \ [(pif|scr|exe|cmd|bat|zip|com|js) \ ] \" \ ).* " ] ,
[ 'http-text-html' , " .*<[^>]* \ [(href|src) \ ]( \040 | \011 )*=( \040 | \011 )*( \" |')? \ [shell: \ ].* " ] ,
[ 'http-text-html' , " .* \ .initKeyEvent( \ (| )( \" |')?keypress( \" |')?, ?( \" |')?true( \" |')?, ?( \" |')?true( \" |')?, ?( \" |')?window( \" |')?, ?( \" |')?(false|true)( \" |')?, ?( \" |')?false( \" |')?, ?( \" |')?(false|true)( \" |')?, ?( \" |')?false( \" |')?, ?45, ?0, ?( \" |')?text( \" |')? \ )?;.* " ] ,
[ 'http-text-html' , " .*classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11.* " ] ,
[ 'http-data' , " \x89 \x50 \x4e \x47 \x0d \x0a \x1a \x0a ....IHDR(([^ \00 ])|( \00 [^ \00 ])|( \00 [ \00 ][ \017 7- \037 7])).* " ] ,
[ 'http-data' , " \x89 \x50 \x4e \x47 \x0d \x0a \x1a \x0a ....IHDR....(([^ \00 ])|( \00 [^ \00 ])|( \00 [ \00 ][ \017 7- \037 7])).* " ] ,
[ 'http-text-html' , " .*<([a-z]|[A-Z])+[^>]+ \ [hcp \ ]: \ / \ /([ \000 - \041 ]|[ \043 - \046 ]|[ \050 - \037 7])*( \" |& \ [quot \ ];|& # 34;)([ \000 - \041 ]|[ \043 - \046 ]|[ \050 - \037 7])*- \ [url \ ][ ]+( \" |& \ [quot \ ];|& # 34;).* " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ /nph-test-cgi " ] ,
[ 'http-url-parsed' , " .* \ / \ [(prn|con|aux|nul|com \ ][1-9]| \ [lpt \ ][1-9]) \ .( \ [asp|cgi|html?) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [cmd1? \ .exe=? \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [scripts \ /root \ .exe \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [rguest \ .exe \ ?.*template=[a-z]: \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [wguest \ .exe \ ?.*template=[a-z]: \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ /search \ .cgi \ ?.*keys.*cat(e|i)gory= \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /cgi-bin \ /bizdb1-search \ .cgi( \ ?| \ /)[^ \012 ]* \ [dbname= \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /survey \ .cgi \ ] \ ?.*( \ ||<|>|;).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [whois_raw \ .cgi \ ] \ ?[^ \00 ]* \ [fqdn \ ]=[^ \00 ]*(%0A|%20).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [Poll_It_SSI \ ][^.]* \ . \ [cgi \ ] \ ?[^ \012 ]* \ [data_dir \ ]=[^ \012 ]*%00 " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /(post32 \ .exe|lsindex2 \ .bat) \ | \ ] " ] ,
[ 'http-url-parsed' , " \ [ \ /_private \ /shopping_cart \ .mdb \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [formmail \ .cgi \ ?.*env_report \ ]=[A-Z]+ " ] ,
[ 'http-url' , " .* \ [ \ /shop \ .cgi \ /page= \ /? \ . \ . \ / \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [info2www \ ] \ ? \ (( \ . \ . \ /)+[^ \017 4]* \ | \ ).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [hsx \ .cgi \ ?.*show \ ]= \ ? \ . \ . \ /.*%00 " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /cached_feed \ .cgi \ ?.* \ . \ . \ / \ ] " ] ,
[ 'http-url' , " .*%00.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /ows-bin \ /.* \ ] \ ?& " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /webspirs \ .cgi \ ?.*sp.nextform= \ /? \ . \ . \ / \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [YaBB \ .pl \ ?.*num \ ]=.*( \ /? \ . \ . \ /|%00).* " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-bin \ /infosrch \ .cgi \ ?.*fname \ ]= \ | " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [authenticate \ .cgi \ ?.*PASSWORD.*config \ .ini \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /commerce \ .cgi \ ?.*page= \ /? \ . \ . \ /.*%00 \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /dcboard \ .cgi \ ] \ ?.*( \ ||;| \ /? \ . \ . \ /).* " ] ,
[ 'http-url-parsed' , " .* \ /aglimpse[^|]* \ |.* " ] ,
[ 'stream' , " \ [POST \ ] \ [ \ /cgi-bin \ /w3-msql \ / \ ][^ \000 ]+ \ [content-length \ ]:[ ]+[1-9][0-9][0-9][0-9]+.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [main \ .cgi \ ] \ ?[^ \012 ]* \ [filename \ ]= \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [print \ .cgi \ ] \ ?[^ \012 ]* \ [board \ ]= \ /? \ . \ . \ /.* " ] ,
[ 'http-header' , " \ [content-length \ ]:.* \x8b \x74 \x24 \xfc \xb8 \x2e \x61 \x68 \x6d \x05 \x01 \x01 \x01 \x01 \x39 \x06 .* " ] ,
[ 'http-url' , " query \ ?mss=.*( \ . \ .|%2e%2e).* " ] ,
[ 'http-url' , " \ [ \ /cgi-bin \ /htsearch \ ?exclude=%60.* \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [emumail \ .cgi \ ] \ ?[^ \012 ]*type=[^&]*%00.* " ] ,
[ 'http-header-user-agent' , " .*Hackscape \ /1 \ .0 (j00r asS gonna gets 0wned).* " ] ,
[ 'stream' , " .*POST \ /cgi-bin \ /formtest \ .cgi HTTP \ /1 \ .0 \x0a Connection: close \x0a User-Agent: ( \x90 )+ \xeb \x30 \x5e \x89 \x76 \x3b \x31 \xc0 \x88 \x46 \x08 \x88 \x46 \x0b \x88 \x46 \x3a \x89 \x46 \x47 \xb0 \x0b \x8d \x5e \x09 .* " ] ,
[ 'http-url' , " \x2f \x63 \x67 \x69 \x2d \x62 \x69 \x6e \x2f \x73 \x61 \x6d \x70 \x6c \x65 \x33 \x2e \x63 \x67 \x69 \x3f \x6e \x61 \x6d \x65 \x3d ( \x58 \x58 )+ \x24 \xfc \xff \xbf \x26 \x61 \x64 \x64 \x72 \x65 \x73 \x73 \x3d \x74 \x65 \x73 \x74 \x26 \x74 \x65 \x6c \x65 \x70 \x68 \x6f \x6e \x65 \x3d \x74 \x65 \x73 \x74 \x20 \x48 \x54 \x54 \x50 \x2f .* " ] ,
[ 'http-url-parsed-param' , " .*smartsearch \ .cgi \ ?[^ ]*keywords= \ |.* " ] ,
[ 'http-url-parsed-param' , " .* \ [parse_xml \ .cgi( \ ?| \ /)filename \ ]= \ . \ . \ .? \ /.* " ] ,
[ 'http-header-cookie' , " .*lang=([^A-z]|[ \013 3- \014 0]).* " ] ,
[ 'http-url-parsed-param' , " .* \ /none \ .php \ ?( \ . \ .:| \ /).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [viewCart \ .asp \ ] \ ?[^ \00 ]* \ [userID \ ]=[^&]*'.* " ] ,
[ 'http-url-parsed-param' , " \ /reports \ .cgi \ ?output=show_chart&product=[^&]+&datasets=1 " ] ,
[ 'http-request' , " \ [GET \ ] \ /cgi-bin \ /helpout \ .exe (HTTP|HTTP \ /)? " ] ,
[ 'http-url-parsed' , " \ /( \ [webadmin \ ]| \ [names \ ]| \ [log \ ]) \ . \ [ntf \ ]..........[^ \012 ]* \ . \ [nsf \ ] " ] ,
[ 'http-url-parsed' , " .* \ .(pl|exe|csp)( \ .| \ .|%20 \ .|%20%2 \ [e \ ]) " ] ,
[ 'http-request' , " \ [GET ! \" # \ ].* " ] ,
[ 'http-url-parsed' , " \ /servlet \ /con " ] ,
[ 'http-url' , " \ /sw[0-9]+ \ /cgi \ /device_reset \ ?.* " ] ,
[ 'http-url-parsed' , " % " ] ,
[ 'stream' , " .*POST \ /cgi-bin \ / \ [([a-z]|[0-9]| \ .)+ \ ] HTTP \ /1 \ .0 \x0d \x0a Content-Length: 111111111111111111111111111 \x0d \x0a \x0d \x0a A \x0d \x0a \x0d \x0a .* " ] ,
[ 'http-request' , " \ [OPTIONS \ /AAAAAAAAAAAA[A]+ \ .html \ ].* " ] ,
[ 'stream' , " GET \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ /[^ ]* HTTP \ /1 \ .[0-1].* " ] ,
[ 'http-url-parsed' , " ( \ /aux \ /aux \ /| \ /con \ /con) " ] ,
[ 'http-url-parsed-param' , " \ /cgi-bin \ /hpnst \ .exe( \ ?| \ /)c=p \ +i=hpnst \ .exe " ] ,
[ 'http-header' , " (connection|range): " ] ,
[ 'http-url-parsed-param' , " \ /emailpwdreset \ .srf \ ?lc=1033&em=[^@]+@hotmail \ .com&[^ \012 ]*prefem=[^@]+@([^h]|[^H])[^&]+&rst=1 " ] ,
[ 'stream' , " .*(uname|bin \ /ls|bin \ /id|bin \ /nc|bin \ /g?cc|bin \ /(send)?mail|ifconfig|bin \ /(k|ba|z|c|tc)?sh).* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /admin \ /browse.asp?.*FilePath=(c|d|e|f|g): \\ .*&Opt=2&.*level=0 \ ].* " ] ,
[ 'http-url-parsed-param' , " \ /cgi-bin \ /wrap \ ? \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ / \ .cobalt \ /overflow \ /overflow \ .cgi " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ / \ .cobalt \ /overflow \ /overflowTestEmail \ .cgi " ] ,
[ 'stream' , " .*GET \ / \ .cobalt \ /sysManage \ / \ . \ . \ /admin \ /[^ \040 ]+ HTTP \ /1 \ .[0-1].* " ] ,
[ 'stream' , " .*(GET|POST) \ [ \ /cgi-bin \ / \ .cobalt \ /alert \ /service \ .cgi \ ] \ ?.*service= \ / \ [AAAAAAAAAAAAAAA[A]+ \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [my?log \ .p?html \ ?.*screen \ ]=.* \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [php \ .cgi \ ] \ ?( \ /| \ . \ .) " ] ,
[ 'http-url-parsed-param' , " .* \ /[^.]* \ . \ [php \ ] \ ?[^ \012 ]*_PHPLIB \x5B libdir \x5D =.* " ] ,
[ 'http-url' , " .*dostuff.php.* " ] ,
[ 'http-url' , " .* \ [member \ .php \ ?.*&+member='%20OR%20(password='PASSWORD|status='ADMINIST) \ ].* " ] ,
[ 'http-url' , " .* \ [ \ /misc \ .php \ ?.*&?send=yes.*&loser='%20OR%20password='PASSWOR \ ].* " ] ,
[ 'http-url' , " .* \ [ \ /pm \ .php \ ?.*action=reply.*&pmid=.+ \ ].* " ] ,
[ 'http-url-parsed' , " .*midicart \ .mdb.* " ] ,
[ 'http-url-parsed-param' , " .* \ [index \ .php \ ] \ ?[^ \012 ]* \ [m=projects \ ][^ \012 ]*& \ [user_cookie \ ]=1.* " ] ,
[ 'http-url-parsed-param' , " .*class \ .atkdateattribute \ .js \ .php( \ ?| \ /).*&?config_atkroot=(http|ftp):.* " ] ,
[ 'http-url' , " .*summary_graph_functions \ .php \ ?.* \ [g_jpgraph_path=http(: \ / \ /|%3A%2F%2F) \ ].* " ] ,
[ 'http-url' , " .*login_page \ .php \ ?.*g_meta_include_file=http(: \ / \ /|%3A%2F%2F).* " ] ,
[ 'http-url-parsed-param' , " .* \ /(template|reply) \ .php( \ ?| \ /)nm= \ . \ . \ /users.* " ] ,
[ 'http-url' , " .*board \ .php \ ?boardid=[^ \ /]*%27,%20userid=%27.* " ] ,
[ 'http-url-parsed-param' , " .*calendar \ .php \ ?calbirthdays=[0-9][^ ]*&action=getday[^ ]*&comma=%22;echo.* " ] ,
[ 'http-url-parsed-param' , " .*customize \ .php \ ?l=http: \ /.* " ] ,
[ 'http-url' , " .*avatar \ .php \ ?img=3D \ . \ . \ /secret \ /connect \ .php.* " ] ,
[ 'http-url-parsed-param' , " .* \ /aff_news \ .php \ ?chemin=http: \ / \ /.* " ] ,
[ 'http-url' , " .* \ .php \ ?uid='%20OR%20''='&pwd='%20OR%20''=' " ] ,
[ 'http-url-parsed-param' , " .* \ [customize \ .php \ ] \ ? \ l= \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /email \ .php( \ ?| \ /)[^&]+&cer_skin=http: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /lib \ /emailreader_execute_on_each_page \ .inc \ .php( \ ?| \ /)emailreader_ini=http: \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [ssi \ .php \ ]( \ ?| \ /)[^ \012 ]* \ [sourcedir=( \" |')?http \ ]: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [mainfile \ .php \ ] \ ?[^ ]*MAIN_PATH= \ [(http|ftp) \ ]: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /artlist \ .php \ ?root_path=http: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /config \ .php \ ?root_path=http: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /thatfile \ .php \ ?root_path=http: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /auth \ .inc \ .php \ ?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n.* " ] ,
[ 'http-url' , " .* \ /modules \ .php \ ?name=News&file=article&sid=[0-9]+%20or%20.* " ] ,
[ 'http-url-parsed-param' , " .*modules \ .php( \ ?| \ /)name=Search([^ \012 ]|[^ \015 ])*&days=[0-9]+ \ +or \ +mid \ (a \ .pwd.* " ] ,
[ 'http-url-parsed-param' , " .* \ [modules \ .php \ ]( \ ?| \\ )[^ \012 ]*(c|l|art|sec)id=-?[0-9]+( \ +|%20) \ [UNION \ ]( \ +|%20).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [modules \ .php \ ] \ ?[^ \012 ]*& \ [sid \ ]=[^&]* \ [UNION \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [index \ .php( \ ?| \ /)forum_id=[0-9]+ \ +or \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [prefs \ .php \ ]( \ ?| \ /)([^ ]|[^ \012 ]|[^ \015 ])*&lang= \ / \ . \ . \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [profile \ .php \ ] \ ?[^ \012 ]* \ [mode=viewprofile \ ][^ \012 ]*& \ [u \ ]='.* " ] ,
[ 'http-url-parsed-param' , " .*search \ .php \ ?[^ \012 ]*search_id=[0-9]+( \ +|%20) \ [union \ ].* " ] ,
[ 'http-url-parsed-param' , " .*(captionator|errors \ /(configmode|needinit|reconfigure|unconfigured)) \ .php \ ?GALLERY_BASEDIR=.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [setup \ .cgi \ ] \ ?[^ \012 ]* \ [todo=debug \ ].* " ] ,
[ 'http-url' , " .*(SnoopServlet|TroubleShooter).* " ] ,
[ 'http-url-parsed' , " .* \ /examples \ /servlet \ /(AUX|LPT1|CON|PRN).* " ] ,
[ 'http-url' , " .* \x00 \ .jsp " ] ,
[ 'http-request' , " .* \x00 \ . \ [jsp \ ].* " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ /rpm_query " ] ,
[ 'stream' , " .*NOTIFY \ * HTTP \ /1 \ .1 \x0d \x0a HOST: 239 \ .255 \ .255 \ .250:1900 \x0d \x0a .*USN: uuid:QB0X \x0d \x0a \x0d \x0a \x0d \x0a .* " ] ,
[ 'stream' , " .* \xE3 \x24 \x00 \x00 \x00 \x01 \x10 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xFF \xFF \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xE3 \x03 \x00 \x00 \x00 \x4E \x00 \x00 .* " ] ,
[ 'stream' , " .* \xc4 \x01 \x13 \x00 \xf0 \x03 \xea \x03 \x01 \x00 \xea \x03 \x06 \x00 \xae \x01 \x4d \x53 \x54 \x53 \x43 \x00 \x11 \x00 \x00 \x00 \x01 \x00 \x18 \x00 \x01 \x00 \x03 \x00 \x00 \x02 \x00 \x00 \x00 \x00 \x05 \x04 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x02 \x00 \x1c \x00 \x08 \x00 \x01 \x00 \x01 \x00 \x01 \x00 \x00 \x05 \x00 \x04 \x00 \x00 \x01 \x00 \x01 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x03 \x00 \x58 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x14 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x2a \x00 \x01 \x00 \x01 \x01 \x01 \x00 \x00 \x01 \x01 \x01 \x00 \x01 \x00 \x00 .* " ] ,
[ 'stream' , " .*@PJL RDYMSG DISPLAY =.* " ] ,
[ 'stream' , " .*@PJL RDYMSG DISPLAY =.* " ] ,
