# ===========================================================================
# Custom HTTP IDS rules (Suricata/Snort syntax). File-wide notes:
#  * Every rule is "any any -> any any" with no $HOME_NET/$EXTERNAL_NET, so
#    outbound requests from monitored hosts fire too. In production narrow the
#    header to e.g. "$EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS".
#  * The classtypes used here (webshell-activity, sql-injection,
#    file-read-attempt, vuln-scanner, dir-scan, xxe-attack,
#    sensitive-file-access) are not in a stock classification.config; add them
#    or the engine will warn and, depending on engine/strictness, may refuse
#    the rule.
#  * Most rules use a bare content: match over the whole request. Where the
#    feature's location is known, the http_uri / http_header /
#    http_client_body buffers are both more precise and cheaper.
#  * Multiple content: options in one rule are independent matches unless
#    tied together with distance/within; they do not enforce an order.
# ===========================================================================
# --- AntSword webshell client ---------------------------------------------
# sid 1000004: default User-Agent (trivially changed client-side).
# sid 1000005: bare "ini_set" anywhere in a request at priority 1 — expect
#   false positives on anything carrying PHP source or that token.
# sid 1000006: the URL-encoded "@ini_set("display_errors" form, which appears
#   to be what the default PHP payload sends; far more specific than 1000005.
# sid 1000007/1000008: ROT13 of ini_set / @set_time_limit.
# sid 1000009/1000010: base64 of @ini_set("display_errors / set_time_limit.
#   A base64 literal matches only one of three byte alignments, so a payload
#   shifted by one or two bytes before the keyword is missed.
# sid 1000011: the chr() encoder's URL-encoded "@eVAl(cHr" prefix.
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量--规则1触发"; flow:established,to_server; content:"User-Agent: antSword"; sid:1000004; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具defaule流量--规则2触发"; flow:established,to_server; content:"ini_set"; sid:1000005; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具defaule流量--规则3触发"; flow:established,to_server; content:"%40ini_set(%22display_errors"; sid:1000006; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量rot13流量--规则1触发"; flow:established,to_server; content:"vav_frg"; sid:1000007; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量rot13流量--规则2触发"; flow:established,to_server; content:"@frg_gvzr_yvzvg"; sid:1000008; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量base64流量--规则1触发"; flow:established,to_server; content:"QGluaV9zZXQoImRpc3BsYXlfZXJyb3Jz"; sid:1000009; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量base64流量--规则2触发"; flow:established,to_server; content:"c2V0X3RpbWVfbGltaXQ"; sid:1000010; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到蚁剑webshell工具流量chr流量--规则1触发"; flow:established,to_server; content:"%40eVAl(cHr"; sid:1000011; rev:1; classtype:webshell-activity; priority:1;)
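# --- Godzilla webshell client ----------------------------------------------
# Fix (sid 1000017, rev:2): the content was "pass=pass=DlMR...", a doubled
# prefix that can never occur in a form body; corrected to "pass=DlMR...".
# sid 1000012/1000013: URL-encoded eval(base64_decode( ... plus "key=".
#   1000013 is a strict superset of 1000012, so both fire on the same request.
# sid 1000014/1000015: Accept and Accept-Language header fragments. These
#   values are standard browser defaults (a zh-CN locale browser very likely
#   sends the same Accept-Language), so expect high false-positive volume at
#   priority 1; the fragments are also not ordered (no distance/within), so
#   any request containing them anywhere matches.
# sid 1000016-1000019: fixed "pass=" ciphertext. NOTE(review): these look like
#   first-request values produced with the tool's default key/password; a
#   changed key yields different ciphertext and the rules go silent.
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_EVAL_XOR_BASE64流量--规则1触发";flow:to_server,established; content:"eval%28base64_decode"; content:"key="; classtype:webshell-activity; priority:1; sid:1000012;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_EVAL_XOR_BASE64流量--规则2触发";flow:to_server,established; content:"eval%28base64_decode%28strrev%28urldecode"; content:"key="; classtype:webshell-activity; priority:1; sid:1000013;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量--规则3触发";flow:to_server,established; content:"text/html,application/xhtml+xml,application/xml"; content:"q=0.9,image/webp,"; content:"q=0.8"; classtype:webshell-activity; priority:1; sid:1000014;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量--规则4触发";flow:to_server,established; content:"Accept-Language: zh-CN,zh"; content:"q=0.8,zh-TW"; content:"q=0.7,zh-HK"; content:"q=0.5,en-US"; content:"q=0.3,en"; content:"q=0.2"; classtype:webshell-activity; priority:1; sid:1000015;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_XOR_BASE64流量--规则1触发";flow:to_server,established; content:"pass=DlMRWA1cL1gOVDc1MjRhVDxVCV8RXQ%3D%3D"; classtype:webshell-activity; priority:1; sid:1000016;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_XOR_BASE64流量--规则2触发";flow:to_server,established; content:"pass=DlMRWA1cL1gOVDc2MjRhRwZFEQ%3D%3D"; classtype:webshell-activity; priority:1; sid:1000017;rev:2;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_XOR_BASE64流量--规则3触发";flow:to_server,established; content:"pass=R0YEQgNVBE0GQ0YPU0YTUhoeTAtvMkVmMHRmD1NGE1IaHkwLbzIHTA1SQVtdWkFBFlhNFBJVEhAYPD8SEhRBVA9ZB1EOGEV8MWN4YXUPbDluPEUQQhgTXCdUU2FLRxVWDnAQXgEQSAJuOxUSEhRFbDBzNg1EXwRNMFRGQVtbDxtKDW"; classtype:webshell-activity; priority:1; sid:1000018;rev:1;)
alert http any any -> any any (msg:"检测到哥斯拉webshell工具流量PHP_XOR_BASE64流量--规则4触发";flow:to_server,established; content:"pass=fL1tMGI4YTljzn78f8Wo%2F"; classtype:webshell-activity; priority:1; sid:1000019;rev:1;)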
# --- Behinder (冰蝎) / "天蝎" webshell clients -------------------------------
# NOTE(review): the msg of sid 1000138 says 冰蝎 while 1000140/1000141 say
#   天蝎, though they are numbered as one series (rules 1-3); possibly a typo.
# sid 1000138: zh-CN Accept-Language fragments plus a PHPSESSID cookie. Any
#   Chinese-locale browser on a PHP site produces this, so at priority 1 this
#   will be very noisy.
# sid 1000140: "application/octet-stream" + an X-Forwarded-For header — both
#   are common in ordinary traffic behind a proxy.
# sid 1000141: a specific Chrome 89 / Edge 89 User-Agent split into three
#   fragments. NOTE(review): the literals "x64;) AppleWebKit" and
#   "Gecko;) Chrome" contain a ';' that a real Chromium UA does not have
#   ("x64) AppleWebKit", "Gecko) Chrome"), so as written the third content
#   probably never matches; an unescaped ';' inside content: may also need
#   "\;" depending on the engine. Even if corrected it would fire for every
#   user of that browser build.
alert http any any -> any any (msg:"检测到冰蝎流量特征--规则1触发"; flow:established,to_server; content:"Accept-Language: zh-CN,zh"; content:"q=0.9,en-US"; content:"q=0.8,en"; content:"q=0.7"; content:"Cookie: PHPSESSID="; sid:1000138; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到天蝎webshell工具流量--规则2触发"; flow:established,to_server; content:"application/octet-stream"; content:"X-Forwarded-For:"; sid:1000140; rev:1; classtype:webshell-activity; priority:1;)
alert http any any -> any any (msg:"检测到天蝎webshell工具流量--规则3触发"; flow:established,to_server; content:"User-Agent: Mozilla/5.0 (Windows NT 10.0"; content:"Win64"; content:"x64;) AppleWebKit/537.36 (KHTML, like Gecko;) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.57"; sid:1000141; rev:1; classtype:webshell-activity; priority:1;)
# --- sqlmap -------------------------------------------------------------------
# Both rules key on sqlmap's default User-Agent ("sqlmap/<ver> (https://sqlmap.org)").
# They are evaded by --random-agent or --user-agent; pair with generic SQLi
# payload rules rather than relying on these alone.
alert http any any -> any any (msg:"检测到SQLMAP工具流量"; flow:established,to_server; content:"User-Agent: sqlmap"; sid:1000020; rev:1; classtype:sql-injection; priority:1;)
alert http any any -> any any (msg:"检测到SQLMAP工具流量"; flow:established,to_server; content:"https://sqlmap.org"; sid:1000021; rev:1; classtype:sql-injection; priority:1;)
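# --- Path traversal / arbitrary file read, GET and POST variants (set 1) ------
# Fix (rev:2 on every active rule): the HTTP method is now matched in the
# http_method buffer. The original content:"GET" / content:"POST" matched the
# literal bytes anywhere in the request (URI, headers, body) — and with nocase
# also inside words such as "target" or "budget" — so the GET/POST split did not
# actually distinguish methods.
# Caveats for tuning:
#  * nocase applies only to the content: it follows, i.e. the method. The path
#    strings ("/etc/passwd" etc.) are case-sensitive as written.
#  * The traversal string is matched over the whole request, not just http_uri,
#    so a "../" in a body, Referer or cookie also fires.
#  * The short patterns ("../" sid 1000025/1000378, "..%2f" sid 1000034)
#    subsume the longer ones, so one request normally raises several of these
#    alerts at once; consider detection_filter/threshold or restricting the
#    short ones to http_uri.
#  * sid 1000031 ("./index.php") matches ordinary relative links.
#  * "%00" here is the three-character URL-encoded literal; a raw NUL byte
#    would need |00|.
# Exact duplicates of an earlier sid are disabled (commented) rather than
# deleted so the sid history stays visible.
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取1";flow:to_server,established; content:"../../../../../../etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000022;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取2";flow:to_server,established; content:"/etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000023;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取3";flow:to_server,established; content:"../etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000024;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取4";flow:to_server,established; content:"../";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000025;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取1";flow:to_server,established; content:"../../../../../../etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000375;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取2";flow:to_server,established; content:"/etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000376;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取3";flow:to_server,established; content:"../etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000377;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取4";flow:to_server,established; content:"../";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000378;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取6";flow:to_server,established; content:"../etc/shadow";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000027;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取7";flow:to_server,established; content:"/etc/shadow";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000028;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取8";flow:to_server,established; content:"..././";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000029;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取9";flow:to_server,established; content:"....//";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000030;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取10";flow:to_server,established; content:"./index.php";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000031;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取11";flow:to_server,established; content:"..%2f..%2f..%2fetc%2fshadow";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000032;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取12";flow:to_server,established; content:"..%2f..%2f";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000033;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取13";flow:to_server,established; content:"..%2f";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000034;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取14";flow:to_server,established; content:"....//....//etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000035;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取15";flow:to_server,established; content:"....//etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000036;rev:2;)
# DISABLED: identical to sid:1000030 ("....//" + GET); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取16";flow:to_server,established; content:"....//";content:"GET";classtype:file-read-attempt; priority:2; sid:1000037;rev:1;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取17";flow:to_server,established; content:"..../";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000038;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取18";flow:to_server,established; content:".%00./.%00./etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000039;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取19";flow:to_server,established; content:"%00./etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000040;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取20";flow:to_server,established; content:".%00./.%00./";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000041;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取21";flow:to_server,established; content:".%00./";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000042;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取22";flow:to_server,established; content:"%2e%2e%2f%2e%2e%2fetc%2fpasswd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000043;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取23";flow:to_server,established; content:"..%252f..%252fetc%252fpasswd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000044;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取24";flow:to_server,established; content:"php://filter/convert.base64-encode/resource=/etc/passwd";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000045;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取25";flow:to_server,established; content:"../../../../../../";content:"GET"; http_method;classtype:file-read-attempt; priority:2; sid:1000046;rev:2;)
# DISABLED: identical to sid:1000025 ("../" + GET); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取26";flow:to_server,established; content:"../";content:"GET";classtype:file-read-attempt; priority:2; sid:1000047;rev:1;)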
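# --- Path traversal / arbitrary file read, POST variants (set 2) --------------
# Fix (rev:2 on every active rule): content:"POST" is now matched in the
# http_method buffer; previously it matched the literal anywhere in the
# request, so a GET whose body or headers contained "post" (nocase) also fired
# and the GET/POST split was not a real method check.
# nocase applies only to the method content, not to the path strings.
# The traversal string is still matched over the whole request (URI, headers
# and body), which is appropriate for POST but means short patterns such as
# "..%2f" (sid 1000386) also fire for every longer variant in this set.
# Exact duplicates of an earlier sid are disabled rather than deleted.
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取6";flow:to_server,established; content:"../etc/shadow";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000379;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取7";flow:to_server,established; content:"/etc/shadow";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000380;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取8";flow:to_server,established; content:"..././";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000381;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取9";flow:to_server,established; content:"....//";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000382;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取10";flow:to_server,established; content:"./index.php";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000383;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取11";flow:to_server,established; content:"..%2f..%2f..%2fetc%2fshadow";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000384;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取12";flow:to_server,established; content:"..%2f..%2f";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000385;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取13";flow:to_server,established; content:"..%2f";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000386;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取14";flow:to_server,established; content:"....//....//etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000387;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取15";flow:to_server,established; content:"....//etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000388;rev:2;)
# DISABLED: identical to sid:1000382 ("....//" + POST); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取16";flow:to_server,established; content:"....//";content:"POST";classtype:file-read-attempt; priority:2; sid:1000389;rev:1;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取17";flow:to_server,established; content:"..../";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000390;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取18";flow:to_server,established; content:".%00./.%00./etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000391;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取19";flow:to_server,established; content:"%00./etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000392;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取20";flow:to_server,established; content:".%00./.%00./";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000393;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取21";flow:to_server,established; content:".%00./";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000394;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取22";flow:to_server,established; content:"%2e%2e%2f%2e%2e%2fetc%2fpasswd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000395;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取23";flow:to_server,established; content:"..%252f..%252fetc%252fpasswd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000396;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取24";flow:to_server,established; content:"php://filter/convert.base64-encode/resource=/etc/passwd";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000397;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取25";flow:to_server,established; content:"../../../../../../";content:"POST"; http_method;classtype:file-read-attempt; priority:2; sid:1000398;rev:2;)
# DISABLED: identical to sid:1000378 ("../" + POST); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取26";flow:to_server,established; content:"../";content:"POST";classtype:file-read-attempt; priority:2; sid:1000399;rev:1;)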
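# --- Path traversal, bare encoding variants without a target file (set 3) -----
# Fixes (rev:2 on every active rule):
#  * The method content is matched in the http_method buffer instead of as a
#    bare literal anywhere in the request.
#  * sid 1000401: nocase had been placed after priority:2, where it does not
#    follow a content: — engines either reject the rule or attach it to an
#    unintended content. It now directly follows content:"POST".
#  * sid 1000055 had no rev; every rule now carries one.
# These patterns carry no file name, only the traversal encoding, so they are
# the noisiest of the three sets (any "..%2f", "....//", "%00./" in a request).
# Most are supersets of set 1/2 entries (e.g. "..%2f..%2f..%2f" sid 1000051 is
# always accompanied by sid 1000034 "..%2f"), so expect several alerts per hit.
# Exact duplicates of an earlier sid are disabled rather than deleted.
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取28";flow:to_server,established; content:"..././";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000049;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取30";flow:to_server,established; content:"..%2f..%2f..%2f";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000051;rev:2;)
# DISABLED: identical to sid:1000033 ("..%2f..%2f" + GET, nocase); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取31";flow:to_server,established; content:"..%2f..%2f";content:"GET"; nocase;classtype:file-read-attempt; priority:2; sid:1000052;rev:1;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取32";flow:to_server,established; content:"....//....//";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000053;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取33";flow:to_server,established; content:"....//";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000054;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取34";flow:to_server,established; content:"..../";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000055;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取35";flow:to_server,established; content:".%00./.%00./";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000056;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取36";flow:to_server,established; content:"%00./";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000057;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取37";flow:to_server,established; content:"%2e%2e%2f%2e%2e%2f";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000058;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取38";flow:to_server,established; content:"..%252f..%252f";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000059;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取39";flow:to_server,established; content:"php://filter/convert.base64-encode/resource=/";content:"GET"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000060;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取28";flow:to_server,established; content:"..././";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000400;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取30";flow:to_server,established; content:"..%2f..%2f..%2f";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000401;rev:2;)
# DISABLED: identical to sid:1000385 ("..%2f..%2f" + POST, nocase); kept for sid history.
#alert http any any -> any any (msg:"检测到可能为任意文件下载/读取31";flow:to_server,established; content:"..%2f..%2f";content:"POST"; nocase;classtype:file-read-attempt; priority:2; sid:1000402;rev:1;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取32";flow:to_server,established; content:"....//....//";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000403;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取33";flow:to_server,established; content:"....//";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000404;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取34";flow:to_server,established; content:"..../";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000405;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取35";flow:to_server,established; content:".%00./.%00./";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000406;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取36";flow:to_server,established; content:"%00./";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000407;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取37";flow:to_server,established; content:"%2e%2e%2f%2e%2e%2f";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000408;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取38";flow:to_server,established; content:"..%252f..%252f";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000409;rev:2;)
alert http any any -> any any (msg:"检测到可能为任意文件下载/读取39";flow:to_server,established; content:"php://filter/convert.base64-encode/resource=/";content:"POST"; http_method; nocase;classtype:file-read-attempt; priority:2; sid:1000410;rev:2;)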
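# --- Acunetix WVS scanner fingerprints -----------------------------------------
# Fix: sids 1000085 and 1000086 were byte-for-byte duplicates of 1000063 and
# 1000064 (same content, same msg) and produced a second alert for every hit;
# they are disabled below, not deleted, so the sids remain on record.
# Note that sid 1000064 ("acunetix", nocase, anywhere in the request) subsumes
# every other rule here, so each Acunetix request raises that one plus
# whichever specific rules also match. If one alert per request is wanted,
# keep only 1000064 or move the header-specific rules into http_header.
# NOTE(review): sid 1000069 keys on a "Location:" header, which is normally a
#   response header; with flow:to_server it only fires if a client sends it.
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix-wvs-test-for-some-inexistent-file";nocase;classtype:vuln-scanner; priority:3; sid:1000061;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"by_wvs";nocase;classtype:vuln-scanner; priority:3; sid:1000062;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000063;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix";nocase;classtype:vuln-scanner; priority:3; sid:1000064;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix_wvs";nocase;classtype:vuln-scanner; priority:3; sid:1000065;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix_test";nocase;classtype:vuln-scanner; priority:3; sid:1000066;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Acunetix-Aspect-Password:";nocase;classtype:vuln-scanner; priority:3; sid:1000067;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Cookie: acunetixCookie";nocase;classtype:vuln-scanner; priority:3; sid:1000068;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Location: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000069;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"X-Forwarded-Host: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000070;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"X-Forwarded-For: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000071;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Host: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000072;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Cookie: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000073;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Cookie: acunetix";nocase;classtype:vuln-scanner; priority:3; sid:1000074;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Accept: acunetix/wvs";nocase;classtype:vuln-scanner; priority:3; sid:1000075;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Origin: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000076;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Referer: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000077;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Via: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000078;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Accept-Language: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000079;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Client-IP: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000080;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"HTTP_AUTH_PASSWD: acunetix";nocase;classtype:vuln-scanner; priority:3; sid:1000081;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"User-Agent: acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000082;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Acunetix-Aspect-Queries";nocase;classtype:vuln-scanner; priority:3; sid:1000083;rev:1;)
alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"Acunetix-Aspect:";nocase;classtype:vuln-scanner; priority:3; sid:1000084;rev:1;)
# DISABLED: identical to sid:1000063; kept for sid history.
#alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix_wvs_security_test";nocase;classtype:vuln-scanner; priority:3; sid:1000085;rev:1;)
# DISABLED: identical to sid:1000064; kept for sid history.
#alert http any any -> any any (msg:"检测到AWVS扫描器特征流量";flow:to_server,established; content:"acunetix";nocase;classtype:vuln-scanner; priority:3; sid:1000086;rev:1;)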
# --- Nessus scanner fingerprints -------------------------------------------------
# sid 1000087 ("nessus", nocase, anywhere in the request) subsumes the three
# header-specific rules, so a hit raises all matching sids together.
# NOTE(review): sid 1000088 looks for "x_forwarded_for:" with underscores; the
#   on-the-wire header is "X-Forwarded-For:", so this content may never match
#   as written — confirm against a capture before relying on it.
alert http any any -> any any (msg:"检测到NESSUS扫描器特征流量"; flow:established,to_server; content:"nessus"; nocase; sid:1000087; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到NESSUS扫描器特征流量"; flow:established,to_server; content:"x_forwarded_for: nessus"; nocase; sid:1000088; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到NESSUS扫描器特征流量"; flow:established,to_server; content:"referer: nessus"; nocase; sid:1000089; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到NESSUS扫描器特征流量"; flow:established,to_server; content:"host: nessus"; nocase; sid:1000090; rev:1; classtype:vuln-scanner; priority:3;)
# --- IBM/HCL AppScan scanner fingerprints ------------------------------------------
# sid 1000091 ("Appscan", nocase, anywhere) subsumes the rest of the group.
# NOTE(review): sid 1000095 has no space after "User-Agent:", so it only
#   matches that exact spacing; the generic 1000091 still covers the normal
#   "User-Agent: AppScan" form.
alert http any any -> any any (msg:"检测到APPSCAN扫描器特征流量"; flow:established,to_server; content:"Appscan"; nocase; sid:1000091; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到APPSCAN扫描器特征流量"; flow:established,to_server; content:"Content-Type: Appscan"; nocase; sid:1000092; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到APPSCAN扫描器特征流量"; flow:established,to_server; content:"Content-Type: AppScanHeader"; nocase; sid:1000093; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到APPSCAN扫描器特征流量"; flow:established,to_server; content:"Accept: Appscan"; nocase; sid:1000094; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到APPSCAN扫描器特征流量"; flow:established,to_server; content:"User-Agent:Appscan"; nocase; sid:1000095; rev:1; classtype:vuln-scanner; priority:3;)
# --- NSFOCUS RSAS (绿盟极光) scanner fingerprints -----------------------------------
# sid 1000096 matches the vendor name anywhere in a request (e.g. a Referer
# pointing at the vendor's site), not only scanner traffic; sid 1000097 keys on
# the default User-Agent prefix.
alert http any any -> any any (msg:"检测到Rsas绿盟极光扫描器流量特征"; flow:established,to_server; content:"nsfocus"; nocase; sid:1000096; rev:1; classtype:vuln-scanner; priority:3;)
alert http any any -> any any (msg:"检测到Rsas绿盟极光扫描器流量特征"; flow:established,to_server; content:"User-Agent: Rsas"; nocase; sid:1000097; rev:1; classtype:vuln-scanner; priority:3;)
# --- DirBuster / gobuster directory brute-force fingerprints -----------------------
# DirBuster's stock User-Agent embeds an owasp.org project URL in parentheses;
# sids 1000100-1000103 key on fragments of it.
# NOTE(review): sids 1000100/1000101 use "www.owasp.prg" — almost certainly a
#   typo of "www.owasp.org" (sid 1000102 has the correct spelling); as written
#   they only fire on that misspelling.
# sid 1000103 ("www.owasp.org" anywhere, nocase) also fires on any ordinary
# request whose Referer or body mentions the OWASP site.
# sid 1000099/1000105 are bare tool names anywhere in the request and subsume
# the User-Agent-specific 1000098/1000104.
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"User-Agent: Dirbuster"; nocase; sid:1000098; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"Dirbuster"; nocase; sid:1000099; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"(http://www.owasp.prg/index.php"; nocase; sid:1000100; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"(www.owasp.prg"; nocase; sid:1000101; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"(http://www.owasp.org/index.php"; nocase; sid:1000102; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到dirbuster目录爆破测试"; flow:established,to_server; content:"www.owasp.org"; nocase; sid:1000103; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到gobuster目录爆破测试"; flow:established,to_server; content:"User-Agent: gobuster"; nocase; sid:1000104; rev:1; classtype:dir-scan; priority:3;)
alert http any any -> any any (msg:"检测到gobuster目录爆破测试"; flow:established,to_server; content:"gobuster"; nocase; sid:1000105; rev:1; classtype:dir-scan; priority:3;)
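# --- XML External Entity (XXE) injection ------------------------------------------
# Fix (rev:2 on every rule): content:"POST" is matched in the http_method
# buffer. It previously matched the literal anywhere in the request, so the
# "POST" condition did not actually restrict the method.
# nocase applies only to the content: immediately before it. In sids 1000106,
# 1000107, 1000108, 1000109, 1000113 and 1000114 that was "POST", so the XML
# keywords are case-sensitive as written — which is why 1000106 ("XXE") and
# 1000107 ("xxe") both exist. In 1000110 it is "base64", in 1000111
# "php://filter/read", in 1000112 ".dtd".
# The contents are independent (no distance/within), so e.g. sid 1000109 fires
# on any POST that contains "<!ENTITY" and "SYSTEM" anywhere — adequate, but a
# legitimate DOCTYPE with an external DTD also trips it and sid 1000112 (any
# POST mentioning ".dtd") even more so; tune those two with care.
# sid 1000113 is the "billion laughs" entity-expansion DoS (lol1 / &lol).
alert http any any -> any any (msg:"检测到XML实体注入--规则1命中";flow:to_server,established; content:"XXE";content:"ENTITY";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000106;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入--规则2命中";flow:to_server,established; content:"xxe";content:"ENTITY";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000107;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入--规则3命中";flow:to_server,established; content:"&xxe";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000108;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入--规则4命中";flow:to_server,established; content:"<!ENTITY";content:"SYSTEM";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000109;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入--规则5命中";flow:to_server,established; content:"<!ENTITY";content:"SYSTEM";content:"POST"; http_method; content:"data://text/plain";content:"base64";nocase;classtype:xxe-attack; priority:1; sid:1000110;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入--规则6命中";flow:to_server,established; content:"<!ENTITY";content:"SYSTEM";content:"php://filter/read";nocase;content:"POST"; http_method;classtype:xxe-attack; priority:1; sid:1000111;rev:2;)
alert http any any -> any any (msg:"检测到引用外部实体dtd文件--规则7命中";flow:to_server,established; content:".dtd";nocase;content:"POST"; http_method;classtype:xxe-attack; priority:1; sid:1000112;rev:2;)
alert http any any -> any any (msg:"检测到XML实体注入DOS攻击--规则8命中";flow:to_server,established; content:"<!ENTITY";content:"lol1";content:"&lol";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000113;rev:2;)
alert http any any -> any any (msg:"检测到SVG XXE--规则9命中";flow:to_server,established; content:"<svg";content:"<image";content:"expect://";content:"POST"; http_method; nocase;classtype:xxe-attack; priority:1; sid:1000114;rev:2;)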
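# Sensitive-file-extension rules (sid 1000115-1000120): plain substring match on
# the request URI (`http_uri`).
# Fix: sid 1000120 (".pem") was the only rule in this group without `nocase`, so a
# request for ".PEM" was missed while ".KEY" and ".ENV" were caught; `nocase` is
# now applied consistently.
alert http any any -> any any (msg:"检测到敏感后缀.bak文件访问";flow:to_server,established; content:".bak";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000115;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.sql文件访问";flow:to_server,established; content:".sql";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000116;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.back文件访问";flow:to_server,established; content:".back";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000117;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.env文件访问";flow:to_server,established; content:".env";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000118;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.key文件访问";flow:to_server,established; content:".key";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000119;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.pem文件访问";flow:to_server,established; content:".pem";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000120;rev:1;)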
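# Fix (sid 1000121-1000125): these five rules carried `http_uri;;nocase` — an empty
# option between two semicolons. Depending on the engine version that is either
# rejected at load time or silently skipped, so the rules may never have loaded.
# The stray semicolon is removed; matching is otherwise unchanged.
alert http any any -> any any (msg:"检测到敏感后缀.gitconfig文件访问";flow:to_server,established; content:".gitconfig";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000121;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.DS_Store文件访问";flow:to_server,established; content:".DS_Store";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000122;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.zip文件访问";flow:to_server,established; content:".zip";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000123;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.tar.gz文件访问";flow:to_server,established; content:".tar.gz";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000124;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.7z文件访问";flow:to_server,established; content:".7z";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000125;rev:1;)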
# Sensitive-file-extension rules continued (sid 1000126-1000137), URI substring
# match with `nocase`.
# Overlaps to expect when triaging: ".config" (sid 1000129) contains ".conf"
# (sid 1000130), ".docx" (1000133) contains ".doc" (1000136) and ".xlsx" (1000132)
# contains ".xls" (1000137), so those URIs raise two alerts each. ".log", ".inc"
# and ".db" occur in ordinary URIs as well; expect noise at priority 3.
alert http any any -> any any (msg:"检测到敏感后缀.rar文件访问";flow:to_server,established; content:".rar";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000126;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.dump文件访问";flow:to_server,established; content:".dump";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000127;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.log文件访问";flow:to_server,established; content:".log";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000128;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.config文件访问";flow:to_server,established; content:".config";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000129;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.conf文件访问";flow:to_server,established; content:".conf";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000130;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.inc文件访问";flow:to_server,established; content:".inc";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000131;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.xlsx文件访问";flow:to_server,established; content:".xlsx";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000132;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.docx文件访问";flow:to_server,established; content:".docx";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000133;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.db文件访问";flow:to_server,established; content:".db";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000134;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.sqlite文件访问";flow:to_server,established; content:".sqlite";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000135;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.doc文件访问";flow:to_server,established; content:".doc";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000136;rev:1;)
alert http any any -> any any (msg:"检测到敏感后缀.xls文件访问";flow:to_server,established; content:".xls";http_uri;nocase;classtype:sensitive-file-access;priority:3; sid:1000137;rev:1;)
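# XSS rules 1-4, GET (sid 1000142-1000145) and POST (sid 1000411-1000414) variants.
# Fix (sid 1000142 / 1000411): the pcre contained stray ';' characters in
# `on\w+;` and `vbscript;`, which demanded a literal semicolon between the event
# attribute and '=' (and between "vbscript" and ':'), so `onerror=javascript:` and
# `vbscript:` payloads never matched — only href=/src= with javascript:/data: did.
# The semicolons are removed; the rest of the expression is unchanged.
# Note for the remaining rules: `nocase` applies only to the "GET"/"POST" content
# that precedes it, so "javascript" and its tag-splitting variants are matched
# case-sensitively, and none of the contents is bound to a buffer.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则1";flow:to_server,established; pcre:"/(href|src|on\w+)\s*=\s*[\"']?\s*(javascript|data|vbscript):/i";content:"GET";classtype:xss-attack;priority:2; sid:1000142;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则2";flow:to_server,established; content:"javascript";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000143;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则3";flow:to_server,established; content:"javascrscriptipt";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000144;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则4";flow:to_server,established; content:"javasjavascriptcript";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000145;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则1";flow:to_server,established; pcre:"/(href|src|on\w+)\s*=\s*[\"']?\s*(javascript|data|vbscript):/i";content:"POST";classtype:xss-attack;priority:2; sid:1000411;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则2";flow:to_server,established; content:"javascript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000412;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则3";flow:to_server,established; content:"javascrscriptipt";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000413;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则4";flow:to_server,established; content:"javasjavascriptcript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000414;rev:1;)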
# XSS tag-name rules, GET side (sid 1000147-1000150). `nocase` covers only the
# "GET" content, so the tag is matched case-sensitively: sid 1000147 (`<style>`)
# and 1000148 (`<STYLE>`) cover two spellings, but mixed case such as `<Style>`
# is still missed. `<div` and `<img` are unanchored substrings, so any GET whose
# payload carries markup will fire these.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则6";flow:to_server,established; content:"<style>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000147;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则7";flow:to_server,established; content:"<STYLE>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000148;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则8";flow:to_server,established; content:"<div";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000149;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则9";flow:to_server,established; content:"<img";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000150;rev:1;)
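# Fix: rule 10 carried `sid:295`, which lies below the 1000000 boundary reserved
# for distributed rulesets and can collide with an official sid. This file's own
# sequence runs 1000294 (rule 19) -> 1000296 (rule 21), so 1000295 is the missing
# number and is used here. The msg of sid 1000153 had a dropped character
# ("命中规12" -> "命中规则12"), aligned with its neighbours.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则10";flow:to_server,established; content:"<BODY";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000295;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则11";flow:to_server,established; content:"<body";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000152;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则12";flow:to_server,established; content:"<marquee";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000153;rev:1;)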
# XSS tag rules 13-20, GET side. sid 1000157 matches the plain `<script` prefix;
# sid 1000158, 1000159, 1000294 and 1000151 match "script" with a second "script"
# spliced into it at different offsets. All are case-sensitive substrings (the
# `nocase` belongs to the "GET" content).
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则13";flow:to_server,established; content:"<video";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000154;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则14";flow:to_server,established; content:"<audio";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000155;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则15";flow:to_server,established; content:"<input";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000156;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则16";flow:to_server,established; content:"<script";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000157;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则17";flow:to_server,established; content:"scrscriptipt";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000158;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则18";flow:to_server,established; content:"scriscriptpt";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000159;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则19";flow:to_server,established; content:"scscriptript";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000294;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则20";flow:to_server,established; content:"scripscriptt";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000151;rev:1;)
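# Fix (sid 1000296 / 1000297): the pattern was `<from>` / `<from`, which is not an
# HTML element and would essentially never fire. Every neighbouring rule names an
# injectable tag, so this is read as a transposition of `<form`; if the original
# spelling was deliberate, revert these two contents. The msg of sid 1000297 and
# 1000299 had a dropped character ("命中规" -> "命中规则").
# `<iframe>` (1000298) is a substring of nothing useful, but `<iframe` (1000299)
# is a substring of `<iframe>`, so a request with `<iframe>` raises both.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则21";flow:to_server,established; content:"<form>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000296;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则22";flow:to_server,established; content:"<form";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000297;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则23";flow:to_server,established; content:"<iframe>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000298;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则24";flow:to_server,established; content:"<iframe";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000299;rev:1;)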
# XSS tag rules 25-29 (GET, sid 1000300-1000303 and 1000160) and rules 6-9 on the
# POST side (sid 1000415-1000418). Pairs like `<svg>`/`<svg` and
# `<button>`/`<button` overlap: the shorter pattern is a substring of the longer
# one, so a request containing `<svg>` raises both sids. `<p>` (sid 1000160) is a
# very short substring and will fire on almost any markup in a GET payload.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则25";flow:to_server,established; content:"<svg>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000300;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则26";flow:to_server,established; content:"<svg";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000301;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则27";flow:to_server,established; content:"<button>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000302;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则28";flow:to_server,established; content:"<button";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000303;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则29";flow:to_server,established; content:"<p>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000160;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则6";flow:to_server,established; content:"<style>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000415;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则7";flow:to_server,established; content:"<STYLE>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000416;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则8";flow:to_server,established; content:"<div";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000417;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则9";flow:to_server,established; content:"<img";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000418;rev:1;)
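# Fix: the POST variant of rule 10 carried `sid:419`, below the 1000000 boundary
# reserved for distributed rulesets and therefore liable to collide with an
# official sid. The surrounding sequence is 1000418 -> 1000420, so 1000419 is the
# intended value. The msg of sid 1000421 had a dropped character
# ("命中规12" -> "命中规则12"), aligned with its neighbours.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则10";flow:to_server,established; content:"<BODY";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000419;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则11";flow:to_server,established; content:"<body";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000420;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则12";flow:to_server,established; content:"<marquee";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000421;rev:1;)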
# XSS tag rules 13-20, POST side (sid 1000422-1000429); same patterns as the GET
# rules with only the method literal changed. The `nocase` belongs to the "POST"
# content, so the tag/keyword itself is case-sensitive, and "POST" is not bound to
# `http_method`, so it matches anywhere in the payload.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则13";flow:to_server,established; content:"<video";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000422;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则14";flow:to_server,established; content:"<audio";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000423;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则15";flow:to_server,established; content:"<input";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000424;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则16";flow:to_server,established; content:"<script";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000425;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则17";flow:to_server,established; content:"scrscriptipt";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000426;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则18";flow:to_server,established; content:"scriscriptpt";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000427;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则19";flow:to_server,established; content:"scscriptript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000428;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则20";flow:to_server,established; content:"scripscriptt";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000429;rev:1;)
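# Fix (sid 1000430 / 1000431): the pattern was `<from>` / `<from`, which is not an
# HTML element and would essentially never fire. Read as a transposition of
# `<form`, consistent with the injectable tags around it; revert if the original
# spelling was deliberate. The msg of sid 1000431 and 1000433 had a dropped
# character ("命中规" -> "命中规则").
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则21";flow:to_server,established; content:"<form>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000430;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则22";flow:to_server,established; content:"<form";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000431;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则23";flow:to_server,established; content:"<iframe>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000432;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则24";flow:to_server,established; content:"<iframe";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000433;rev:1;)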
# XSS tag rules 25-29 on the POST side (sid 1000434-1000438) and rules 31-32 on
# the GET side (sid 1000162-1000163). As elsewhere, the `<tag>`/`<tag` pairs
# overlap (the shorter is a substring of the longer), so one request can raise
# both sids of a pair.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则25";flow:to_server,established; content:"<svg>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000434;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则26";flow:to_server,established; content:"<svg";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000435;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则27";flow:to_server,established; content:"<button>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000436;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则28";flow:to_server,established; content:"<button";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000437;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则29";flow:to_server,established; content:"<p>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000438;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则31";flow:to_server,established; content:"<details>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000162;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则32";flow:to_server,established; content:"<details";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000163;rev:1;)
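# Fix: msg of sid 1000164 had a dropped character ("命中规33" -> "命中规则33");
# the pattern and options are unchanged.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则33";flow:to_server,established; content:"<select>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000164;rev:1;)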
# XSS tag rules 34-43, GET side (sid 1000165-1000174) and rules 31-32 on the POST
# side (sid 1000439-1000440).
# Duplicates: `<marquee>` (sid 1000170) and `<marquee` (sid 1000171) repeat the
# `<marquee` pattern of sid 1000153; a GET containing `<marquee>` raises all
# three. `<keygen` and `<isindex` are obsolete elements that modern browsers no
# longer render, so hits on them are more likely scanner traffic than a working
# payload.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则34";flow:to_server,established; content:"<select";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000165;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则35";flow:to_server,established; content:"<textarea>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000166;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则36";flow:to_server,established; content:"<textarea";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000167;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则37";flow:to_server,established; content:"<keygen>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000168;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则38";flow:to_server,established; content:"<keygen";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000169;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则39";flow:to_server,established; content:"<marquee>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000170;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则40";flow:to_server,established; content:"<marquee";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000171;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则41";flow:to_server,established; content:"<isindex>";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000172;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则42";flow:to_server,established; content:"<isindex";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000173;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则43";flow:to_server,established; content:"<link";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000174;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则31";flow:to_server,established; content:"<details>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000439;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则32";flow:to_server,established; content:"<details";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000440;rev:1;)
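# Fix: msg of sid 1000441 had a dropped character ("命中规33" -> "命中规则33");
# the pattern and options are unchanged.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则33";flow:to_server,established; content:"<select>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000441;rev:1;)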
# XSS tag rules 34-43, POST side (sid 1000442-1000451); mirrors of the GET rules.
# `<marquee>` (sid 1000447) and `<marquee` (sid 1000448) repeat the `<marquee`
# pattern already covered by sid 1000421, so a POST containing `<marquee>` raises
# three alerts.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则34";flow:to_server,established; content:"<select";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000442;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则35";flow:to_server,established; content:"<textarea>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000443;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则36";flow:to_server,established; content:"<textarea";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000444;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则37";flow:to_server,established; content:"<keygen>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000445;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则38";flow:to_server,established; content:"<keygen";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000446;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则39";flow:to_server,established; content:"<marquee>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000447;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则40";flow:to_server,established; content:"<marquee";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000448;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则41";flow:to_server,established; content:"<isindex>";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000449;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则42";flow:to_server,established; content:"<isindex";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000450;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则43";flow:to_server,established; content:"<link";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000451;rev:1;)
# XSS event-handler rules 44-64, GET side (sid 1000175-1000195). Each matches the
# bare handler name as a case-sensitive substring anywhere in the payload — no
# '=' is required and no buffer is selected — so ordinary words that embed the
# name (e.g. "oncut" inside a longer token) fire as well. The `nocase` applies
# only to the "GET" content. Several of these handlers are matched again by
# later sids in this file (e.g. "oninput" by 1000190 and 1000225), producing two
# alerts per request.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则44";flow:to_server,established; content:"onerror";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000175;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则45";flow:to_server,established; content:"oncuechange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000176;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则46";flow:to_server,established; content:"oncopy";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000177;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则47";flow:to_server,established; content:"oncut";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000178;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则48";flow:to_server,established; content:"ondblclick";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000179;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则49";flow:to_server,established; content:"ondrag";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000180;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则50";flow:to_server,established; content:"ondragend";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000181;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则51";flow:to_server,established; content:"ondragenter";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000182;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则52";flow:to_server,established; content:"ondragleave";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000183;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则53";flow:to_server,established; content:"ondurationchange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000184;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则54";flow:to_server,established; content:"onemptied";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000185;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则55";flow:to_server,established; content:"onended";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000186;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则56";flow:to_server,established; content:"onfocus";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000187;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则57";flow:to_server,established; content:"ongotpointercapture";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000188;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则58";flow:to_server,established; content:"onhashchange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000189;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则59";flow:to_server,established; content:"oninput";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000190;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则60";flow:to_server,established; content:"oninvalid";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000191;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则61";flow:to_server,established; content:"onkeydown";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000192;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则62";flow:to_server,established; content:"onkeypress";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000193;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则63";flow:to_server,established; content:"onkeyup";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000194;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则64";flow:to_server,established; content:"onload";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000195;rev:1;)
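# Fix: sid 1000196 read `content:"onloadeddat;content:"GET";` — the closing quote
# of the first content was missing and the handler name was truncated, leaving an
# unbalanced quote that the parser cannot load. Restored to "onloadeddata"; note
# that this makes it equivalent to sid 1000229 further down, so a GET containing
# the handler raises both.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则65";flow:to_server,established; content:"onloadeddata";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000196;rev:1;)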
# XSS event-handler rules 66-83, GET side (sid 1000197-1000214); bare handler
# names matched as case-sensitive substrings, no '=' and no buffer.
# sid 1000207 carries "onmousewhee", a truncation of "onmousewheel"; because it
# is a substring of the full name it still matches it, and so duplicates
# sid 1000236. "onplay" (1000214) is also a substring of "onplaying" (1000215),
# so a request with the latter raises both.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则66";flow:to_server,established; content:"onloadedmetadata";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000197;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则67";flow:to_server,established; content:"onloadstart";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000198;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则68";flow:to_server,established; content:"onlostpointercapture";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000199;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则69";flow:to_server,established; content:"onmousedown";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000200;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则70";flow:to_server,established; content:"onmouseenter";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000201;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则71";flow:to_server,established; content:"onmouseleave";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000202;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则72";flow:to_server,established; content:"onmousemove";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000203;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则73";flow:to_server,established; content:"onmouseout";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000204;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则74";flow:to_server,established; content:"onmouseover";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000205;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则75";flow:to_server,established; content:"onmouseup";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000206;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则76";flow:to_server,established; content:"onmousewhee";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000207;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则77";flow:to_server,established; content:"onoffline";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000208;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则78";flow:to_server,established; content:"ononline";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000209;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则79";flow:to_server,established; content:"onpagehide";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000210;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则80";flow:to_server,established; content:"onpageshow";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000211;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则81";flow:to_server,established; content:"onpaste";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000212;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则82";flow:to_server,established; content:"onpause";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000213;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则83";flow:to_server,established; content:"onplay";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000214;rev:1;)
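# Fix: sid 1000215 was the only rule in this file without a `rev`, which breaks
# revision tracking when the rule is updated; `rev:1` added to match every other
# rule. Pattern and options are unchanged.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则84";flow:to_server,established; content:"onplaying";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000215;rev:1;)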
# XSS event-handler rules 85-92, GET side (sid 1000216-1000223).
# sid 1000217 and sid 1000220 both match "onpointerdown" — the second is an exact
# duplicate (possibly meant to be another pointer event; cannot tell from here).
# sid 1000222 ("onemptied") duplicates sid 1000185. Each duplicate pair yields two
# alerts for the same request.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则85";flow:to_server,established; content:"onpointercancel";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000216;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则86";flow:to_server,established; content:"onpointerdown";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000217;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则87";flow:to_server,established; content:"onpointerenter";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000218;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则88";flow:to_server,established; content:"onpointerleave";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000219;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则89";flow:to_server,established; content:"onpointerdown";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000220;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则90";flow:to_server,established; content:"onpointermove";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000221;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则91";flow:to_server,established; content:"onemptied";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000222;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则92";flow:to_server,established; content:"onformdata";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000223;rev:1;)
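# Fix: msg of sid 1000224 had a dropped character ("命中规93" -> "命中规则93");
# the pattern and options are unchanged.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则93";flow:to_server,established; content:"onfullscreenchange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000224;rev:1;)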
# XSS event-handler rules 94-132, GET side (sid 1000225-1000263 plus 1000304).
# Many of these repeat a handler already covered earlier in the file and so raise
# a second alert on the same request: 1000225 (oninput) = 1000190,
# 1000226 (oninvalid) = 1000191, 1000227 (onkeypress) = 1000193,
# 1000228 (onkeyup) = 1000194, 1000230 (onloadedmetadata) = 1000197,
# 1000231 (onmouseenter) = 1000201, 1000304 (onmouseleave) = 1000202,
# 1000233 (onmousemove) = 1000203, 1000234 (onmouseout) = 1000204,
# 1000235 (onmouseup) = 1000206, 1000237 (onpaste) = 1000212,
# 1000238 (onpause) = 1000213, 1000239 (onplay) = 1000214,
# 1000240 (onplaying) = 1000215, and within this block 1000261 (onselect) =
# 1000249, 1000262 (onsubmit) = 1000251, 1000263 (ontimeupdate) = 1000253.
# "onseeked"/"onseeking" and "onselect"/"onsearch" are distinct patterns, but
# "onplay" is a substring of "onplaying" and "ondrag" of the ondrag* family, so
# those also overlap.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则94";flow:to_server,established; content:"oninput";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000225;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则95";flow:to_server,established; content:"oninvalid";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000226;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则96";flow:to_server,established; content:"onkeypress";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000227;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则97";flow:to_server,established; content:"onkeyup";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000228;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则98";flow:to_server,established; content:"onloadeddata";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000229;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则99";flow:to_server,established; content:"onloadedmetadata";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000230;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则100";flow:to_server,established; content:"onmouseenter";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000231;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则101";flow:to_server,established; content:"onmouseleave";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000304;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则102";flow:to_server,established; content:"onmousemove";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000233;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则103";flow:to_server,established; content:"onmouseout";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000234;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则104";flow:to_server,established; content:"onmouseup";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000235;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则105";flow:to_server,established; content:"onmousewheel";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000236;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则106";flow:to_server,established; content:"onpaste";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000237;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则107";flow:to_server,established; content:"onpause";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000238;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则108";flow:to_server,established; content:"onplay";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000239;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则109";flow:to_server,established; content:"onplaying";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000240;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则110";flow:to_server,established; content:"onprogress";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000241;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则111";flow:to_server,established; content:"onratechange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000242;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则112";flow:to_server,established; content:"onreset";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000243;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则113";flow:to_server,established; content:"onresize";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000244;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则114";flow:to_server,established; content:"onscroll";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000245;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则115";flow:to_server,established; content:"onsearch";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000246;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则116";flow:to_server,established; content:"onseeked";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000247;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则117";flow:to_server,established; content:"onseeking";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000248;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则118";flow:to_server,established; content:"onselect";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000249;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则119";flow:to_server,established; content:"onstalled";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000250;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则120";flow:to_server,established; content:"onsubmit";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000251;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则121";flow:to_server,established; content:"onsuspend";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000252;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则122";flow:to_server,established; content:"ontimeupdate";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000253;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则123";flow:to_server,established; content:"ontoggle";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000254;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则124";flow:to_server,established; content:"ontouchcancel";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000255;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则125";flow:to_server,established; content:"ontouchend";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000256;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则126";flow:to_server,established; content:"ontouchmove";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000257;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则127";flow:to_server,established; content:"ontouchstart";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000258;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则128";flow:to_server,established; content:"ontransitionend";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000259;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则129";flow:to_server,established; content:"onunload";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000260;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则130";flow:to_server,established; content:"onselect";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000261;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则131";flow:to_server,established; content:"onsubmit";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000262;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则132";flow:to_server,established; content:"ontimeupdate";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000263;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则133";flow:to_server,established; content:"ontoggle";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000264;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则134";flow:to_server,established; content:"onvolumechange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000265;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则135";flow:to_server,established; content:"onwaiting";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000266;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则136";flow:to_server,established; content:"onafterprint";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000267;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则137";flow:to_server,established; content:"onanimationcancel";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000268;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则138";flow:to_server,established; content:"onanimationend";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000269;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则139";flow:to_server,established; content:"onanimationiteration";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000270;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则140";flow:to_server,established; content:"onanimationstart";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000271;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则141";flow:to_server,established; content:"onauxclick";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000272;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则142";flow:to_server,established; content:"onbeforeprint";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000273;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则143";flow:to_server,established; content:"onbeforeunload";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000274;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则144";flow:to_server,established; content:"onblur";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000275;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则145";flow:to_server,established; content:"oncancel";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000276;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则146";flow:to_server,established; content:"oncanplay";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000277;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则147";flow:to_server,established; content:"oncanplaythrough";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000278;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则148";flow:to_server,established; content:"onchange";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000279;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则149";flow:to_server,established; content:"onclick";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000280;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则150";flow:to_server,established; content:"onclose";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000281;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则151";flow:to_server,established; content:"oncontextmenu";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000282;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则152";flow:to_server,established; content:"alert";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000283;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则153";flow:to_server,established; content:"console.log";content:"GET";nocase;classtype:xss-attack;priority:2; sid:1000284;rev:1;)
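# --- XSS event-handler signatures, POST requests (sids 1000452-1000561), rev:2 ---
# What changed and why:
#  * The originals matched content:"POST" anywhere in the raw payload and put
#    `nocase` only on that token, so the handler name was case-SENSITIVE while
#    the method was not. The method is now matched exactly in http.method and
#    the handler name case-insensitively in the http.request_body buffer.
#  * `\b...\b` anchoring stops prefix rules from firing on longer names
#    (ondrag on ondragend, onload on onloadeddata, onplay on onplaying,
#    oncanplay on oncanplaythrough) and on tokens embedded inside words.
#  * sid 1000484 matched the typo `onmousewhee`; corrected to `onmousewheel`.
#  * Exact duplicates are retired (listed inline where they sat); each only
#    produced a second alert for the same request. Do not reuse those sids.
#  * sid 1000501 message fixed ("命中规93" -> "命中规则93").
#  * sid 1000560 now requires a call form (`alert(`, `alert%28`, `alert\``).
# NOTE(review): only the request body is inspected now; a payload in the URI
#   of a POST or in a header is not matched by these rules. Body inspection is
#   bounded by `request-body-limit` in suricata.yaml (libhtp section); bytes
#   past that limit are never seen. Body buffers are not URL-decoded, so
#   `onerror%3D` style encodings in form posts still need their own handling.
# NOTE(review): `onpointerup`, `onpointerover`, `onpointerout` are not in the
#   list (1000497 repeated onpointerdown instead); add them from the allocated
#   sid range if pointer-event coverage is intended.
# NOTE(review): http.method / http.request_body need Suricata >= 5; classtype
#   xss-attack must exist in classification.config.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则44"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onerror"; nocase; pcre:"/\bonerror\b/i"; classtype:xss-attack; priority:2; sid:1000452; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则45"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncuechange"; nocase; pcre:"/\boncuechange\b/i"; classtype:xss-attack; priority:2; sid:1000453; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则46"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncopy"; nocase; pcre:"/\boncopy\b/i"; classtype:xss-attack; priority:2; sid:1000454; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则47"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncut"; nocase; pcre:"/\boncut\b/i"; classtype:xss-attack; priority:2; sid:1000455; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则48"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondblclick"; nocase; pcre:"/\bondblclick\b/i"; classtype:xss-attack; priority:2; sid:1000456; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则49"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondrag"; nocase; pcre:"/\bondrag\b/i"; classtype:xss-attack; priority:2; sid:1000457; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则50"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondragend"; nocase; pcre:"/\bondragend\b/i"; classtype:xss-attack; priority:2; sid:1000458; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则51"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondragenter"; nocase; pcre:"/\bondragenter\b/i"; classtype:xss-attack; priority:2; sid:1000459; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则52"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondragleave"; nocase; pcre:"/\bondragleave\b/i"; classtype:xss-attack; priority:2; sid:1000460; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则53"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ondurationchange"; nocase; pcre:"/\bondurationchange\b/i"; classtype:xss-attack; priority:2; sid:1000461; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则54"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onemptied"; nocase; pcre:"/\bonemptied\b/i"; classtype:xss-attack; priority:2; sid:1000462; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则55"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onended"; nocase; pcre:"/\bonended\b/i"; classtype:xss-attack; priority:2; sid:1000463; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则56"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onfocus"; nocase; pcre:"/\bonfocus\b/i"; classtype:xss-attack; priority:2; sid:1000464; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则57"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ongotpointercapture"; nocase; pcre:"/\bongotpointercapture\b/i"; classtype:xss-attack; priority:2; sid:1000465; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则58"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onhashchange"; nocase; pcre:"/\bonhashchange\b/i"; classtype:xss-attack; priority:2; sid:1000466; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则59"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oninput"; nocase; pcre:"/\boninput\b/i"; classtype:xss-attack; priority:2; sid:1000467; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则60"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oninvalid"; nocase; pcre:"/\boninvalid\b/i"; classtype:xss-attack; priority:2; sid:1000468; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则61"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onkeydown"; nocase; pcre:"/\bonkeydown\b/i"; classtype:xss-attack; priority:2; sid:1000469; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则62"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onkeypress"; nocase; pcre:"/\bonkeypress\b/i"; classtype:xss-attack; priority:2; sid:1000470; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则63"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onkeyup"; nocase; pcre:"/\bonkeyup\b/i"; classtype:xss-attack; priority:2; sid:1000471; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则64"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onload"; nocase; pcre:"/\bonload\b/i"; classtype:xss-attack; priority:2; sid:1000472; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则65"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onloadeddata"; nocase; pcre:"/\bonloadeddata\b/i"; classtype:xss-attack; priority:2; sid:1000473; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则66"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onloadedmetadata"; nocase; pcre:"/\bonloadedmetadata\b/i"; classtype:xss-attack; priority:2; sid:1000474; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则67"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onloadstart"; nocase; pcre:"/\bonloadstart\b/i"; classtype:xss-attack; priority:2; sid:1000475; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则68"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onlostpointercapture"; nocase; pcre:"/\bonlostpointercapture\b/i"; classtype:xss-attack; priority:2; sid:1000476; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则69"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmousedown"; nocase; pcre:"/\bonmousedown\b/i"; classtype:xss-attack; priority:2; sid:1000477; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则70"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmouseenter"; nocase; pcre:"/\bonmouseenter\b/i"; classtype:xss-attack; priority:2; sid:1000478; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则71"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmouseleave"; nocase; pcre:"/\bonmouseleave\b/i"; classtype:xss-attack; priority:2; sid:1000479; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则72"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmousemove"; nocase; pcre:"/\bonmousemove\b/i"; classtype:xss-attack; priority:2; sid:1000480; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则73"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmouseout"; nocase; pcre:"/\bonmouseout\b/i"; classtype:xss-attack; priority:2; sid:1000481; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则74"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmouseover"; nocase; pcre:"/\bonmouseover\b/i"; classtype:xss-attack; priority:2; sid:1000482; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则75"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmouseup"; nocase; pcre:"/\bonmouseup\b/i"; classtype:xss-attack; priority:2; sid:1000483; rev:2;)
# was `onmousewhee` (typo); rev:2 matches the real handler name.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则76"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onmousewheel"; nocase; pcre:"/\bonmousewheel\b/i"; classtype:xss-attack; priority:2; sid:1000484; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则77"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onoffline"; nocase; pcre:"/\bonoffline\b/i"; classtype:xss-attack; priority:2; sid:1000485; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则78"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ononline"; nocase; pcre:"/\bononline\b/i"; classtype:xss-attack; priority:2; sid:1000486; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则79"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpagehide"; nocase; pcre:"/\bonpagehide\b/i"; classtype:xss-attack; priority:2; sid:1000487; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则80"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpageshow"; nocase; pcre:"/\bonpageshow\b/i"; classtype:xss-attack; priority:2; sid:1000488; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则81"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpaste"; nocase; pcre:"/\bonpaste\b/i"; classtype:xss-attack; priority:2; sid:1000489; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则82"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpause"; nocase; pcre:"/\bonpause\b/i"; classtype:xss-attack; priority:2; sid:1000490; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则83"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onplay"; nocase; pcre:"/\bonplay\b/i"; classtype:xss-attack; priority:2; sid:1000491; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则84"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onplaying"; nocase; pcre:"/\bonplaying\b/i"; classtype:xss-attack; priority:2; sid:1000492; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则85"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpointercancel"; nocase; pcre:"/\bonpointercancel\b/i"; classtype:xss-attack; priority:2; sid:1000493; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则86"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpointerdown"; nocase; pcre:"/\bonpointerdown\b/i"; classtype:xss-attack; priority:2; sid:1000494; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则87"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpointerenter"; nocase; pcre:"/\bonpointerenter\b/i"; classtype:xss-attack; priority:2; sid:1000495; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则88"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpointerleave"; nocase; pcre:"/\bonpointerleave\b/i"; classtype:xss-attack; priority:2; sid:1000496; rev:2;)
# retired: sid:1000497 (onpointerdown) - exact duplicate of sid:1000494.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则90"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onpointermove"; nocase; pcre:"/\bonpointermove\b/i"; classtype:xss-attack; priority:2; sid:1000498; rev:2;)
# retired: sid:1000499 (onemptied) - exact duplicate of sid:1000462.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则92"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onformdata"; nocase; pcre:"/\bonformdata\b/i"; classtype:xss-attack; priority:2; sid:1000500; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则93"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onfullscreenchange"; nocase; pcre:"/\bonfullscreenchange\b/i"; classtype:xss-attack; priority:2; sid:1000501; rev:2;)
# retired: sid:1000502 (oninput), 1000503 (oninvalid), 1000504 (onkeypress), 1000505 (onkeyup),
#          1000506 (onloadeddata), 1000507 (onloadedmetadata), 1000508 (onmouseenter),
#          1000509 (onmouseleave), 1000510 (onmousemove), 1000511 (onmouseout), 1000512 (onmouseup),
#          1000513 (onmousewheel), 1000514 (onpaste), 1000515 (onpause), 1000516 (onplay),
#          1000517 (onplaying) - exact duplicates of sids 1000467-1000492 above.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则110"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onprogress"; nocase; pcre:"/\bonprogress\b/i"; classtype:xss-attack; priority:2; sid:1000518; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则111"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onratechange"; nocase; pcre:"/\bonratechange\b/i"; classtype:xss-attack; priority:2; sid:1000519; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则112"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onreset"; nocase; pcre:"/\bonreset\b/i"; classtype:xss-attack; priority:2; sid:1000520; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则113"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onresize"; nocase; pcre:"/\bonresize\b/i"; classtype:xss-attack; priority:2; sid:1000521; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则114"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onscroll"; nocase; pcre:"/\bonscroll\b/i"; classtype:xss-attack; priority:2; sid:1000522; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则115"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onsearch"; nocase; pcre:"/\bonsearch\b/i"; classtype:xss-attack; priority:2; sid:1000523; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则116"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onseeked"; nocase; pcre:"/\bonseeked\b/i"; classtype:xss-attack; priority:2; sid:1000524; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则117"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onseeking"; nocase; pcre:"/\bonseeking\b/i"; classtype:xss-attack; priority:2; sid:1000525; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则118"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onselect"; nocase; pcre:"/\bonselect\b/i"; classtype:xss-attack; priority:2; sid:1000526; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则119"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onstalled"; nocase; pcre:"/\bonstalled\b/i"; classtype:xss-attack; priority:2; sid:1000527; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则120"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onsubmit"; nocase; pcre:"/\bonsubmit\b/i"; classtype:xss-attack; priority:2; sid:1000528; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则121"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onsuspend"; nocase; pcre:"/\bonsuspend\b/i"; classtype:xss-attack; priority:2; sid:1000529; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则122"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontimeupdate"; nocase; pcre:"/\bontimeupdate\b/i"; classtype:xss-attack; priority:2; sid:1000530; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则123"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontoggle"; nocase; pcre:"/\bontoggle\b/i"; classtype:xss-attack; priority:2; sid:1000531; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则124"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontouchcancel"; nocase; pcre:"/\bontouchcancel\b/i"; classtype:xss-attack; priority:2; sid:1000532; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则125"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontouchend"; nocase; pcre:"/\bontouchend\b/i"; classtype:xss-attack; priority:2; sid:1000533; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则126"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontouchmove"; nocase; pcre:"/\bontouchmove\b/i"; classtype:xss-attack; priority:2; sid:1000534; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则127"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontouchstart"; nocase; pcre:"/\bontouchstart\b/i"; classtype:xss-attack; priority:2; sid:1000535; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则128"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"ontransitionend"; nocase; pcre:"/\bontransitionend\b/i"; classtype:xss-attack; priority:2; sid:1000536; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则129"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onunload"; nocase; pcre:"/\bonunload\b/i"; classtype:xss-attack; priority:2; sid:1000537; rev:2;)
# retired: sid:1000538 (onselect), 1000539 (onsubmit), 1000540 (ontimeupdate), 1000541 (ontoggle)
#          - exact duplicates of sids 1000526, 1000528, 1000530, 1000531 above.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则134"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onvolumechange"; nocase; pcre:"/\bonvolumechange\b/i"; classtype:xss-attack; priority:2; sid:1000542; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则135"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onwaiting"; nocase; pcre:"/\bonwaiting\b/i"; classtype:xss-attack; priority:2; sid:1000543; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则136"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onafterprint"; nocase; pcre:"/\bonafterprint\b/i"; classtype:xss-attack; priority:2; sid:1000544; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则137"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onanimationcancel"; nocase; pcre:"/\bonanimationcancel\b/i"; classtype:xss-attack; priority:2; sid:1000545; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则138"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onanimationend"; nocase; pcre:"/\bonanimationend\b/i"; classtype:xss-attack; priority:2; sid:1000546; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则139"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onanimationiteration"; nocase; pcre:"/\bonanimationiteration\b/i"; classtype:xss-attack; priority:2; sid:1000547; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则140"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onanimationstart"; nocase; pcre:"/\bonanimationstart\b/i"; classtype:xss-attack; priority:2; sid:1000548; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则141"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onauxclick"; nocase; pcre:"/\bonauxclick\b/i"; classtype:xss-attack; priority:2; sid:1000549; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则142"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onbeforeprint"; nocase; pcre:"/\bonbeforeprint\b/i"; classtype:xss-attack; priority:2; sid:1000550; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则143"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onbeforeunload"; nocase; pcre:"/\bonbeforeunload\b/i"; classtype:xss-attack; priority:2; sid:1000551; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则144"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onblur"; nocase; pcre:"/\bonblur\b/i"; classtype:xss-attack; priority:2; sid:1000552; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则145"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncancel"; nocase; pcre:"/\boncancel\b/i"; classtype:xss-attack; priority:2; sid:1000553; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则146"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncanplay"; nocase; pcre:"/\boncanplay\b/i"; classtype:xss-attack; priority:2; sid:1000554; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则147"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncanplaythrough"; nocase; pcre:"/\boncanplaythrough\b/i"; classtype:xss-attack; priority:2; sid:1000555; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则148"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onchange"; nocase; pcre:"/\bonchange\b/i"; classtype:xss-attack; priority:2; sid:1000556; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则149"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onclick"; nocase; pcre:"/\bonclick\b/i"; classtype:xss-attack; priority:2; sid:1000557; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则150"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"onclose"; nocase; pcre:"/\bonclose\b/i"; classtype:xss-attack; priority:2; sid:1000558; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则151"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"oncontextmenu"; nocase; pcre:"/\boncontextmenu\b/i"; classtype:xss-attack; priority:2; sid:1000559; rev:2;)
# alert(...) call only; bare `alert` fired on any form field containing the word.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则152"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"alert"; nocase; pcre:"/\balert\s*(?:\(|%28|`)/i"; classtype:xss-attack; priority:2; sid:1000560; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则153"; flow:to_server,established; http.method; content:"POST"; http.request_body; content:"console.log"; nocase; classtype:xss-attack; priority:2; sid:1000561; rev:2;)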
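# --- XSS obfuscation / sink signatures, GET requests (sids 1000285-1000313), rev:2 ---
# Common changes: method matched exactly in http.method; the pattern matched
# case-insensitively in the normalized http.uri buffer (the originals put
# `nocase` on the "GET" token only, leaving the pattern case-sensitive and
# matching anywhere in the payload, headers included).
# NOTE(review): sticky buffers need Suricata >= 5; whether percent-encoded
#   forms arrive decoded depends on libhtp URI normalization - verify with a
#   pcap. classtype xss-attack must be defined in classification.config.
#
# sid 1000285: HTML-entity-obfuscated `javascript:` in an href.
#   The original regex required a literal `;` between the final `t` and the
#   `:` (`...cript;:`), which no working payload contains, and accepted
#   `&#73;` (decimal 73 = 'I', not 's'). Now accepts `&#115;` (decimal) or
#   `&#x73;` (hex) for the `s`, with an optional terminating `;`.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则154"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"href"; nocase; content:"&#"; distance:0; pcre:"/href\s*=\s*[\"']?\s*j\s*a\s*v\s*a\s*&#(?:0*115|x0*73)\;?\s*c\s*r\s*i\s*p\s*t\s*:/i"; classtype:xss-attack; priority:2; sid:1000285; rev:2;)
# sid 1000286 is fully covered by sid 1000287 (`vbscript`); both fire on a
# MsgBox payload. Kept because its message names the specific sink.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则155"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"vbscript:MsgBox"; nocase; classtype:xss-attack; priority:2; sid:1000286; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则156"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"vbscript"; nocase; pcre:"/\bvbscript\b/i"; classtype:xss-attack; priority:2; sid:1000287; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则157"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"String.fromCharCode"; nocase; classtype:xss-attack; priority:2; sid:1000288; rev:2;)
# Named-entity evasions of `javascript:`: &colon; / &NewLine; / &Tab;.
# The IDS does not decode HTML entities, so these literal forms are the only
# way to see them.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则158"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"javascript&colon"; nocase; classtype:xss-attack; priority:2; sid:1000289; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则159"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"javasc&NewLine"; nocase; classtype:xss-attack; priority:2; sid:1000290; rev:2;)
# `cript` must now follow `javas&Tab` (distance:0); the original accepted the
# two tokens in any order anywhere in the request.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则160"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"javas&Tab"; nocase; content:"cript"; nocase; distance:0; classtype:xss-attack; priority:2; sid:1000291; rev:2;)
# NOTE(review): only the single-space split is covered; tab/newline-split
#   forms (`jav\tascript`) need a \s-tolerant pcre if that evasion matters.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则161"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"jav ascript"; nocase; classtype:xss-attack; priority:2; sid:1000292; rev:2;)
# retired: sid:1000293 and sid:1000305 (vbscript:MsgBox) - exact duplicates of sid:1000286.
# confirm(...) call only; bare `confirm` matched e.g. /confirm-email URIs.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则164"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"confirm"; nocase; pcre:"/\bconfirm\s*(?:\(|%28|`)/i"; classtype:xss-attack; priority:2; sid:1000306; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则165"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"javascript:eval"; nocase; classtype:xss-attack; priority:2; sid:1000307; rev:2;)
# `data:text/html;base64` (the original spelled it entirely in hex).
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则166"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"data:text/html|3b|base64"; nocase; classtype:xss-attack; priority:2; sid:1000308; rev:2;)
# style= attribute on <img>/<a>. The originals matched the exact byte string
# `<img STYLE=` / `<A STYLE=` (one space, upper-case STYLE); any other
# spacing, case, or intervening attribute evaded them.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则167"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"<img"; nocase; content:"style"; nocase; distance:0; pcre:"/<img\b[^>]{0,500}?\bstyle\s*=/i"; classtype:xss-attack; priority:2; sid:1000309; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则168"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"<a"; nocase; content:"style"; nocase; distance:0; pcre:"/<a\b[^>]{0,500}?\bstyle\s*=/i"; classtype:xss-attack; priority:2; sid:1000310; rev:2;)
# sid 1000311: JS-unicode-escaped `alert` (`\u0061\u006c\u0065\u0072\u0074`).
#   The original pcre alternated `alert` with `\x61\x6c...` - which PCRE
#   reads as the same word `alert` - so it was a duplicate of sid 1000283.
#   Plain `alert` stays with 1000283; this rule now covers only the escaped
#   form. |5c| is the backslash.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则169"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"|5c|u0061|5c|u006c|5c|u0065|5c|u0072|5c|u0074"; nocase; classtype:xss-attack; priority:2; sid:1000311; rev:2;)
# NOTE(review): `windows` is probably a typo for the `window` object, but the
#   intent is not recoverable from the rule; pattern kept verbatim. On the raw
#   payload this pair fired on every Windows browser request whose headers
#   mentioned "script"; restricting it to the URI removes that noise.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则170"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"windows"; nocase; content:"script"; nocase; classtype:xss-attack; priority:2; sid:1000312; rev:2;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则171"; flow:to_server,established; http.method; content:"GET"; http.uri; content:"document.cookie"; nocase; classtype:xss-attack; priority:2; sid:1000313; rev:2;)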
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则154";flow:to_server,established; pcre:"/href\s*=\s*[\"']?\s*(j\s*a\s*v\s*a\s*&#(?:0*115|0*73;)\;?\s*c\s*r\s*i\s*p\s*t\s*;):/i";content:"POST";classtype:xss-attack;priority:2; sid:1000562;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则155";flow:to_server,established; content:"vbscript:MsgBox";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000563;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则156";flow:to_server,established; content:"vbscript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000564;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则157";flow:to_server,established; content:"String.fromCharCode";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000565;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则158";flow:to_server,established; content:"javascript&colon";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000566;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则159";flow:to_server,established; content:"javasc&NewLine";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000567;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则160";flow:to_server,established; content:"javas&Tab";content:"cript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000568;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则161";flow:to_server,established; content:"jav ascript";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000569;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则162";flow:to_server,established; content:"vbscript:MsgBox";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000570;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则163";flow:to_server,established; content:"vbscript:MsgBox";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000571;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则164";flow:to_server,established; content:"confirm";nocase;content:"POST";classtype:xss-attack;priority:2; sid:1000572;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则165";flow:to_server,established; content:"javascript:eval";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000573;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则166";flow:to_server,established; content:"|64 61 74 61 3a 74 65 78 74 2f 68 74 6d 6c 3b 62 61 73 65 36 34|";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000574;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则167";flow:to_server,established; content:"<img STYLE=";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000575;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则168";flow:to_server,established; content:"<A STYLE=";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000576;rev:1;)
# rev:2 — the third alternative previously ended in ";)": the stray ";" was part of the pattern (and an
# unescaped ";" is an option terminator for the Suricata rule parser), so the \u-escaped spelling could not
# match as intended. A bare "alert" also matches ordinary page text; scope this to http.uri /
# http.request_body if it proves noisy.
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则169";flow:to_server,established; pcre:"/(?:alert|\x61\x6c\x65\x72\x74|\\u0061\\u006c\\u0065\\u0072\\u0074)/i";content:"POST";classtype:xss-attack;priority:2; sid:1000577;rev:2;)
# Caveat: "windows" and "script" are matched anywhere in the request, with no ordering between them, so a
# User-Agent containing "Windows NT" plus any "script" substring in the body is enough to fire — expect
# this to be very noisy. If the DOM global was meant, "window." is the more specific token (intent unverified).
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则170";flow:to_server,established; content:"windows";content:"script";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000578;rev:1;)
alert http any any -> any any (msg:"检测到XSS攻击特征--命中规则171";flow:to_server,established; content:"document.cookie";content:"POST";nocase;classtype:xss-attack;priority:2; sid:1000579;rev:1;)
# --- SQL injection (GET / POST) -------------------------------------------------------------------
# Two properties of the rules in this block matter when tuning them:
#  1. "nocase" modifies only the immediately preceding content. In `content:"union";content:"GET";nocase;`
#     it applies to "GET", so the keyword itself is matched case-sensitively and `UNION SELECT` is missed.
#     Place `nocase` directly after the keyword content (and use http.method for the method test).
#  2. No buffer is specified, so each content is searched over the whole request, and `content:"GET"` /
#     `content:"POST"` is a substring test, not a method check. Tokens such as "select", "limit", "order",
#     "1=1" and "%23" therefore match ordinary parameters and URL-encoded fragments; scope them to
#     http.uri / http.request_body and pair the weak ones with a second indicator.
# The classtypes used in this file (sql-injection, xss-attack, sensitive-str, file-upload-attempt) must
# also be defined in classification.config, otherwise the engine complains at load time.
alert http any any -> any any (msg:"检测到SQL注入攻击特征1";flow:to_server,established; content:"union";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000314;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征2";flow:to_server,established; content:"select";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000315;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征3";flow:to_server,established; content:"group_concat";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000316;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征4";flow:to_server,established; content:"table_name";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000317;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征5";flow:to_server,established; content:"information_schema";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000318;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征6";flow:to_server,established; content:"information_schema.tables";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000319;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征7";flow:to_server,established; content:"table_schema";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000320;rev:1;)
# rev:2 — content was "database(;)": that literal never appears in a payload, and the unescaped ";" inside
# the quotes breaks option parsing. The intended token is the MySQL database() call.
alert http any any -> any any (msg:"检测到SQL注入攻击特征8";flow:to_server,established; content:"database()";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000321;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征9";flow:to_server,established; content:"union select";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000322;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征10";flow:to_server,established; content:"column_name";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000323;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征11";flow:to_server,established; content:"information_schema.columns";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000324;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征12";flow:to_server,established; content:"' and";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000325;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征13";flow:to_server,established; content:"' or";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000326;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征1";flow:to_server,established; content:"union";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000580;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征2";flow:to_server,established; content:"select";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000581;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征3";flow:to_server,established; content:"group_concat";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000582;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征4";flow:to_server,established; content:"table_name";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000583;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征5";flow:to_server,established; content:"information_schema";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000584;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征6";flow:to_server,established; content:"information_schema.tables";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000585;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征7";flow:to_server,established; content:"table_schema";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000586;rev:1;)
# rev:2 — content was "database(;)" (see the GET twin, sid:1000321); corrected to the database() call.
alert http any any -> any any (msg:"检测到SQL注入攻击特征8";flow:to_server,established; content:"database()";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000587;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征9";flow:to_server,established; content:"union select";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000588;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征10";flow:to_server,established; content:"column_name";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000589;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征11";flow:to_server,established; content:"information_schema.columns";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000590;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征12";flow:to_server,established; content:"' and";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000591;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征13";flow:to_server,established; content:"' or";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000592;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征15";flow:to_server,established; content:"\" and";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000328;rev:1;)
# rev:2 — content was `"' or` (double quote, single quote, " or"), which does not mirror sid:1000328's
# `" and` and is unlikely to occur in a payload; presumably a typo for the double-quoted form.
alert http any any -> any any (msg:"检测到SQL注入攻击特征16";flow:to_server,established; content:"\" or";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000329;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征17";flow:to_server,established; content:"uunionnion";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000330;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征18";flow:to_server,established; content:"ununionion";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000331;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征19";flow:to_server,established; content:"uniunionon";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000332;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征20";flow:to_server,established; content:"uniounionn";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000333;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征21";flow:to_server,established; content:"sselectelect";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000334;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征22";flow:to_server,established; content:"seselectlect";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000335;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征23";flow:to_server,established; content:"selselectect";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000336;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征24";flow:to_server,established; content:"seleselectct";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000337;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征25";flow:to_server,established; content:"selecselectt";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000338;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征15";flow:to_server,established; content:"\" and";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000593;rev:1;)
# rev:2 — content was `"' or`; aligned with sid:1000593 (`" and`), see the GET twin sid:1000329.
alert http any any -> any any (msg:"检测到SQL注入攻击特征16";flow:to_server,established; content:"\" or";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000594;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征17";flow:to_server,established; content:"uunionnion";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000595;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征18";flow:to_server,established; content:"ununionion";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000596;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征19";flow:to_server,established; content:"uniunionon";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000597;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征20";flow:to_server,established; content:"uniounionn";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000598;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征21";flow:to_server,established; content:"sselectelect";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000599;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征22";flow:to_server,established; content:"seselectlect";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000600;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征23";flow:to_server,established; content:"selselectect";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000601;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征24";flow:to_server,established; content:"seleselectct";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000602;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征25";flow:to_server,established; content:"selecselectt";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000603;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征28";flow:to_server,established; content:"substr";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000341;rev:1;)
# rev:2 — the regex ended in `\;)`: `\;` matches a literal ";" and the closing ")" then has no opener, so
# the pattern failed to compile and the rule never loaded. Note that sid:1000343 (bare "sleep") is a
# superset of this match.
alert http any any -> any any (msg:"检测到SQL注入攻击特征29";flow:to_server,established; pcre:"/sleep\s*\(\s*[\d.]+\s*\)/i";content:"GET";classtype:sql-injection;priority:1; sid:1000342;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征30";flow:to_server,established; content:"sleep";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000343;rev:1;)
# "selectascii" only matches the two keywords written with no separator between them; if "select ascii("
# was the intent, this rule will not see it (intent unverified).
alert http any any -> any any (msg:"检测到SQL注入攻击特征31";flow:to_server,established; content:"selectascii";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000344;rev:1;)
# rev:2 — "sustring" was a typo; the intended MySQL function is substring().
alert http any any -> any any (msg:"检测到SQL注入攻击特征32";flow:to_server,established; content:"substring";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000345;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征33";flow:to_server,established; content:"limit";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
# Disabled: sid:1000346 was reused by rules 33–38. Suricata keeps at most one signature per gid/sid pair
# and drops the others with a duplicate-signature warning, so only one of the six was ever active.
# 36–38 were byte-identical copies of 33 ("limit"); 34 ("order") and 35 ("order by") need a unique sid
# before they can be re-enabled (their POST twins are sid:1000610 / sid:1000611). Bare "order" and
# "limit" also match ordinary paging parameters (/orders, ?limit=10), so scope them to http.uri.
#alert http any any -> any any (msg:"检测到SQL注入攻击特征34";flow:to_server,established; content:"order";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征35";flow:to_server,established; content:"order by";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征36";flow:to_server,established; content:"limit";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征37";flow:to_server,established; content:"limit";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征38";flow:to_server,established; content:"limit";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000346;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征39";flow:to_server,established; content:"--+";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000347;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征40";flow:to_server,established; content:"-- ";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000348;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征41";flow:to_server,established; content:"%23";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000349;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征28";flow:to_server,established; content:"substr";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000604;rev:1;)
# rev:2 — same unmatched ")" as the GET twin sid:1000342; the regex did not compile and the rule never loaded.
alert http any any -> any any (msg:"检测到SQL注入攻击特征29";flow:to_server,established; pcre:"/sleep\s*\(\s*[\d.]+\s*\)/i";content:"POST";classtype:sql-injection;priority:1; sid:1000605;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征30";flow:to_server,established; content:"sleep";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000606;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征31";flow:to_server,established; content:"selectascii";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000607;rev:1;)
# rev:2 — "sustring" was a typo for substring() (see the GET twin sid:1000345).
alert http any any -> any any (msg:"检测到SQL注入攻击特征32";flow:to_server,established; content:"substring";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000608;rev:2;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征33";flow:to_server,established; content:"limit";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000609;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征34";flow:to_server,established; content:"order";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000610;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征35";flow:to_server,established; content:"order by";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000611;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征36";flow:to_server,established; content:"limit";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000612;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征37";flow:to_server,established; content:"limit";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000613;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征38";flow:to_server,established; content:"limit";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000614;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征39";flow:to_server,established; content:"--+";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000615;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征40";flow:to_server,established; content:"-- ";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000616;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征41";flow:to_server,established; content:"%23";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000617;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征43";flow:to_server,established; content:"updatexml";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000351;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征44";flow:to_server,established; content:"extractvalue";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000352;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征45";flow:to_server,established; content:"into outfile";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000353;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征46";flow:to_server,established; content:"load_file";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000354;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征47";flow:to_server,established; content:"into";content:"outfile";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000355;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征48";flow:to_server,established; content:"1=1";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000359;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征49";flow:to_server,established; content:"='1";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000360;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征50";flow:to_server,established; content:"=\"1";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000361;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征51";flow:to_server,established; content:"#%23";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000362;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征52";flow:to_server,established; content:"%27or%27";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000363;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征53";flow:to_server,established; content:"%27or";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000364;rev:1;)
# Disabled: identical to sid:1000364 ("%27or", GET); it only duplicated that alert. The sid stays reserved.
#alert http any any -> any any (msg:"检测到SQL注入攻击特征54";flow:to_server,established; content:"%27or";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000365;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征55";flow:to_server,established; content:"%27and";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000366;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征56";flow:to_server,established; content:"%27and%27";content:"GET";nocase;classtype:sql-injection;priority:1; sid:1000367;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征43";flow:to_server,established; content:"updatexml";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000618;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征44";flow:to_server,established; content:"extractvalue";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000619;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征45";flow:to_server,established; content:"into outfile";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000620;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征46";flow:to_server,established; content:"load_file";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000621;rev:1;)
# sid was "1000622r" — not a number — so the whole rule failed to parse and the POST form of
# "into ... outfile" was never loaded.
alert http any any -> any any (msg:"检测到SQL注入攻击特征47";flow:to_server,established; content:"into";content:"outfile";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000622;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征48";flow:to_server,established; content:"1=1";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000623;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征49";flow:to_server,established; content:"='1";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000624;rev:1;)
#alert http any any -> any any (msg:"检测到SQL注入攻击特征50";flow:to_server,established; content:"=\"1";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000625;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征51";flow:to_server,established; content:"#%23";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000626;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征52";flow:to_server,established; content:"%27or%27";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000627;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征53";flow:to_server,established; content:"%27or";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000628;rev:1;)
# Disabled: identical to sid:1000628 ("%27or", POST); it only duplicated that alert. The sid stays reserved.
#alert http any any -> any any (msg:"检测到SQL注入攻击特征54";flow:to_server,established; content:"%27or";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000629;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征55";flow:to_server,established; content:"%27and";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000670;rev:1;)
alert http any any -> any any (msg:"检测到SQL注入攻击特征56";flow:to_server,established; content:"%27and%27";content:"POST";nocase;classtype:sql-injection;priority:1; sid:1000671;rev:1;)
# --- Sensitive tokens (command-execution indicators) ------------------------------------------------
# These are bare substrings searched over the whole request and matched case-sensitively (the trailing
# "nocase" only modifies "GET"/"POST"). Several are fragments of common words and will fire on benign
# traffic: "dir" (redirect, directory), "exec" (execute), "eval" (retrieval), "system" (ecosystem),
# "curl"/"wget" (User-Agent headers). Priority 3 is appropriate — treat them as enrichment rather than
# standalone detections, and scope them to http.uri / http.request_body where possible.
alert http any any -> any any (msg:"检测到敏感字段eval";flow:to_server,established; content:"eval";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000672;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段system";flow:to_server,established; content:"system";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000673;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段exec";flow:to_server,established; content:"exec";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000674;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段shell_exec";flow:to_server,established; content:"shell_exec";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000675;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段popen";flow:to_server,established; content:"popen";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000676;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段proc_open";flow:to_server,established; content:"proc_open";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000677;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段pcntl_exec";flow:to_server,established; content:"pcntl_exec";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000678;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段phpinfo";flow:to_server,established; content:"phpinfo";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000679;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段assert";flow:to_server,established; content:"assert";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000680;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段os.system";flow:to_server,established; content:"os.system";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000681;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/sh";flow:to_server,established; content:"/bin/sh";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000682;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/bash";flow:to_server,established; content:"/bin/bash";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000683;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/dash";flow:to_server,established; content:"/bin/dash";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000684;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段whoami";flow:to_server,established; content:"whoami";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000685;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段ifconfig";flow:to_server,established; content:"ifconfig";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000686;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段ipconfig";flow:to_server,established; content:"ipconfig";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000687;rev:1;)
#alert http any any -> any any (msg:"检测到敏感字段ls";flow:to_server,established; content:"ls";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000688;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段dir";flow:to_server,established; content:"dir";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000689;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段wget";flow:to_server,established; content:"wget";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000690;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段curl";flow:to_server,established; content:"curl";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000691;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段cmd.exe";flow:to_server,established; content:"cmd.exe";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000692;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段powershell";flow:to_server,established; content:"powershell";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000693;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段systeminfo";flow:to_server,established; content:"systeminfo";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000694;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段net user";flow:to_server,established; content:"net user";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000695;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段useradd";flow:to_server,established; content:"useradd";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000696;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段rundll32";flow:to_server,established; content:"rundll32";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000697;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段rm -rf";flow:to_server,established; content:"rm -rf";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000698;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段mkdir";flow:to_server,established; content:"mkdir";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000699;rev:1;)
#alert http any any -> any any (msg:"检测到敏感字段ping";flow:to_server,established; content:"ping";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000700;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段nslookup";flow:to_server,established; content:"nslookup";content:"GET";nocase;classtype:sensitive-str;priority:3; sid:1000701;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段eval";flow:to_server,established; content:"eval";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000702;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段system";flow:to_server,established; content:"system";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000703;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段exec";flow:to_server,established; content:"exec";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000704;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段shell_exec";flow:to_server,established; content:"shell_exec";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000705;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段popen";flow:to_server,established; content:"popen";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000706;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段proc_open";flow:to_server,established; content:"proc_open";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000707;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段pcntl_exec";flow:to_server,established; content:"pcntl_exec";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000708;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段phpinfo";flow:to_server,established; content:"phpinfo";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000709;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段assert";flow:to_server,established; content:"assert";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000710;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段os.system";flow:to_server,established; content:"os.system";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000711;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/sh";flow:to_server,established; content:"/bin/sh";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000712;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/bash";flow:to_server,established; content:"/bin/bash";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000713;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段/bin/dash";flow:to_server,established; content:"/bin/dash";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000714;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段whoami";flow:to_server,established; content:"whoami";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000715;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段ifconfig";flow:to_server,established; content:"ifconfig";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000716;rev:1;)
alert http any any -> any any (msg:"检测到敏感字段ipconfig";flow:to_server,established; content:"ipconfig";content:"POST";nocase;classtype:sensitive-str;priority:3; sid:1000717;rev:1;)
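# --- Sensitive-keyword rules (sid 1000718-1000731, 1000766-1000769) ---
# Changes (rev 2):
#  * "content:"POST"" / "content:"GET"" had no buffer modifier, so the literal
#    string was searched anywhere in the request (headers, cookies, body) instead
#    of the method; it is now bound to http_method.
#  * "nocase" modifies only the content directly before it; in rev 1 it applied
#    to "POST" and left the actual keyword case-sensitive. It now follows the
#    keyword.
# Review notes (unchanged):
#  * The keyword is still a bare substring over the whole request: "dir" also
#    matches "redirect" and every hit of the mkdir rule (1000729), "rmi" matches
#    "permission", "curl" matches the User-Agent of any curl client, "systeminfo"
#    and "useradd" are common identifiers. Expect a high false-positive rate at
#    priority 3; bind the keyword to http_uri / http_client_body or use pcre
#    with word boundaries if the volume is a problem.
#  * 1000766-1000769 say "rmi://" / "ldap://" in msg but only match "rmi" /
#    "ldap"; the message claims more than the rule proves.
#  * classtype values used in this file (sensitive-str, file-upload-attempt,
#    C2_trojan-activity, java-deserialization, unauthorized-access, coin-mining,
#    tunnel-activity, ...) are not in the default classification.config; they
#    must be defined there or Suricata logs an unknown-classtype warning.
#  * 1000718 (ls) and 1000730 (ping) are kept disabled as in the original.
#alert http any any -> any any (msg:"检测到敏感字段ls";flow:to_server,established; content:"ls";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000718;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段dir";flow:to_server,established; content:"dir";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000719;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段wget";flow:to_server,established; content:"wget";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000720;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段curl";flow:to_server,established; content:"curl";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000721;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段cmd.exe";flow:to_server,established; content:"cmd.exe";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000722;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段powershell";flow:to_server,established; content:"powershell";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000723;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段systeminfo";flow:to_server,established; content:"systeminfo";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000724;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段net user";flow:to_server,established; content:"net user";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000725;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段useradd";flow:to_server,established; content:"useradd";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000726;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段rundll32";flow:to_server,established; content:"rundll32";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000727;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段rm -rf";flow:to_server,established; content:"rm -rf";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000728;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段mkdir";flow:to_server,established; content:"mkdir";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000729;rev:2;)
#alert http any any -> any any (msg:"检测到敏感字段ping";flow:to_server,established; content:"ping";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000730;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段nslookup";flow:to_server,established; content:"nslookup";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000731;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段rmi://";flow:to_server,established; content:"rmi";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000766;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段rmi://";flow:to_server,established; content:"rmi";nocase;content:"GET";http_method;classtype:sensitive-str;priority:3; sid:1000767;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段ldap://";flow:to_server,established; content:"ldap";nocase;content:"POST";http_method;classtype:sensitive-str;priority:3; sid:1000768;rev:2;)
alert http any any -> any any (msg:"检测到敏感字段ldap://";flow:to_server,established; content:"ldap";nocase;content:"GET";http_method;classtype:sensitive-str;priority:3; sid:1000769;rev:2;)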
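# --- Multipart upload rules (sid 1000770-1000792) ---
# Change (rev 2): 1000785 was a byte-for-byte duplicate of 1000784 (passthru)
# and is disabled below so one upload does not raise two identical alerts.
# Review notes (unchanged rules):
#  * Every content is a bare substring over the whole request and "nocase"
#    applies only to the last one, so "filename=", "form-data" and
#    "Content-Disposition" are matched case-sensitively. The extension or
#    function name is not tied to the filename= token: a multipart body that
#    merely contains "php", "exec" or "system" anywhere trips these rules.
#    A tighter form is a pcre on http_client_body such as
#    pcre:"/filename=[^\r\n]*\.(php[35]?|jsp|aspx?)\b/i" (constructed example;
#    verify it against a real upload before deploying).
#  * The rules cascade: "php" (1000775) is contained in ".php", ".php3", ".php5"
#    and "phpinfo"; "asp" (1000781) in "aspx"; "exec" (1000786) in "shell_exec"
#    and "java.lang.Runtime.exec"; "system" (1000787) in "systeminfo";
#    "htaccess" (1000778) in ".htaccess". One upload can raise five or more
#    alerts that all carry the same msg.
#  * "content:"POST"" has no http_method modifier, so it matches the literal
#    text anywhere in the request rather than the method.
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".php";nocase;classtype:file-upload-attempt;priority:2; sid:1000770;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".php3";nocase;classtype:file-upload-attempt;priority:2; sid:1000771;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".php5";nocase;classtype:file-upload-attempt;priority:2; sid:1000772;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".htaccess";nocase;classtype:file-upload-attempt;priority:2; sid:1000773;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".user.ini";nocase;classtype:file-upload-attempt;priority:2; sid:1000774;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"php";nocase;classtype:file-upload-attempt;priority:2; sid:1000775;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"php3";nocase;classtype:file-upload-attempt;priority:2; sid:1000776;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"php5";nocase;classtype:file-upload-attempt;priority:2; sid:1000777;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"htaccess";nocase;classtype:file-upload-attempt;priority:2; sid:1000778;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:".jsp";nocase;classtype:file-upload-attempt;priority:2; sid:1000779;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"jsp";nocase;classtype:file-upload-attempt;priority:2; sid:1000780;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"asp";nocase;classtype:file-upload-attempt;priority:2; sid:1000781;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"aspx";nocase;classtype:file-upload-attempt;priority:2; sid:1000782;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"::$DATA";nocase;classtype:file-upload-attempt;priority:2; sid:1000783;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"passthru";nocase;classtype:file-upload-attempt;priority:2; sid:1000784;rev:1;)
# 1000785 disabled: exact duplicate of 1000784.
#alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"passthru";nocase;classtype:file-upload-attempt;priority:2; sid:1000785;rev:2;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"exec";nocase;classtype:file-upload-attempt;priority:2; sid:1000786;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"system";nocase;classtype:file-upload-attempt;priority:2; sid:1000787;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"phpinfo";nocase;classtype:file-upload-attempt;priority:2; sid:1000788;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"eval";nocase;classtype:file-upload-attempt;priority:2; sid:1000789;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"shell_exec";nocase;classtype:file-upload-attempt;priority:2; sid:1000790;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"java.lang.Runtime.exec";nocase;classtype:file-upload-attempt;priority:2; sid:1000791;rev:1;)
alert http any any -> any any (msg:"检测到恶意文件上传";flow:to_server,established; content:"filename=";content:"POST";content:"form-data";content:"Content-Disposition";content:"java.lang.ProcessBuilder.start";nocase;classtype:file-upload-attempt;priority:2; sid:1000792;rev:1;)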
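# --- Cobalt Strike / Metasploit rules (sid 1000368-1000374, 1000850-1000857) ---
# Changes (rev bumped on every line that changed):
#  * 1000369/1000370 ended in "; ;" — an empty option in front of the closing
#    parenthesis; removed.
#  * 1000371/1000372 carried "rev:1;" twice; Suricata treats a duplicated rev
#    keyword as an invalid signature, so these two rules were not loading.
#  * 1000850/1000851 had neither content nor flow keyword, so they fired on
#    every packet to or from port 50050, including scans and stray RSTs. They
#    now require an established to-server flow and are limited to one alert per
#    source per minute. 50050 is only the default teamserver port: a quiet rule
#    proves nothing, and any benign service on that port still triggers it.
# Review notes (unchanged):
#  * 1000854/1000855 say "Client JA3" in msg but inspect ja3s.hash, which is the
#    Server Hello fingerprint; 1000856/1000857 inspect ja3.hash (Client Hello).
#    The msg should name the side the fingerprint belongs to.
#  * 1000368 matches any URI containing "/submit.php?id=" with no further
#    context; expect hits from unrelated web applications.
#  * JA3/JA3S hashes identify a TLS stack, not a tool — several Go- and
#    Java-based clients share fingerprints with the ones listed here, so these
#    should be treated as leads to be confirmed, not as proof of C2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到CobaltStrike 流量"; content:"/submit.php?id=";http_uri;nocase;classtype:C2_trojan-activity;priority:1; sid:1000368;rev:1;)
alert tls any any -> any any (msg:"检测到 Cobalt Strike Client JA3 特征 (4d5efa96609dc906f796e63cff009c2a;)";flow:established,to_server; ja3.hash;content:"4d5efa96609dc906f796e63cff009c2a";reference:url,github.com/salesforce/ja3;classtype:C2_trojan-activity;priority:1; sid:1000369;rev:2;metadata:created_at 2025_08_04, threat_type C2;)
alert tls any any -> any any (msg:"检测到 Cobalt Strike Client JA3特征 (db36bad574044a5104a59b0c676991ef;)";flow:established,to_server;ja3.hash;content:"db36bad574044a5104a59b0c676991ef";reference:url,github.com/salesforce/ja3;classtype:C2_trojan-activity;priority:1; sid:1000370;rev:2;metadata:created_at 2025_08_04, threat_type C2;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到 Cobalt Strike Client JA3 特征";ja3s.hash; pcre:"/b742b407517bac9536a77a7b0fee28e9|fd4bc6cea4877646ccd62f0792ec0b62/";classtype:C2_trojan-activity;priority:1; sid:1000854;rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到 Cobalt Strike Client JA3 特征";ja3s.hash; pcre:"/b742b407517bac9536a77a7b0fee28e9|fd4bc6cea4877646ccd62f0792ec0b62/";classtype:C2_trojan-activity;priority:1; sid:1000855;rev:1;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到 Cobalt Strike Client JA3 特征";ja3.hash; pcre:"/72a589da586844d7f0818ce684948eea|652358a663590cfc624787f06b82d9ae|4d93395b1c1b9ad28122fb4d09f28c5e|a0e9f5d64349fb13191bc781f81f42e1/";classtype:C2_trojan-activity;priority:1; sid:1000856;rev:1;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到 Cobalt Strike Client JA3 特征";ja3.hash; pcre:"/72a589da586844d7f0818ce684948eea|652358a663590cfc624787f06b82d9ae|4d93395b1c1b9ad28122fb4d09f28c5e|a0e9f5d64349fb13191bc781f81f42e1/";classtype:C2_trojan-activity;priority:1; sid:1000857;rev:1;)
alert tls any any -> any any (msg:"检测到 Cobalt Strike Server JA3S 特征 (15af977ce25de452b96affa2addb1036;)";flow:established,from_server;ja3s.hash;content:"15af977ce25de452b96affa2addb1036";reference:url,github.com/salesforce/ja3;classtype:C2_trojan-activity;priority:1; sid:1000371;rev:2;metadata:created_at 2025_08_04, threat_type C2;)
alert tls any any -> any any (msg:"检测到 Cobalt Strike Server JA3S 特征(2253c82f03b621c5144709b393fde2c9;)";flow:established,from_server;ja3s.hash;content:"2253c82f03b621c5144709b393fde2c9";reference:url,github.com/salesforce/ja3;classtype:C2_trojan-activity;priority:1; sid:1000372;rev:2;metadata:created_at 2025_08_04, threat_type C2;)
alert tcp any any -> any any (msg:"检测到MSF meterpreter流量";content:"MSF_LICENSE.license.Excellent";classtype:C2_trojan-activity;priority:1; sid:1000373;rev:1;)
# 1000374: hex form is "MSF_LICENSE" followed by a NUL byte and "l".
alert tcp any any -> any any (msg:"检测到MSF meterpreter流量";content:"|4D 53 46 5F 4C 49 43 45 4E 53 45 00 6C|";classtype:C2_trojan-activity;priority:1; sid:1000374;rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 50050 (msg:"检测到Cobalt Strike 50050默认端口通信流量";flow:to_server,established;threshold:type limit,track by_src,count 1,seconds 60;classtype:C2_trojan-activity;priority:1; sid:1000850;rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 50050 (msg:"检测到Cobalt Strike 50050默认端口通信流量";flow:to_server,established;threshold:type limit,track by_src,count 1,seconds 60;classtype:C2_trojan-activity;priority:1; sid:1000851;rev:2;)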
# --- Sliver HTTP / TLS rules, any-to-any (sid 1000875-1000882) ---
# Review notes:
#  * 1000877 sets flowbit "name" (with noalert) and 1000878 tests it. The bit
#    name is generic and will collide with any other rule set that uses the
#    same word; rename it (e.g. sliver.http.session) in both rules or neither.
#  * 1000878 anchors "^Set-Cookie...HttpOnly$" on http_header, which is the
#    whole normalized header block, so ^ and $ only hold when Set-Cookie is the
#    first header. Use the multiline flag ("/im" instead of "/i") or drop the
#    anchors. The rule is also declared bidirectional ("<>") while
#    flow:to_client already fixes the direction; "->" is sufficient.
#  * 1000875/1000876/1000880 have no http_method and no flow:established on the
#    method side; the pcre alone decides, so a benign site serving a file named
#    jquery.min.js?v=1 style URLs matches 1000876. Treat these as leads.
#  * 1000881 and 1000882 match only on a JA3 hash with any/any addresses.
#    1000881 is classtype:misc-activity with no priority while 1000882 is
#    C2_trojan-activity priority 1 for the same tool; align them. The hash
#    19e29534fd49dd27d09234e639c4057e is also used by 1000838-1000841 below, so
#    one TLS session raises several alerts.
#  * f4febc55ea12b31ae17cfb7e614afda8 is matched as ja3.hash in 1000882 and as
#    ja3s.hash in 1000842-1000845; a fingerprint belongs to one side only —
#    confirm which against the source of the indicator.
alert tcp any any -> any any (msg: "Sliver HTTP woff request"; flow:to_server,established;content:".woff";http_uri;pcre: "/\/(static|assets|fonts|locales)(.*?)((attribute_text_w01_regular|ZillaSlab-Regular\.subset\.bbc33fb47cf6|ZillaSlab-Bold\.subset\.e96c15f68c68|Inter-Regular|Inter-Medium)\.woff)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000875;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tcp any any -> any any (msg: "Sliver HTTP js request"; flow:to_server,established;content:"GET";http_method;nocase;content:".js";http_uri;pcre: "/\/(js|umd|assets|bundle|bundles|scripts|script|javascripts|javascript|jscript)(.*?)((bootstrap|bootstrap.min|jquery.min|jquery|route|app|app.min|array|backbone|script|email)\.js)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000876;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tcp any any -> any any (msg: "Sliver HTTP html request&getsessionID"; flow:to_server,established;content:"POST";http_method;nocase;content:".html";http_uri;pcre: "/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.html)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000877;flowbits:set,name;flowbits:noalert;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tcp any any <> any any (msg: "Sliver HTTP html response&set-cookie";flow:to_client,established;content:"Set-Cookie";http_header;pcre:"/^Set-Cookie\:\s*(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)\=[a-z0-9]{32}\;\s*HttpOnly$/i";sid:1000878;flowbits:isset,name;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tcp any any -> any any (msg: "Sliver HTTP php request"; flow:to_server,established;content:"POST";http_method;nocase;content:".php";http_uri;pcre: "/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.php)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000879;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tcp any any -> any any (msg: "Sliver HTTP png request"; flow:to_server,established;content:".png";http_uri;pcre: "/\/(static|www|assets|images|icons|image|icon|png)(.*?)((favicon|sample|example)\.png)\?[a-z_]{1,2}=[a-z0-9_]{1,10}/i";sid:1000880;classtype:C2_trojan-activity;priority:1; rev:1;)
alert tls any any -> any any (msg:"sliver https debian"; ja3.hash; content:"19e29534fd49dd27d09234e639c4057e"; classtype:misc-activity; sid:1000881; rev:1;)
alert tls any any -> any any (msg:"sliver https"; ja3.hash; content:"f4febc55ea12b31ae17cfb7e614afda8";classtype:C2_trojan-activity;priority:1; sid:1000882;rev:1;)
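# --- Sliver JA3 / JA3S rules, directional (sid 1000838-1000845) ---
# Changes (rev 2):
#  * Every rule carried "rev:1;" twice; Suricata treats a duplicated rev keyword
#    as an invalid signature, so none of the eight rules loaded.
#  * 1000844/1000845 had no destination port ("$HOME_NET (" instead of
#    "$HOME_NET any (") — a parse error.
#  * ja3.hash is computed from the Client Hello (to-server direction) and
#    ja3s.hash from the Server Hello (to-client). 1000840/1000841 combined
#    ja3.hash with flow:to_client and 1000842/1000843 combined ja3s.hash with
#    flow:to_server; Suricata reports such rules as mixing conflicting
#    directions and, even if they loaded, they could never match. The flow
#    direction now follows the buffer: $EXTERNAL_NET->$HOME_NET with ja3.hash is
#    an external client talking to an internal server (to_server);
#    $HOME_NET->$EXTERNAL_NET with ja3s.hash is an internal server answering an
#    external client (to_client).
#  * 1000839, 1000841, 1000843 and 1000845 were byte-for-byte duplicates of the
#    rule above each of them; they are kept in corrected form but disabled so a
#    session raises one alert. 1000881/1000882 above already match both hashes
#    on any/any, so overlap with those remains.
#  * f4febc55ea12b31ae17cfb7e614afda8 is matched as ja3.hash by 1000882 and as
#    ja3s.hash here; only one of the two can be right for a given indicator.
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Sliver JA3 特征";flow:to_server,established;ja3.hash; content:"19e29534fd49dd27d09234e639c4057e";nocase;classtype:C2_trojan-activity;priority:1; sid:1000838; rev:2;)
# 1000839 disabled: duplicate of 1000838.
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Sliver JA3 特征";flow:to_server,established;ja3.hash; content:"19e29534fd49dd27d09234e639c4057e";nocase;classtype:C2_trojan-activity;priority:1; sid:1000839; rev:2;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Sliver JA3 特征";flow:to_server,established;ja3.hash; content:"19e29534fd49dd27d09234e639c4057e";nocase;classtype:C2_trojan-activity;priority:1; sid:1000840; rev:2;)
# 1000841 disabled: duplicate of 1000840.
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Sliver JA3 特征";flow:to_server,established;ja3.hash; content:"19e29534fd49dd27d09234e639c4057e";nocase;classtype:C2_trojan-activity;priority:1; sid:1000841; rev:2;)
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Sliver JA3s 特征";flow:to_client,established;ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8";nocase;classtype:C2_trojan-activity;priority:1; sid:1000842; rev:2;)
# 1000843 disabled: duplicate of 1000842.
#alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"Sliver JA3s 特征";flow:to_client,established;ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8";nocase;classtype:C2_trojan-activity;priority:1; sid:1000843; rev:2;)
alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Sliver JA3s 特征";flow:to_client,established;ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8";nocase;classtype:C2_trojan-activity;priority:1; sid:1000844; rev:2;)
# 1000845 disabled: duplicate of 1000844.
#alert tls $EXTERNAL_NET any -> $HOME_NET any (msg:"Sliver JA3s 特征";flow:to_client,established;ja3s.hash; content:"f4febc55ea12b31ae17cfb7e614afda8";nocase;classtype:C2_trojan-activity;priority:1; sid:1000845; rev:2;)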
# --- Apache Shiro rules (sid 1000732-1000741) ---
# Review notes:
#  * 1000732-1000734 match fixed tool strings anywhere in outbound HTTP.
#    "$$$" is a three-byte token that also occurs in benign content, and
#    1000734 ("$$$") is a superset of 1000733 ("=$$$"), so each hit raises two
#    priority-1 alerts. The tool markers are also trivial to change between
#    tool versions — treat them as low-confidence.
#  * 1000735/1000736/1000741 look for percent-encoded bytes ("%25%32%66",
#    "/%3b") in http_uri, which is the *normalized* URI buffer; libhtp decodes
#    percent-encoding there, so the literal encoded form is unlikely to be
#    present and the rules may never fire. http_raw_uri keeps the bytes as sent.
#    NOTE(review): verify against a captured request before changing.
#  * 1000737 ("..;") is a superset of 1000738-1000740 ("/..;/", "/..;",
#    "..;/"); one request raises up to four alerts with the same msg. Keeping
#    the most specific pattern is enough.
#  * 1000741 attributes "/%3b" to CVE-2020-11989 while 1000735/1000736 use the
#    same CVE for the double-encoded slash; check the mapping against the
#    advisory so analysts are not sent to the wrong fix.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到CVE-2016-4437 Shiro反序列化利用工具Pyke-shiro 0.3流量"; content:"BrY3jhHrh6";nocase;classtype:java-deserialization;priority:1; sid:1000732;rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到CVE-2016-4437 Shiro反序列化利用工具shiro_attack-4.7.0流量"; content:"=$$$";nocase;classtype:java-deserialization;priority:1; sid:1000733;rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到CVE-2016-4437 Shiro反序列化利用工具shiro_attack-4.7.0流量"; content:"$$$";nocase;classtype:java-deserialization;priority:1; sid:1000734;rev:1;)
alert http any any -> any any (msg:"检测到CVE-2020-11989 Shiro权限绕过流量特征"; content:"%25%32%66";http_uri;classtype:unauthorized-access;priority:1; sid:1000735;rev:1;)
alert http any any -> any any (msg:"检测到CVE-2020-11989 Shiro权限绕过流量特征"; content:"/%25%32%66";http_uri;classtype:unauthorized-access;priority:1; sid:1000736;rev:1;)
alert http any any -> any any (msg:"检测到Shiro-认证绕过漏洞CVE-2020-1957流量特征"; content:"..;";http_uri;classtype:unauthorized-access;priority:1; sid:1000737;rev:1;)
alert http any any -> any any (msg:"检测到Shiro-认证绕过漏洞CVE-2020-1957流量特征"; content:"/..;/";http_uri;classtype:unauthorized-access;priority:1; sid:1000738;rev:1;)
alert http any any -> any any (msg:"检测到Shiro-认证绕过漏洞CVE-2020-1957流量特征"; content:"/..;";http_uri;classtype:unauthorized-access;priority:1; sid:1000739;rev:1;)
alert http any any -> any any (msg:"检测到Shiro-认证绕过漏洞CVE-2020-1957流量特征"; content:"..;/";http_uri;classtype:unauthorized-access;priority:1; sid:1000740;rev:1;)
alert http any any -> any any (msg:"检测到Shiro身份验证绕过漏洞CVE-2020-11989流量特征"; content:"/%3b";http_uri;classtype:unauthorized-access;priority:1; sid:1000741;rev:1;)
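# --- Fastjson / XStream deserialization rules (sid 1000742-1000765) ---
# Changes (rev 2):
#  * 1000749: the content value contained unescaped double quotes and bare
#    backslashes. Inside content, ";", "\" and the double quote must be escaped
#    with a backslash, so the rule did not load. It also spelled the class as
#    "com.sun.rowst.JdbcRowSeImpl" (two characters dropped). Rewritten as three
#    escaped contents for "@type", "com.sun.rowset.JdbcRowSetImpl" and
#    "dataSourceName" in their \uXXXX form, each with nocase so upper-case hex
#    digits (\u004A) are covered too.
#  * 1000750: "contnet:" typo -> "content:" (unknown keyword; rule did not load).
# Review notes (unchanged rules):
#  * 1000742 fires on the bare string "@type" in any to-server HTTP request at
#    priority 1. "@type" is common in JSON-LD / schema.org documents and other
#    polymorphic JSON, so this rule will dominate the alert volume; pair it with
#    a gadget class name as the other rules do, or lower its priority.
#  * 1000743-1000745 match a single JDK class name with no other context.
#  * 1000746 is a superset of 1000747/1000748 (same JdbcRowSetImpl string) and
#    1000757 / 1000761 are identical apart from sid: one request raises several
#    alerts with the same msg.
#  * 1000764 lists "java.lang.Exception" twice; without distance/within the
#    second content matches the same occurrence and adds nothing.
#  * "nocase" applies only to the content directly before it; the other class
#    names in each rule stay case-sensitive.
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"@type";classtype:java-deserialization;priority:1; sid:1000742;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"java.lang.AutoCloseable";classtype:java-deserialization;priority:1; sid:1000743;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"java.net.InetAddress";classtype:java-deserialization;priority:1; sid:1000744;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"java.net.URL";classtype:java-deserialization;priority:1; sid:1000745;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.sun.rowset.JdbcRowSetImpl";classtype:java-deserialization;priority:1; sid:1000746;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.sun.rowset.JdbcRowSetImpl";content:"ldap://";nocase;classtype:java-deserialization;priority:1; sid:1000747;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.sun.rowset.JdbcRowSetImpl";content:"@type";content:"dataSourceName";content:"ldap";nocase;classtype:java-deserialization;priority:1; sid:1000748;rev:1;)
# 1000749: unicode-escaped form of "@type", "com.sun.rowset.JdbcRowSetImpl", "dataSourceName".
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"\\u0040\\u0074\\u0079\\u0070\\u0065";nocase;content:"\\u0063\\u006f\\u006d\\u002e\\u0073\\u0075\\u006e\\u002e\\u0072\\u006f\\u0077\\u0073\\u0065\\u0074\\u002e\\u004a\\u0064\\u0062\\u0063\\u0052\\u006f\\u0077\\u0053\\u0065\\u0074\\u0049\\u006d\\u0070\\u006c";nocase;content:"\\u0064\\u0061\\u0074\\u0061\\u0053\\u006f\\u0075\\u0072\\u0063\\u0065\\u004e\\u0061\\u006d\\u0065";nocase;classtype:java-deserialization;priority:1; sid:1000749;rev:2;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"Lcom.sun.rowset.JdbcRowSetImpl";content:"dataSourceName";content:"ldap";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000750;rev:2;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"LLcom.sun.rowset.JdbcRowSetImpl";content:"dataSourceName";content:"ldap";nocase;classtype:java-deserialization;priority:1; sid:1000751;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"autoCommit";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000752;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"org.apache.ibatis.datasource.jndi.JndiDataSourceFactory";content:"@type";content:"data_source";nocase;classtype:java-deserialization;priority:1; sid:1000753;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"org.apache.xbean.propertyeditor.JndiConverter";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000754;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"org.apache.ignite.cache.jta.jndi.CacheJndiTmLookup";content:"@type";content:"jndiNames";nocase;classtype:java-deserialization;priority:1; sid:1000755;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"br.com.anteros.dbcp.AnterosDBCPConfig";content:"@type";content:"metricRegistry";nocase;classtype:java-deserialization;priority:1; sid:1000756;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000757;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"java.util.Properties";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000758;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"org.apache.shiro.realm.jndi.JndiRealmFactory";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000759;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.caucho.config.types.ResourceRef";content:"@type";content:"lookupName";nocase;classtype:java-deserialization;priority:1; sid:1000760;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000761;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig";content:"@type";nocase;classtype:java-deserialization;priority:1; sid:1000762;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"metricRegistry";content:"@type";content:"rmi";nocase;classtype:java-deserialization;priority:1; sid:1000763;rev:1;)
alert http any any -> any any (msg:"检测到Fastjson反序列化流量特征";flow:to_server,established; content:"java.lang.Exception";content:"@type";content:"java.lang.Exception";nocase;classtype:java-deserialization;priority:1; sid:1000764;rev:1;)
alert http any any -> any any (msg:"检测到Xstream RCE流量特征";flow:to_server,established; content:"dataSource";content:"rmi";content:"javax.sql.rowset.BaseRowSet";content:"com.sun.rowset.JdbcRowSetImpl";content:"fPullParserConfig";content:"parameter-types";content:"javax.naming.ldap.Rdn_-RdnEntry";nocase;classtype:java-deserialization;priority:1; sid:1000765;rev:1;)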
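# --- Mining-pool DNS rules (sid 1000793-1000833) ---
# Changes (rev 2): 1000806 duplicated 1000793 (stratum.antpool.com) and 1000818
# duplicated 1000805 (stratum.batpool.com); both are disabled below.
# Review notes (unchanged rules):
#  * "alert udp $HOME_NET any -> $EXTERNAL_NET 53" only sees queries that leave
#    HOME_NET directly. Hosts that use an internal resolver never match, and
#    DNS over TCP is not covered. "alert dns $HOME_NET any -> any any" with the
#    same dns_query content covers both cases.
#  * dns_query content is a case-sensitive substring: "stratum.btcc.com"
#    (1000797) is also contained in "jp-stratum.btcc.com" (1000798), and
#    mixed-case queries (0x20 randomisation, or a client sending upper case) are
#    missed. Adding "nocase" and "endswith" makes the content the tail of the
#    queried name instead of an arbitrary substring.
#  * Pool hostnames rotate; this list needs a review date and a source so it
#    can be refreshed.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.antpool.com";dns_query; content:"stratum.antpool.com";classtype:coin-mining;priority:4; sid:1000793;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名cn.ss.btc.com";dns_query; content:"cn.ss.btc.com";classtype:coin-mining;priority:4; sid:1000794;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名sz.ss.btc.com";dns_query; content:"sz.ss.btc.com";classtype:coin-mining;priority:4; sid:1000795;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.btcchina.com";dns_query; content:"stratum.btcchina.com";classtype:coin-mining;priority:4; sid:1000796;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.btcc.com";dns_query; content:"stratum.btcc.com";classtype:coin-mining;priority:4; sid:1000797;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名jp-stratum.btcc.com";dns_query; content:"jp-stratum.btcc.com";classtype:coin-mining;priority:4; sid:1000798;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.f2pool.com";dns_query; content:"stratum.f2pool.com";classtype:coin-mining;priority:4; sid:1000799;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum-us.f2pool.com";dns_query; content:"stratum-us.f2pool.com";classtype:coin-mining;priority:4; sid:1000800;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.btc.top";dns_query; content:"stratum.btc.top";classtype:coin-mining;priority:4; sid:1000801;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名bak.btc.top";dns_query; content:"bak.btc.top";classtype:coin-mining;priority:4; sid:1000802;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名btc.viabtc.com";dns_query; content:"btc.viabtc.com";classtype:coin-mining;priority:4; sid:1000803;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.bw.com";dns_query; content:"stratum.bw.com";classtype:coin-mining;priority:4; sid:1000804;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.batpool.com";dns_query; content:"stratum.batpool.com";classtype:coin-mining;priority:4; sid:1000805;rev:1;)
# 1000806 disabled: duplicate of 1000793.
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.antpool.com";dns_query; content:"stratum.antpool.com";classtype:coin-mining;priority:4; sid:1000806;rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名bch.viabtc.com";dns_query; content:"bch.viabtc.com";classtype:coin-mining;priority:4; sid:1000807;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名utbcer.bw.com";dns_query; content:"utbcer.bw.com";classtype:coin-mining;priority:4; sid:1000808;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名bch.vvpool.com";dns_query; content:"bch.vvpool.com";classtype:coin-mining;priority:4; sid:1000809;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名btg.vvpool.com";dns_query; content:"btg.vvpool.com";classtype:coin-mining;priority:4; sid:1000810;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名sbtc.vvpool.com";dns_query; content:"sbtc.vvpool.com";classtype:coin-mining;priority:4; sid:1000811;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名ubtc.vvpool.com";dns_query; content:"ubtc.vvpool.com";classtype:coin-mining;priority:4; sid:1000812;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum-ltc.antpool.com";dns_query; content:"stratum-ltc.antpool.com";classtype:coin-mining;priority:4; sid:1000813;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名ltc.viabtc.com";dns_query; content:"ltc.viabtc.com";classtype:coin-mining;priority:4; sid:1000814;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名eth.f2pool.com";dns_query; content:"eth.f2pool.com";classtype:coin-mining;priority:4; sid:1000815;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum_ltc.bw.com";dns_query; content:"stratum_ltc.bw.com";classtype:coin-mining;priority:4; sid:1000816;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名pool2.ltc1btc.com";dns_query; content:"pool2.ltc1btc.com";classtype:coin-mining;priority:4; sid:1000817;rev:1;)
# 1000818 disabled: duplicate of 1000805.
#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum.batpool.com";dns_query; content:"stratum.batpool.com";classtype:coin-mining;priority:4; sid:1000818;rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名huabei-pool.ethfans.org";dns_query; content:"huabei-pool.ethfans.org";classtype:coin-mining;priority:4; sid:1000819;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名guangdong-pool.ethfans.org";dns_query; content:"guangdong-pool.ethfans.org";classtype:coin-mining;priority:4; sid:1000820;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名ether.bw.com";dns_query; content:"ether.bw.com";classtype:coin-mining;priority:4; sid:1000821;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum-etc.antpool.com";dns_query; content:"stratum-etc.antpool.com";classtype:coin-mining;priority:4; sid:1000822;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名bwetc.bw.com";dns_query; content:"bwetc.bw.com";classtype:coin-mining;priority:4; sid:1000823;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名etc.f2pool.com";dns_query; content:"etc.f2pool.com";classtype:coin-mining;priority:4; sid:1000824;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名etc1.91pool.com";dns_query; content:"etc1.91pool.com";classtype:coin-mining;priority:4; sid:1000825;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名etc2.91pool.com";dns_query; content:"etc2.91pool.com";classtype:coin-mining;priority:4; sid:1000826;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum-dash.antpool.com";dns_query; content:"stratum-dash.antpool.com";classtype:coin-mining;priority:4; sid:1000827;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名dash.viabtc.com";dns_query; content:"dash.viabtc.com";classtype:coin-mining;priority:4; sid:1000828;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名stratum-zec.antpool.com";dns_query; content:"stratum-zec.antpool.com";classtype:coin-mining;priority:4; sid:1000829;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名zec.viabtc.com"; dns_query; content:"zec.viabtc.com";classtype:coin-mining;priority:4; sid:1000830;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名zcash.pool.ethfans.org";dns_query; content:"zcash.pool.ethfans.org";classtype:coin-mining;priority:4; sid:1000831;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名zec.f2pool.com";dns_query; content:"zec.f2pool.com";classtype:coin-mining;priority:4; sid:1000832;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNS请求矿池域名cn1-zcash.flypool.org";dns_query; content:"cn1-zcash.flypool.org";classtype:coin-mining;priority:4; sid:1000833;rev:1;)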
# --- Out-of-band DNS-logging service lookups (sid 1000834-1000837) ---
# Review notes:
#  * classtype "dns-exfiltrationsid" looks like "dns-exfiltration" fused with
#    the following "sid" keyword. Unless that exact name is defined in
#    classification.config, Suricata logs an unknown-classtype warning for each
#    of these rules; the explicit priority:3 still applies.
#  * As with the mining-pool rules, queries that go through an internal
#    resolver never cross HOME_NET -> EXTERNAL_NET:53 and are not seen here;
#    "alert dns" with dns_query covers that path and DNS over TCP.
#  * A lookup of these domains from an internal host is a strong signal that
#    something on that host is being probed for out-of-band callbacks (often a
#    vulnerability scanner or a payload in a web request); correlate with the
#    preceding HTTP alerts for the same host.
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNSlog解析请求域名ceye.io";dns_query; content:"ceye.io";classtype:dns-exfiltrationsid;priority:3; sid:1000834;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNSlog解析请求域名dnslog.cn";dns_query; content:"dnslog.cn";classtype:dns-exfiltrationsid;priority:3; sid:1000835;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNSlog解析请求域名eyes.sh";dns_query; content:"eyes.sh";classtype:dns-exfiltrationsid;priority:3; sid:1000836;rev:1;)
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"检测到DNSlog解析请求域名dig.pm";dns_query; content:"dig.pm";classtype:dns-exfiltrationsid;priority:3; sid:1000837;rev:1;)
# --- FRP tunnel rules (sid 1000846-1000849, 1000852-1000853) ---
# Decoded hex contents, for maintainers:
#   1000846/1000847: |76 65 72 73 69 6F 6E 22 3A| = version":
#                    |72 75 6E 5F 69 64|          = run_id
#                    |65 72 5F 75 64 70 5F 70 6F 72 74| = er_udp_port
#                    (presumably the tail of a "*server_udp_port"-style key;
#                    the leading characters are not matched)
#   1000848/1000849: |76 65 72| = ver, |73 69 6F 6E 22 3A 22| = sion":",
#                    hostname, "os, user, timestamp
# Review notes:
#  * None of these rules has flow:established, so they also run on
#    unreassembled / mid-stream packets; the contents are plain JSON keys with
#    no ordering (no distance/within), so any JSON document carrying these
#    keys in either direction matches.
#  * 1000852/1000853 ("{"run_id":"") and 1000846/1000847 (which include
#    run_id) fire together on the same login message, giving two priority-2
#    alerts per direction.
#  * The split of "version":"" into |76 65 72| + |73 69 6F 6E 22 3A 22| in
#    1000848/1000849 adds nothing over the single content and is easy to
#    misread; one content would be clearer.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到FRP隧道流量特征";content:"|76 65 72 73 69 6F 6E 22 3A|";content:"|72 75 6E 5F 69 64|";content:"|65 72 5F 75 64 70 5F 70 6F 72 74|";classtype:tunnel-activity;priority:2; sid:1000846;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到FRP隧道流量特征";content:"|76 65 72 73 69 6F 6E 22 3A|";content:"|72 75 6E 5F 69 64|";content:"|65 72 5F 75 64 70 5F 70 6F 72 74|";classtype:tunnel-activity;priority:2; sid:1000847;rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到FRP隧道流量特征"; content:"{\"run_id\":\""; nocase; classtype:tunnel-activity;priority:2; sid:1000852; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到FRP隧道流量特征"; content:"{\"run_id\":\""; nocase; classtype:tunnel-activity;priority:2; sid:1000853; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到FRP隧道流量特征";content:"|76 65 72|";content:"|73 69 6F 6E 22 3A 22|";content:"|68 6F 73 74 6E 61 6D 65|";content:"|22 6F 73|";content:"|75 73 65 72|";content:"|74 69 6D 65 73 74 61 6D 70|";classtype:tunnel-activity;priority:2; sid:1000848;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到FRP隧道流量特征";content:"|76 65 72|";content:"|73 69 6F 6E 22 3A 22|";content:"|68 6F 73 74 6E 61 6D 65|";content:"|22 6F 73|";content:"|75 73 65 72|";content:"|74 69 6D 65 73 74 61 6D 70|";classtype:tunnel-activity;priority:2; sid:1000849;rev:1;)
# --- Redis and Telnet rules (sid 1000859-1000862, 1000864) ---
# Decoded hex contents, for maintainers:
#   1000859: config / get / dir  (three independent contents, no ordering)
#   1000860: *1\r\n$8\r\nflusha            (RESP: 1-arg command, "flushall")
#   1000861: \r\nconfig  and  \r\n$3\r\nset\r\n$3\r\nd   (CONFIG SET d...)
#   1000862: *3\r\n$7\r\nslaveo            (RESP: 3-arg command, "slaveof")
# Review notes:
#  * Hex contents are case-sensitive. Redis commands are not, and many clients
#    send them upper-case ("CONFIG GET dir"), which none of these rules match;
#    add nocase to each content.
#  * 1000859 has no distance/within, so "config", "get" and "dir" may appear
#    anywhere and in any order in the segment; 1000860-1000862 pin the RESP
#    framing and are the more reliable of the set. 1000860 only matches the
#    one-argument form ("*1"), so a two-argument variant would be missed.
#  * None of the Redis rules has flow:to_server,established; mid-stream or
#    unsolicited packets to 6379 also match.
#  * 1000864 has no content, no flow keyword, no classtype and no priority, so
#    it fires on every packet to port 23 — including port scans — and cannot be
#    ranked against the other alerts. At minimum add
#    "flow:to_server,established;" and a threshold (e.g.
#    "threshold:type limit,track by_src,count 1,seconds 60;"), a classtype and
#    a priority. Cleartext Telnet into HOME_NET is itself worth a ticket.
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"检测到Redis流量,执行config get dir 可能为Redis未授权访问流量";content:"|63 6F 6E 66 69 67|";content:"|67 65 74|";content:"|64 69 72|";classtype:unauthorized-access;priority:1;sid:1000859;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"检测到Redis流量,执行Redis危险命令flushall 可能为Redis未授权访问流量";content:"|2A 31 0D 0A 24 38 0D 0A 66 6C 75 73 68 61|";classtype:unauthorized-access;priority:1;sid:1000860;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"检测到Redis流量,执行Redis危险命令config set dir可能为Redis未授权访问流量";content:"|0D 0A 63 6F 6E 66 69 67|";content:"|0D 0A 24 33 0D 0A 73 65 74 0D 0A 24 33 0D 0A 64|";classtype:unauthorized-access;priority:1;sid:1000861;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6379 (msg:"检测到Redis流量,执行Redis危险命令slaveof XX.XX.XX.XX PORT可能为Redis未授权访问主从复制利用流量";content:"|2A 33 0D 0A 24 37 0D 0A 73 6C 61 76 65 6F|";classtype:unauthorized-access;priority:1;sid:1000862;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"检测到Telnet连接"; sid:1000864;rev:1;)
# --- NPS / HTTP tunnel / Venom rules (sid 1000866-1000873) ---
# Decoded hex contents, for maintainers:
#   1000866/1000867: ConnType, ":"tcp",, "Host":", rypt", press":, "RemoteA
#                    (fragments of a JSON config; the partial keys rypt"/press"
#                    are presumably the tails of "*crypt" / "*press" fields)
#   1000872/1000873: ABCDEFGHVCMD
# Review notes:
#  * 1000868 ("tunnel" + "POST", both bare substrings anywhere in the request)
#    is a superset of 1000869-1000871, so one request raises four priority-2
#    alerts with the same msg. "Cookie: PHPSESSID=" and "Accept-Encoding: gzip,
#    deflate" are present in a large share of ordinary browser traffic and add
#    no selectivity. Bind "POST" to http_method and "tunnel" to http_uri (or a
#    body pattern) and keep a single rule.
#  * Neither the NPS nor the Venom rules use flow:established, so unordered,
#    mid-stream segments also match; the Venom marker is a fixed 12-byte string
#    and is the more specific of the two.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到NPS工具_TCP隧道流量";content:"|43 6F 6E 6E 54 79 70 65|";content:"|22 3A 22 74 63 70 22 2C|";content:"|22 48 6F 73 74 22 3A 22|";content:"|72 79 70 74 22|";content:"|70 72 65 73 73 22 3A|";content:"|22 52 65 6D 6F 74 65 41|";classtype:tunnel-activity;priority:2; sid:1000866;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到NPS工具_TCP隧道流量";content:"|43 6F 6E 6E 54 79 70 65|";content:"|22 3A 22 74 63 70 22 2C|";content:"|22 48 6F 73 74 22 3A 22|";content:"|72 79 70 74 22|";content:"|70 72 65 73 73 22 3A|";content:"|22 52 65 6D 6F 74 65 41|";classtype:tunnel-activity;priority:2; sid:1000867;rev:1;)
alert http any any -> any any (msg:"检测到HTTP隧道流量-工具Neorge";content:"tunnel";content:"POST";classtype:tunnel-activity;priority:2; sid:1000868;rev:1;)
alert http any any -> any any (msg:"检测到HTTP隧道流量-工具Neorge";content:"tunnel";content:"Cookie: PHPSESSID=";content:"POST";classtype:tunnel-activity;priority:2; sid:1000869;rev:1;)
alert http any any -> any any (msg:"检测到HTTP隧道流量-工具Neorge";content:"tunnel";content:"POST";content:"Accept-Encoding: gzip, deflate";classtype:tunnel-activity;priority:2; sid:1000870;rev:1;)
alert http any any -> any any (msg:"检测到HTTP隧道流量-工具Neorge";content:"tunnel";content:"POST";content:"Cookie:";classtype:tunnel-activity;priority:2; sid:1000871;rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到隧道流量-工具Venom";content:"|41 42 43 44 45 46 47 48 56 43 4D 44|";classtype:tunnel-activity;priority:2; sid:1000872;rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到隧道流量-工具Venom";content:"|41 42 43 44 45 46 47 48 56 43 4D 44|";classtype:tunnel-activity;priority:2; sid:1000873;rev:1;)
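# --- Oracle WebLogic, port 7001 (sids 1000884-1000898) ---
# The console path is deliberately matched as raw payload rather than via http_uri: the normalized URI buffer decodes
# percent-encoding once, which would turn %252e into %2e and break the match. classtype values unauthorized-access and
# java-deserialization are custom and must exist in classification.config.
# CVE-2020-14882: the three enabled rules are nested (each adds one more content); all fire on the same request.
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2020-14882 Weblogic未授权访问RCE特征";content:"/console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession";content:"cmd:";classtype:unauthorized-access;priority:1; sid:1000884;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2020-14882 Weblogic未授权访问RCE特征";content:"/console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession";classtype:unauthorized-access;priority:1; sid:1000885;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2020-14882 Weblogic未授权访问RCE特征";content:"/console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession";content:"cmd:";content:"ADMINCONSOLESESSION";classtype:unauthorized-access;priority:1; sid:1000886;rev:1;)
# Disabled: this rule reused sid 1000886 (the engine treats a second signature with the same sid/gid as a duplicate and
# drops one of them at load time) and it is strictly narrower than the rule above, so it added no coverage. Re-enable
# with a fresh, unused sid if a separate alert for the "currentThread.interrupt" payload is wanted.
#alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2020-14882 Weblogic未授权访问RCE特征";content:"/console/css/%252e%252e%252fconsolejndi.portal?test_handle=com.tangosol.coherence.mvel2.sh.ShellSession";content:"cmd:";content:"ADMINCONSOLESESSION";content:"currentThread.interrupt";classtype:unauthorized-access;priority:1; sid:1000886;rev:1;)
# CVE-2017-10271: wls-wsat SOAP endpoint; the later rules add the Envelope and <string> markers of the XMLDecoder payload.
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2017-10271 Weblogic反序列化RCE特征";content:"wls-wsat";content:"CoordinatorPortType";classtype:java-deserialization;priority:1; sid:1000887;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2017-10271 Weblogic反序列化RCE特征";content:"/wls-wsat/CoordinatorPortType";content:"<soapenv:Envelope xmlns:soapenv";classtype:java-deserialization;priority:1; sid:1000888;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2017-10271 Weblogic反序列化RCE特征";content:"/wls-wsat/CoordinatorPortType";content:"<soapenv:Envelope xmlns:soapenv";content:"<string>";classtype:java-deserialization;priority:1; sid:1000889;rev:1;)
# CVE-2018-2894: ws_utc test-client paths. Note that /ws_utc/config.do alone is also hit by legitimate admin use.
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/config.do";classtype:unauthorized-access;priority:1; sid:1000890;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/css/config/keystore";classtype:unauthorized-access;priority:1; sid:1000891;rev:1;)
# Disabled: byte-for-byte copy of sid 1000891 (only the sid differed), which produced a second alert on every hit.
#alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/css/config/keystore";classtype:unauthorized-access;priority:1; sid:1000892;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/resources/setting/keystore";classtype:unauthorized-access;priority:1; sid:1000893;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/resources/setting/keystore";content:"timestamp";classtype:unauthorized-access;priority:1; sid:1000894;rev:1;)
# Disabled: byte-for-byte copy of sid 1000893 (only the sid differed).
#alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2018-2894 Weblogic任意文件上传RCE特征";content:"/ws_utc/resources/setting/keystore";classtype:unauthorized-access;priority:1; sid:1000895;rev:1;)
# CVE-2019-2890: async response service; the second rule additionally requires the ProcessBuilder class name in the payload.
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2019-2890 Weblogic反序列化RCE特征";content:"/_async/AsyncResponseService";classtype:java-deserialization;priority:1; sid:1000896;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"CVE-2019-2890 Weblogic反序列化RCE特征";content:"/_async/AsyncResponseService";content:"java.lang.ProcessBuilder";classtype:java-deserialization;priority:1; sid:1000897;rev:1;)
# CVE-2023-21839 (T3/IIOP, plain tcp). Hex = "IDL:omg.or", "Sendin", "weblogic/c".
alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"检测到CVE-2023-21839 流量特征";content:"|49 44 4C 3A 6F 6D 67 2E 6F 72|";content:"|53 65 6E 64 69 6E|";content:"|77 65 62 6C 6F 67 69 63 2F 63|";classtype:java-deserialization;priority:1; sid:1000898;rev:1;)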
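# --- Log4j, Flink and Apache httpd (sids 1000899-1000912) ---
# classtype values rce-attempt and CVE-exploit are custom and must exist in classification.config.
# Log4Shell request side: all three contents must co-occur, so this only catches the Solr /admin/cores ReverseShell PoC.
# jndi:rmi / jndi:dns and the usual ${lower:…}/${::-…} obfuscations are not covered by this rule.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2021-44228 Apache Log4j流量特征";content:"jndi:ldap:";content:"/solr/admin/cores";content:"/Basic/ReverseShell/";classtype:rce-attempt;priority:1; sid:1000899;rev:1;)
# Log4Shell response side (Solr error body). The SolrException content was listed twice; with no distance/within
# the second copy was redundant and has been dropped.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"检测到CVE-2021-44228 Apache Log4j流量特征";content:"responseHeader";content:"QTime";content:"org.apache.solr.common.SolrException";classtype:rce-attempt;priority:1; sid:1000900;rev:2;)
# CVE-2020-17519 Flink: double-encoded "../"; 1000901 fires on any request containing it, the other two add the jobmanager path.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2020-17519 Apache Flink 路径穿越漏洞利用";content:"..%252f";classtype:CVE-exploit;priority:1;sid:1000901;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2020-17519 Apache Flink 路径穿越漏洞利用";content:"..%252f";content:"jobmanager";classtype:CVE-exploit;priority:1;sid:1000902;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2020-17519 Apache Flink 路径穿越漏洞利用";content:"..%252f";content:"/jobmanager/logs/";classtype:CVE-exploit;priority:1;sid:1000903;rev:1;)
# CVE-2021-41773: percent-encoded dot-dot segment, raw payload match (http_uri would normalize it away).
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2021-41773 Apache 路径遍历文件泄露漏洞利用";content:"/%2e%2e/";classtype:CVE-exploit;priority:1;sid:1000904;rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2021-41773 Apache 路径遍历文件泄露漏洞利用";content:"/%2e%2e/";content:"/icons/";classtype:CVE-exploit;priority:1;sid:1000905;rev:1;)
# CVE-2017-15715: ".php%0a" in the URL-encoded form, and ".php\n\r\n-----" (hex) inside a multipart upload.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2017-15715 Apache 换行符解析漏洞";content:".php%0a";classtype:CVE-exploit;priority:1;sid:1000906;rev:1;)
# This rule previously also carried sid 1000906, so the engine would have dropped it as a duplicate at load time.
# 1000907 is the unused value between its neighbours in this block (chosen here, not taken from upstream); confirm
# that no other rule in the file uses it before loading.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2017-15715 Apache 换行符解析漏洞";content:".php";content:"form-data";content:"|2E 70 68 70 0A 0D 0A 2D 2D 2D 2D 2D|";classtype:CVE-exploit;priority:1;sid:1000907;rev:1;)
# Multi-suffix parsing: ".php." in the normalized URI buffer.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到 Apache 多后缀名解析漏洞";content:".php.";http_uri;classtype:CVE-exploit;priority:1;sid:1000908;rev:1;)
# NOTE(review): msg names CVE-2017-15715, but the pattern (".php." in a multipart POST) looks like the multi-suffix /
# trailing-dot case of sid 1000908 rather than the newline bug; confirm the label before relying on it for triage.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2017-15715 Apache 换行符解析漏洞";content:"POST";content:".php.";content:"form-data";classtype:CVE-exploit;priority:1;sid:1000909;rev:1;)
# CVE-2021-40438 mod_proxy SSRF: long "A" padding followed by the unix: socket prefix.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2021-40438 Apache SSRF漏洞利用";content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";content:"/?unix:AAAAAAAAAAAAAAAAAAAAAAAAA";classtype:CVE-exploit;priority:1;sid:1000910;rev:1;)
# CVE-2021-42013: double-encoded dot segment ("%%32%65" decodes to "%2e").
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到CVE-2021-42013 Apache 路径穿越漏洞利用";content:"/.%%32%65/";classtype:CVE-exploit;priority:1;sid:1000911;rev:1;)
# SSI injection: multipart upload of a .shtml file containing an exec directive.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"检测到Apache SSI 远程命令执行漏洞";content:"form-data";content:"filename=";content:".shtml";content:"<!--#exec";classtype:CVE-exploit;priority:1;sid:1000912;rev:1;)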