"Fossies" - the Fresh Open Source Software Archive

Member "snort-2.9.17/etc/gen-msg.map" (16 Oct 2020, 33171 Bytes) of package /linux/misc/snort-2.9.17.tar.gz:



    # $Id$
    # GENERATORS -> msg map
    # Format: generatorid || alertid || MSG

    1 || 1 || snort general alert
    2 || 1 || tag: Tagged Packet
    3 || 1 || snort dynamic alert
    100 || 1 || spp_portscan: Portscan Detected
    100 || 2 || spp_portscan: Portscan Status
    100 || 3 || spp_portscan: Portscan Ended
    101 || 1 || spp_minfrag: minfrag alert
    102 || 1 || http_decode: Unicode Attack
    102 || 2 || http_decode: CGI NULL Byte Attack
    102 || 3 || http_decode: large method attempted
    102 || 4 || http_decode: missing uri
    102 || 5 || http_decode: double encoding detected
    102 || 6 || http_decode: illegal hex values detected
    102 || 7 || http_decode: overlong character detected
    103 || 1 || spp_defrag: Fragmentation Overflow Detected
    103 || 2 || spp_defrag: Stale Fragments Discarded
    104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
    104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
    105 || 1 || spp_bo: Back Orifice Traffic Detected
    105 || 2 || spp_bo: Back Orifice Client Traffic Detected
    105 || 3 || spp_bo: Back Orifice Server Traffic Detected
    105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
    106 || 1 || spp_rpc_decode: Fragmented RPC Records
    106 || 2 || spp_rpc_decode: Multiple Records in one packet
    106 || 3 || spp_rpc_decode: Large RPC Record Fragment
    106 || 4 || spp_rpc_decode: Incomplete RPC segment
    106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
    110 || 1 || spp_unidecode: CGI NULL Attack
    110 || 2 || spp_unidecode: Directory Traversal
    110 || 3 || spp_unidecode: Unknown Mapping
    110 || 4 || spp_unidecode: Invalid Mapping
    111 || 1 || spp_stream4: Stealth Activity Detected
    111 || 2 || spp_stream4: Evasive Reset Packet
    111 || 3 || spp_stream4: Retransmission
    111 || 4 || spp_stream4: Window Violation
    111 || 5 || spp_stream4: Data on SYN Packet
    111 || 6 || spp_stream4: Full XMAS Stealth Scan
    111 || 7 || spp_stream4: SAPU Stealth Scan
    111 || 8 || spp_stream4: FIN Stealth Scan
    111 || 9 || spp_stream4: NULL Stealth Scan
    111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
    111 || 11 || spp_stream4: VECNA Stealth Scan
    111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
    111 || 13 || spp_stream4: SYN FIN Stealth Scan
    111 || 14 || spp_stream4: TCP forward overlap detected
    111 || 15 || spp_stream4: TTL Evasion attempt
    111 || 16 || spp_stream4: Evasive retransmitted data attempt
    111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
    111 || 18 || spp_stream4: Multiple acked
    111 || 19 || spp_stream4: Shifting to Emergency Session Mode
    111 || 20 || spp_stream4: Shifting to Suspend Mode
    111 || 21 || spp_stream4: TCP Timestamp option has value of zero
    111 || 22 || spp_stream4: Too many overlapping TCP packets
    111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
    111 || 24 || spp_stream4: Evasive FIN Packet
    111 || 25 || spp_stream4: SYN on established
    112 || 1 || spp_arpspoof: Directed ARP Request
    112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
    112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
    112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
    113 || 1 || spp_frag2: Oversized Frag
    113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
    113 || 3 || spp_frag2: TTL evasion detected
    113 || 4 || spp_frag2: overlap detected
    113 || 5 || spp_frag2: Duplicate first fragments
    113 || 6 || spp_frag2: memcap exceeded
    113 || 7 || spp_frag2: Out of order fragments
    113 || 8 || spp_frag2: IP Options on Fragmented Packet
    113 || 9 || spp_frag2: Shifting to Emegency Session Mode
    113 || 10 || spp_frag2: Shifting to Suspend Mode
    114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
    114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
    114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
    114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
    115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
    115 || 2 || spp_asn1: Invalid ASN.1 length encoding
    115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
    115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
    115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
    116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
    116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
    116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
    116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
    116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
    116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
    116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
    116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
    116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
    116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
    116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
    116 || 56 || snort_decoder: WARNING: T/TCP Detected
    116 || 57 || snort_decoder: WARNING: Obsolete TCP options
    116 || 58 || snort_decoder: WARNING: Experimental TCP options
    116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
    116 || 95 || snort_decoder: WARNING: Truncated UDP Header
    116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
    116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
    116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
    116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
    116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
    116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
    116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
    116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
    116 || 110 || snort_decoder: WARNING: Truncated EAP Header
    116 || 111 || snort_decoder: WARNING: EAP Key Truncated
    116 || 112 || snort_decoder: WARNING: EAP Header Truncated
    116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
    116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
    116 || 131 || snort_decoder: WARNING: Bad LLC header
    116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
    116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
    116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
    116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
    116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