[ 'http-url-parsed-param' , " (.* \ /error \ ? \ /?)|( \ ?) " ] ,
[ 'stream' , " .* \ [POST \ /plugins \ /framework \ /script \ /content \ .hts \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /plugins \ /framework \ /framework \ .ini \ ].* " ] ,
[ 'ftp-pathname' , " \ * \ ?AAAAAA.* " ] ,
[ 'ftp-sitestring' , " \ [cpwd \ ].* " ] ,
[ 'stream' , " .* \x4d \x4b \x44 \x20 \x90 \x90 \x90 \x90 \x90 \x31 \xdb \x31 \xc9 \xeb \x12 \x5e \xbf \x10 \x10 \x10 \x10 \xb1 \x21 \x29 \x7e \x01 \x83 \xc6 \x04 \xe2 \xf8 \xeb \x05 \xe8 \xe9 \xff \xff \xff \xff \xff \xff \x90 \xfb \x5d \x6e \x41 \xd0 \xc0 \x27 \x63 \x63 \xaa \x10 \x10 \x10 \x10 \x17 \x10 \x41 \xd0 \xc0 \x60 \x9d \x8e .* " ] ,
[ 'ftp-put-filename' , " \ /bin \ /(ls|cd).* " ] ,
[ 'ftp-sitestring' , " \ [exec \ ].* " ] ,
[ 'ftp-pathname' , " @ \ / \ . \ .@ \ / \ . \ ..* " ] ,
[ 'ftp-pathname' , " .*-w [1-9][0-9][0-9][0-9][0-9].* " ] ,
[ 'ftp-pathname' , " \ * \ * \ * \ * \ * \ * \ * \ * \ *.* " ] ,
[ 'ftp-password' , " root " ] ,
[ 'ftp-pathname' , " .* \ .%20 \ ..* " ] ,
[ 'line' , " \ [CWD \ ] .* \ . \ . \ / \ . \ . " ] ,
[ 'ftp-get-filename' , " \ /? \ . \ . \ / \ . \ . \ / \ . \ . \ /.* " ] ,
[ 'ftp-put-filename' , " .* \ . \ . \ /autoexec \ .bat " ] ,
[ 'ftp-pathname' , " .* \ .? \ * \ .? \ / \ .? \ *? \ ?? \ .? \ / \ *?.* " ] ,
[ 'ftp-username' , " .*(%[0-9]*(n|h|s|x))+.* " ] ,
[ 'ftp-username' , " \ [root \ ] " ] ,
[ 'telnet-user' , " root " ] ,
[ 'http-url-parsed-param' , " .*(c|d) \ /inetpub \ /scripts \ /root \ .exe \ ?.* " ] ,
[ 'http-url-parsed-param' , " .*(c|d) \ /winnt \ /system32 \ /cmd \ .exe \ ?.* " ] ,
[ 'stream' , " .*HKLM \\ System \\ CurrentControlSet \\ Services \\ NetDDE \\ ImagePath.* " ] ,
[ 'smtp-data-line' , " .*http: \ / \ /www \ .friendgreetings \ .com \ /pickup \ /pickup \ .aspx.* " ] ,
[ 'smtp-mime-content-filename' , " ( \ [your_details \ ]| \ [application \ ]| \ [document \ ]| \ [screensaver \ ]| \ [movie \ ]) \ .zip.* " ] ,
[ 'http-url-parsed-param' , " \ /(1| \ [scr \ ]) \ .php " ] ,
[ 'http-url-parsed-param' , " \ /search \ ?(p|q)=inurl: \ * \ .php \ ? \ *=.* " ] ,
[ 'http-url' , " \ [ \ /scripts \ /root \ .exe \ ? \ /c \ +dir \ ] " ] ,
[ 'http-url' , " \ [ \ /MSADC \ /root \ .exe \ ? \ /c \ +dir \ ] " ] ,
[ 'http-url' , " \ [ \ /scripts \ / \ . \ .%255c \ . \ . \ /winnt \ /system32 \ /cmd \ .exe \ ? \ /c \ +dir \ ] " ] ,
[ 'http-url' , " \ [ \ /_(vti|mem)_bin \ / \ . \ .%255c \ . \ . \ / \ . \ .%255c \ . \ . \ / \ . \ .%255c \ . \ . \ /winnt \ /system32 \ /cmd \ .exe \ ? \ /c \ +dir \ ] " ] ,
[ 'http-url' , " \ [ \ /scripts \ / \ . \ .(%c1%1c|%c0%af|%c1%9c) \ . \ . \ /winnt \ /system32 \ /cmd \ .exe \ ? \ /c \ +dir \ ] " ] ,
[ 'smtp-data-line' , " .*<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>.* " ] ,
[ 'smb-open-filename' , " .* \ . \ [( \x00 )?N( \x00 )?W( \x00 )?S( \x00 )? \ ] " ] ,
[ 'smb-open-filename' , " .* \ . \ [( \x00 )?E( \x00 )?M( \x00 )?L( \x00 )? \ ].* " ] ,
[ 'http-url' , " .* \x2f \x64 \x65 \x66 \x61 \x75 \x6c \x74 \x2e \x69 \x64 \x61 \x3f \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x4e \x25 \x75 \x39 \x30 \x39 \x30 \x25 \x75 \x36 \x38 \x35 \x38 \x25 \x75 \x63 \x62 \x64 \x33 \x25 \x75 \x37 \x38 \x30 \x31 \x25 \x75 \x39 \x30 \x39 \x30 \x25 \x75 \x36 \x38 \x35 \x38 \x25 \x75 \x63 \x62 \x64 \x33 \x25 \x75 \x37 \x38 \x30 \x31 \x25 \x75 \x39 \x30 \x39 \x30 \x25 \x75 \x36 \x38 \x35 \x38 \x25 \x75 \x63 \x62 \x64 \x33 \x25 \x75 \x37 \x38 \x30 \x31 \x25 \x75 \x39 \x30 \x39 \x30 \x25 \x75 \x39 \x30 \x39 \x30 \x25 \x75 \x38 \x31 \x39 \x30 \x25 \x75 \x30 \x30 \x63 \x33 \x25 \x75 \x30 \x30 \x30 \x33 \x25 \x75 \x38 \x62 \x30 \x30 \x25 \x75 \x35 \x33 \x31 \x62 \x25 \x75 \x35 \x33 \x66 \x66 \x25 \x75 \x30 \x30 \x37 \x38 \x25 \x75 \x30 \x30 \x30 \x30 .* " ] ,
[ 'stream' , " .* \ [BEGIN +ctxsys \ .driload \ .validate_stmt \ ] \ (.* " ] ,
[ 'stream' , " .*ORA-01017:( invalid username \ /password; logon denied)?.* " ] ,
[ 'stream' , " .*adamswoodXXXXX.* " ] ,
[ 'stream' , " .*scotttigerXXXXX.* " ] ,
[ 'stream' , " .*blakepaperXXXXX.* " ] ,
[ 'stream' , " .*clarkclothXXXXX.* " ] ,
[ 'stream' , " .* \ [ctxsys(ctxsys|unknown|change_on_install) \ ]XXXXX.* " ] ,
[ 'stream' , " .*dbsnmpdbsnmpXXXXX.* " ] ,
[ 'stream' , " .*aurora$orb$unauthenticatedinvalidXXXXX.* " ] ,
[ 'stream' , " .*jonessteelXXXXX.* " ] ,
[ 'stream' , " .*mdsysmdsysXXXXX.* " ] ,
[ 'stream' , " .*ordpluginsordpluginsXXXXX.* " ] ,
[ 'stream' , " .*ordsysordsysXXXXX.* " ] ,
[ 'stream' , " .*outlnoutlnXXXXX.* " ] ,
[ 'stream' , " .* \ [system(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*) \ ]XXXXX.* " ] ,
[ 'stream' , " .*tracesvrtraceXXXXX.* " ] ,
[ 'stream' , " .* \ [sys(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*) \ ]XXXXX.* " ] ,
[ 'stream' , " .* \ [ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT \ ].* " ] ,
[ 'packet' , " .... \037 7[ \024 - \025 ] \04 .* " ] ,
[ 'stream' , " .* \ [s \00 p \00 _ \00 p \00 a \00 s \00 s \00 w \00 o \00 r \00 d \00 \ ].* " ] ,
[ 'stream' , " .* \ [s \00 p \00 _ \00 a \00 d \00 d \00 u \00 s \00 e \00 r \ ].* " ] ,
[ 'stream' , " .* \x10 \x01 \x00 . \x00 \x00 \x01 \x00 .. \x00 \x00 \x00 \x00 \x00 \x71 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x07 .... \x00 \x00 \x00 \x00 \xE0 \x03 \x00 \x00 .. \x00 \x00 .. \x00 \x00 . \x00 . \x00 . \x00 . \x00 . \x00 \x00 \x00 .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [explorer \ .doc \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [normal \ .dot \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [resume1 \ .doc \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [kak \ .hta \ ]* \" .* " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [exe \ ] \ . " ] ,
[ 'smtp-mime-content-filename' , " (approved|application|doc_details|movie28|password|ref-39....|screen_doc|screen_temp|_approved) \ .pi[f]* " ] ,
[ 'smtp-header-subject' , " .*(Hi|Hello|Re:|Fw:)* \040 ?(Very |special |Happy |Have a )(New |funny |nice |humour |excite |good |powful |WinXP |IE 6.0 )*(game \ .|tool \ .|website \ .|patch \ .|Allhallowmas|Epiphany) " ] ,
[ 'smtp-header-subject' , " (W32 \ .Elkern|W32 \ .Klez \ .E) removal tools " ] ,
[ 'smtp-mime-content-data' , " ( \x4d \x5a | \x4c \x01 ).( \000 | \001 ).* " ] ,
[ 'smtp-mime-content-filename' , " \ [photos \ .zip \ ] " ] ,
[ 'smtp-mime-content-data' , " PK.* \ .(pif|scr|exe|cmd|bat|zip|com)( \x4d \x5a | \x4c \x01 ).( \000 | \001 ).* " ] ,
[ 'stream' , " .* \\ \\ \ . \ . \ / \x00 \x00 \x00 .* " ] ,
[ 'stream' , " .* \\ \\ \ . \ . \ . \ / \x00 \x00 \x00 .* " ] ,
[ 'smb-connect-path' , " \\ \00 ? \\ \00 ?.* \\ \00 ?A \00 ?D \00 ?M \00 ?I \00 ?N \00 ?$ \00 ?.* " ] ,
[ 'smb-connect-path' , " \\ \00 ? \\ \00 ?.* \\ \00 ?C \00 ?$ \00 ?.* " ] ,
[ 'smb-connect-path' , " \\ \00 ? \\ \00 ?.* \\ \00 ?D \00 ?$ \00 ?.* " ] ,
[ 'smb-native-os' , " Unix " ] ,
[ 'packet' , " .*([ \001 - \010 ]|[ \013 - \014 ]|[ \016 - \037 ]|[ \020 0- \037 7]).* " ] ,
[ 'pop3-command-line' , " (UIDL|DELE) 11111111111111111111111111111111.* " ] ,
[ 'pop3-command-line' , " helo:AAAAAAAAAAAAAAAA.* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [bat \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [com \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [cpl \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [ocx \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [hta \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [ade \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ .386 \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [adp \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [inf \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [lnk \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [msp \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [reg \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [w(al|sz) \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [ht \ ] \" .* " ] ,
[ 'packet' , " \xe3 \x36 \x00 \x00 \x00 \x01 \x10 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xff \xff \x02 \x00 \x00 \x00 \x02 \x01 \x00 \x01 \x04 \x00 \x54 \x65 \x73 \x74 \x03 \x01 \x00 .* " ] ,
[ 'stream' , " .* \ [Authorization: Basic A== \ ].* " ] ,
[ 'stream' , " RCH0.* " ] ,
[ 'packet' , " play \x2d \x00 ..............(([ \060 - \037 7])|(.[^ \000 ])|(..[^ \000 ])|(...[^ \000 ])).* " ] ,
[ 'stream' , " .* \x0a \ [Max-dotdot \ ][ ]+[0-9][0-9][0-9][0-9].* " ] ,
[ 'packet' , " \x00 \x01 \x00 \x07 .....(.[^ \000 ]|[^ \000 ].).* " ] ,
[ 'packet' , " .* \x45 \x89 \x02 \x00 .... \x00 \x00 \x00 \x20 \x45 \x00 \x00 \x00 " ] ,
[ 'stream' , " .* \ | \ |[0-9] \ | \ | " ] ,
[ 'stream' , " \ [(get|head|post|source) \ ][^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 [^ \012 ]+ \012 .* " ] ,
[ 'stream' , " .* \x05 \x00 \x06 \x01 \x00 \x00 \x00 \x00 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x31 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 .* " ] ,
[ 'stream' , " .* \xa0 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \xc0 \x00 \x00 \x00 \x00 \x00 \x00 \x46 .* " ] ,
[ 'packet' , " 1234567890 " ] ,
[ 'smb-open-filename' , " .* \ u \ [ \\ ci_skads \ ] \ u " ] ,
[ 'stream' , " .* \xb8 \x4a \x9f \x4d \x1c \x7d \xcf \x11 \x86 \x1e \x00 \x20 \xaf \x6e .* " ] ,
[ 'stream' , " .* \xb8 \x4a \x9f \x4d \x1c \x7d \xcf \x11 \x86 \x1e \x00 \x20 \xaf \x6e .* " ] ,
[ 'stream' , " .* \xb8 \x4a \x9f \x4d \x1c \x7d \xcf \x11 \x86 \x1e \x00 \x20 \xaf \x6e .* " ] ,
[ 'packet' , " .* \xb8 \x4a \x9f \x4d \x1c \x7d \xcf \x11 \x86 \x1e \x00 \x20 \xaf \x6e .* " ] ,
[ 'packet' , " .* \xb8 \x4a \x9f \x4d \x1c \x7d \xcf \x11 \x86 \x1e \x00 \x20 \xaf \x6e .* " ] ,
[ 'http-url-parsed-param' , " .* \ .htgroup.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [cgi-bin \ /plusmail \ ] \ ?.*password=.*password1=.*new_login=.* " ] ,
[ 'http-url-parsed-param' , " .* \ [BBBB \ .htr \ ].* " ] ,
[ 'packet' , " [ \010 1- \017 2]+ " ] ,
[ 'packet' , " ............ \x15 .* " ] ,
[ 'packet' , " ............ \x0d .* " ] ,
[ 'packet' , " ............ \x12 .* " ] ,
[ 'packet' , " ....... \x08 \x00 \x04 .* " ] ,
[ 'packet' , " ....... \x08 \x00 \x01 .* " ] ,
[ 'packet' , " ..[^ \00 ][^ \00 ].* " ] ,
[ 'stream' , " .* \xeb \x4b \x5b \x53 \x32 \xe4 \x83 \xc3 \x0b \x4b \x88 \x23 \xb8 \x50 \x77 .* " ] ,
[ 'stream' , " .*PING :1986115026.*001 :irc \ .random \ .org trillian.* " ] ,
[ 'stream' , " .*< \ [a href \ ] ?= ? \" \ . \ . \ / \ . \ . \ /.* " ] ,
[ 'packet' , " \x00 \x01 \ [admin \ .dll \ ].* " ] ,
[ 'packet' , " \x00 \x02 .* " ] ,
[ 'packet' , " .* \ . \ ..* " ] ,
[ 'smtp-data-text-plain' , " XJS \ *C4JDBQADN1 \ .NSBN3 \ *2IDNEN \ *GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL \ *C \ .34X " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [wp5 \ ] " ] ,
[ 'smtp-header-line' , " \ [content-type \ ]:[^ \000 ]+<( \ [script \ ]>|[^ \000 ]+ \ [onLoad=java \ ])[^>]*>.* " ] ,
[ 'stream' , " .*<[^>]* \ [notes \ ]:( | \011 )?( \042 | \047 )?=[ \013 4][ \013 4][^>]*[ \013 4] \ [notes \ .ini \ ][^>]*>.* " ] ,
[ 'stream' , " .*<[^>]* \ [href= \ ](3D)?( \" |')? \ [aim:goaway \ ?message= \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [PC210017 \ .JPG \ ].* " ] ,
[ 'smtp-rcpt' , " .* \ [IMCEASMTP \ ]-[^+]* \ +[^+]* \ +[^@]*@.* " ] ,
[ 'stream' , " .* \012 ( \040 | \011 )* \ [password address= \ ].* \012 ( \040 | \011 )* \ [password address= \ ].* " ] ,
[ 'stream' , " .*MASSINE.* " ] ,
[ 'smtp-command-line' , " .*__safebomb__.* " ] ,
[ 'smtp-header-to' , " x " ] ,
[ 'smtp-command-line' , " .* \ [AUTH( | \011 )+GUEST \ ].* " ] ,
[ 'smtp-header-from' , " .* \ |.* " ] ,
[ 'smtp-from' , " .* \ |.* " ] ,
[ 'smtp-header-to' , " .* \ |.* " ] ,
[ 'smtp-rcpt' , " .* \ |.* " ] ,
[ 'smtp-header-reply-to' , " .* \ |.* " ] ,
[ 'smtp-header-line' , " \ [a \015 *t \015 *t \015 *a \015 *c \015 *h \015 *m \015 *e \015 *n \015 *t \015 * c \015 *o \015 *n \015 *v \015 *e \015 *r \015 *t \015 *e \015 *d \015 * \ ]:.* " ] ,
[ 'smtp-data-text-plain' , " Attachment Converted( \x0d |=0 \ [d \ ]):.* " ] ,
[ 'smtp-data-text-html' , " Attachment Converted( \x0d |=0 \ [d \ ]|=00):.* " ] ,
[ 'smtp-command-line' , " .*( | \x09 )* \ [expn \ ]( | \x09 )+(admin|bin|decode|root|rpmmail).* " ] ,
