| Signature ID | Signature Name | Signature Engine |
|---|---|---|
| 1000-0 | IP options-Bad Option List | atomic-ip |
| 1001-0 | IP options-Record Packet Route | atomic-ip |
| 1002-0 | IP options-Timestamp | atomic-ip |
| 1003-0 | IP options-Provide s,c,h,tcc | atomic-ip |
| 1004-0 | IP options-Loose Source Route | atomic-ip |
| 1005-0 | IP options-SATNET ID | atomic-ip |
| 1006-0 | IP options-Strict Source Route | atomic-ip |
| 1007-0 | IPv6 over IPv4 | atomic-ip |
| 1101-0 | Unknown IP Protocol | atomic-ip |
| 1102-0 | Impossible IP Packet | atomic-ip |
| 1104-0 | IP Localhost Source Spoof | atomic-ip |
| 1107-0 | RFC 1918 Addresses Seen | atomic-ip |
| 1108-0 | IP Packet with Proto 11 | atomic-ip |
| 1109-0 | Cisco IOS Interface DoS | atomic-ip |
| 1109-1 | Cisco IOS Interface DoS | atomic-ip |
| 1109-2 | Cisco IOS Interface DoS | atomic-ip |
| 1109-3 | Cisco IOS Interface DoS | atomic-ip |
| 1201-0 | IP Fragment Overlap | normalizer |
| 1202-0 | IP Fragment Overrun - Datagram Too Long | normalizer |
| 1203-0 | IP Fragment Overwrite - Data is Overwritten | normalizer |
| 1204-0 | IP Fragment Missing Initial Fragment | normalizer |
| 1205-0 | IP Fragment Too Many Datagrams | normalizer |
| 1206-0 | IP Fragment Too Small | normalizer |
| 1207-0 | IP Fragment Too Many Fragments in a Datagram | normalizer |
| 1208-0 | IP Fragment Incomplete Datagram | normalizer |
| 2000-0 | ICMP Echo Reply | atomic-ip |
| 2001-0 | ICMP Host Unreachable | atomic-ip |
| 2001-1 | ICMP Host Unreachable | atomic-ip |
| 2002-0 | ICMP Source Quench | atomic-ip |
| 2003-0 | ICMP Redirect | atomic-ip |
| 2004-0 | ICMP Echo Request | atomic-ip |
| 2005-0 | ICMP Time Exceeded for a Datagram | atomic-ip |
| 2006-0 | ICMP Parameter Problem on Datagram | atomic-ip |
| 2007-0 | ICMP Timestamp Request | atomic-ip |
| 2008-0 | ICMP Timestamp Reply | atomic-ip |
| 2009-0 | ICMP Information Request | atomic-ip |
| 2010-0 | ICMP Information Reply | atomic-ip |
| 2011-0 | ICMP Address Mask Request | atomic-ip |
| 2012-0 | ICMP Address Mask Reply | atomic-ip |
| 2150-0 | Fragmented ICMP Traffic | atomic-ip |
| 2151-0 | Large ICMP Traffic | atomic-ip |
| 2154-0 | Ping of Death Attack | atomic-ip |
| 2155-0 | Modem DoS | string-icmp |
| 2156-0 | Nachi Worm ICMP Echo Request | string-icmp |
| 2157-0 | ICMP Hard Error DoS | atomic-ip |
| 2157-1 | ICMP Hard Error DoS | atomic-ip |
| 2157-2 | ICMP Hard Error DoS | atomic-ip |
| 2158-0 | Nachi Worm ICMP Echo Request | atomic-ip |
| 2201-0 | IGMP over fragmented IP | atomic-ip |
| 2202-0 | IGMP Invalid Packet DoS | atomic-ip |
| 3038-0 | Fragmented NULL TCP Packet | atomic-ip |
| 3039-0 | Fragmented Orphaned FIN packet | atomic-ip |
| 3040-0 | TCP NULL Packet | atomic-ip |
| 3041-0 | TCP SYN/FIN Packet | atomic-ip |
| 3042-0 | Orphaned Fin Packet | atomic-ip |
| 3043-0 | Fragmented SYN/FIN Packet | atomic-ip |
| 3050-0 | Half-open SYN Attack | normalizer |