    116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
    116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
    116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
    116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
    116 || 160 || snort_decoder: WARNING: GRE header length > payload length
    116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
    116 || 162 || snort_decoder: WARNING: Invalid GRE version
    116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
    116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
    116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
    116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
    116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
    116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
    116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
    116 || 174 || snort_decoder: WARNING: Bad use of label 3
    116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
    116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
    116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
    116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
    116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
    116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
    116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
    116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
    116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
    116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
    116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
    116 || 273 || snort_decoder: WARNING: IPV6 truncated header
    116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
    116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
    116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
    116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
    116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
    116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
    116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
    116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
    116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
    116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
    116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
    116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
    116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
    116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
    116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
    116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
    116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
    116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
    116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
    116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
    116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
    116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
    116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
    116 || 298 || snort_decoder: WARNING: GTP header length is invalid
    116 || 300 || snort_decoder: WARNING: Too many levels for decoding
    116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
    116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
    116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
    116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
    116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
    116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
    116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
    116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
    116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
    116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
    116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
    116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
    116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
    116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
    116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
    116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
    116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
    116 || 417 || snort_decoder: WARNING: ICMP4 source quence
    116 || 418 || snort_decoder: WARNING: ICMP4 type other
    116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
    116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
    116 || 421 || snort_decoder: WARNING: TCP SYN with RST
    116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
    116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
    116 || 424 || snort_decoder: WARNING: truncated eth header
    116 || 425 || snort_decoder: WARNING: truncated IP4 header
    116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
    116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
    116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
    116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
    116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
    116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
    116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
    116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
    116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
    116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
    116 || 436 || snort_decoder: WARNING: ICMP redirect host
    116 || 437 || snort_decoder: WARNING: ICMP redirect net
    116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
    116 || 439 || snort_decoder: WARNING: ICMP Source Quench
    116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
    116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
    116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
    116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
    116 || 444 || snort_decoder: WARNING: MISC IP option set
    116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
    116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
    116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
    116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
    116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
    116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
    116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
    116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
    116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
    116 || 454 || snort_decoder: WARNING: PGM NAK overflow
    116 || 455 || snort_decoder: WARNING: IGMP options dos