[ 'smtp-command-line' , " ( | \x09 )* \ [vrfy \ ]( | \x09 )+(bbs|decode|guest|postmaster|root|sybase) " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [pif \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [scr \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [shs \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [vbs \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [com \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [bat \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [ocx \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [cmd \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ [ \ .job \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [CPL \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [ade \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ .386 " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [adp \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [bas \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [chm \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [hlp \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [inf \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [ins \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [isp \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [js \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [jse \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [lnk \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [mde \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [msc \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [msi \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [msp \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [pcd \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [reg \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [sct \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [vb \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [wsc \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [wsf \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [wsh \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [w(al|sz) \ ] " ] ,
[ 'smtp-mime-content-filename' , " .* \ . \ [ht \ ] " ] ,
[ 'smtp-header-line' , " .*; \s + \ [boundary \ ] \s *= \s * \" \" " ] ,
[ 'packet' , " .* \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x63 \x82 \x53 \x63 \x35 [ \001 - \017 ][ \001 - \017 ].* " ] ,
[ 'stream' , " .* \xeb \x49 \x5e \x29 \xc0 \x29 \xdb \x40 \x89 \x46 \x04 \x40 \x89 \x06 \xb0 \x06 \x89 \x46 \x08 \xb0 \x66 \x43 \x89 \xf1 \xcd \x80 \x89 \x06 \xb0 \x02 \x66 \x89 \x46 \x0c \xb0 \x90 \x66 \x89 \x46 \x0e \x8d \x46 \x0c \x89 \x46 \x04 \x29 \xc0 \x89 \x46 \x10 \xb0 \x10 \x89 \x46 \x08 \xb0 \x66 \x43 \xcd \x80 \x29 \xc0 \x40 \x89 \x46 \x04 \xb3 \x04 \xb0 \x66 \xcd \x80 \xeb \x02 \xeb \x4c \x29 \xc0 \x89 \x46 \x04 \x89 \x46 \x08 \xb0 \x66 \x43 \xcd \x80 \x88 \xc3 \x29 \xc9 \xb0 \x3f \xcd \x80 \xb0 \x3f \x41 \xcd \x80 \xb0 \x3f \x41 \xcd \x80 \xb8 \x2e \x62 \x69 \x6e \x40 \x89 \x06 \xb8 \x2e \x73 \x68 \x21 \x40 \x89 \x46 \x04 \x29 \xc0 \x88 \x46 \x07 \x89 \x76 \x08 \x89 \x46 \x0c \xb0 \x0b \x89 \xf3 \x8d \x4e \x08 \x8d \x56 \x0c \xcd \x80 \x29 \xc0 \x40 \xcd \x80 \xe8 \x64 \xff \xff \xff .* " ] ,
[ 'stream' , " \x31 \xc9 \xf7 \xe1 \x51 \x5b \xb0 \xa4 \xcd \x80 \x31 \xc9 \x6a \x02 \x5b \x6a \x3f \x58 \xcd \x80 \x41 \x6a \x3f \x58 \xcd \x80 \x41 \x6a \x3f \x58 \xcd \x80 \xeb \x1f .* " ] ,
[ 'stream' , " \x6d \x6f \x64 \x65 \x20 \x72 \x65 \x61 \x64 \x65 \x72 \x0d \x0a \x67 \x72 \x6f \x75 \x70 \x20 \x74 \x65 \x73 \x74 \x0d \x0a \x70 \x6f \x73 \x74 \x0d \x0a \x4d \x65 \x73 \x73 \x61 \x67 \x65 \x2d \x49 \x44 \x3a \x20 \x3c ...... \x40 a* \x3e \x0d \x0a \x46 \x72 \x6f \x6d \x3a \x20 \x61 \x40 \x61 \x2e \x04 \x80 \x13 \x08 \xec \x83 \x13 \x08 \x0d \x0a \x53 \x65 \x6e \x64 \x65 \x72 \x3a \x20 \x61 \x40 \x61 \x2e \x04 \x80 \x13 \x08 \xec \x83 \x13 \x08 \x0d \x0a \x4e \x65 \x77 \x73 \x67 \x72 \x6f \x75 \x70 \x73 \x3a \x20 \x74 \x65 \x73 \x74 \x0d \x0a \x53 \x75 \x62 \x6a \x65 \x63 \x74 \x3a \x20 \x62 \x6c \x61 \x68 \x0d \x0a \x0d \x0a \x62 \x6c \x61 \x68 \x0d \x0a \x2e \x0d \x0a \x67 \x72 \x6f \x75 \x70 \x20 \x63 \x6f \x6e \x74 \x72 \x6f \x6c \x0d \x0a \x70 \x6f \x73 \x74 \x0d \x0a \x4d \x65 \x73 \x73 \x61 \x67 \x65 \x2d \x49 \x44 \x3a \x20 \x3c ...... \x40 \x74 \x65 \x73 \x74 \x3e \x0d \x0a \x46 \x72 \x6f \x6d \x3a \x20 \x61 \x40 \x62 \x2e \x63 \x0d \x0a \x53 \x65 \x6e \x64 \x65 \x72 \x3a \x20 \x61 \x40 \x62 \x2e \x63 \x0d \x0a \x43 \x6f \x6e \x74 \x72 \x6f \x6c \x3a \x20 \x63 \x61 \x6e \x63 \x65 \x6c \x20 \x3c ...... \x40 a* \x3e \x0d \x0a \x53 \x75 \x62 \x6a \x65 \x63 \x74 \x3a \x20 \x63 \x6d \x73 \x67 \x20 \x63 \x61 \x6e \x63 \x65 \x6c \x20 \x3c ...... \x40 a* \x3e \x0d \x0a \x4e \x65 \x77 \x73 \x67 \x72 \x6f \x75 \x70 \x73 \x3a \x20 \x63 \x6f \x6e \x74 \x72 \x6f \x6c \x0d \x0a .* " ] ,
[ 'stream' , " 100.* \x25 \x2e \x34 \x38 \x37 \x37 \x37 \x75 \x25 \x38 \x35 \x24 \x68 \x6e \x5c \x25 \x2e \x31 \x34 \x32 \x33 \x33 \x75 \x25 \x38 \x36 \x24 \x68 \x6e \x0a .* " ] ,
[ 'stream' , " .* \x68 \x00 \x57 \x72 \x4c \x65 \x68 \x00 \x42 \x31 \x33 \x42 \x57 \x7a \x00 \x01 \x00 .* " ] ,
[ 'stream' , " .* \xff \xd8 .*([ \000 - \037 6].|.[ \000 - \037 6]) \037 7( \037 6| \034 1| \034 2| \035 5) \000 ( \000 | \001 ).* " ] ,
[ 'smb-open-filename' , " .* \ [p \00 ?s \00 ?e \00 ?x \00 ?e \00 ?s \00 ?v \00 ?c \00 ? \ . \00 ?e \00 ?x \00 ?e \ ].* " ] ,
[ 'stream' , " \x07 \ [authors \ ]... \x04 \ [bind \ ].* " ] ,
[ 'packet' , " \x07 \ [authors \ ]... \x04 \ [bind \ ].* " ] ,
[ 'stream' , " .*XC-QUERY-SECURITY.* " ] ,
[ 'stream' , " .* \xb1 \x06 \x51 \xb1 \x01 \x51 \xb1 \x02 \x51 \x89 \xe1 \xb3 \x01 \xb0 \x66 \xcd \x80 \x89 \xc1 \x31 \xc0 \x31 \xdb \x50 \x50 \x50 \x66 \x68 .. \xb3 \x02 \x66 \x53 \x89 \xe2 \xb3 \x10 \x53 \xb3 \x02 \x52 \x51 .* " ] ,
[ 'packet' , " .* \xeb \x02 \xeb \x02 \xeb \x02 .* " ] ,
[ 'stream' , " .* \xeb \x02 \xeb \x02 \xeb \x02 .* " ] ,
[ 'stream' , " .* \ u \xd9 \xee \xd9 \x74 \x24 \xf4 \x5b \x31 \xc9 \xb1 . \x81 \x73 \x17 .... \x83 \xeb \xfc \xe2 \xf4 \ u.* " ] ,
[ 'packet' , " .* \xc0 \x02 \x7a \x69 \x90 \x90 \x90 \x90 \xc0 \xd5 \xbf \xef \xb8 \xd5 \xbf \xef \ /bin.* " ] ,
[ 'stream' , " .* \xc0 \x02 \x7a \x69 \x90 \x90 \x90 \x90 \xc0 \xd5 \xbf \xef \xb8 \xd5 \xbf \xef \ /bin.* " ] ,
[ 'packet' , " .* \x8d \x0e \x89 \x4e \x08 \x89 \x46 \x0c \x8d \x4e \x08 \x50 \x51 \x56 \x50 \xb0 \x3b \xcd \x80 \xe8 \xe5 \xff \xff \xff \ /bin.* " ] ,
[ 'stream' , " .* \x8d \x0e \x89 \x4e \x08 \x89 \x46 \x0c \x8d \x4e \x08 \x50 \x51 \x56 \x50 \xb0 \x3b \xcd \x80 \xe8 \xe5 \xff \xff \xff \ /bin.* " ] ,
[ 'packet' , " .* \x84 \xff \xff \xff [ \037 1- \037 7].* " ] ,
[ 'packet' , " .* \x30 \x81 \xaf \x02 \x01 \x00 \x04 \x06 \x70 \x75 \x62 \x6c \x69 \x63 \xa0 \x81 \xa1 \x02 \x02 \x09 \x28 \x02 \x01 \x00 \x02 \x01 \x00 \x30 \x81 \x94 \x30 \x81 \x91 \x06 \x81 \x8c \x4d ( \x73 \x25 )+ \x73 \x81 \xff \xff \xff \xff \xff \xff \xff \xff \x7f \x05 .* " ] ,
[ 'snmp-oid' , " \x2b \x06 \x01 \x04 \x01 \x82 \x37 \x01 \x02 \x05 \x03 .* " ] ,
[ 'snmp-community' , " NoGaH$@! " ] ,
[ 'snmp-community' , " secret " ] ,
[ 'stream' , " .*((http: \ / \ /217 \ .107 \ .218 \ .147 \ /msits.exe \047 ;)|(function getRealShell \ ( \ ))|(84;66;86;5;73;119;71;89;95)|( \ [%41%44%4F%44%42%2E \ ])|( \ [%53%74%72%65%61%6D \ ])).* " ] ,
[ 'http-text-html' , " .*<applet CODE= \" BlackBox \ .class \" width=1 height=1>< \ /APPLET>.* " ] ,
[ 'smtp-header-from' , " .*nongmin_cn.* " ] ,
[ 'stream' , " .*qazwsx.hsq;* " ] ,
[ 'stream' , " .*qaswsx.* " ] ,
[ 'ftp-username' , " w0rm " ] ,
[ 'stream' , " connected.* " ] ,
[ 'packet' , " .* \x00 # .* " ] ,
[ 'packet' , " .*Ahhhh My Mouth Is Open.* " ] ,
[ 'packet' , " 03.* " ] ,
[ 'packet' , " 02.* " ] ,
[ 'packet' , " 20.* " ] ,
[ 'packet' , " 60.* " ] ,
[ 'packet' , " 121.* " ] ,
[ 'packet' , " 39.* " ] ,
[ 'packet' , " 41.* " ] ,
[ 'packet' , " 23.* " ] ,
[ 'packet' , " 13.* " ] ,
[ 'packet' , " 12[^1]?.* " ] ,
[ 'packet' , " 24.* " ] ,
[ 'packet' , " 110.* " ] ,
[ 'packet' , " 117.* " ] ,
[ 'packet' , " 118.* " ] ,
[ 'packet' , " 35.* " ] ,
[ 'packet' , " 21.* " ] ,
[ 'packet' , " 09.* " ] ,
[ 'packet' , " 100.* " ] ,
[ 'packet' , " 26.* " ] ,
[ 'packet' , " 32.* " ] ,
[ 'packet' , " 33.* " ] ,
[ 'packet' , " 31.* " ] ,
[ 'packet' , " 04.* " ] ,
[ 'packet' , " 30.* " ] ,
[ 'packet' , " 199.* " ] ,
[ 'packet' , " 88.* " ] ,
[ 'packet' , " 40.* " ] ,
[ 'packet' , " .*KeyLogger Shut Down.* " ] ,
[ 'packet' , " .*KeyLogger Is Enabled On port.* " ] ,
[ 'packet' , " 38.* " ] ,
[ 'packet' , " 07.* " ] ,
[ 'packet' , " 36.* " ] ,
[ 'packet' , " 64.* " ] ,
[ 'packet' , " 17.* " ] ,
[ 'packet' , " 89.* " ] ,
[ 'packet' , " 911.* " ] ,
[ 'packet' , " 125.* " ] ,
[ 'packet' , " 15.* " ] ,
[ 'packet' , " 14.* " ] ,
[ 'packet' , " 63.* " ] ,
[ 'packet' , " 91.* " ] ,
[ 'packet' , " 92.* " ] ,
[ 'packet' , " .*shutd0wnM0therF \ * \ * \ *eR.* " ] ,
[ 'packet' , " 10.* " ] ,
[ 'packet' , " 70.* " ] ,
[ 'packet' , " 22.* " ] ,
[ 'packet' , " 71.* " ] ,
[ 'packet' , " 25.* " ] ,
[ 'packet' , " 34.* " ] ,
[ 'packet' , " 13.* " ] ,
[ 'packet' , " 37.* " ] ,
[ 'packet' , " 370.* " ] ,
[ 'packet' , " 16.* " ] ,
[ 'packet' , " .*Retreaving.* " ] ,
[ 'packet' , " .*KeyLogger Is Enabled On port.* " ] ,
[ 'packet' , " .*FTP Server changed to.* " ] ,
[ 'packet' , " .*Comp Name.* " ] ,
[ 'packet' , " .*Wrong Password.* " ] ,
[ 'packet' , " .*Volume Serial Number.* " ] ,
[ 'packet' , " .*Host.* " ] ,
[ 'packet' , " .* \x00 # .* " ] ,
[ 'packet' , " A.* " ] ,
[ 'stream' , " .*host.* " ] ,
[ 'stream' , " .*NetSphere.* " ] ,
[ 'stream' , " .*NetSphere.* " ] ,
[ 'stream' , " .*Wtzup User.* " ] ,
[ 'packet' , " srv_infoSERVER INFO: \x0d \x0a \x0d Filename: .* " ] ,
[ 'stream' , " .*--.* " ] ,
[ 'stream' , " .*--.* " ] ,
[ 'packet' , " ( \xce \x63 \xd1 \xd2 \x16 \xe7 \x13 \xcf | \ *! \ *QWTY \ ?| \x9e \xf4 \xc2 \xeb \x87 \x89 \xa2 \x04 ).* " ] ,
[ 'http-header' , " \ [server \ ]: BO \ /.* " ] ,
[ 'smtp-rcpt' , " funguscrack@hotmail.com " ] ,
[ 'packet' , " \x1d \xa3 \x2b \x85 \x4f \x55 \x00 \xbb \x37 \xf8 \xab \x30 .* " ] ,
[ 'packet' , " \xce \x63 \xd1 \xd2 \x16 \xe7 \x13 \xcf . \xa5 \xa5 \x86 . \x75 \x4b \x99 .* " ] ,
[ 'packet' , " . \x00 \x00 \x00 .* " ] ,
[ 'packet' , " .*Alvgus's Trojan Server.* " ] ,
[ 'stream' , " .*Connected To Amanda.* " ] ,
[ 'stream' , " .*AOL Admin Server.* " ] ,
[ 'stream' , " .*(RQS|PAS|GNT|DIE|UPL|RBT|WDR|SDR|RUN|INV).* " ] ,
[ 'stream' , " .*Execute[A-Z][a-z]+.* " ] ,
[ 'stream' , " .*Basic Hell - .* " ] ,
[ 'packet' , " .* \x00 Bla Ver [1-6] \ .o0 \x00 .* " ] ,
[ 'stream' , " .*B \ .R \ .E \ .A \ .C \ .H Server.* " ] ,
[ 'packet' , " \ *VERBuHa [0-9] \ ..* " ] ,
[ 'stream' , " Crazzynet.* " ] ,
[ 'packet' , " Exploiter (Server )?[0-9] \ .[0-9] \ .? Port.* " ] ,
[ 'stream' , " NaZWA UZYTKOWNIKA.* " ] ,
[ 'stream' , " ForCed EnTrY .* " ] ,
[ 'stream' , " access ok \x20 .* " ] ,
[ 'stream' , " ver:Ghost version .* " ] ,
[ 'packet' , " (0020|0021|0030|0031|0040|0041|0050|0051|0060|0061|025|027|0220) " ] ,
[ 'stream' , " .*(H01|T01|V01|C01|M01|Q03|J01|P03) \x08 .* " ] ,
[ 'stream' , " Conectado! \x0d \x0a .* " ] ,
[ 'packet' , " (001|015|038.*|060|065.*) " ] ,
[ 'stream' , " .*InCommand (v )?[0-9] \ .[0-9].* " ] ,
[ 'stream' , " Insane Network vs [0-9] \ .[0-9].* " ] ,
[ 'stream' , " verpc,.* " ] ,
[ 'stream' , " Leszcz [0-9].* " ] ,
[ 'stream' , " .* \x29 \x00 \x00 \x00 \x00 \x00 \x03 \x00 \x09 \x00 \x00 \x00 .* \x0c \x00 \x00 \x00 v[0-9] \ ..* " ] ,
[ 'packet' , " (swapmouse|normalmouse|taskbargizle|taskbargoster|ctrlaltdelyok|ctrlaltdelvar) " ] ,
[ 'stream' , " \013 3OK \013 5 \ ([^ \005 1]* \ ) version [0-9] \ ..* " ] ,
[ 'packet' , " (List|Closewindow [0-9]+|MouseMove.*) " ] ,
[ 'stream' , " .*Mavericks Matrix .* " ] ,
[ 'stream' , " .*start hide.* " ] ,
[ 'stream' , " Michal [0-9] \ .[0-9]+ \x0d .* " ] ,
[ 'packet' , " ({[A-z]: \\ |clrrmt|reqfiledir|K[A-z]: \\ .*) " ] ,
[ 'stream' , " .*Millenium [0-9] \ .[0-9].* " ] ,
[ 'packet' , " RQS [0-9] " ] ,
[ 'stream' , " .*Mneah Remote Control, .* " ] ,
[ 'stream' , " ver(BETA [0-9]|[0-9] \ .[0-9]).* " ] ,
[ 'stream' , " .*220 MoonPie 1 \ .3 \x0d \x0a .* " ] ,
[ 'ftp-banner' , " MoonPie FTP-Server " ] ,
[ 'stream' , " .*(KEY=.*)?Connected to.* " ] ,
[ 'packet' , " (Computer|User|WinInfo|TIME) " ] ,
[ 'stream' , " .*NSServer-s.* " ] ,
[ 'stream' , " .* \ [NetSpy Version \ ] [0-9] \ .[0-9] \x0d \x0a .* " ] ,
[ 'packet' , " con[0-9] \ .[0-9][0-9]? " ] ,
[ 'packet' , " ([0-5]|F)([0-9]|[A-F])[0-9]? " ] ,
[ 'stream' , " PhuCk y0u \x0d \x0a .* " ] ,
[ 'stream' , " # 01 # [0-9].* " ] ,
[ 'stream' , " Oblivion [0-0] \ .[0-9]+ ready \ ..* " ] ,
[ 'stream' , " .*Optix Pro.* " ] ,
[ 'stream' , " 02[0-2][0-9]?[0-9]?( \ .[0-9][0-9]?[0-9]?)+.* " ] ,
[ 'stream' , " cmd=[a-z]+ var1=.* " ] ,
[ 'packet' , " (001|0060|0061|060|065[A-z]:.*|061) " ] ,
[ 'stream' , " phAse zero server.* " ] ,
[ 'stream' , " .*The Phoenix is ready.* " ] ,
[ 'stream' , " .*PitFall Ativo !!!.* " ] ,
[ 'stream' , " Conectado a [^ \012 ]+ - The Prayer .* " ] ,
[ 'packet' , " Execute[A-z]+.* " ] ,
[ 'stream' , " Accept,.* " ] ,
[ 'stream' , " 210 Prosiak v.* " ] ,
[ 'stream' , " psychward (revised|final).* " ] ,
[ 'stream' , " son-of-pw .* " ] ,
[ 'packet' , " (0031|0030|060|001) " ] ,
[ 'packet' , " R0X_[A-Z]+.* " ] ,
[ 'stream' , " .*R3C Server.* " ] ,
[ 'stream' , " MSG You have connected to.* " ] ,
[ 'stream' , " Remote Hack [0-9] \ .[0-9]+ Server.* " ] ,
[ 'stream' , " .*(hidestart|showstart|hidetaskbar|showtaskbar|message|swapon|swapoff|ftpon|ftpoff).* " ] ,
[ 'stream' , " Connected to.* " ] ,
[ 'stream' , " ServerSocket Connect \ . \ . \ . " ] ,
