######################################################################################################################
# Sample scan rules tested against Snort (Lightweight Network Intrusion Detection System).
# Snort decodes URL-encoding, so the requests below do not rely on %xx encoding; each one
# instead alters the path syntax (an extra "/", a "/./" segment, or a backslash) so that the
# raw URI no longer contains the literal string the rule's content: option looks for.
#
# against-snort.uxe
# rule by pilot
# http://www.monkey.org/~pilot
#
# Result line format: "<server response>-> <METHOD> :<request path>^<note>;;"
# A "200 OK" with no alert means the request reached the server and the listed rule did not fire.
#
# NOTE: these results assume the rule engine matches the raw request payload. A preprocessor
# that normalizes the URI before matching (collapsing "//" and "/./", converting "\" to "/")
# would defeat all three evasions, so re-test against the Snort version actually deployed.
#
# example 1 -- double slash ("//") inserted between "cgi-bin" and "finger"
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"IDS221 - CVE-1999-0612 - Finger CGI access attempt";flags:PA; content:"cgi-bin/finger"; nocase;)
200 OK-> GET :/cgi-bin//finger^checked finger against snort-ids;;
#
# example 2 -- self-referencing "/./" segment inserted after "cgi-bin"
# CAVEAT: the request path reads "un1g1.1" (digit one) while the rule content is "unlg1.1"
# (letter l); the miss cannot be attributed to the "/./" insertion alone until that is reconciled.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BACKDOOR-ATTEMPT - unlg1.1 Attempt";flags:PA; content:"cgi-bin/unlg1.1";)
200 OK-> HEAD :/cgi-bin/./un1g1.1^checked cgi-backdoor against snort-ids;;
#
# example 3 -- backslash used for only the last path separator. None of the four rules below
# matches because two look for all forward slashes, two look for all backslashes, and the
# request mixes the two ("/cfide/administrator\\startstop.html").
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 274 - SCAN - Whisker Stealth- Start Stop Web access attempt"; content:"/cfide/administrator/startstop.html"; nocase; flags: PA;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- DBML Parser access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN - Whisker Stealth Mode 8- Start Stop Web access attempt"; content:"/cfide\\administrator\\startstop.html"; nocase; flags: PA;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"BUGTRAQ ID 274 ColdFusion server start/stop DoS";flags:PA; content:"cfide/Administrator/startstop.html"; nocase;)
200 OK-> GET :/cfide/administrator\\startstop.html^checked Start Stop Web against snort-ids;;
######################################################################################################################