    116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
    116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
    116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. Possible BSD attack
    116 || 459 || snort_decoder: WARNING: zero length fragment
    116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2
    116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header
    116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch
    116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length
    116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length
    116 || 467 || snort_decoder: WARNING: truncated FabricPath header
    117 || 1 || spp_portscan2: Portscan detected
    118 || 1 || spp_conversation: Bad IP protocol
    119 || 1 || http_inspect: ASCII ENCODING
    119 || 2 || http_inspect: DOUBLE DECODING ATTACK
    119 || 3 || http_inspect: U ENCODING
    119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
    119 || 5 || http_inspect: BASE36 ENCODING
    119 || 6 || http_inspect: UTF-8 ENCODING
    119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
    119 || 8 || http_inspect: MULTI_SLASH ENCODING
    119 || 9 || http_inspect: IIS BACKSLASH EVASION
    119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
    119 || 11 || http_inspect: DIRECTORY TRAVERSAL
    119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
    119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
    119 || 14 || http_inspect: NON-RFC DEFINED CHAR
    119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
    119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
    119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
    119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
    119 || 19 || http_inspect: LONG HEADER
    119 || 20 || http_inspect: MAX HEADERS
    119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
    119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
    119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
    119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
    119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
    119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
    119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
    119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
    119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
    119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
    119 || 31 || http_inspect: UNKNOWN METHOD
    119 || 32 || http_inspect: SIMPLE REQUEST
    119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI
    119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS
    119 || 36 || http_inspect: INVALID RANGE UNIT FORMAT
    119 || 37 || http_inspect: RANGE FIELD PRESENT IN NON GET METHOD
    119 || 38 || http_inspect: ERROR IN RANGE FIELD OF REQUEST HEADER
    120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
    120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
    120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
    120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
    120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
    120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
    120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
    120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
    120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
    120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
    120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
    120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
    120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
    120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
    120 || 17 || http_inspect: PDF FILE PARSE FAILURE
    120 || 18 || http_inspect: PROTOCOL-OTHER HTTP server response before client request
    120 || 19 || http_inspect: MULTIPLE CONTENT LENGTH IN HTTP RESPONSE
    120 || 20 || http_inspect: MULTIPLE CONTENT ENCODING IN HTTP RESPONSE
    120 || 21 || http_inspect: MULTIPLE COLON BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
    120 || 22 || http_inspect: INVALID CHARACTER BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
    120 || 23 || http_inspect: TRANSFER ENCODING:CHUNKED IN HTTP 1.0 REQUEST/RESPONSE HEADER
    120 || 24 || http_inspect: PARTIAL DECOMPRESSION FAILURE IN HTTP RESPONSE BODY
    120 || 25 || http_inspect: INVALID HEADER FOLDING
    120 || 26 || http_inspect: JUNK LINE BEFORE HTTP RESPONSE HEADER
    120 || 27 || http_inspect: NO END OF HEADER IN HTTP RESPONSE
    120 || 28 || http_inspect: INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
    120 || 29 || http_inspect: INVALID VERSION IN HTTP RESPONSE HEADER
    120 || 30 || http_inspect: INVALID CONTENT RANGE UNIT FORMAT
    120 || 31 || http_inspect: ERROR IN RANGE FIELD OF RESPONSE HEADER
    121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
    121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
    121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
    121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
    122 || 1 || portscan: TCP Portscan
    122 || 2 || portscan: TCP Decoy Portscan
    122 || 3 || portscan: TCP Portsweep
    122 || 4 || portscan: TCP Distributed Portscan
    122 || 5 || portscan: TCP Filtered Portscan
    122 || 6 || portscan: TCP Filtered Decoy Portscan
    122 || 7 || portscan: TCP Filtered Portsweep
    122 || 8 || portscan: TCP Filtered Distributed Portscan
    122 || 9 || portscan: IP Protocol Scan
    122 || 10 || portscan: IP Decoy Protocol Scan
    122 || 11 || portscan: IP Protocol Sweep
    122 || 12 || portscan: IP Distributed Protocol Scan
    122 || 13 || portscan: IP Filtered Protocol Scan
    122 || 14 || portscan: IP Filtered Decoy Protocol Scan
    122 || 15 || portscan: IP Filtered Protocol Sweep
    122 || 16 || portscan: IP Filtered Distributed Protocol Scan
    122 || 17 || portscan: UDP Portscan
    122 || 18 || portscan: UDP Decoy Portscan
    122 || 19 || portscan: UDP Portsweep
    122 || 20 || portscan: UDP Distributed Portscan
    122 || 21 || portscan: UDP Filtered Portscan
    122 || 22 || portscan: UDP Filtered Decoy Portscan
    122 || 23 || portscan: UDP Filtered Portsweep
    122 || 24 || portscan: UDP Filtered Distributed Portscan
    122 || 25 || portscan: ICMP Sweep
    122 || 26 || portscan: ICMP Filtered Sweep
    122 || 27 || portscan: Open Port
    123 || 1 || frag3: IP Options on fragmented packet
    123 || 2 || frag3: Teardrop attack
    123 || 3 || frag3: Short fragment, possible DoS attempt
    123 || 4 || frag3: Fragment packet ends after defragmented packet