[ 'stream' , " .*Schneckenkorn.* " ] ,
[ 'stream' , " {E}([A-Z]|[a-z]):.* " ] ,
[ 'stream' , " .*(YES, connected|the tHing ).* " ] ,
[ 'stream' , " ID[0-9][0-9]?[0-9]?( \ .[0-9][0-9]?[0-9]?)+;.* " ] ,
[ 'packet' , " (run|del):.* " ] ,
[ 'stream' , " <(SYSTMTIME|REQSTFILE|UPLOADING)>.* " ] ,
[ 'stream' , " Truva Server.* " ] ,
[ 'stream' , " .*ULTOR'S TROJAN.* " ] ,
[ 'stream' , " .*23L'esclave.* " ] ,
[ 'stream' , " (Undetected |STL(Undetected|Udt)).* " ] ,
[ 'stream' , " Vagr Nocker .* " ] ,
[ 'stream' , " Vampire v[0-9] \ .[0-9] Server On-Line.* " ] ,
[ 'stream' , " .*phAse Zero.* " ] ,
[ 'packet' , " .*activate.* " ] ,
[ 'packet' , " .*logged in.* " ] ,
[ 'stream' , " \x0b \x00 \x00 \x00 \x07 \x00 \x00 \x00 Connect.* " ] ,
[ 'stream' , " \x32 \x00 \x00 \x00 \x06 \x00 \x00 \x00 Drives \x24 \x00 .* " ] ,
[ 'stream' , " .*GirlFriend.* " ] ,
[ 'stream' , " .* \ [ypi0ca \ ].* " ] ,
[ 'stream' , " .* \ [ypi0ca \ ].* " ] ,
[ 'stream' , " .* \ [Access Granted \ . \ . \ . \ ].* " ] ,
[ 'stream' , " .* \ [GateCrasher \ ].* " ] ,
[ 'stream' , " ( \x85 .? \x13 \x3c \x9e \xa2 .*)|( \x04 \x01 ..[^ \000 ]...).* " ] ,
[ 'stream' , " ( \x85 .? \x13 \x3c \x9e \xa2 .*)|( \x04 \x01 ..[^ \000 ]...).* " ] ,
[ 'stream' , " .*GET .* " ] ,
[ 'stream' , " \000 # waste \000 .* " ] ,
[ 'line' , " 221 Goodbye, have a good infection : \ ). " ] ,
[ 'stream' , " .*GetInfo.* " ] ,
[ 'stream' , " .*GetInfo.* " ] ,
[ 'stream' , " .*NetBus.* " ] ,
[ 'stream' , " .*NetBus.* " ] ,
[ 'stream' , " .*WHATISIT.* " ] ,
[ 'stream' , " .*FTPON.* " ] ,
[ 'stream' , " .*FTP Port open.* " ] ,
[ 'stream' , " .*pINg.* " ] ,
[ 'stream' , " .*@@.* " ] ,
[ 'packet' , " .*l44adsl.* " ] ,
[ 'packet' , " .*aaa .* " ] ,
[ 'packet' , " .*rsz .* " ] ,
[ 'packet' , " .*shi .* " ] ,
[ 'packet' , " .*xyz .* " ] ,
[ 'irc-join-chan' , " # b3eblebr0x " ] ,
[ 'packet' , " stream \ /.* " ] ,
[ 'packet' , " ping.* " ] ,
[ 'http-header-content-type' , " multipart \ /form-data; boundary=---------------------------123 " ] ,
[ 'http-header' , " authorization: (%n%n%n%n)+ " ] ,
[ 'http-url-parsed-param' , " .*: \ /+[^ \012 ]* \013 3( \ ?.*| \ /.*| # .*) " ] ,
[ 'http-url-parsed-param' , " .*: \ /+[^ \012 ]* \013 3:[^:]*[^ \013 5]*( \ ?.*| \ /.*| # .*) " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ .(bat|cmd) \ ?& \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [(a|NULL|test) \ .ida \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [_vti_bin \ /fpcount \ .exe \ ]( \ ?| \ /)[^ \012 ]* \ [digits \ ]=[1-9][0-9][0-9].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /IISADMPWD \ /((aexp|anot).*|achg) \ .htr \ ].* " ] ,
[ 'http-url-parsed-param' , " \ / \ [_AuthChangeUrl \ ? \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [.asp::$data \ ].* " ] ,
[ 'http-request' , " \ [POST \ ] \ / \ [msadc \ /msadcs \ .dll \ /(VbBusObj \ .VbBusObjCls \ .GetRecordset|AdvancedDataFactory \ .Query) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /catalog_type \ .asp \ ?ProductType= \ | \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /exchange \ /LogonFrm \ .asp \ ?.*mailbox=%%% \ ].* " ] ,
[ 'http-request' , " PUT \ [ \ /users \ / \ ][^.]* \ . \ [asp \ ].* " ] ,
[ 'http-url-parsed-param' , " \ / \ [scripts \ /iisadmin \ /ism \ .dll \ ?http \ /dir \ ].* " ] ,
[ 'http-url' , " \ / \ [scripts \ ] \ /[^ \012 ]* \ . \ .((%c1%9c)|(%c0%af)) \ . \ . \ /.* " ] ,
[ 'stream' , " \ [POST \ /ext \ .dll HTTP \ /1 \ .. \ ] \x0d \x0a Content-Length: 1 \x0d \x0a \x0d \x0a AAA*.* " ] ,
[ 'http-header-host' , " .* \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " \ [ \ /scripts \ /tools \ /newdsn \ .exe \ ] \ ?[^ ]*newdb=CREATE_DB.* " ] ,
[ 'http-url' , " .*%20HTTP \ /1 \ .[0-9](%0 \ [d \ ])?%0 \ [a \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ .bat \" \ +.* " ] ,
[ 'http-request' , " \ [POST \ ] \ /scripts \ /nsiislog \ .dll.* " ] ,
[ 'http-url' , " \ / \ [scripts \ ][^>]*[^.]+ \ . \ [bat \ ] \" \ + \" ?& \ +.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [gwweb \ .exe \ ? \ ][^ \000 ]* \ [help \ ]= \ /? \ . \ . \ /.* " ] ,
[ 'http-url-parsed' , " \ /exec \ /show \ /config \ /cr " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /vti_bin \ /.* \ /?fp(30|4a)reg \ .dl \ ].* " ] ,
[ 'http-url-parsed' , " \ /app_sta \ .stm " ] ,
[ 'http-url-parsed' , " \ [ \ /cgi-bin \ /config \ .bin \ ] " ] ,
[ 'http-url' , " .* \x90 \xeb \x03 \x5d \xeb \x05 \xe8 \xf8 \xff \xff \xff \x83 \xc5 \x15 \x90 \x90 \x90 \x8b \xc5 \x33 \xc9 \x66 \xb9 \x10 \x03 \x50 \x80 \x30 \x97 \x40 \xe2 \xfa \x7e \x8e \x95 \x97 \x97 \xcd \x1c \x4d \x14 \x7c \x90 \xfd \x68 \xc4 " ] ,
[ 'stream' , " .* \xeb \x1b \x5e \x31 \xdb \x89 \x5e \x07 \x89 \x5e \x0c \x88 \x5e \x11 \x31 \xc0 \xb0 \x3b \x8d \x7e \x07 \x89 \xf9 \x53 \x51 \x56 \x56 \xeb \x10 \xe8 \xe0 \xff .* " ] ,
[ 'stream' , " .*GET \ / \x90 * \xeb \x5f \x9a \xff \xff \xff \xff \x07 \xff \xc3 \x5e \x31 \xc0 \x89 .* " ] ,
[ 'stream' , " AAAAAAAAAAAAAAAAAAAAAAA+.* " ] ,
[ 'http-url' , " .*( \x90 )* \xeb \x72 \x5e \x29 \xc0 \x89 \x46 \x10 \x40 \x89 \xc3 \x89 \x46 \x0c \x40 \x89 \x46 \x08 \x8d \x4e \x08 \xb0 \x66 \xcd \x80 \x43 \xc6 \x46 \x10 \x10 \x66 \x89 \x5e \x14 \x88 \x46 \x08 \x29 \xc0 \x89 \xc2 \x89 \x46 \x18 \xb0 \x90 \x66 \x89 \x46 \x16 \x8d \x4e \x14 \x89 \x4e \x0c \x8d \x4e \x08 \xb0 \x66 \xcd \x80 \x89 \x5e .* " ] ,
[ 'stream' , " .*POST ( \x82 \xe4 \x04 \x08 )+ \x0d \x0a ( \x53 )+.* " ] ,
[ 'http-request' , " ( \xc0 \xf4 \xff \xbf )+[N]+ \x89 \xe5 \x31 \xd2 \xb2 .* " ] ,
[ 'http-request' , " GET \ /( \x2d )+ \x5a \xb4 \x40 \x20 \x48 \x54 \x54 \x50 \x2f \x31 \x2e \x30 \x0d \x0a \x55 \x73 \x65 \x72 \x2d \x41 \x67 \x65 \x6e \x74 \x3a \x20 \xeb \x67 \x5e \x8b \xec \x8b \x06 \x66 \x33 \xc0 \x8b \xd8 \x03 \x40 \x3c \x8b \x40 \x78 \x03 \xc3 \x8b \x78 \x20 \x8d \x3c \x3b \x03 \x1f \x33 \xd2 \x33 \xc9 \x43 \x38 \x13 \x75 \x01 \x41 \x81 .* " ] ,
[ 'http-header-accept-encoding' , " .*( \x90 )+ \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \xb0 \x2e \xcd \x80 \x31 \xdb \xf7 \xe3 \xb0 \x66 \x53 \x43 \x53 \x43 \x53 \x89 \xe1 \x4b .* " ] ,
[ 'http-url' , " \ [ \ /cgi-bin \ /webc \ .(cgi|exe) \ /(~|%7e)carl \ /g \ / \ ].* " ] ,
[ 'http-request' , " [^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].* " ] ,
[ 'http-url' , " .* \ . \ [(pdf|fdf|xfdf|xdp|xfd) \ ]%00.* " ] ,
[ 'http-url-parsed' , " \ [ \ /vgn \ /style \ ].* " ] ,
[ 'http-url' , " \ /a+ \x01 \x01 \x01 \x01 .* " ] ,
[ 'http-url' , " \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ /[a-z]: \ winnt.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /visadmin \ .exe \ ?user=guest \ ] " ] ,
[ 'http-request' , " REVLOG \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ [Template \ ] \ /[^ ]* \ . \ [xml \ ] \ ?[^ ]* \ [contenttype=text \ ].* " ] ,
[ 'http-header-host' , " .*( \046 | \057 | \077 | \017 4).* " ] ,
[ 'http-url-parsed-param' , " .*(<| \ [%3c \ ]) \ [img \ ][^ \000 ]* \ [src \ ]( | \011 )*=( | \011 )*( \042 | \047 )? \ [javascript \ ]:.* " ] ,
[ 'http-url-parsed-param' , " .* \ /mailbox \ .php3 \ ?actionID=6&server=x&imapuser=x';[^ \012 ]* \ +--&pass=x.* " ] ,
[ 'http-url-parsed-param' , " .*( \ [RawCustomSearchField|rawdocdata) \ .asp \ ] \ ?[^;];execmaster \ .dbo \ .(xp_cmdshell|sp_grantlogin).* " ] ,
[ 'http-url-parsed-param' , " .* \ [SiteAdmin \ .ASP \ ] \ ?[^ \012 ]*& \ [GroupName \ ]=.*';.* " ] ,
[ 'http-header' , " .*& \ [(userid|password) \ ]=[^&]*%27.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ . \ . \ . \ . \ . \ . \ . \ . \ . \ . \ ..* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [webcart \ /.*(orders \ /checks \ .txt|config \ /import \ .txt|config \ /mountain \ .cfg) \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /cgi-bin \ /console \ .exe \ ?.*page_size= \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /cgi-bin \ /cs \ .exe \ ?.*action= \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /scripts \ /slxweb \ .dll \ /admin \ ?.*command= \ ].* " ] ,
[ 'http-url-parsed' , " .* \ / \ [officescan \ /cgi \ /jdkRqNotify \ .exe \ ] " ] ,
[ 'http-url' , " \ /<script>window \ .location= \" \ /https-admserv \ /bin \ /perl \ /importInfo%3Fdir=.* " ] ,
[ 'http-header-user-agent' , " webmin " ] ,
[ 'line' , " .* \xeb \x0b \x3c \x66 \x61 \x6b \x65 \x68 \x61 \x6c \x6f \x3f \x3e \x31 \xc0 \x50 \x40 \x89 \xc3 \x50 \x40 \x50 \x89 \xe1 \xb0 \x66 \xcd \x80 \x31 \xd2 \x52 \x66 \x68 \x23 \x83 \x43 \x66 \x53 \x89 \xe1 \x6a \x10 \x51 \x50 \x89 \xe1 .* " ] ,
[ 'http-text-html' , " .*< \ [OBJECT \ ][^>]* \ [classid= \" CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF \" \ ][^>]*>.* " ] ,
[ 'http-text-html' , " .*(m|& # 109;|M|& # 77;)(h|H|& # 72;|& # 104;)(t|T|& # 84;|& # 116;)(m|& # 109;|M|& # 77;)(l|L|& # 76;|& # 108;)(:|& # 58)((f|F|& # 70;|& # 102;)(i|I|& # 73;|& # 105;)(l|L|& # 76;|& # 108;)(e|E|& # 69;|& # 101;)|(r|R|& # 82;|& # 114;)(e|E|& # 69;|& # 101;)(s|S|& # 83;|& # 115;)|(m|M|& # 77;|& # 109;)(i|I|& # 73;|& # 105;)(d|D|& # 68;|& # 100;))(:|& # 58;)( \ /|& # 47;)( \ /|& # 47;)[^!]*!(h|H|& # 72;|& # 104;)(t|T|& # 84;|& # 116;)(t|T|& # 84;|& # 116;)(p|P|& # 80;|& # 112;).* " ] ,
[ 'http-text-html' , " .* \ [mhtml: \ ](( \ [file \ ]| \ [res \ ]| \ [mid \ ]): \ / \ /[^!]*!${[^}]*}|${[^}]*}[^!]*!( \ [http \ ]| \ [ftp \ ])).* " ] ,
[ 'http-text-html' , " .*< \ [object \ ][^>]* \ [classid=( \042 | \047 )clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B \ ]( \042 | \047 )[^>]*>.* " ] ,
[ 'http-header' , " \ [location \ ]:[ ]* \ [URL \ ]:( \ [ms-its \ ]| \ [res \ ]):.* " ] ,
[ 'http-text-html' , " .* \ [showHelp \ ][ ]*( \ ([ ]*( \" |')?|( \" |'))(mk:@MSITStore:| \ [res: \ / \ / \ ]| \ [(ms-)?its: \ ]).* " ] ,
[ 'stream' , " .*qxco7=document \ .cookie;function gc099 \ (n21 \ ).* " ] ,
[ 'http-text-html' , " .*< \ [iframe \ ] [^>]* \ [src \ ]( \040 | \011 )*=( \040 | \011 )*( \" |')? \\ \\ .* " ] ,
[ 'http-text-html' , " .*< \ [a \ ][^>]+ \ [folder \ ]( \011 | \040 )*=( \011 | \040 )*('| \" )? \ [shell \ ]:.* " ] ,
[ 'http-text-html' , " .*< \ [script \ ].*< \ [frameset \ ][^>]+ \ [this \ .focus \ ] \ ( \ ).* " ] ,
[ 'http-text-html' , " .*< \ [a \ ][^>]+ \ [mailto: \ ]( \041 |[ \043 - \046 ]|[ \050 - \075 ]|[ \076 - \017 6])*&( \ [quot \ ]| # 34);[^>]*>.* " ] ,
[ 'http-text-html' , " .*<[^>]* \ [href= \ ]( \" |')? \ [shell:user profile \\ \ ].* " ] ,
[ 'http-text-html' , " .*< \ [object \ ][^>]* \ [clsid:26676CDD-DD35-4AF2-8751CC25DC468EF2 \ ].* \ .LaunchURL \ (.* " ] ,
[ 'http-text-html' , " .*< \ [object \ ][^>]* \ [clsid:0534CF61-83C5-4765-B19B-45F7A4E135D0 \ ].* \ .LaunchCustomRuleWizard \ (.* " ] ,
[ 'http-text-html' , " .* \ u \ [getClass \ ( \ ) \ .forName \ (('| \" )?(sun|javax? \ .security|javax? \ .rmi|javax? \ .transaction|org|javax? \ .nio \ .channels) \ ] \ u.* " ] ,
[ 'http-data' , " \xff \xd8 .* \037 7( \037 6| \034 1| \034 2| \035 5) \000 ( \000 | \001 ).* " ] ,
[ 'http-text-html' , " .*<[^>]*=( \" |')? \ [help:runscript \ ]=[^ ]* \ . \ [scpt \ ][^>]*>.* " ] ,
[ 'http-text-html' , " .*<[^>]*=( | \0 90)*( \047 | \042 )?( | \0 90)* \ [HCP: \ / \ /system \ /DVDUpgrd \ /dvdupgrd \ .htm \ ] \ ?[^>]+>.* " ] ,
[ 'http-url-parsed-param' , " .* \ /cgi-bin \ /campas.*( \ X0A \ X|%0(a|A)).* " ] ,
[ 'http-url-parsed-param' , " .* \ /cgi-bin \ /jj[^ \012 ]*(HTTPdRocKs|SDGROCKS).* " ] ,
[ 'http-url-parsed' , " \ /cgi-bin \ /phf.* " ] ,
[ 'http-data' , " .* \ [AnyFormTo \ ]=[^&]*(;|% \ [3b \ ]).* " ] ,
[ 'http-url-parsed-param' , " .* \ /process_bug \ .cgi?.*=.*;.* " ] ,
[ 'http-url-parsed-param' , " .* \ /classifieds \ .cgi \ ?[^ ]+return=.+@.+ \ ..+( \ . \ . \ /| \ /).* " ] ,
[ 'http-url' , " .* \ /cvsweb \ .cgi \ /.* \ /;.* " ] ,
[ 'http-url' , " .*site_searcher \ .cgi \ ?page= \ |.* " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-sys \ /guestbook \ .cgi( \ ?| \ /)user=cpanel&template \ ]= \ |.* " ] ,
[ 'http-url-parsed-param' , " .* \ . \ [(bat|cmd) \ ]( \ ?| \ /) \x7c .* " ] ,
[ 'http-url-parsed-param' , " .* \ [(insert into \ ]| \ [(select|update) \ ] [^;]* \ [(from|set) \ ] [^;]* \ [where \ ]| \ [delete from) \ ].* " ] ,
[ 'http-request' , " .* \ .(php|cgi) \ ?.* \ =[^&]*[ \" \' \ `][^&]*[; \ |][^&]*[ \" \' \ `].* " ] ,
[ 'http-url' , " .*( \x90 )+ \xeb \x72 \x5e \x29 \xc0 \x89 \x46 \x10 \x40 \x89 \xc3 \x89 \x46 \x0c \x40 \x89 \x46 \x08 \x8d \x4e \x08 .* " ] ,
[ 'http-url' , " .*( \x90 )+ \xeb \x72 \x5e \x29 \xc0 \x89 \x46 \x10 \x40 .* " ] ,
[ 'http-header-host' , " .* \ . \ . \ /.* " ] ,
[ 'http-authorization' , " (super:5777364|superman:21241036) \00 ? \00 ? " ] ,
[ 'http-url-parsed' , " \ / \ [frame_debug \ .asp \ ] " ] ,
[ 'http-url-parsed-param' , " \ /cgi-bin \ /handler \ /.*;.+ \ ?.* " ] ,
[ 'http-url-parsed-param' , " .* \ /pfdispaly \ .cgi \ ?'%0A " ] ,
[ 'http-url-parsed-param' , " \ /cgi-bin \ /webdist \ .cgi \ ?.*distloc=.*; " ] ,