| 3051-0 | TCP Connection Window Size RST DoS | atomic-ip |
| 3051-1 | TCP Connection Window Size RST DoS | atomic-ip |
| 3100-0 | SMTP RCPT TO: Bounce | state |
| 3101-0 | Sendmail Invalid Recipient | state |
| 3102-0 | Sendmail Invalid Sender | state |
| 3103-0 | Sendmail Reconnaissance | state |
| 3103-1 | Sendmail Reconnaissance | state |
| 3104-0 | Archaic Sendmail Attacks | state |
| 3104-1 | Archaic Sendmail Attacks | state |
| 3105-0 | Sendmail Decode Alias | state |
| 3106-0 | Mail Spam | state |
| 3107-0 | Majordomo Execute Attack | state |
| 3108-0 | SMTP MIME Content Overflow | state |
| 3109-0 | Long SMTP Command | state |
| 3109-1 | Long SMTP Command | state |
| 3110-0 | Suspicious Mail Attachment | state |
| 3111-0 | W32 Sircam Malicious Code | string-tcp |
| 3111-1 | W32 Sircam Malicious Code | string-tcp |
| 3112-0 | Lotus Domino Mail Loop DoS | state |
| 3113-0 | Email Attachment with Malicious Payload | string-tcp |
| 3113-1 | Email Attachment with Malicious Payload | string-tcp |
| 3114-0 | FetchMail Arbitrary Code Execution | string-tcp |
| 3115-0 | Sendmail Data Header Overflow | state |
| 3115-3 | Sendmail Data Header Overflow | state |
| 3116-0 | Netbus | string-tcp |
| 3117-0 | KLEZ Worm | string-tcp |
| 3117-1 | KLEZ worm | string-tcp |
| 3118-0 | rwhoisd format string | string-tcp |
| 3119-0 | WS_FTP STAT Overflow | string-tcp |
| 3120-0 | ANTS Virus | string-tcp |
| 3120-1 | ANTS Virus | string-tcp |
| 3121-0 | Vintra MailServer EXPN DoS | string-tcp |
| 3122-0 | SMTP EXPN root Recon | string-tcp |
| 3123-0 | NetBus Pro Traffic | atomic-ip |
| 3124-0 | Sendmail prescan Memory Corruption | state |
| 3125-0 | Postfix 1.1.12 envelope address DoS | state |
| 3126-0 | Postfix bounce scan | state |
| 3128-0 | Exchange xexch50 overflow | state |
| 3128-1 | Exchange xexch50 overflow | string-tcp |
| 3129-0 | Mimail Virus C Variant File Attachment | state |
| 3130-0 | Mimail Virus I Variant File Attachment | string-tcp |
| 3131-0 | Mimail Virus L Variant File Attachment | string-tcp |
| 3132-0 | Novarg / Mydoom Virus Mail Attachment | string-tcp |
| 3132-1 | Novarg / Mydoom Virus Mail Attachment | string-tcp |
| 3133-0 | Novarg / Mydoom Virus Mail Attachment Variant B | string-tcp |
| 3133-1 | Novarg / Mydoom Virus Mail Attachment Variant B | string-tcp |
| 3134-0 | DoomJuice Worm network probe | string-tcp |
| 3135-0 | MyDoom Virus Activity | string-tcp |
| 3135-1 | MyDoom Virus Activity | string-tcp |
| 3135-2 | MyDoom Virus Activity | string-tcp |
| 3135-3 | MyDoom Virus Activity | string-tcp |
| 3135-4 | MyDoom Virus Activity | string-tcp |
| 3135-5 | MyDoom Virus Activity | string-tcp |
| 3135-6 | MyDoom Virus Activity | string-tcp |
| 3135-7 | MyDoom Virus Activity | string-tcp |
| 3136-0 | Netsky Virus Activity | string-tcp |
| 3136-1 | Netsky Virus Activity | string-tcp |
| 3136-2 | Netsky Virus Activity | string-tcp |
| 3136-3 | Netsky Virus Activity | string-tcp |
| 3136-4 | | |