# _ _ _ ___ ___ ___
# __ _ _ __ _ ____| |_ | \| |_ _| \/ __|
# / _` | '_/ _` / _| ' \| .` || || |) \__ \
# \__,_|_| \__,_\__|_||_|_|\_|___|___/|___/
#=====[ arachNIDS event signatures export for PAKEMON ]====
#
# These signatures have been generated dynamically and exported
# from arachNIDS (Advanced Reference Archive of Current Heuristics
# for Network Intrusion Detection Systems). This file can be used
# as a configuration file with the PAKEMON IDS to detect attacks or
# suspicious activity on your network.
#
# NOTE: Due to limitations in the PAKEMON signature language, not
# all arachNIDS entries could be used to create signatures.
#
# Please see http://whitehats.com/ids/ for signature details/credit.
#
# vision@whitehats.com
#
######### Export date: Fri Oct 6 01:08:34 PDT 2000
# manual changes: I commented out some rules that didn't translate well
#
# Reading the rules (inferred from the entries in this file, confirm against
# the PAKEMON documentation):
#   <IDSnnn/name> <protocol> <port> <port> "<pattern>"
# - The two port columns look like source then destination: most rules use
#   "* <service port>", while IDS139-IDS142 use "113 25" and IDS215 uses "80 *".
# - A port may be written as a range ("634:1400") or open-ended ("32770:").
# - Inside the pattern, text between | characters is hex bytes; everything
#   else is literal ASCII.
# - Each rule carries only protocol, ports and one payload pattern. Anything
#   else the arachNIDS entry specified has no counterpart here, so short
#   patterns will also match unrelated traffic.
# - Rules are listed in string-sorted ID order (IDS1, IDS10, IDS11, IDS119, ...).

IDS1/ADMw0rm-ftp-retrieval tcp * 21 "USER w0rm|0D0A|"
IDS10/portmap-request-rstatd udp * 111 "|01 86 A0 00 00|"
IDS11/finger-cybercop-redirection tcp * 79 "|40 6C 6F 63 61 6C 68 6F 73 74 0A|"
IDS119/SMTP-exploit555 tcp * 25 "mail from|3a20227c|"
IDS12/portmap-request-ypserv udp * 111 "|01 86 A4 00 00|"
IDS120/SMTP-exploit41 tcp * 25 "rcpt to|3a 20 7c 20 73 65 64 20 27 31 2C 2F 5E 24 2F 64 27 7c|"
IDS121/SMTP-exploit564 tcp * 25 "rcpt to|3a| decode"
IDS122/SMTP-exploit565 tcp * 25 "MAIL FROM|3a207c|/usr/ucb/tail"
IDS123/SMTP-exploit8610 tcp * 25 "Croot|0d0a|Mprog, P=/bin/"
IDS124/SMTP-exploit8610ha tcp * 25 "Croot|09090909090909|Mprog, P=/bin"
IDS125/portmap-request-ypupdated udp * 111 "|01 86 BC 00 00|"
# Three-byte literal on the web port; any request containing "phf" matches.
IDS128/web-cgi-phf tcp * 80 "phf"
IDS13/portmap-request-mountd udp * 111 "|01 86 A5 00 00|"
IDS130/finger-.@host tcp * 79 "|2E 0A 20 20 20 20|"
IDS131/finger-0@host tcp * 79 "|30 0A 20 20 20 20|"
IDS132/finger-cybercop-query tcp * 79 "|0A 20 20 20 20 20|"
IDS133/portmap-request-rusers udp * 111 "|01 86 A2 00 00|"
IDS134/ftp-tar-parameters tcp * 21 "RETR --use-compress-program"
IDS136/rpc-rusers-query udp * 32770: "|00 00 00 00 00 00 00 02 00 01 86 A2|"
# Two-byte patterns on the TFTP port (IDS137, IDS148) are very broad.
IDS137/TFTP-parent_directory udp * 69 ".."
IDS138/TFTP-root_directory udp * 69 "|00 01|/"
# IDS139-IDS142 are the only rules here that pin the first port column (113).
IDS139/SMTP-exploit869a tcp 113 25 "|0a|C|3a|daemon|0a|R"
IDS14/portmap-request-yppasswd udp * 111 "|01 86 A9 00 00|"
IDS140/SMTP-exploit869b tcp 113 25 "|0a|D/"
IDS141/SMTP-exploit869c tcp 113 25 "|0a|Croot|0d0a|Mprog"
IDS142/SMTP-exploit869d tcp 113 25 "|0a|Croot|0a|Mprog"
IDS143/SMTP-MajordomoIFS tcp * 25 "${IFS}"
# NOTE(review): IDS145, IDS149 and IDS150 share one pattern, and IDS149 and
# IDS150 are identical in every column. The name suffixes (sfp, pa12, sfu12)
# presumably stood for TCP flag combinations that this format does not carry,
# so an alert from any of the three cannot tell the probes apart.
IDS145/cybercop-os-probe-sfp tcp * 80 "AAAAAAAAAAAAAAAA"
IDS147/imap-x86-linux-buffer-overflow tcp * 143 "|e8 c0ff ffff|/bin/sh"
IDS148/TFTP_write udp * 69 "|00 02|"
IDS149/cybercop-os-probe-pa12 tcp * * "AAAAAAAAAAAAAAAA"
IDS15/portmap-request-status udp * 111 "|01 86 B8 00 00|"
IDS150/cybercop-os-probe-sfu12 tcp * * "AAAAAAAAAAAAAAAA"
# ICMP rules leave both port columns as "*"; each pattern is the payload that
# the named ping implementation sends.
IDS151/Ping_BeOS_4.x icmp * * "|00000000000000000000000008090a0b|"
IDS152/Ping_BSDtype icmp * * "|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"
IDS153/Ping_Cisco_IOS_9.x icmp * * "|abcdabcdabcdabcdabcdabcdabcdabcd|"
IDS154/ping-CyberKit_2.2_Windows icmp * * "|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"
IDS155/Ping_Delphi-Piette_Windows icmp * * "|50696e67696e672066726f6d2044656c|"
IDS156/Ping_Flowpoint_2200_DSL_Router icmp * * "|0102030405060708090a0b0c0d0e0f10|"
IDS157/Ping_IPNetMonitor_Macintosh icmp * * "|a9205375737461696e61626c6520536f|"
IDS158/Ping_ISS_Pinger icmp * * "ISSPNGRQ"
IDS159/Ping_Microsoft_Windows icmp * * "|6162636465666768696a6b6c6d6e6f70|"
IDS16/portmap-request-bootparam udp * 111 "|01 86 BA 00 00|"
IDS161/Ping_NetworkToolbox3_Windows icmp * * "|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|"
IDS163/Ping_OpenBSD-Linux icmp * * "|101112131415161718191a1b1c1d1e1f|"
IDS164/Ping_Ping-O-Meter_Windows icmp * * "|4f4d657465724f6265736541726d6164|"
IDS165/Ping_Pinger_Windows icmp * * "|44617461000000000000000000000000|"
IDS166/Ping_Seer_Windows icmp * * "|88042020202020202020202020202020|"
IDS167/Ping_TJPingPro_1.1_Build_2_Windows icmp * * "|544a50696e6750726f206279204a696d|"
# arachNIDS export for PAKEMON, IDS168-IDS194 (string-sorted ID order).
# Columns as used throughout this file: name, protocol, two port columns,
# quoted payload pattern with |..| marking hex bytes.

IDS168/Ping_Whatsup_Gold_Windows icmp * * "|57686174735570202d2041204e657477|"
# IDS169 encodes the same 16 bytes (ASCII "abcdefghijklmnop") as
# IDS159/Ping_Microsoft_Windows, so one echo payload satisfies both patterns.
IDS169/ping_Win2000 icmp * * "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"
IDS17/portmap-request-cmsd udp * 111 "|01 86 E4 00 00|"
IDS171/ping_zeros icmp * * "|00000000000000000000000000000000|"
IDS172/SMTP-exploit558 tcp * 25 "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|"
IDS177/netbios-name-query udp * 137 "CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA|00 00|"
IDS178/Ping_CyberCop55 icmp * * "|00 00 20 20 20 20 20 20 20 20 20|"
IDS18/portmap-request-admind udp * 111 "|01 86 F7 00 00|"
IDS180/web-netscape-overflow-unixware tcp * 457 "|eb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d|"
# Port-independent rule ("* *"): a run of 24 0x90 bytes in any TCP payload.
# NOTE(review): a run of one repeated byte can also occur in ordinary binary
# transfers, so this will need tuning on busy links.
IDS181/shellcode-x86-nops tcp * * "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"
# DDoS-tool control traffic (trin00, stacheldraht): fixed keywords on the
# tool's default ports or inside ICMP payloads.
IDS185/trin00-daemon-to-master udp * 31335 "*HELLO*"
IDS186/trin00-master-to-daemon-png udp * 27444 "png l44"
IDS19/portmap-request-amountd udp * 111 "|01 87 03 00 00|"
IDS190/stacheldraht_client-check icmp * * "skillz"
IDS192/stacheldraht_client-spoofworks icmp * * "spoofworks"
IDS194/stacheldraht_client-check-gag icmp * * "gesundheit!"
# arachNIDS export for PAKEMON, IDS196-IDS239 (string-sorted ID order).
# Columns as used throughout this file: name, protocol, two port columns,
# quoted payload pattern with |..| marking hex bytes.
#
# NOTE(review): many web rules below are a bare file or script name
# ("finger", "handler", "guestbook", "formmail", "anyform") on port 80. With
# only a payload pattern to go on, they match any request that mentions the
# word, so treat hits as leads to triage rather than confirmed attacks.

IDS196/trin00-attacker-to-master tcp * 27665 "betaalmostdone"
IDS197/trin00-master-to-daemon udp * 27444 "l44adsl"
IDS2/mworm-ftp-retrieval tcp * 21 "USER mw|0D0A|"
IDS20/portmap-request-sadmind udp * 111 "|01 87 88 00 00|"
IDS200/web-IIS_encoding tcp * 80 "|25 31 75|"
IDS204/NT_NULL_session tcp * 139 "|00 00 00 00 57 00 69 00 6E 00 64 00 6F 00 77 00 73 00 20 00 4E 00 54 00 20 00 31 00 33 00 38 00 31|"
IDS205/web-phorum-admin tcp * 80 "admin.php3"
IDS206/web-phorum-auth tcp * 80 "PHP_AUTH_USER=boogieman"
IDS207/web-phorum-code tcp * 80 "code.php3"
IDS208/web-phorum-read tcp * 80 "read.php3"
IDS209/web-phorum-violation tcp * 80 "violation.php3"
IDS21/portmap-request-nisd udp * 111 "|01 87 cc 00 00|"
IDS210/web-cgi-w3-msql tcp * 80 "w3-msql"
IDS211/web-cgi-w3-msql-solx86 tcp * 80 "/bin/shA-cA/usr/openwin"
# 0xFC is 252, the DNS AXFR query type. NOTE(review): as a lone byte with no
# position attached, it can appear anywhere in a TCP/53 payload, so expect
# matches on traffic that is not a zone transfer.
IDS212/dns-zone-transfer tcp * 53 "|FC|"
# Matches "passwd" anywhere on the FTP control port, whatever the command.
IDS213/ftp-passwd-retrieval tcp * 21 "passwd"
# Port columns are "80 *" here: the first column is pinned, not the second,
# which fits content coming back from a web server to a client.
IDS215/client-netscape47-overflow-retrieved tcp 80 * "|33 C9 B1 10 3F E9 06 51 3C FA 47 33 C0 50 F7 D0 50|"
# Second port column given as a range (634:1400).
IDS217/rpc-amd-overflow tcp * 634:1400 "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"
IDS218/web-cgi-test-cgi tcp * 80 "test-cgi"
IDS219/web-cgi-perl-exe tcp * 80 "perl.exe"
IDS22/portmap-request-pcnfsd udp * 111 "|02 49 f1 00 00|"
IDS220/web-cgi-snork tcp * 80 "snork.bat"
IDS221/web-cgi-finger tcp * 80 "finger"
# "test-cgi" (IDS218) is a substring of "nph-test-cgi", so a request for
# nph-test-cgi contains both patterns.
IDS224/web-cgi-nph-test-cgi tcp * 80 "nph-test-cgi"
IDS225/web-cgi-anyform tcp * 80 "anyform"
IDS226/web-cgi-formmail tcp * 80 "formmail"
IDS227/web-cgi-scriptalias tcp * 80 "///"
IDS228/web-cgi-guestbook tcp * 80 "guestbook"
IDS229/insecure-timbuktu-password tcp * 1417 "|05 00 3E|"
IDS23/portmap-request-rexd udp * 111 "|01 86 B1 00 00|"
IDS230/web-cgi-space-wildcard tcp * 80 "|2A 20|"
IDS231/web-cgi-win-c-sample tcp * 80 "win-c-sample.exe"
IDS232/web-cgi-php-slash tcp * 80 "php.cgi?/"
IDS234/web-cgi-wrap tcp * 80 "wrap?/"
IDS235/web-cgi-handler tcp * 80 "handler"
IDS237/web-webhits tcp * 80 ".htw"
# Two-byte ASCII pattern on the pcAnywhere UDP port.
IDS239/pcanywhere-start udp * 5632 "ST"
# arachNIDS export for PAKEMON, IDS24-IDS282 (string-sorted ID order).
# Columns as used throughout this file: name, protocol, two port columns,
# quoted payload pattern with |..| marking hex bytes.

IDS24/portmap-request-ttdbserv udp * 111 "|01 86 F3 00 00|"
IDS241/rpc.ttdbserv-solaris-kill tcp * 32771:34000 "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"
IDS242/rpc.ttdbserv-solaris-overflow tcp * 32771:34000 "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"
# Single byte 0x7C ("|") anywhere in a port-80 payload.
IDS243/web-cgi-pipe tcp * 80 "|7C|"
IDS244/web-compaq-insight-dot-dot tcp * 2301 "../"
IDS245/smtp-cmail-buffer-overflow tcp * 25 "VRFY AAAAAAAAAAA"
IDS248/web-frontpage-pws-fourdots tcp * 80 "..../"
IDS25/portmap-request-selection_svc udp * 111 "|01 86 AF 00 00|"
IDS250/web-coldfusion-openfile tcp * 80 "openfile.cfm"
# Single "@" on the finger port.
IDS251/finger-redirection tcp * 79 "@"
IDS255/ddos-shaft-handler-to-agent udp * 18753 "alive tijgu"
# NOTE(review): IDS257, IDS259, IDS266 and IDS274 are named for DoS or
# overflow conditions, but the pattern is only the command keyword ("CEL",
# "POST", "HELP ", "AUTHINFO USER"). Nothing visible here expresses argument
# length, so routine use of those commands will match; IDS259 in particular
# matches any HTTP POST to port 80.
IDS257/dos-aix-ftpd tcp * 21 "CEL"
IDS258/web-cgi-get32.exe tcp * 80 "get32.exe"
IDS259/web-http-alibaba-overflow tcp * 80 "POST"
# Open-ended port range: "32771:" has no upper bound written.
IDS26/nfs-showmount tcp * 32771: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"
IDS260/dos-annex-terminal tcp * 80 "ping?query"
# Hex decodes to ASCII "NAMENAME", sent to UDP port 9.
IDS262/dos-ascend-reboot udp * 9 "|4e414d454e414d45|"
IDS263/backdoor-cdk tcp * 79 "ypi0ca"
IDS264/dos-ath0 icmp * * "+++ath0"
IDS265/web-cgi-cgitest tcp * 80 "cgitest.exe|0d0a|user"
IDS266/smtp-chameleon-overflow tcp * 25 "HELP "
# Same port and pattern as IDS414/delegate-proxy-overflow-psh.
IDS267/delegate-proxy-overflow tcp * 8080 "whois|3a|//"
IDS268/web-coldfusion-application.cfm tcp * 80 "application.cfm"
IDS269/web-coldfusion-onrequestend.cfm tcp * 80 "onrequestend.cfm"
IDS270/web-netscape-dir-index-wp tcp * 80 "?wp-"
IDS271/web-iis-dvwssr tcp * 80 "dvwssr.dll"
IDS272/web-piranha-passwd.php3 tcp * 80 "passwd.php3"
IDS273/sniffit-overflow-linux tcp * 25 "from|3A 90 90 90 90 90 90 90 90 90 90 90|"
IDS274/nntp-overflow-cassandra tcp * 119 "AUTHINFO USER"
IDS275/http-cisco-crash tcp * 80 "|20 2F 25 25|"
IDS277/named-probe-iquery udp * 53 "|0980 0000 0001 0000 0000|"
# Length-prefixed DNS labels: |07|version|04|bind is the query name
# version.bind.
IDS278/named-probe-version udp * 53 "|07|version|04|bind"
IDS281/PING_Sniffer_Pro_NAI_Windows_NT icmp * * "|43696e636f30313233343536373839|"
# Port-independent rule ("* *"): applies to every TCP payload.
IDS282/shellcode-sparc-setuid0 tcp * * "|82102017 91d02008|"
# arachNIDS export for PAKEMON, IDS283-IDS352 (string-sorted ID order).
# Columns as used throughout this file: name, protocol, two port columns,
# quoted payload pattern with |..| marking hex bytes.

# NOTE(review): IDS283 and IDS284 are four-byte patterns checked on every TCP
# port ("* *"); short byte sequences like these can turn up by chance in
# compressed or binary transfers.
IDS283/shellcode-x86-setuid0 tcp * * "|b017 cd80|"
IDS284/shellcode-x86-setgid0 tcp * * "|b0b5 cd80|"
IDS285/ftp-wuftp260-siteexec-probe tcp * 21 "SITE EXEC %p"
# Hex decodes to the ASCII format-string run "f%.f%.f%.f%.f%.".
IDS286/ftp-wuftp260-siteexec tcp * 21 "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"
IDS287/ftp-wuftp260-venglin-linux tcp * 21 "|31c031db 31c9b046 cd80 31c031db|"
IDS288/ftp-wuftp260-venglin-bsd tcp * 21 "|31c0 50 50 50 b07e cd80 31db 31c0|"
IDS290/http-cgi-infosearch-fname tcp * 80 "fname=|7c|"
IDS291/shellcode-x86-stealth-nop tcp * * "|eb 02 eb 02 eb 02|"
IDS292/http-frontpage-shtml.dll tcp * 80 "_vti_bin/shtml.dll"
# Port columns are "80 *": the first column is pinned, as in IDS215.
IDS294/trojan-netscape-java-serversocket tcp 80 * "java/net/ServerSocket|00|"
# Disabled in the source. Its pattern is a single space byte, and the file
# header records that rules which did not translate well were commented out.
#IDS296/http-whisker-splicing-attack-space tcp * 80 "|20|"
IDS297/http-directory-traversal1 tcp * 80 "../"
# NOTE(review): other rules write a single backslash as "\\" (e.g. "\\C$"),
# so this is probably ".." followed by one backslash; confirm how PAKEMON
# handles escapes.
IDS298/http-directory-traversal2 tcp * 80 "..\\"
IDS300/PCCS-Mysql_Database_Admin_Tool tcp * 80 "pccsmysqladm/incs/dbconnect.inc"
IDS301/nessus-404-check tcp * 80 "GET /nessus_is_probing_you_"
IDS302/printer-hp-display-hack tcp * 9001 "@PJL RDYMSG DISPLAY = "
IDS303/ident-version-probe tcp * 113 "VERSION|0A|"
# Disabled in the source, like IDS296.
#IDS304/SGI_telnetd_format_bug tcp * 23 "_RLD"
IDS305/web-IIS_Translate_F tcp * 80 "Translate|3a| F"
# Both port columns pinned (5881 and 5882).
IDS306/trojan-Y3K-Rat-1.3 udp 5881 5882 "Y3K"
IDS307/ping-webtrends-scanner icmp * * "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"
# Hex decodes to "\nhelp\nquit\n".
IDS308/Webtrends_Scanner_UDP_Probe udp * * "|0A 68 65 6C 70 0A 71 75 69 74 0A|"
IDS309/scanner-webtrends-HTTP_Probe tcp * 80 "User-Agent|3a| Webtrends Security Analyzer|0d0a|"
IDS31/SMTP-expn-root tcp * 25 "expn root"
# NOTE(review): this is a generic Java runtime User-Agent string, so any
# client on that Java version would match, not only the named scanner.
IDS310/scanner-L3retriever-HTTP_Probe tcp * 80 "User-Agent|3a| Java1.2.1|0d0a|"
IDS311/scanner-L3retriever-ping icmp * * "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"
# One-byte pattern; the two pinned ports carry all of the selectivity.
IDS314/trojan-probe-hack-a-tack udp 31790 31789 "A"
# NOTE(review): the FTP and SMTP command patterns below are lower case, while
# IDS285 and IDS332 are upper case. Whether PAKEMON matches case-sensitively
# is not visible in this file; if it does, a command sent in the other case
# will not match.
IDS317/ftp-site-exec tcp * 21 "site exec"
IDS318/ftp-cwd~root tcp * 21 "cwd ~root"
IDS319/ftp-forward tcp * 21 ".forward"
IDS32/SMTP-expn-decode tcp * 25 "expn decode"
IDS320/ftp-linux-nullpass tcp * 21 "pass null|0d|"
IDS321/ftp-linux-nulluser tcp * 21 "user null|0d|"
IDS322/ftp-nopassword tcp * 21 "pass |0d|"
IDS323/ftp-pass-h0tb0x tcp * 21 "pass h0tb0x"
IDS324/ftp-pass-wh00t tcp * 21 "pass wh00t"
IDS325/ftp-shosts tcp * 21 ".shosts"
IDS326/ftp-user-root tcp * 21 "user root"
IDS327/ftp-user-warez tcp * 21 "user warez"
IDS328/ftp-rhosts tcp * 21 ".rhosts"
# Scanner fingerprints: the FTP password each named tool sends on its check.
IDS329/SCAN-SATAN-FTPcheck tcp * 21 "pass -satan"
IDS330/SCAN-SAINT-FTPcheck tcp * 21 "pass -saint"
IDS331/SCAN-ISS-FTPcheck tcp * 21 "pass -iss@iss"
IDS332/SCAN-ADM-FTPcheck tcp * 21 "PASS ddd@|0a|"
IDS333/SNMP-NT-UserList udp * 161 "|2b 06 10 40 14 d1 02 19|"
# SMB share access on port 139. IDS334 spells the share name as 16-bit
# characters (each letter followed by |00|); IDS335-IDS340 use 8-bit strings.
IDS334/NETBIOS-SMB-IPC$access tcp * 139 "|5c00|I|00|P|00|C|00|$|000000|IPC|00|"
IDS335/NETBIOS-SMB-IPC$access-alternate tcp * 139 "\\IPC$|00 41 3a 00|"
IDS336/NETBIOS-SMB-D$access tcp * 139 "\\D$|00 41 3a 00|"
IDS337/NETBIOS-SMB-CD... tcp * 139 "\\...|00 00 00|"
IDS338/NETBIOS-SMB-CD.. tcp * 139 "\\..|2f 00 00 00|"
IDS339/NETBIOS-SMB-C$access tcp * 139 "\\C$|00 41 3a 00|"
IDS340/NETBIOS-SMB-ADMIN$access tcp * 139 "\\ADMIN$|00 41 3a 00|"
IDS341/NETBIOS-Samba-clientaccess tcp * 139 "|00|Unix|00|Samba"
# Generic overflow rules, evaluated on every port ("* *"). The OVERFLOW-NOOP
# patterns are one four-byte unit repeated four times; the tcp twins of
# IDS344-IDS352 are IDS353-IDS361.
IDS342/OVERFLOW-LinuxCommonTCP tcp * * "|90 90 90 e8 c0 ff ff ff|/bin/sh"
IDS343/OVERFLOW-LinuxCommonUDP udp * * "|90 90 90 e8 c0 ff ff ff|/bin/sh"
IDS344/OVERFLOW-NOOP-Solaris-udp udp * * "|801c 4011 801c 4011 801c 4011 801c 4011|"
IDS345/OVERFLOW-NOOP-Sparc-udp udp * * "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"
IDS346/OVERFLOW-NOOP-Sparc-udp2 udp * * "|a61c c013 a61c c013 a61c c013 a61c c013|"
IDS347/OVERFLOW-NOOP-SGI-udp udp * * "|240f 1234 240f 1234 240f 1234 240f 1234|"
IDS348/OVERFLOW-NOOP-SGI-udp2 udp * * "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|"
IDS349/OVERFLOW-NOOP-HP-udp udp * * "|0821 0280 0821 0280 0821 0280 0821 0280|"
IDS350/OVERFLOW-NOOP-HP-udp2 udp * * "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|"
IDS351/OVERFLOW-NOOP-AIX-udp udp * * "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"
IDS352/OVERFLOW-NOOP-Digital-udp udp * * "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"
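# arachNIDS export for PAKEMON, IDS353-IDS389 (string-sorted ID order).
# Columns as used throughout this file: name, protocol, two port columns,
# quoted payload pattern with |..| marking hex bytes.

# TCP twins of the OVERFLOW-NOOP udp rules (IDS344-IDS352): one four-byte
# unit repeated four times, evaluated on every port ("* *").
IDS353/OVERFLOW-NOOP-Solaris-tcp tcp * * "|801c 4011 801c 4011 801c 4011 801c 4011|"
IDS354/OVERFLOW-NOOP-Sparc-tcp tcp * * "|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"
IDS355/OVERFLOW-NOOP-Sparc-tcp2 tcp * * "|a61c c013 a61c c013 a61c c013 a61c c013|"
# The SGI-tcp/SGI-tcp2 patterns are in the opposite order to SGI-udp/SGI-udp2
# (IDS347/IDS348). Both byte sequences are still covered for TCP.
IDS356/OVERFLOW-NOOP-SGI-tcp tcp * * "|03e0 f825 03e0 f825 03e0 f825 03e0 f825|"
IDS357/OVERFLOW-NOOP-SGI-tcp2 tcp * * "|240f 1234 240f 1234 240f 1234 240f 1234|"
# Fixed: the seventh group read "08210" (five hex digits), which left an odd
# digit count and broke the repeat. It is now "0821", matching the first
# three repeats and the udp twin IDS349.
IDS358/OVERFLOW-NOOP-HP-tcp tcp * * "|0821 0280 0821 0280 0821 0280 0821 0280|"
IDS359/OVERFLOW-NOOP-HP-tcp2 tcp * * "|0b39 0280 0b39 0280 0b39 0280 0b39 0280|"
IDS360/OVERFLOW-NOOP-AIX-tcp tcp * * "|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"
IDS361/OVERFLOW-NOOP-Digital-tcp tcp * * "|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"
# UDP twin of IDS181/shellcode-x86-nops: 24 consecutive 0x90 bytes.
IDS362/shellcode-x86-nops-udp udp * * "|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"
IDS363/SCAN-Cybercop-UDP-bomb udp * 7 "cybercop"
IDS367/telnet-ld_preload tcp * 23 "ld_preload"
IDS368/TELNET_-_ld_library_path tcp * 23 "ld_library_path"
IDS369/telnet-resolv_host_conf tcp * 23 "resolv_host_conf"
IDS370/TELNET_-_Livingston-DoS tcp * 23 "|fff3 fff3 fff3 fff3 fff3|"
IDS371/SCAN-Cybercop-SMTPexpn tcp * 25 "expn cybercop"
IDS372/SCAN-Cybercop-SMTPehlo tcp * 25 "ehlo cybercop|0a|quit|0a|"
IDS373/SMTP-vrfy-decode tcp * 25 "vrfy decode"
# NOTE(review): the name says WEB and the pattern is an HTTP-style request,
# yet the port column is 25 like the SMTP rules around it. Presumably 80 was
# intended; confirm against the arachNIDS entry before changing.
IDS374/SCAN-Cybercop-WEB tcp * 25 "get /cybercop"
# Finger rules: several are one or two bytes ("0", "|00|", "|7c|", "@@") or a
# common word ("root", "search"), so they match most finger queries that
# mention them.
IDS375/finger-search tcp * 79 "search"
IDS376/finger-root tcp * 79 "root"
IDS377/finger-probe-null tcp * 79 "|00|"
IDS378/finger-probe-0 tcp * 79 "0"
IDS379/finger-pipe-w tcp * 79 "/W|3b|"
IDS380/finger-pipe tcp * 79 "|7c|"
IDS381/FINGER-Bomb tcp * 79 "@@"
# |0001| is the TFTP read-request opcode, followed by the requested path.
IDS382/TFTP-passwd udp * 69 "|0001|/etc/passwd"
IDS383/TFTP-group udp * 69 "|0001|/etc/group"
# NOTE(review): the registered services are 513/tcp login (rlogin) and
# 514/tcp shell (rsh), but the RSH-* rules here use 513 and the rlogin-* rules
# use 514. The byte patterns are the same on both ports, so coverage is
# unaffected, but an alert name may point at the wrong service. Check the port
# in the alert, not just the name.
IDS384/RSH-bin tcp * 513 "bin|00|bin|00|"
IDS385/RSH-echo++ tcp * 513 "echo |22|+ +|22|"
IDS386/RSH-froot tcp * 513 "-froot|00|"
IDS387/rlogin-froot tcp * 514 "-froot|00|"
IDS388/rlogin-echo++ tcp * 514 "echo |22|+ +|22|"
IDS389/RSH-root tcp * 513 "root|00|root|00|"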
# arachNIDS export for PAKEMON, IDS390-IDS415 plus IDS9 (string-sorted ID
# order). Columns as used throughout this file: name, protocol, two port
# columns, quoted payload pattern with |..| marking hex bytes.

IDS390/rlogin-bin tcp * 514 "bin|00|bin|00|"
IDS391/rlogin-root tcp * 514 "root|00|root|00|"
# NOTE(review): these three patterns look like server replies ("rlogind:
# Permission denied.", "login incorrect"). Elsewhere in this file the first
# port column is the one pinned for server-originated content (IDS215 uses
# "80 *"). If the columns are source then destination, a reply would carry
# 513/514 as its source port and these rules would not see it; confirm the
# direction.
IDS392/RSH-LoginFailure tcp * 513 "|01|rlogind|3a| Permission denied."
IDS393/RSH-LoginFailure2 tcp * 513 "login incorrect"
IDS394/RLOGIN-LoginFailure tcp * 514 "|01|rlogind|3a| Permission denied."
IDS395/X-xopen tcp * 6000 "|6c00 0b00 0000 0000 0000 0000|"
IDS396/X-MITcookie tcp * 6000 "MIT-MAGIC-COOKIE-1"
# The three Back Orifice patterns differ only in the ninth byte (38, 3c, 39).
IDS397/BackOrifice1-scan udp * 31337 "|ce63 d1d2 16e7 13cf 38a5 a586|"
IDS398/BackOrifice1-dir udp * 31337 "|ce63 d1d2 16e7 13cf 3ca5 a586|"
IDS399/BackOrifice1-info udp * 31337 "|ce63 d1d2 16e7 13cf 39a5 a586|"
IDS403/trojan-netbus-getinfo-12345 tcp * 12345 "GetInfo|0d|"
IDS404/Netbus-getinfo-12346 tcp * 12346 "GetInfo|0d|"
IDS408/XTACACS-logout udp * 49 "|8007 0000 0700 0004 0000 0000 00|"
# |72| is ASCII "r", so this matches the literal bytes "ftpr".
# NOTE(review): a URL-style "ftp:" would be |3a|; confirm against the
# arachNIDS entry.
IDS409/gopher-proxy tcp * 70 "ftp|72|"
# NOTE(review): "220 FW-1 Session Authentication" reads like a service banner,
# which the server sends. The same direction question applies as for
# IDS392-IDS394.
IDS410/fw1-authentication tcp * 261 "220 FW-1 Session Authentication"
IDS411/Realaudio-DoS tcp * 7070 "|fff4 fffd 06|"
# IDS412 and IDS413 are identical in every column, and IDS414 repeats
# IDS267/delegate-proxy-overflow. The "-psh" suffix presumably marked a TCP
# flag condition this format does not carry, so each pair fires together.
IDS412/web-cgi-imagemap-overflow tcp * 80 "imagemap.exe?"
IDS413/web-cgi-imagemap-overflow-psh tcp * 80 "imagemap.exe?"
IDS414/delegate-proxy-overflow-psh tcp * 8080 "whois|3a|//"
# Disabled in the source. Its pattern is a single tab byte, and the file
# header records that rules which did not translate well were commented out.
#IDS415/http-whisker-splicing-attack-tab tcp * 80 "|09|"
# Same leading bytes as IDS136/rpc-rusers-query; the last byte A1 instead of
# A2 distinguishes the rstatd query from the rusers query.
IDS9/rpc-rstatd-query udp * 32770: "|00 00 00 00 00 00 00 02 00 01 86 A1|"
#end arachNIDS export