[ 'http-url-parsed-param' , " .* \ /passwd \ .php3 \ ?.* \ [(%2F|%3B|;| \ +) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [include_once \ .php \ ] \ ?[^ ]* \ [inc_prefix \ ]=(http|ftp): \ / \ /.* " ] ,
[ 'http-header-user-agent' , " tirpitz " ] ,
[ 'http-url-parsed-param' , " .* \ [Sources \ /Packages \ .php \ ?sourcedir=http \ ]: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [hit \ .php \ ?url_hit=http \ ]: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ /includes \ /(header|footer) \ .php3 \ ?[^ ]*my_(footer|header)=http: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [admin \ /(system|exec) \ .php3 \ ?cmd \ ]=.* " ] ,
[ 'http-url-parsed-param' , " .* \ /index \ .php( \ ?| \ /)theme= \ . \ .( \ /|%2 \ [F \ ]).* " ] ,
[ 'http-url-parsed' , " .* \ / \ [mail \ ] \ / \ [admin \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [zentrack \ /index \ .php \ ]( \ ?| \ /)[^ \012 ]* \ [configFile \ ]= \ [http \ ]: \ / \ /.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [lib \ .inc \ .php \ ] \ ?[^ ]* \ [pm_path=http \ ]: \ / \ /.* " ] ,
[ 'http-data' , " .*form-data;[^ \012 ]*name= \" ([ \000 - \041 ]|[ \043 - \013 2]|[ \013 4- \037 7])* \013 3.*Content-Type:[ ]+ \ . \ . \ /.* " ] ,
[ 'http-data' , " .* \ [Content-Disposition: form-data; \ ][^ \012 ]* \ [filename= \ ] \" ? \ . \ .( \ /| \\ ).* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [sendtofriend \ ] \ . \ [php \ ] \ ?[^ \00 ]* \ [mid \ ]=[^&]*'+.* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [admin \ .php3 \ ?.*(step=4|option=pass).*(step=4|option=pass) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /read \ .php3 \ ] \ ?[^ \012 ]* \ [sSQL \ ]=.* " ] ,
[ 'http-url-parsed-param' , " \ / \ [phorum \ /plugin \ /replace \ /plugin.php?.*PHORUM[[]settings_dir \ ][]].* " ] ,
[ 'http-url-parsed-param' , " .*quick_reply \ .php \ ?phpbb_root_path=http: \ / \ /.* " ] ,
[ 'http-request' , " \ [GET \ ] \ /init \ .php \ ?.*(HTTP_(GET|POST|COOKIE)_VARS|HTTP_POST_FILES)=.* " ] ,
[ 'http-url' , " .*GALLERY_EMBEDDED_INSIDE(_TYPE)?.* " ] ,
[ 'stream' , " .* \xff \xf4 \xff \xfd \x06 .* " ] ,
[ 'stream' , " .* \ /viewsource \ /template \ .html \ ?.* " ] ,
[ 'stream' , " .* \ /viewsource \ /template \ .html \ ?.* " ] ,
[ 'http-url-parsed' , " \ /graphics \ /sml3com%s%s%s " ] ,
[ 'packet' , " .*NAMENAME \xff PASS.* " ] ,
[ 'stream' , " .* \x0a .* " ] ,
[ 'http-url' , " .* \ /%% " ] ,
[ 'stream' , " .* \xff \xf3 \xff \xf3 \xff \xf3 \xff \xf3 \xff \xf3 .* " ] ,
[ 'http-url-parsed-param' , " \ /? \ [Gozila \ .cgi \ ] \ ? " ] ,
[ 'packet' , " .*NAMENAME..?PASSWORD.* " ] ,
[ 'http-url-parsed' , " .* \ /OPTIONS( |%20)([^ ]|[^ \056 ])+ \ . \ [HTML \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [setinfo \ .hts \ ] \ ?[^?]* \ [setinclude \ ]=[^?]*( \ . \ . \ /)+[^?]* " ] ,
[ 'packet' , " ( \x00 | \x02 ) \x00 .* " ] ,
[ 'stream' , " .* \x68 \x2f \x62 \x69 \x6e \x5f \x6a \x70 \x58 \x66 \x50 \x66 \x68 \x2f \x63 \x57 \x54 \x5b \x31 \xf6 \x56 \x54 \x5a \x68 \x2f \x61 \x73 \x68 \x59 \x51 \x57 \x54 \x5d \x56 \x51 \x68 \x2f \x74 \x6d \x70 \x54 \x59 \x56 \x51 \x55 \x53 \x54 \x51 \x5d \x59 \xb0 \x02 \xcd \x80 \x39 \xc6 \x75 \x06 \xb0 \x0b \xcd \x80 \xeb \x1a \x31 \xdb \x4b \x56 \x54 \x59 \x31 \xd2 \x6a \x07 \x58 \xcd \x80 \x31 \xc9 \x66 \xb9 \x6d \x09 \x55 \x5b \x6a \x0f \x58 \xcd \x80 \x6a \x01 \x58 \xcd \x80 \x90 \x90 \x90 \x90 \xa0 \x01 \x07 \x08 \x29 \x0a \x35 \x33 \x30 \x20 \x6c \x6f \x6f \x6b \x20 \x77 \x68 \x61 \x74 \x20 \x69 \x20 \x64 \x69 \x64 \x20 \x74 \x6f \x20 \x79 \x6f \x75 \x0a .* " ] ,
[ 'stream' , " RETR \" \ |.* " ] ,
[ 'ftp-pathname' , " (spt \ .dat|rom-0) " ] ,
[ 'ftp-sitestring' , " .*kakaka \ .zip " ] ,
[ 'ftp-pathname' , " .* \ / \ / \ . \ . \ /.* " ] ,
[ 'ftp-password' , " wh00t.* " ] ,
[ 'ftp-password' , " h0tb0x " ] ,
[ 'ftp-password' , " lrkr0x " ] ,
[ 'ftp-password' , " satori " ] ,
[ 'ftp-password' , " .* \x31 \xc0 \x50 \x50 \x50 \xb0 \x7e \xcd \x80 \x31 \xdb \x31 \xc0 .* " ] ,
[ 'ftp-pathname' , " .* \x31 \xc0 \x31 \xdb \x31 \xc9 \xb0 \x46 \xcd \x80 \x31 \xc0 \x31 \xdb .* " ] ,
[ 'ftp-password' , " .*-broken@shattered \ .hopes.* " ] ,
[ 'ftp-password' , " .*hi@blahblah \ .net.* " ] ,
[ 'ftp-sitestring' , " \ [EXEC \ ] (%5$p|%20d \ |%).* " ] ,
[ 'ftp-pathname' , " ~{.* " ] ,
[ 'ftp-username' , " %x%x%x " ] ,
[ 'stream' , " .* \xb4 \x20 \xb4 \x21 \x8b \xcc \x83 \xe9 \x04 \x8b \x19 \x33 \xc9 \x66 \xb9 \x10 .* " ] ,
[ 'ftp-username' , " themosthax0ruserthatthisw0rldhaseverseen.* " ] ,
[ 'stream' , " .*(size [^ \001 2]+ \001 2.+ size [^ \001 2]+ \001 2.+size)+.* " ] ,
[ 'ftp-pathname' , " \ /dadasjasojdasj \ /adhjaodhahasohasaoihroaha.* " ] ,
[ 'telnet-user' , " \ [4Dgifts \ ] " ] ,
[ 'telnet-user' , " \ [ezsetup \ ] " ] ,
[ 'telnet-user' , " \ [OutOfBox \ ] " ] ,
[ 'stream' , " .*TENmanUFactOryPOWER.* " ] ,
[ 'telnet-user' , " userNotUsed " ] ,
[ 'telnet-user' , " copyright " ] ,
[ 'stream' , " .* \x04 \x04 \x04 \x04 \x04 \x04 \x04 \x04 \x04 \x04 .* " ] ,
[ 'stream' , " .* \x0D \x0A [[]Yes[]] \x0D \x0A \xFF \xFE \x08 \xFF \xFD \x26 .* " ] ,
[ 'stream' , " .* \xff \xf6 \xff \xfb \x08 \xff \xfb \x26 .* " ] ,
[ 'stream' , " .* \xf0 \x00 \x00 \x00 \x58 \x55 \x89 \xe5 \x81 \xec \x2c \x00 \x00 \x00 \x89 \x45 \xd4 \xc7 \x45 \xfc \x00 \x00 \xe6 \x77 \x8b \x45 \xfc \x66 \x81 \x38 \x4d \x5a \x75 \x7c \x05 \x3c \x00 \x00 \x00 \x8b \x18 \x03 .* " ] ,
[ 'stream' , " DESCRIBE.*( \ / \ . \ . \ / \ . \ .)+.* \ . \ [smi RTSP \ /1.0 \ ] \x0d \x0a \x0d \x0a .* " ] ,
[ 'smtp-header-to' , " .*(hacker117@163 \ .com|54love@fescomail \ .net).* " ] ,
[ 'stream' , " ( \021 1| \022 3| \026 1| \027 3| \035 4| \036 6| \002 5)( \002 3| \002 4) \x00 \x00 .* " ] ,
[ 'smtp-data-line' , " .*(AHMAZQByAHYAYwAuAGUAeAB|AGwAcwBlAHIAdgBjAC4AZQB4|AbABzAGUAcgB2AGMALgBlAHg).* " ] ,
[ 'http-url' , " \ / \ [default \ .ida \ ?XXXXXXXXXX+%u9090%u6858%ucbd3%u \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [message \ .zip \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [wendy \ .zip \ ] " ] ,
[ 'stream' , " tftp -i [0-9]+ \ .[0-9]+ \ .[0-9]+ \ .[0-9]+ GET ms(blast|laugh) \ .exe.* " ] ,
[ 'stream' , " .*HKLM \\ System \\ CurrentControlSet \\ Services \\ NetDDE \\ Start.* " ] ,
[ 'stream' , " .*HKLM \\ software \\ microsoft \\ mssqlserver \\ client \\ connectto \\ dsquery.* " ] ,
[ 'packet' , " \x5c \xbf \x01 \x29 \xca \x62 \xeb \xf1 " ] ,
[ 'smtp-data-text-html' , " <xml id=(3D)? \" oExec \" > " ] ,
[ 'stream' , " .*RETR [0-9]+_up.exe.* " ] ,
[ 'stream' , " .*>>cmd \ .ftp&echo anonymous>>cmd \ .ftp&echo user&echo bin>>cmd \ .ftp&echo get .* " ] ,
[ 'stream' , " \ [get \ ] \ /[0-9][0-9][0-9][0-9][0-9][0-9] \ . \ [php \ ].* " ] ,
[ 'smtp-data-line' , " bQ1naQ8wU3T9tZ \ +9BW5nczNNb2R1NTlOYW0f \ +7eDR1ByO0FkZHJlc3MPU3lzdH \ +b \ /fZlbURp " ] ,
[ 'stream' , " C " ] ,
[ 'tftp-filename' , " \ [hello \ .all \ ] " ] ,
[ 'stream' , " tftp -i [0-9]+ \ .[0-9]+ \ .[0-9]+ \ .[0-9]+ GET h3110 \ .411 package \ .exe & package \ .exe & exit \x0a \x00 .* " ] ,
[ 'smb-open-filename' , " .*( \ [slacke-worm \ .exe \ ]| \ [ \x00 s \x00 l \x00 a \x00 c \x00 k \x00 e \x00 - \x00 w \x00 o \x00 r \x00 m \x00 \ . \x00 e \x00 x \x00 e \ ]).* " ] ,
[ 'stream' , " .* \x0B \x01 \x06 \x00 \x00 \x20 \x01 \x00 \x00 \x10 \x00 \x00 \x00 \xE0 \x06 \x00 \x20 \x01 \x08 \x00 \x00 \xF0 \x06 \x00 \x00 \x10 \x08 \x00 \x00 \x00 \x40 \x00 \x00 \x10 \x00 \x00 \x00 \x02 \x00 \x00 \x04 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x04 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x20 \x08 \x00 \x00 \x10 \x00 \x00 \x00 \x00 \x00 \x00 \x02 \x00 \x00 \x00 \x00 \x00 \x10 \x00 \x00 \x10 \x00 \x00 \x00 \x00 \x10 \x00 \x00 \x10 \x00 \x00 \x00 \x00 \x00 \x00 \x10 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x10 \x08 \x00 \x64 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x64 \x11 \x08 \x00 \x0C .* \x55 \x50 \x58 \x30 \x00 \x00 \x00 \x00 \x00 \xE0 \x06 \x00 \x00 \x10 \x00 \x00 .* " ] ,
[ 'smb-copy-filename' , " .*R \x00 I \x00 C \x00 H \x00 E \x00 D \x00 2 \x00 0.* " ] ,
[ 'stream' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \xeb \x10 \x5a \x4a \x33 \xc9 \x66 \xb9 \x7d \x01 \x80 \x34 \x0a \x99 \xe2 \xfa \xeb \x05 \xe8 \xeb .* " ] ,
[ 'stream' , " echo open [0-9]+ \ .[0-9]+ \ .[0-9]+ \ .[0-9]+ [0-9]+ > o&echo user 1 1 >> o &echo get bling \ .exe >> o &echo quit >> o &ftp -n -s:o &bling \ .exe.* " ] ,
[ 'packet' , " .*hel32hkernQhounthickChGetTf \xb9 llQh32.* \x45 \xcc \x50 \x8b \x45 \xc0 \x50 \xff .* " ] ,
[ 'stream' , " .*User Access Verification.*Your PassWord:.* " ] ,
[ 'stream' , " .* \x20 \x03 \xb3 \xb2 \x19 \x11 \xaa \x80 \x3c \x46 \xfe \x61 \x34 \x86 \xc2 \x68 \x30 \x18 \x56 \x0d \x95 \x75 \xac \x52 \x23 \x16 \x42 \xb1 \x24 \x8b \xa0 \xc8 \x11 \xac \x2b \xbb \xb2 \x4d \x92 \x20 \x40 \xb6 \xc6 \x67 \xb7 \x59 \x6a \x29 \xba \xa5 \x50 \x19 \x1d \x91 \xc9 \xb3 \xd3 \x50 \xed \xa5 \xe7 \x5c \xc4 \x6f .* " ] ,
[ 'smb-open-filename' , " .*( \ [M \000 ?o \000 ?F \000 ?e \000 ?i \000 ? \ . \000 ?v \000 ?e \000 ?r \ ]| \ [S \000 ?c \000 ?a \000 ?r \000 ?d \000 ?s \000 ?v \000 ?r \000 ?3 \000 ?2 \000 ? \ . \000 ? \000 ?e \000 ?x \000 ?e \ ]| \ [l \000 ?a \000 ?s \000 ?v \000 ?r \000 ?3 \000 ?2 \000 ? \ . \000 ?e \000 ?x \000 ?e \ ]).* " ] ,
[ 'http-url' , " .*%u5951%u6841%u7533%u0018%u754F%u7405%u4E03.* " ] ,
[ 'dns-type-name' , " \x00 \x01 (cheese \ .dns4biz \ .org|butter \ .dns4biz \ .org|chilly \ .no-ip \ .info|kwill \ .hopto \ .org) " ] ,
[ 'stream' , " SNAF.* " ] ,
[ 'stream' , " USER x \012 PASS x \012 PORT \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'http-data' , " id=crutop&vvpupkin.* " ] ,
[ 'stream' , " .*CONNECT_DATA( \x20 | \x09 | \x0a | \x0d )*=( \x20 | \x09 | \x0a | \x0d )* \ (( \x20 | \x09 | \x0a | \x0d )* \ (( \x20 | \x09 | \x0a | \x0d )*COMMAND( \x20 | \x09 | \x0a | \x0d )*=( \x20 | \x09 | \x0a | \x0d )*SERVICE_CURLOAD.* " ] ,
[ 'http-url' , " .* \ [S%F(F|9)S \ .OWA \ ].* " ] ,
[ 'stream' , " .* \x01 \x31 \xDB \xCD \x80 \xE8 \x5B \xFF \xFF \xFF .* " ] ,
[ 'stream' , " .* \ [x \00 p \00 _ \00 c \00 m \00 d \00 s \00 h \00 e \00 l \00 l \00 \ ].* " ] ,
[ 'stream' , " .* \ [x \00 p \00 _ \00 c \00 m \00 d \00 s \00 h \00 e \00 l \00 l \00 \ ].* " ] ,
[ 'stream' , " .* \ [s \00 p \00 _ \00 s \00 t \00 a \00 r \00 t \00 _ \00 j \00 o \00 b \00 \ ].* " ] ,
[ 'stream' , " .* \ [s \00 p \00 _ \00 s \00 t \00 a \00 r \00 t \00 _ \00 j \00 o \00 b \00 \ ].* " ] ,
[ 'stream' , " .*xp_dirtree N'%..%..%.....*'.* " ] ,
[ 'stream' , " .* \ [SELECT pwdencrypt \ (REPLICATE \ ] \ ('.',([3-9][0-9][0-9]|[1-9][0-9][0-9][0-9]+) \ ) \ ).* " ] ,
[ 'stream' , " \x12 \x01 \x00 \x34 \x00 \x00 \x00 \x00 \x00 \x00 \x15 \x00 \x06 \x01 \x00 \x1b \x00 \x01 \x02 \x00 \x1c \x00 \x0c \x03 \x00 \x28 \x00 \x04 \xff \x08 \x00 \x02 \x10 \x00 \x00 \x00 .* \x00 \x24 \x01 \x00 \x00 .* " ] ,
[ 'stream' , " \x12 \x01 \x00 \x34 \x00 \x00 \x00 \x00 \x00 \x00 \x15 \x00 \x06 \x01 \x00 \x1b \x00 \x01 \x02 \x00 \x1c \x00 \x0c \x03 \x00 \x28 \x00 \x04 \xff \x08 \x00 \x02 \x10 \x00 \x00 \x00 ( \x58 )+ \x00 \x24 \x01 \x00 \x00 .* " ] ,
[ 'stream' , " .* \ [x \00 p \00 _ \00 (e \00 x \00 e \00 c \00 r \00 e \00 s \00 u \00 l \00 t \00 s \00 e \00 t \00 |p \00 r \00 i \00 n \00 t \00 s \00 t \00 a \00 t \00 e \00 m \00 e \00 n \00 t \00 s|d \00 i \00 s \00 p \00 l \00 a \00 y \00 p \00 a \00 r \00 a \00 m \00 s \00 t \00 m \00 t) \ ].* " ] ,
[ 'packet' , " .* \x04 \x41 \x41 \x41 \x41 .* " ] ,
[ 'packet' , " \x08 [^:]*:.* " ] ,
[ 'packet' , " \x04 .................................................................* " ] ,
[ 'packet' , " \x10 \x00 \x00 .* " ] ,
[ 'stream' , " .* \ [cash_words \ ] \ (.-[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+. \ );.* " ] ,
[ 'stream' , " .* \x31 \xc0 \x31 \xdb \x31 \xc9 \x31 \xd2 \xb0 \x66 \xb3 \x01 \x51 \xb1 \x06 \x51 \xb1 \x01 \x51 \xb1 \x02 \x51 \x8d \x0c \x24 \xcd \x80 \xb3 \x02 \xb1 \x02 \x31 \xc9 \x51 \x51 \x51 .* " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 (([ \031 0- \037 7] \x71 \x1c \x07 )|(.[ \016 2- \037 7] \x1c \x07 )|(..[ \003 5- \037 7] \x07 )|(...[ \001 1- \037 7])).* " ] ,
[ 'packet' , " .* \x0d \x00 .. \x09 \x00 \x00 \x00 [^ \000 ]* \xff \xff \xff \xfe .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [x-mas.exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [badass.exe \ ] \" .* " ] ,
[ 'line' , " .*BubbleBoy is back!.* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [links \ .vbs \ ] \" .* " ] ,
[ 'line' , " \ [X-Spanska \ ]:( | \x09 )*. \ [Yes \ ] " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [irok \ .exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [pics4you \ .exe \ ] \" .* " ] ,
[ 'line' , " \ [subject \ ]: ble bla. bee.* " ] ,
[ 'line' , " \ [subject \ ]: I Love You ; \ ).* " ] ,
[ 'line' , " \ [subject \ ]: Matrix has you \ . \ . \ ..* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [myjuliet \ .chm \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [myromeo \ .exe \ ] \" .* " ] ,
[ 'line' , " \ [subject \ ]: From shake-beer.* " ] ,
[ 'line' , " \ [subject \ ]: Sorry \ . \ . \ . Hey you !.* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [navidad \ .exe \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [setup \ .exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [the_fly \ .chm \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [toadie \ .exe \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [666test \ .vbs \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [tune \ .vbs \ ]* \" .* " ] ,
[ 'line' , " .*begin .* \ . \ [vbs \ ].* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [dinheiro \ .doc \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [money \ .doc \ ]* \" .* " ] ,
[ 'smtp-mime-content-filename' , " \ [badass.exe \ ] " ] ,
[ 'smtp-header-subject' , " .*BubbleBoy is back!.* " ] ,
[ 'smtp-mime-content-filename' , " \ [links \ ] \ . \ [vbs \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [file_zippati \ .exe \ ] " ] ,
[ 'smtp-header-line' , " X-Spanska:( | \x09 )*.Yes " ] ,
[ 'smtp-mime-content-filename' , " \ [irok \ .exe \ ] " ] ,
[ 'smtp-data-line' , " .* \ [Software provided by \ X5B \ XMATRiX \ X5D \ X \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [pics4you \ .exe \ ] " ] ,
[ 'smtp-data-line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [myjuliet \ .chm \ ] \" .* " ] ,
[ 'smtp-data-line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [myromeo \ .exe \ ] \" .* " ] ,
[ 'smtp-header-subject' , " Sorry \ . \ . \ . Hey you !.* " ] ,
[ 'smtp-mime-content-filename' , " \ [navidad \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [readme \ .exe \ ]| \ [sample \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [xpass \ .xls \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [icq_greetings \ .exe \ ] " ] ,
[ 'smtp-header-subject' , " Pikachu Pokemon.* " ] ,
[ 'smtp-mime-content-filename' , " \ [setup \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [the_fly \ .chm \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [666test \ .vbs \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [tune \ .vbs \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [kak \ .hta \ ] " ] ,
[ 'stream' , " .*LRCQID7dIDFEECggDSLm9df8C \ /zSNKDBBAAoGA0AEUQ \ +FEN23f7doqAT \ /dCQk \ /xWcEQmDxCTD.* " ] ,
[ 'smtp-mime-content-filename' , " ( \ [About_Me \ ]| \ [driver \ ]| \ [enjoy \ ]| \ [Source \ ]| \ [Interesting \ ]| \ [README \ ]| \ [images \ ]| \ [Pics \ .ZIP \ ]| \ [Doom3 Preview \ ]| \ [you_are_fat \ ]!*) \ .( \ [exe \ ]| \ [scr \ ]| \ [pif \ ]) " ] ,
[ 'smtp-mime-content-filename' , " .* \ .( \ [doc|txt|xl.|gif|jpg|zip|enc|end|ps|pdf|dot|etf|rtf|ex_|ex$|ram|rm|bak|bas|bdf|bga|bhz|lha|lzh|arc|arj|cdx|csv|cal|dat|pcm|wav|mpg|mpeg|avi|wmv|mp3|mpe|anus \ ]) \s * \ . \s *( \ [386|ADE|ADP|ANI|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|GRP|HLP|HTA|INF|INS|ISP|JOB|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|WMF|WSC|WSF|WSH|WSZ|XL. \ ]) " ] ,
[ 'smtp-header-subject' , " Important information for you \ . Read it immediately ! " ] ,
[ 'stream' , " .*(enRN( \x0d \x0a )?di5x( \x0d \x0a )?eXk3|dnp0( \x0d \x0a )?TXYu( \x0d \x0a )?cXl5|dXZ6( \x0d \x0a )?dE12( \x0d \x0a )?LnF5).* " ] ,
[ 'stream' , " .*(HwoL( \x0d \x0a )?cGdz( \x0d \x0a )?emJh|XB8K( \x0d \x0a )?C3Bn( \x0d \x0a )?c3pi|G1wf( \x0d \x0a )?Cgtw( \x0d \x0a )?Z3N6).* " ] ,
[ 'stream' , " .*(TSUR( \x0d \x0a )?ce0U( \x0d \x0a )?2RkI|XHtF( \x0d \x0a )?NkZC( \x0d \x0a )?NUUy|TFNJ( \x0d \x0a )?RFx7( \x0d \x0a )?RTZG).* " ] ,
[ 'stream' , " .*(PUkg( \x0d \x0a )?YW0g( \x0d \x0a )?Ikly|PT1J( \x0d \x0a )?IGFt( \x0d \x0a )?ICJJ|SSBh( \x0d \x0a )?bSAi( \x0d \x0a )?SXJ6).* " ] ,
[ 'stream' , " .*(NShF( \x0d \x0a )?OXU6( \x0d \x0a )?el1n|RTl1( \x0d \x0a )?Onpd( \x0d \x0a )?Z \ /YO|KEU5( \x0d \x0a )?dTp6( \x0d \x0a )?XWf2).* " ] ,
[ 'stream' , " .*aW5nB7oGdbA7FU11aA9GtlgQQWEPSert \ /0Nvb2xoZWxwMzJTbjxzaG87trUNlI8tRGSDAJML.* " ] ,
[ 'smtp-data-text-html' , " <OBJECT STYLE= \" display:none \" DATA= \" http: \ / \ /[0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]? \ .[0-9][0-9]?[0-9]?:81 \ /[0-9][0-9][0-9][0-9][0-9][0-9] \ .php \" > " ] ,
[ 'smtp-header-subject' , " (ble bla, bee)|(I Love You ; \ ))|(sorry \ . \ . \ .)|(Hey you !)|(Matrix has you \ . \ . \ .)|(my picture)|(from shake-beer) " ] ,
[ 'smtp-header-subject' , " (Good Times|Market share tipoff \ . \ . \ .|New Developments|WWIII!) " ] ,
[ 'smtp-mime-content-filename' , " \ [baby \ .exe \ ]| \ [bboy \ .exe \ ]| \ [boss \ .exe \ ]| \ [casper \ .exe \ ]| \ [chestburst \ .exe \ ]| \ [cooler1 \ .exe \ ]| \ [cooler3 \ .exe \ ]| \ [copier \ .exe \ ]| \ [cupid2 \ .exe \ ]| \ [farter \ .exe \ ]| \ [fborfw \ .exe \ ]| \ [g-zilla.exe \ ]| \ [gadget \ .exe \ ]| \ [goal \ .exe \ ]| \ [goal1 \ .exe \ ]| \ [hog \ .exe \ ]| \ [irnglant \ .exe \ ]| \ [monica \ .exe \ ]| \ [panther \ .exe \ ]| \ [party \ .exe \ ]| \ [pirate \ .exe \ ]| \ [saddam \ .exe \ ]| \ [theobbq \ .exe \ ]| \ [video \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [money \ .doc \ ]| \ [dinheiro \ .doc \ ] " ] ,
[ 'stream' , " .* \ X80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 \ X.* " ] ,
[ 'stream' , " .* \x00 \x00 \x04 \x00 \ /... \xfc \xff \xff \xff \xfc \xff \xff \xff \xa1 \xff \xff \xbf \xf8 \xe2 \xff \xbf \x20 \xd9 \x05 \x08 [A-z]+.* " ] ,
[ 'packet' , " .*( \x90 )+ \xeb \x3c \x5e \x31 \xc0 \x88 \x46 \xfa \x89 \x46 \xf5 \x89 \xf7 \x83 \xc7 \x10 \x89 .* " ] ,
[ 'packet' , " .*AAAABBBBABCDBBBBABCF.* " ] ,
[ 'packet' , " .* \xeb \x3d \x9a \xff \xff \xff \xff \x07 \xff .*|.* \x20 \xbf \xff \xff \x20 \xbf \xff \xff \x7f \xff \xff \xff .* " ] ,
[ 'packet' , " .*ADM_METHOD \x00 \x00 \x00 \x00 \x00 \x09 \x00 \x00 \x00 \x16 \x00 \x00 \x00 \x15 \ . \ . \ /.* " ] ,
[ 'stream' , " .*uid=[0-9]+ \ ([^)]+ \ ).* " ] ,
[ 'packet' , " .. \x85 \x00 \x00 \x00 \x00 . \x00 \x00 \x00 \x00 [ \041 - \037 7]. \x00 (( \001 )|( \040 )) \x00 \x01 .* " ] ,
[ 'stream' , " .* \x04 \x42 \x45 \x41 \x56 \x00 \x04 \x42 \x45 \x41 \x56 \x49 \x53 \x00 \x01 \x08 \x00 \x79 \x65 \x70 \x20 \x79 \x65 \x70 \x00 \x00 .* " ] ,
[ 'stream' , " .* \x5C \x00 \x5C \x00 \x2A \x00 \x53 \x00 \x4D \x00 \x42 \x00 \x53 \x00 \x45 \x00 \x52 \x00 \x56 \x00 \x45 \x00 \x52 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xFF \xFF \xFF \xFF \x00 \x00 \x00 \x00 .* " ] ,
[ 'stream' , " .* \xeb \x2f \x5f \xeb \x4a \x5e \x89 \xfb \x89 \x3e \x89 \xf2 .* " ] ,
[ 'packet' , " .. \x40 \x00 ...... \x00 \x01 .* " ] ,
[ 'stream' , " .* \" [^ \" ]* \ [https? \ ]: \ / \ /[^ ]*(%00| \x00 |%01| \x01 |%09| \x09 )[^ ]*@[^ \" ]* \" .* " ] ,
[ 'stream' , " .*< \ [OBJECT \ ][^>]* \ [classid= \" CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF \" \ ][^>]*>.* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [doc \ .vbs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [gif \ .vbs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [jpg \ .vbs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [pif \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [scr \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [shs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [txt \ .vbs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [vbs \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [xls \ .vbs \ ] \" .* " ] ,
[ 'line' , " ( \ [Content-Disposition: attachment \ ];)?( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [cmd \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [chm \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [crt \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [hlp \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [ins \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [isp \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [js \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [jse \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [mdb \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [mde \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [msc \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [msi \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [pcd \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [sct \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [url \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [vb \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [vbe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [wsc \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [wsf \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" .* \ . \ [wsh \ ] \" .* " ] ,
[ 'stream' , " .* \xe8 . \xff \xff \xff \ /bin \ /.* " ] ,
[ 'line' , " .* \x89 \xd8 \x40 \xcd \x80 \xe8 \xdc \xff \xff \xff .* " ] ,
[ 'stream' , " .* \xeb \x34 \x5e \x8d \x1E \x89 \x5e \x0b \x31 \xd2 \x89 \x56 \x07 .* " ] ,
[ 'stream' , " .* \xeb \x35 \x5E \x80 \x46 \x01 \x30 \x80 \x46 \x02 \x30 \x80 \x46 \x03 \x30 .* " ] ,
[ 'stream' , " .* \xeb \x38 \x5e \x89 \xf3 \x89 \xd8 \x80 \x46 \x01 \x20 \x80 \x46 \x02 .* " ] ,
[ 'stream' , " .* \xeb \x58 \x5E \x31 \xdb \x83 \xc3 \x08 \x83 \xc3 \x02 \x88 \x5e \x26 .* " ] ,
[ 'line' , " 1 LSUB \" \" {1064}.* " ] ,
[ 'stream' , " .* \x2a \x20 \x41 \x55 \x54 \x48 \x45 \x4e \x54 \x49 \x43 \x41 \x54 \x45 \x20 \x7b \x31 \x30 \x32 \x38 \x7d \x0a \x90 * \xeb \x21 \x5e \x31 \xdb \x89 \x5e \x07 \x89 \x5e \x0c \x88 \x5e \x11 \x31 \xc0 \xb0 \x3b \xbf \x30 \x30 \x30 \x30 \x29 \x7e \x01 \x29 \x7e \x03 \x53 \x53 \x56 \x56 \xeb \x10 \xe8 \xda \xff \xff \xff .* " ] ,
[ 'stream' , " .*x82 partial 1 body \x5b ( \x41 \x41 )+ \xeb \x38 \x5e \x80 \x46 \x01 \x50 \x80 \x46 \x02 \x50 \x80 \x46 \x03 \x50 \x80 \x46 \x05 \x50 \x80 \x46 \x06 .* " ] ,
[ 'stream' , " .*A0666 PARTIAL 1 BODY \x5b ( \x90 )+ \x55 \x89 \xe5 \x55 \x89 \xe5 \x83 \xec \x28 \xc6 \x45 \xd8 \x2f \xc6 \x45 \xdc \x2f \xc6 \x45 \xd9 \x5f \xc6 \x45 \xda \x5a \xc6 \x45 \xdb \x5f \xc6 \x45 \xdd \x5f \xc6 \x45 \xde \x5f \x83 \x45 \xd9 \x03 .* " ] ,
[ 'stream' , " .* \x78 \x20 \x6c \x6f \x67 \x69 \x6e \x20 \x7b \x34 \x32 \x39 \x34 \x39 \x36 \x37 \x32 \x39 \x35 \x7d \x0d \x0a \xc3 \xb0 \xc3 \xaf \xc3 \xbf \xc2 \xbf \xc2 \x90 \xc3 \xaf \xc3 \xbf \xc2 \xbf \xc3 \xbc \xc3 \xbf \xc3 \xbf \xc3 \xbf \xc3 \xbc .* " ] ,
[ 'stream' , " .* \x00 \x01 \x57 \x00 \x00 \x00 \x18 . \xFF \xFF \xFF \xFF \x00 \x00 .* " ] ,
[ 'stream' , " .* \xe8 . \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'stream' , " SSH-1 \ .1-A* \xb8 \x00 \x03 \xff \xe0 \x00 A* \x90 * \x00 \xbb \x12 \x00 \x0a \x00 \x90 * \xeb \x03 \x5d \xeb \x05 \xe8 \xf8 \xff \xff \xff \x83 \xc5 .* " ] ,
[ 'ssh-header' , " .*( # RHL|SISQO|AcidBurns|Born|God|Joker|Owned|Protected|Shadow|SloboZ|U-B00T's_BACKDOOR|hai|X.X.X|GOBBLES|KobrAs@Undernet.Org|check_ssh_1.17|7.7.7).* " ] ,
[ 'stream' , " .*(uname|bin \ /ls|bin \ /id|bin \ /nc|bin \ /g?cc|bin \ /mail|ifconfig|bin \ /(k|ba|c|tc|z)?sh).* " ] ,
[ 'stream' , " .*uid=[0-9]+ \ ([^)]+ \ ).* " ] ,
[ 'stream' , " \ [(GET|HEAD|POST) \ ] \ /?( \ . \ .( \ /| \\ ))+.* " ] ,
[ 'line' , " 227 ...............................................[^ \035 3]+ \xeb \x40 \x5e \x31 \xc0 \x88 .* " ] ,
[ 'http-url-parsed-param' , " \ / \ [cgi-bin \ ] \ / \ [readfile \ ] \ . \ [tcl \ ] \ ? \ [file \ ]=.* \ /( \ [etc \ ]| \ [usr \ ]| \ [bin \ ]| \ [sbin \ ]| \ [var \ /log \ ]).* " ] ,
[ 'stream' , " [^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].* " ] ,
[ 'packet' , " -soa [^ \012 ]+%(%|d|D|i|o|u|x|X|f|e|g|E|s|c| \013 3|p|n).* " ] ,
[ 'stream' , " .*-805289688=%31%C0%89%C3%B0%02%CD%80%38%C3%74%05%8D%43%01%CD%80%31%C0%89%45%10%40.* " ] ,
[ 'stream' , " .* \ [(is-modified|unchanged) \ ] [^ \012 ]* \012 \ [(is-modified|unchanged) \ ] [^ \012 ]* \012 \ [(is-modified|unchanged) \ ] [^ \012 ]* \012 \ [(is-modified|unchanged) \ ] [^ \012 ]* \012 \ [(is-modified|unchanged) \ ] [^ \012 ]* \012 .* " ] ,
[ 'packet' , " \x00 \x09 .........................[ \010 0- \020 0].* " ] ,
[ 'stream' , " .* \x31 \x30 \x30 \x30 \x33 \x2e \x68 \x74 \x74 \x70 \x3a \x2f \x2f ( \x90 )+ \x30 \x9b \xbf \xef \x90 \xeb \x1f \x5e \x31 \xc0 \x89 .* " ] ,
[ 'stream' , " .* \x00 \x00 domain HELL \x00 .* " ] ,
[ 'stream' , " .* \xff \xff \x4b \x41 \x44 \x4d \x30 \x2e \x30 \x41 \x00 \x00 \xfb \x03 \x00 \x40 \x06 \x08 \x00 \x40 .* " ] ,
[ 'stream' , " .* \x70 \xf9 \xff \xbf \x70 \xf9 \xff \xbf \x70 \xf9 \xff \xbf \x72 \xf9 \xff \xbf \x25 \x2e \x66 \x25 \x2e \x66 \x25 \x2e \x66 \x25 \x2e \x66 .* " ] ,
[ 'stream' , " .* \x40 \x82 \x82 \x82 \x82 \x24 \xd2 \x04 \x08 \x82 \x82 \x82 \x82 \x25 \xd2 \x04 \x08 \x82 \x82 \x82 \x82 \x26 \xd2 \x04 \x08 \x82 \x82 \x82 \x82 \x27 \xd2 \x04 \x08 \x25 \x31 \x31 \x24 \x32 \x33 \x36 \x78 \x25 \x31 \x32 \x24 \x6e \x25 \x31 .* " ] ,
[ 'packet' , " \x3e \x3e \x3e \x0a \x80 \xf7 \xff \xbf \xff \xff \xff \xff \x81 \xf7 \xff \xbf \xff \xff \xff \xff \x82 \xf7 \xff \xbf \xff \xff \xff \xff \x83 \xf7 \xff \xbf \x25 \x30 \x38 \x78 .* " ] ,
[ 'stream' , " .* \x31 \xc0 \x31 \xdb \x31 \xc9 \x51 \xb1 \x06 \x51 \xb1 \x01 \x51 \xb1 \x02 \x51 \x89 \xe1 \xb3 \x01 \xb0 \x66 \xcd \x80 \x89 \xc2 \x31 \xc0 \x31 \xc9 \x51 \x51 .* " ] ,
[ 'stream' , " \x05 \x00 \x0b \x03 \x10 \x00 \x00 \x00 \x48 \x00 \x00 \x00 \x02 \x00 \x00 \x00 \xd0 \x16 \xd0 \x16 \x00 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x60 \x9e \xe7 \xb9 \x52 \x3d \xce \x11 \xaa \xa1 \x00 \x00 \x69 \x01 \x29 \x3f \x02 \x00 \x02 \x00 \x04 \x5d \x88 \x8a \xeb \x1c \xc9 \x11 \x9f \xe8 \x08 \x00 \x2b \x10 \x48 \x60 \x02 \x00 \x00 \x00 \x05 \x00 \x00 \x01 \x10 \x00 \x00 \x00 \xd0 \x16 \x00 \x00 \x8f \x00 \x00 \x00 \x20 \x27 \x01 \x00 \x00 \x00 \x02 \x00 \xf0 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xf0 \x00 \x00 \x00 .* \x88 \x13 \x00 \x00 \x00 \x00 \x00 \x00 \x88 \x13 \x00 \x00 .* " ] ,
[ 'stream' , " .* \ [Plonked by Dave Aitel \ ].* " ] ,
[ 'stream' , " .* \x5c \x00 \x6c \x00 \x6f \x00 \x63 \x00 \x61 \x00 \x74 \x00 \x6f \x00 \x72 \x00 .* \x39 \x04 \x00 \x00 \x00 \x00 \x00 \x00 \x39 \x04 \x00 \x00 \x2f \x00 \x2e \x00 \x3a \x00 \x2f \x00 .* " ] ,
[ 'smb-native-lanman' , " Metasploit Framework " ] ,
[ 'stream' , " .*ADMROCKS.* " ] ,
[ 'packet' , " .*ADMROCKS.* " ] ,
[ 'line' , " [^ ]*%[0-9]*n " ] ,
[ 'tftp-filename' , " .*AA(A)+ \ .(AA)+ \xff \xff \xff \xff \xeb \x27 \x8b \x34 \x24 \x33 \xc9 \x33 .* " ] ,
[ 'tftp-filename' , " \ /.* " ] ,
[ 'stream' , " .* \x01 a \\ \ . \ . \\ \ . \ . \\ winnt \\ repair \\ sam.* " ] ,
[ 'line' , " 550 .* \ [cannot mail \ ].* \ [to programs \ ].* " ] ,
[ 'smtp-data-text-html' , " .* \ [https? \ ]: \ / \ /[^ ]*(%00| \x00 |%01| \x01 |%09| \x09 )[^ ]*@.* " ] ,
[ 'smtp-data-text-html' , " .*< \ [a \ ][^>]+ \ [mailto: \ ]( \041 |[ \043 - \046 ]|[ \050 - \075 ]|[ \076 - \017 6])*&( \ [quot \ ]| # 34);.* " ] ,
[ 'stream' , " .*<[^>]*=( | \0 90)*( \047 | \042 )?( | \0 90)* \ [HCP: \ / \ /system \ /DVDUpgrd \ /dvdupgrd \ .htm \ ] \ ?[^>]+>.* " ] ,
[ 'stream' , " .*<[^>]* \ [href= \ ]( \" |')? \ [shell:user profile \\ \ ].* " ] ,
[ 'smtp-mime-content-data' , " \xff \xd8 .* \037 7( \037 6| \034 1| \034 2| \035 5) \000 ( \000 | \001 ).* " ] ,
[ 'smtp-header-reply-to' , " .*( \ ${ \ [ifs \ ]}| \ /bin \ /).* " ] ,
[ 'stream' , " .* \x31 \xc0 \x89 \xc3 \x89 \xc1 \x89 \xc2 \xb2 \x3f \x88 \xd0 \xb3 \x05 \xcd \x80 \x89 \xd0 \x41 \xcd \x80 \x89 \xd0 \x41 \xcd \x80 \xeb \x1d \x5e \x29 \xc0 \x88 \x46 \x07 \x89 \x46 \x0c \x89 \x76 \x08 \xb0 \x0b \x87 \xf3 \x8d \x4b \x08 \x8d \x53 \x0c \xcd \x80 \x29 \xc0 \x40 \xcd \x80 \xe8 \xde \xff \xff \xff .* " ] ,
[ 'smtp-header-from' , " .*(ABCDEFGHIJKLMNOPQRSTUVWXYZabc| \x55 \x54 \x5d \x33 \xff \x57 \xc6 \x45 \xfc \x63 \xc6 \x45 \xfd \x6d \xc6 \x45 \xfe \x64 \x57 \xc6 ).* " ] ,
[ 'smtp-rcpt' , " .* \xff \xff \xff \xff .* " ] ,
[ 'smtp-command-line' , " .* \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff \x5c \xff .* " ] ,
[ 'smtp-header-line' , " .*charset( | \x09 )*=( | \x09 )* \" \" .* " ] ,
[ 'smtp-command-line' , " .* \xeb \x45 \xeb \x20 \x5b \xfc \x33 \xc9 \xb1 \xaf \x8b \xf3 \x80 \x2b .* " ] ,
[ 'smtp-rcpt' , " ( \ [uu \ ])? \ [decode \ ] " ] ,
[ 'stream' , " .*< \ [META http-equiv=refresh content= \" 1; & # 13;& # 10;url=file: \ / \ /C: \ WINDOWS \ Application Data \ Qualcomm \ Eudora \ Embedded \ .* \ .mhtml \" \ ]>.* " ] ,
[ 'smtp-command-line' , " ( | \x09 )* \ [etrn \ ].* " ] ,
[ 'smtp-data-text-html' , " .*<([a-z]|[A-Z])+[^>]+ \ [hcp \ ]: \ / \ /([ \000 - \041 ]|[ \043 - \046 ]|[ \050 - \037 7])*( \" |& \ [quot \ ];|& # 34;)([ \000 - \041 ]|[ \043 - \046 ]|[ \050 - \037 7])*- \ [url \ ][ ]+( \" |& \ [quot \ ];|& # 34;).* " ] ,
[ 'smtp-command-line' , " ( \ [HELO \ ]| \ [RCPT TO \ ])[^ \00 ]*%( \ .?[0-9][0-9]?($| \ *)*)?[a-z].* " ] ,
[ 'packet' , " .*( \x90 )+ \x31 \xc0 \x31 \xdb \xb0 \x02 \xcd \x80 \x39 \xd8 \x75 \x2d \x31 \xc0 \x50 \x66 \x68 \x2d \x46 \x89 .* " ] ,
[ 'packet' , " .*( \x0c | \x51 )..*% \ [(n|h|s|x) \ ].* " ] ,
[ 'stream' , " .* \x41 \x39 \x30 \xc0 \xa8 \x01 \x01 \x2f \x62 \x69 \x6e \x2f \x73 \x68 \x00 .* " ] ,
[ 'stream' , " .*(XXXX% \ .172u%300 \ $n| \xE8 \x94 \xFF \xFF \xFF \ /bin \ /sh).* " ] ,
[ 'stream' , " .* \xe8 . \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \x5e \xb0 \x02 \x89 \x06 \xfe \xc8 \x89 \x46 \x04 \xb0 \x06 \x89 \x46 .* " ] ,
[ 'stream' , " .* \xeb \x56 \x5E \x56 \x56 \x56 \x31 \xd2 \x88 \x56 \x0b \x88 \x56 \x1e .* " ] ,
[ 'stream' , " .* \xeb \x40 \x5E \x31 \xc0 \x40 \x89 \x46 \x04 \x89 \xc3 \x40 \x89 \x06 .* " ] ,
[ 'stream' , " .* \x01 \x03 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x02 \x02 \xe8 .* " ] ,
[ 'stream' , " .* \xeb \x2c \x5b \x89 \xd9 \x80 \xc1 \x06 \x39 \xd9 \x7c \x07 \x80 \x01 .* " ] ,
[ 'stream' , " .* \xff \xff \xff \x2f \x42 \x49 \x4e \x2f \x53 \x48 \x00 .* " ] ,
[ 'stream' , " .* \x7F \xFF \xFB \x78 \x7F \xFF \xFB \x78 \x7F \xFF \xFB \x78 \x7F \xFF \xFB \x78 .* \x40 \x8A \xFF \xC8 \x40 \x82 \xFF \xD8 \x3B \x36 \xFE \x03 \x3B \x76 \xFE \x02 .* " ] ,
[ 'stream' , " .* \xeb \x23 \x5e \x33 \xc0 \x88 \x46 \xfa \x89 \x46 \xf5 \x89 \x36 .* " ] ,
[ 'packet' , " .* \xA0 \x09 \x30 \x07 \xA1 \x05 \x23 \x03 \x03 \x01 [ \001 - \007 ].* " ] ,
[ 'stream' , " .* \xeb \x7f \x5d \x55 \xfe \x4d . \xfe \x4d . \xfe \x4d .* " ] ,
[ 'line' , " .* \xeb \x49 \x5e \x29 \xc0 \x29 \xdb \x40 \x89 \x46 \x04 \x40 \x89 \x06 \xb0 \x06 \x89 \x46 \x08 .* " ] ,
[ 'lpr-command' , " .* \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ / \ /.* " ] ,
[ 'stream' , " .* \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ /.* " ] ,
[ 'stream' , " .* \ /bin \ /(ba|k|c|tc)?sh.* " ] ,
[ 'stream' , " .* \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ /.* " ] ,
[ 'packet' , " .* \xff \xff \ /(usr \ /)?bin \ /.* " ] ,
[ 'packet' , " .* \xff \xff \xff \ /bin \ /sh.* " ] ,
[ 'stream' , " .* \x90 \x1a \xc0 \x0f \x90 \x02 \x20 \x08 \x92 \x02 \x20 \x0f \xd0 \x23 \xbf \xf8 .* " ] ,
[ 'packet' , " .* \x90 \x1a \xc0 \x0f \x90 \x02 \x20 \x08 \x92 \x02 \x20 \x0f \xd0 \x23 \xbf \xf8 .* " ] ,
[ 'stream' , " .* \xeb \x6e \x5e \xc6 \x06 \x9a \x31 \xc9 \x89 \x4e \x01 \xc6 \x46 \x05 .* " ] ,
[ 'packet' , " .* \xeb \x6e \x5e \xc6 \x06 \x9a \x31 \xc9 \x89 \x4e \x01 \xc6 \x46 \x05 .* " ] ,
[ 'stream' , " .* \x31 \xc0 \xb0 \x3f \x31 \xdb \xb3 \xff \x31 \xc9 \xcd \x80 \x31 \xc0 .* " ] ,
[ 'packet' , " .* \x31 \xc0 \xb0 \x3f \x31 \xdb \xb3 \xff \x31 \xc9 \xcd \x80 \x31 \xc0 .* " ] ,
[ 'stream' , " .* \x31 \xc0 \xb0 \x02 \xcd \x80 \x85 \xc0 \x75 \x4c \xeb \x4c \x5e \xb0 .* " ] ,
[ 'packet' , " .* \x31 \xc0 \xb0 \x02 \xcd \x80 \x85 \xc0 \x75 \x4c \xeb \x4c \x5e \xb0 .* " ] ,
[ 'stream' , " .* \x89 \xf7 \x29 \xc7 \x89 \xf3 \x89 \xf9 \x89 \xf2 \xac \x3c \xfe .* " ] ,
[ 'packet' , " .* \x89 \xf7 \x29 \xc7 \x89 \xf3 \x89 \xf9 \x89 \xf2 \xac \x3c \xfe .* " ] ,
[ 'stream' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'packet' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'stream' , " .* \x09 \x80 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x01 \x00 \x00 \x7a \x69 \x03 \x21 \x00 \x90 * \x31 \xdb \x31 \xc0 \xeb \x30 \x5e \x8d \x7e \x10 \x89 \xf9 \x89 \x3e \x8d \x7e \x18 \x89 .* " ] ,
[ 'stream' , " .* \x09 \x80 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x00 \x01 \x00 \x00 \x7a \x69 \x03 \x21 \x00 \x90 * \x31 \xdb \x31 \xc0 \xeb \x38 \x5e \x8b \xfe \x89 \x7e \x3c \x8d \x7e \x14 \x89 \x7e \x40 .* " ] ,
[ 'packet' , " .. \x09 \x80 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x00 .* " ] ,
[ 'http-header-user-agent' , " \ [Autoproxy \ ] " ] ,
[ 'stream' , " .*>net start r_server.* " ] ,
[ 'packet' , " \xb4 \xb4 " ] ,
[ 'stream' , " .*B \ .F \ . Evolution RAT.* " ] ,
[ 'stream' , " .*Mini Oblivion v[0-9] \ .[0-9] Ready.* " ] ,
[ 'stream' , " .*(LISTAPP|FTPON|MOUSE(OFF|ON)|TIME|SPAWN|RUN|VER|EXPLOREFOL|APPDATE|CONFIG|DEVICE|PROGRAMS|PWZ|BIOS(VER|EX)|SCRN|HIDESTART).* " ] ,
[ 'stream' , " .*PitFall Vers \xe3 o TelNet.* " ] ,
[ 'stream' , " (( \x6c )|( \xc7 )|( \xc8 .*)|( \xc9 .*)|( \xca .*)) " ] ,
[ 'stream' , " .*Remote: You are connected to me.* " ] ,
[ 'stream' , " .*connected \ . .* " ] ,
[ 'stream' , " .*version:.DEFCON8.2.1 " ] ,
[ 'stream' , " .* [[]RPL[]]002.* " ] ,
[ 'stream' , " .*YOK2BENNY.* " ] ,
[ 'stream' , " \x00 [^ \0 ]* \x00 bin \x00 .* " ] ,
[ 'stream' , " \x00 [^ \0 ]*( \x00 | \x0d )echo \ + \ ++( \x00 | \x0d ).* " ] ,
[ 'stream' , " \x00 [^ \0 ]* \x00 root \x00 .* " ] ,
[ 'finger-user' , " cmd_rootsh " ] ,
[ 'stream' , " \x30 \x82 .. \x02 \x01 . \x60 \x82 .. \x02 [ \000 5- \037 7].* " ] ,
[ 'http-header-host' , " apache-nosejob \ .c.* " ] ,
[ 'http-header-host' , " apache-scalp \ .c.* " ] ,
[ 'stream' , " POST \ / HTTP \ /1.1 \x0d \x0a Host: Unknown \x0d \x0a X-CCCCCCC: A.*Transfer-Encoding: chunked.* \x0d \x0a ffffff6e \x0d \x0a .* " ] ,
[ 'stream' , " .*TERM=xterm; export TERM=xterm; exec bash -i \x0a .* " ] ,
[ 'http-url' , " [^:]*%(i|o|x|X|s|g|G|n)([ \000 - \071 ]|[ \073 - \076 ]|[ \077 - \037 7])*:.* " ] ,
[ 'http-authorization' , " [^:]*%.* " ] ,
[ 'http-url' , " .* \ [ \ /null \ .printer \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ [(a|NULL|test) \ .idq \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ .asp( \ ?| \ /) \xeb \x06 \xeb \x06 .* " ] ,
[ 'stream' , " .* \x90 \xeb \x03 \x5d \xeb \x05 \xe8 \xf8 \xff \xff \xff \x83 \xc5 \x15 \x90 \x90 \x90 \x8b \xc5 \x33 \xc9 \x66 \xb9 \x10 \x03 \x50 \x80 \x30 \x97 \x40 \xe2 \xfa .* " ] ,
[ 'stream' , " .*NNNNaaaa \ ?cjjs HTTP \ /.* " ] ,
[ 'http-request' , " \ [LOCK \ ] \ /X+ \x25 \x75 \x33 \x30 \x37 \x33 .* " ] ,
[ 'stream' , " .* \ [search \ ] \ /[^ ]* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'http-url-parsed' , " \ [ \ /servlet \ /UploadServlet \ ] " ] ,
[ 'stream' , " \ [POST + \ /_vti_bin \ /_vti_aut \ /fp30reg \ .dll \ ].* \ [Transfer-Encoding: +chunked \ ].* " ] ,
[ 'stream' , " (GET|HEAD|POST) .*%s.* HTTP \ /.* " ] ,
[ 'stream' , " .* \x50 \x4f \x53 \x54 \x20 \x2f \x20 \x48 \x54 \x54 \x50 \x2f \x31 \x2e \x30 \x0a \x43 \x6f \x6e \x74 \x65 \x6e \x74 \x2d \x4c \x65 \x6e \x67 \x74 \x68 \x3a \x20 \x2d \x38 \x30 \x30 \x0a \x0a \x0a \xeb \x0a \x2d \x2d \x6e \x65 \x74 \x72 \x69 .* " ] ,
[ 'http-request' , " .* \x31 \xdb \xf7 \xe3 \x53 \x43 \x53 \x6a \x02 \x89 \xe1 \xb0 \x66 \xcd \x80 \xff \x49 \x02 \x6a \x10 \x51 \x50 \x89 \xe1 \x43 \xb0 \x66 \xcd \x80 \x89 \x41 \x04 \xb3 \x04 \xb0 \x66 \xcd \x80 \x43 \xb0 .* " ] ,
[ 'http-request' , " .*( \x83 \xc4 \x40 \xeb \x74 \x5d \x6a \x06 \x6a \x01 \x6a \x02 \x8d \x1c \x24 \x89 \xd9 \x31 \xdb \xb3 \x01 \x31 \xc0 | \x83 \xc4 \x40 \xeb \x55 \x5d \x6a \x06 \x6a \x01 \x6a \x02 \x31 \xc0 \xb0 \x61 \x50 \xcd \x80 \x89 \xc7 \x83 \xec ).* " ] ,
[ 'http-url-parsed' , " .* \ / \ [c32web \ .exe \ /ChangeAdminPassword \ ] " ] ,
[ 'http-url-parsed' , " .* \ [ \ /cart32 \ .exe \ /cart32clientlist \ ] " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /cgi-bin \ /FtpSave \ .dll \ ? \ ].* " ] ,
[ 'http-text-html' , " .*=( | \x09 | \x0A )*( \" |')( | \x09 | \x0A )*< \ [object \ ][^>]+ \ [classid= \" clsid: \ ][^>]+ \ [codebase \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')( | \x09 | \x0A )*[ \010 3- \017 2]:.* " ] ,
[ 'http-text-html' , " .*=( | \x09 | \x0A )*( \" |')( | \x09 | \x0A )*< \ [object \ ][^>]* \ [codebase \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')( | \x09 | \x0A )*[ \010 3- \017 2]:[^>]* \ [classid \ ]( | \x09 | \x0A )*=( | \x09 | \x0A )*( \" |')( | \x09 | \x0A )* \ [clsid: \ ].* " ] ,
[ 'http-text-html' , " .*<[^>]*=( \047 | \042 )? \ [ssh \ ]: \ / \ /[^>]*%20-(F|R)[^>]*>.* " ] ,
[ 'http-url-parsed-param' , " .* \ [ \ /pals-cgi \ ?.*(palsAction=restart|documentName=).*(palsAction=restart|documentName=) \ ].* " ] ,
[ 'http-url-parsed-param' , " .* \ / \ [wsisa \ .dll \ /WService=.* \ ?WSMadmin \ ].* " ] ,
[ 'http-request' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'http-header' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'ftp-pathname' , " .* \x83 \xec \x04 \x5e \x83 \xc6 \x70 \x83 \xc6 \x28 \xd5 \xe0 \xc0 .* " ] ,
[ 'ftp-password' , " -user@ " ] ,
[ 'ftp-pathname' , " \xeb \x0e \x5e \x56 \x5f \xac \x3c \xa0 \x74 \x0b \x90 \x34 \x98 \xaa \xeb \xf5 .* " ] ,
[ 'ftp-password' , " .*( \x31 \xc0 \x31 \xdb \x31 \xc9 \xb0 \x46 \xcd \x80 \x31 \xc0 \x31 \xdb | \x31 \xc0 \x50 \x50 \x50 \xb0 \x7e \xcd \x80 \x31 \xdb ).* " ] ,
[ 'ftp-pathname' , " ~root " ] ,
[ 'ftp-sitestring' , " exec xx.*( \x25 \x2E \x66 )+.* " ] ,
[ 'ftp-password' , " \x78 \x78 \x90 \x1b \xc0 \x0f \x82 \x10 \x20 \x17 \x91 \xd0 \x20 \x08 \xae \x10 .* " ] ,
[ 'line' , " .* \x90 \x90 \x31 \xc0 \x31 \xdb \xb0 \x17 \xcd \x80 \x31 \xc0 \xb0 \x17 \xcd \x80 \x31 \xc0 \x31 \xdb \xb0 \x2e \xcd \x80 \xeb \x4f \x31 \xc0 \x31 \xc9 \x5e \xb0 \x27 \x8d \x5e \x05 \xfe \xc5 \xb1 \xed \xcd \x80 \x31 \xc0 \x8d \x5e \x05 \xb0 \x3d \xcd \x80 \x31 \xc0 \xbb \xd2 \xd1 \xd0 \xff \xf7 \xdb \x31 \xc9 \xb1 \x10 \x56 \x01 \xce \x89 \x1e \x83 \xc6 \x03 .* " ] ,
[ 'ftp-password' , " h@ck \ .er.* " ] ,
[ 'telnet-subnegotiation' , " .* \x03 \xff \xff \xff \xff \xcc \ /bin \ /.* " ] ,
[ 'telnet-subnegotiation' , " .* \ [ld_library_path \ ].* " ] ,
[ 'telnet-subnegotiation' , " .* \ [ld_preload \ ].* " ] ,
[ 'telnet-subnegotiation' , " .* \ [resolv_host_conf \ ].* " ] ,
[ 'telnet-subnegotiation' , " .*_ \ [rld \ ].* " ] ,
[ 'telnet-subnegotiation' , " .* \x27 \x00 \x00 T \x02 *T \x02 *Y \x02 *P \x02 *R \x02 *O \x02 *M \x02 *P \x02 *T.* " ] ,
[ 'stream' , " .* \x00 \x00 \x44 \x49 \x53 \x50 \x6c \x41 \x59 \x01 \x6d \x61 \x74 \x74 \x65 \x72 \x3a \x30 \x2e \x30 \xff \xf0 \xff \xfd \x01 \xff \xfc \x01 ( \x41 )+.* " ] ,
[ 'stream' , " .* \x53 \x45 \x54 \x55 \x50 \x20 \x2f \xa5 \xec . \x04 \xb5 \xec . \x04 \x8b \x7d \x08 \x33 \xc9 \x33 \x02 \xb2 \x1f \x80 \xc2 \x01 \x66 \x81 \xc1 \x9d \x02 .* " ] ,
[ 'stream' , " .* \x53 \x45 \x54 \x55 \x50 \x20 \x2f \xa9 \xec . \x04 \xb9 \xec . \x04 \x8b \x7d \x08 \x33 \xc9 \x33 \x02 \xb2 \x1f \x80 \xc2 \x01 \x66 \x81 \xc1 \x9d \x02 .* " ] ,
[ 'stream' , " .* \x53 \x45 \x54 \x55 \x50 \x20 \x2f \xa5 \xec . \x03 \xb5 \xec . \x03 \x8b \x7d \x08 \x33 \xc9 \x33 \x02 \xb2 \x1f \x80 \xc2 \x01 \x66 \x81 \xc1 \x9d \x02 .* " ] ,
[ 'stream' , " \x53 \x45 \x54 \x55 \x50 \x20 \x2f \x8b \xfa \x33 \xc9 \xb2 \x35 \x90 \x90 \x90 .* " ] ,
[ 'irc-join-chan' , " # (aaNIya827|ABIGAI285|abvGai68|abvGai689|AIdas865|alEKaN33|alEKaN33|ALexAn7|aMBEr552|AMEXaN544|aMFeR44|anDHeW9|AnDREA861|AnGnL2|AnyeLI5|aOEJaN329|AutoMN232|aUtumN790|BrIana628|BribNa146|bROOME564|BryXE955|CAlHeR44|cHASW30|ChrIsb80|cHRisT319|cqloE581|cvrLoS32|daKOGa641|dakOtA29|dakotz40|dAnirl638|dEsTyn4|dRSTIn5|eatHAN9|Elizrb738|eric259|etHam4|FAIxh452|GAbrie484|GacRIE6|gaRRut550|gaureT85|gaViN9|geBRiE88|GZBriE1|HAAEY40|HlexAN1|huNTwR79|iAN12|iSaBEL1|ISabeL37|IsNBEl41|jada6|jared8|jenfa2|JenNA9|jeRPMi18|JEsUS428|JGREmY1|JHCqUe2|joRdaN3|jOsCua832|JOSE737|jOsE90|JoSEoH51|jOsHPA863|jOSW89|jQHn659|jYsmIN17|KATher354|KATHrc6|KAtzER231).* " ] ,
[ 'irc-join-chan' , " # (KenHET92|KeViN1|kevin678|LauRd150|lauva822|LESLie3|ligueL5|LoGEn1|MaCven441|MAdiSo236|MAIY78|MaMeLi144|marc7|maRISs8|maRy211|MEGaT33|merK4|MGRk176|MIchrL605|mIGUEl4|MjLLY10|MsRK9|mygaN504|nATalH0|NaThAv2|nIChoL12|noah420|paige300|PatrzC3|psAIaH333|Q8DarK|riCEAr797|robERt686|RtBeCC499|SEan31|SHelbY692|SihRrA2|SrIN809|sYDNEe3|TyleR607|vICoOR779|vICTor6|VIctTR7|WArOLi666|WILlIA779|xaVIEE9|xQvIEr151|yaDa61|zHCHar13|ZOE4|zoh3).* " ] ,
[ 'stream' , " .*HKLM \\ System \\ CurrentControlSet \\ Services \\ NetDDE \\ ImagePath.* " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 ........ \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 ........ \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'http-url-parsed' , " \ /(images|0) \ /cinik \ .c.* " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 ........ \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 ........ \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'packet' , " \x00 \x00 \x00 \x00 ........ \x70 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 " ] ,
[ 'smb-open-filename' , " .* \013 4 \000 ?( \ [d \00 ?v \00 ?l \00 ?d \00 ?r \x00 ?3 \x00 ?2 \00 ? \ . \00 ?e \00 ?x \00 ?e \00 ? \ ]| \ [i \00 ?n \00 ?s \00 ?t \00 ? \ . \00 ?e \00 ?x \00 ?e \ ]).* " ] ,
[ 'stream' , " .* \x59 \x49 \x39 \xE0 \xC3 \x1D \xD3 \x4D \xD8 \xF2 \x61 \x73 \x73 \x6B \x47 \x69 \xDA \xB5 \xBC \x05 \x3A \xF0 \xE4 \xC7 \x98 \x76 \xCB \xB4 \x37 \xA4 \x39 \x4A .* " ] ,
[ 'stream' , " .*PONG :aux4 \ .suckit \ .com.* " ] ,
[ 'smb-connect-path' , " \x5c \x00 \x5c \x00 \x31 \x00 \x32 \x00 \x2e \x00 \x33 \x00 \x34 \x00 \x2e \x00 \x35 \x00 \x36 \x00 \x2e \x00 \x37 \x00 \x38 \x00 \x5c \x00 \x49 \x00 \x50 \x00 \x43 \x00 \x24 \x00 " ] ,
[ 'stream' , " .* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \xeb \x02 \xeb \x05 \xe8 \xf9 \xff \xff \xff \x5b \x31 \xc9 \x66 \xb9 \x86 \x06 \x80 \x73 .* " ] ,
[ 'stream' , " .* \ [update user set password \ ]='90909090.* " ] ,
[ 'line' , " .*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [eurocalculator \ .exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [file_zippati \ .exe \ ] \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [fix2001 \ .exe \ ] \" .* " ] ,
[ 'line' , " .* \ [Software provided by \ X5B \ XMATRiX \ X5D \ X \ ].* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" readme.exe \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [xpass \ .xls \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [icq_greeting \ ](s)* \ . \ [exe \ ]* \" .* " ] ,
[ 'line' , " \ [Subject \ ]: Pikachu Pokemon.* " ] ,
[ 'line' , " Subject: C: \\ CoolProgs \\ Pretty Park \ .exe.* " ] ,
[ 'stream' , " .*qazwsx \ .hsq.*SOFTWARE \ Microsoft \ Windows \ Current Version \ Run.* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [suppl \ .doc \ ]* \" .* " ] ,
[ 'line' , " ( | \x09 )*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [timofonica \ .txt \ .vbs \ ] \" .* " ] ,
[ 'line' , " .*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [y2k \ .exe \ ] \" .* " ] ,
[ 'line' , " .*( \ [file \ ])? \ [name \ ]( | \x09 )*=( | \x09 )* \" \ [Zipped_Files.EXE \ ] \" .* " ] ,
[ 'smtp-mime-content-filename' , " \ [x-mas \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [eurocalculator \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [fix2001 \ .exe \ ] " ] ,
[ 'smtp-header-subject' , " \ [C: \\ \\ CoolProgs \\ \\ Pretty Park \ .exe \ ].* " ] ,
[ 'smtp-data-line' , " .* \ [qazwsx \ .hsq \ ].* \ [SOFTWARE \ Microsoft \ Windows \ Current Version \ Run \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [suppl \ .doc \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [timofonica \ .txt \ .vbs \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [toadie \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " begin.* \ . \ [vbs \ ].* " ] ,
[ 'smtp-mime-content-filename' , " \ [wtc \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [y2k \ .exe \ ] " ] ,
[ 'smtp-mime-content-filename' , " \ [Zipped_Files \ .EXE \ ] " ] ,
[ 'stream' , " .* \xeb \x31 \x5e \x89 \x76 \xac | \xeb \x35 \x5e \x89 \x76 \x18 .* " ] ,
[ 'stream' , " .* \x23 \x0D \xF6 \xD2 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x02 \x00 \x01 \x86 \xA0 \x00 \x00 \x00 \x02 \x00 \x00 \x00 \x05 \x00 \x00 \x00 \x01 \x00 \x00 \x00 \x20 \x3D \xD2 \xC9 \x9F \x00 \x00 \x00 \x09 \x6C \x6F \x63 \x61 \x6C \x68 \x6F \x73 \x74 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x01 \x86 \xa0 \x00 \x00 \x00 \x02 \x00 \x00 \x00 \x04 \xFF \xFF \xFF \xFF .* " ] ,
[ 'packet' , " .* \xeb \x4b \x5e \x89 \x76 \xac \x83 \xee \x20 \x8d \x5e \x28 \x83 \xc6 \x20 \x89 \x5e \xb0 \x83 \xee \x20 \x8d \x5e \x2e \x83 \xc6 \x20 \x83 \xc3 \x20 \x83 \xeb \x23 \x89 \x5e \xb4 \x31 \xc0 \x83 \xee \x20 \x88 \x46 \x27 \x88 \x46 \x2a \x83 \xc6 \x20 \x88 \x46 \xab \x89 \x46 \xb8 \xb0 \x2b \x2c \x20 \x89 \xf3 \x8d \x4e .* " ] ,
[ 'packet' , " .* \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x32 \x33 \x36 \x78 \x25 \x6e \x25 \x31 \x33 \x37 \x78 \x25 \x6e \x25 \x31 \x30 \x78 \x25 \x6e \x25 \x31 \x39 \x32 \x78 \x25 \x6e .* " ] ,
[ 'packet' , " .* \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x38 \x78 \x25 \x32 \x33 \x36 \x78 \x25 \x6e \x25 \x31 \x33 \x37 \x78 \x25 \x6e \x25 \x31 \x30 \x78 \x25 .* " ] ,
[ 'stream' , " (.* \ Xff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f ff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f \ X.*| \x20 \xbf \xff \xff \x20 \xbf \xff \xff ) " ] ,
[ 'packet' , " .*( \xc0 \x0f \x80 \x1b \xc0 \x0f \x80 \x1b \xc0 \x0f \x80 \x1b \xc0 \x0f \x20 \xbf \xff \xff \x20 \xbf \xff \xff \x7f \xff \xff \xff \x90 \x03 \xe0 \x5c \x92 \x22 \x20 \x10 \x94 \x1b \xc0 \x0f \xec \x02 \x3f \xf0 \xac \x22 \x80 \x16 \xae \x02 | \x90 \x90 \xeb \x45 \x9a \xff \xff \xff \xff \x07 \xff \xc3 \x5e \x31 \xc0 \x89 \x46 \xb7 \x88 \x46 \xbc \x31 \xc0 \x50 ).* " ] ,
[ 'packet' , " .*ADM_METHOD \x00 \x00 \x00 \x00 \x00 \x09 \x00 \x00 \x00 \x16 \x00 \x00 \x00 \x15 \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ / \ . \ . \ /bin \ /sh.* " ] ,
[ 'stream' , " .* \x90 \x90 \x31 \xdb \x89 \xe7 \x8d \x77 \x10 \x89 \x77 \x04 \x8d \x4f \x20 \x89 \x4f \x08 \xb3 \x10 \x89 \x19 \x31 \xc9 \xb1 \xff \x89 \x0f \x51 \x31 \xc0 \xb0 .* " ] ,
[ 'stream' , " .*(uname| \ /bin \ /|export).* " ] ,
[ 'stream' , " .* \xa0 \x0e \x30 \x0c \x06 \x0a \x2b \x06 \x01 \x04 \x01 \x82 \x37 \x02 \x02 \x0a \xa1 \x05 \x23 \x03 \x03 \x01 [ \001 - \007 ].* " ] ,
[ 'stream' , " .* \x05 \xe0 \xe3 \x1c \x0b \x03 \xb8 \xd7 \xe0 \xe8 \x09 \xfa \x89 \xf9 .* " ] ,
[ 'stream' , " .* \x68 \x5d \x5e \xff \xd5 \xff \xd4 \xff \xf5 \x8b \xf5 \x90 \x66 \x31 .* " ] ,
[ 'pop3-command-line' , " .*. \xff \xff \xff \ /bin \ /.* " ] ,
[ 'stream' , " .* \x56 \x0e \x31 \xc0 \xb0 \x3b \x8d \x7e \x12 \x89 \xf9 \x89 \xf9 .* " ] ,
[ 'line' , " AUTH.* \xeb \x22 \x5e \x89 \xf3 \x89 \xf7 \x83 \xc7 \x07 \x31 \xc0 \xaa \x89 \xf9 \x89 \xf0 \xab \x89 \xfa \x31 \xc0 \xab \xb0 \x08 \x04 \x03 \xcd \x80 \x31 \xdb \x89 \xd8 \x40 \xcd \x80 \xe8 \xd9 \xff \xff \xff .* " ] ,
[ 'line' , " LIST 1 .* \xeb \x22 \x5e \x89 \xf3 \x89 \xf7 \x83 \xc7 \x07 \x31 \xc0 \xaa \x89 \xf9 \x89 \xf0 \xab \x89 \xfa \x31 \xc0 \xab \xb0 \x08 \x04 \x03 \xcd \x80 \x31 \xdb \x89 \xd8 \x40 \xcd \x80 \xe8 \xd9 \xff \xff \xff .* " ] ,
[ 'line' , " XTND .* \xeb \x22 \x5e \x89 \xf3 \x89 \xf7 \x83 \xc7 \x07 \x31 \xc0 \xaa \x89 \xf9 \x89 \xf0 \xab \x89 \xfa \x31 \xc0 \xab \xb0 \x08 \x04 \x03 \xcd \x80 \x31 \xdb \x89 \xd8 \x40 \xcd \x80 \xe8 \xd9 \xff \xff \xff .* " ] ,
[ 'line' , " AUTH .* \xeb \x1b \x5e \x89 \xf3 \x89 \xf7 \x83 \xc7 \x07 \x29 \xc0 \xaa \x89 \xf9 \x89 \xf0 \xab \x89 \xfa \x29 \xc0 \xab \xb0 \x08 \x04 \x03 \xcd \x80 \xe8 \xe0 \xff \xff \xff .* " ] ,
[ 'stream' , " .*( \x41 )+ \xf0 \x00 \x00 \x00 \x58 \x55 \x89 \xe5 \x81 \xec \x2c \x00 \x00 \x00 \x89 \x45 \xd4 \xc7 \x45 \xfc \x00 \x00 \xe7 \x77 \x8b \x45 \xfc \x66 \x81 \x38 \x4d \x5a \x75 \x7c \x05 \x3c \x00 \x00 \x00 \x8b \x18 \x03 \x5d \xfc \x66 \x81 \x3b .* " ] ,
[ 'ssh-header' , " SSH-2 \ .0-G+O+B+L+E+S+.* " ] ,
[ 'ssh-header' , " .*http: \ / \ /anti \ .security \ .is.* " ] ,
[ 'stream' , " .* \ *GOBBLE \ *.* " ] ,
[ 'packet' , " .* \xb1 \x06 \x51 \xb1 \x01 \x51 \xb1 \x02 \x51 \x89 \xe1 \xb3 \x01 \xb0 \x66 \xcd \x80 \x89 \xc1 \x31 \xc0 \x31 \xdb \x50 \x50 \x50 \x66 \x68 .. \xb3 \x02 \x66 \x53 \x89 \xe2 \xb3 \x10 \x53 \xb3 \x02 \x52 \x51 .* " ] ,
[ 'packet' , " ..........[ \061 - \071 ][ \060 - \071 ][ \060 - \071 ]([ \060 - \071 ]| \x62 | \x64 ).* " ] ,
[ 'stream' , " \ [A+BBBB \ ].* " ] ,
[ 'stream' , " \ [DATE \ ] A+.* " ] ,
[ 'packet' , " .*( \x90 )+ \xeb \x72 \x5e \x29 \xc0 \x89 \x46 \x10 \x40 \x89 \xc3 \x89 \x46 \x0c \x40 \x89 \x46 \x08 \x8d \x4e \x08 \xb0 \x66 \xcd .* " ] ,
[ 'stream' , " .* \x01 \x00 \x00 \x00 \x64 \x00 \x00 \x00 \x00 \xd0 \x07 \x0c \x00 \xd0 \x07 \x0c \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \x00 \xd0 \x07 \x43 \x00 \x0c \x00 \x14 \x08 \x01 .* " ] ,
[ 'stream' , " .* \ [FLATLINE'S( )+KWAADWAAR \ ].* " ] ,
[ 'packet' , " .* \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 \x14 .* " ] ,
[ 'stream' , " .* \x08 \x00 \x5c \x00 \x50 \x00 \x49 \x00 \x50 \x00 \x45 \x00 \x5c \x00 \x00 \x00 \x00 \x00 \x05 \x00 \x00 \x03 \x10 \x00 \x00 \x00 . \x08 \x00 \x00 \x01 \x00 \x00 \x00 . \x08 \x00 \x00 \x00 \x00 ( \x1b \x00 | \x19 \x00 ).* \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 \x90 .* " ] ,
[ 'stream' , " .* \x5c \x00 \x5c \x00 \x46 \x00 \x58 \x00 \x4e \x00 \x42 \x00 \x46 \x00 \x58 \x00 \x46 \x00 \x58 \x00 .* \xcc \xe0 \xfd \x7f .* " ] ,
[ 'stream' , " .* \xa0 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \xc0 \x00 \x00 \x00 \x00 \x00 \x00 \x46 .* \x31 \x00 \x32 \x00 \x37 \x00 \x2e \x00 \x30 \x00 \x2e \x00 \x30 \x00 \x2e \x00 .* " ] ,
[ 'stream' , " .* \xa0 \x01 \x00 \x00 \x00 \x00 \x00 \x00 \xc0 \x00 \x00 \x00 \x00 \x00 \x00 \x46 .*( \\ \x00 \\ \x00 l \x00 o \x00 c \x00 a \x00 l \x00 h \x00 o \x00 s \x00 t| \\ \x00 \\ \x00 1 \x00 2 \x00 7 \x00 \ . \x00 0 \x00 \ . \x00 0 \x00 \ . \x00 1).* " ] ,
[ 'stream' , " .* \x5c \x00 \x6c \x00 \x73 \x00 \x61 \x00 \x72 \x00 \x70 \x00 \x63 \x00 .* \x6a \x28 \x19 \x39 \x0c \xb1 \xd0 \x11 \x9b \xa8 \x00 \xc0 \x4f \xd9 \x2e \xf5 .* " ] ,
[ 'packet' , " gstsearch " ] ,
[ 'smtp-rcpt' , " .*ixltd@postone.com.* " ] ,
[ 'smtp-command-line' , " .* \ [(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to) \ ]:([^ \012 ]|[^ \015 ])*(<><><><>| \ ( \ )> \ ( \ )> \ ( \ )>).* " ] ,
[ 'smtp-header-line' , " .* \ [(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to) \ ]:([^ \012 ]|[^ \015 ])*(<><><><>| \ ( \ )> \ ( \ )> \ ( \ )>).* " ] ,
[ 'smtp-data-text-plain' , " .*g0YIG4lGDIhGF4hGGohGRVBW \ /zawO1CQ.* " ] ,
[ 'smtp-command-line' , " .* \ [XEXCH50 \ ][ ]+([1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+|-[0-9]+).* " ] ,
[ 'smtp-command-line' , " ( | \x09 )* \ [debug \ ].* " ] ,
[ 'smtp-command-line' , " ( | \x09 )* \ [wiz \ ]( | \x09 )* " ] ,
[ 'stream' , " .*R( )*<( )* \" ( )* \ |( )* \ /bin \ /.* " ]
]
end
end