    123 || 5 || frag3: Zero-byte fragment
    123 || 6 || frag3: Bad fragment size, packet size is negative
    123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
    123 || 8 || frag3: Fragmentation overlap
    123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
    123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
    123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
    123 || 12 || frag3: Number of overlapping fragments exceed configured limit
    123 || 13 || frag3: Fragments smaller than configured min_fragment_length
    124 || 1 || smtp: Attempted command buffer overflow
    124 || 2 || smtp: Attempted data header buffer overflow
    124 || 3 || smtp: Attempted response buffer overflow
    124 || 4 || smtp: Attempted specific command buffer overflow
    124 || 5 || smtp: Unknown command
    124 || 6 || smtp: Illegal command
    124 || 7 || smtp: Attempted header name buffer overflow
    124 || 8 || smtp: Attempted X-Link2State command buffer overflow
    124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
    124 || 10 || smtp: Base64 Decoding failed
    124 || 11 || smtp: Quoted-Printable Decoding failed
    124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed
    124 || 13 || smtp: Unix-to-Unix Decoding failed
    124 || 14 || smtp: Cyrus SASL authentication attack
    125 || 1 || ftp_pp: Telnet command on FTP command channel
    125 || 2 || ftp_pp: Invalid FTP command
    125 || 3 || ftp_pp: FTP parameter length overflow
    125 || 4 || ftp_pp: FTP malformed parameter
    125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
    125 || 6 || ftp_pp: FTP response length overflow
    125 || 7 || ftp_pp: FTP command channel encrypted
    125 || 8 || ftp_pp: FTP bounce attack
    125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
    126 || 1 || telnet_pp: Telnet consecutive AYT overflow
    126 || 2 || telnet_pp: Telnet data encrypted
    126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
    128 || 1 || ssh: Gobbles exploit
    128 || 2 || ssh: SSH1 CRC32 exploit
    128 || 3 || ssh: Server version string overflow
    128 || 4 || ssh: Protocol mismatch
    128 || 5 || ssh: Bad message direction
    128 || 6 || ssh: Payload size incorrect for the given payload
    128 || 7 || ssh: Failed to detect SSH version string
    129 || 1 || stream5: SYN on established session
    129 || 2 || stream5: Data on SYN packet
    129 || 3 || stream5: Data sent on stream not accepting data
    129 || 4 || stream5: TCP Timestamp is outside of PAWS window
    129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
    129 || 6 || stream5: Window size (after scaling) larger than policy allows
    129 || 7 || stream5: Limit on number of overlapping TCP packets reached
    129 || 8 || stream5: Data sent on stream after TCP Reset
    129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
    129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
    129 || 11 || stream5: TCP Data with no TCP Flags set
    129 || 12 || stream5: TCP Small Segment Threshold Exceeded
    129 || 13 || stream5: TCP 4-way handshake detected
    129 || 14 || stream5: TCP Timestamp is missing
    129 || 15 || stream5: Reset outside window
    129 || 16 || stream5: FIN number is greater than prior FIN
    129 || 17 || stream5: ACK number is greater than prior FIN
    129 || 18 || stream5: Data sent on stream after TCP Reset received
    129 || 19 || stream5: TCP window closed before receiving data
    129 || 20 || stream5: TCP session without 3-way handshake
    130 || 1 || dcerpc: Maximum memory usage reached
    131 || 1 || dns: Obsolete DNS RData Type
    131 || 2 || dns: Experimental DNS RData Type
    131 || 3 || dns: Client RData TXT Overflow
    133 || 1 || dcerpc2: Memory cap exceeded
    133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
    133 || 3 || dcerpc2: SMB - Bad SMB message type
    133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
    133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
    133 || 6 || dcerpc2: SMB - Bad byte count for command
    133 || 7 || dcerpc2: SMB - Bad format type for command
    133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
    133 || 9 || dcerpc2: SMB - Zero total data count in command
    133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
    133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
    133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
    133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
    133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
    133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
    133 || 16 || dcerpc2: SMB - Byte count less than command data size
    133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
    133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
    133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
    133 || 20 || dcerpc2: SMB - Excessive command chaining
    133 || 21 || dcerpc2: SMB - Multiple chained login requests
    133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
    133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
    133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
    133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
    133 || 26 || dcerpc2: SMB - Invalid share access
    133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
    133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
    133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
    133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
    133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
    133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
    133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
    133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
    133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
    133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
    133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
    133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
    133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
    133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
    133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
    133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
    133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
    #133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
    #133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
    #133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
    #133 || 47 || dcerpc2: SMB - Excessive command compounding
    133 || 48 || dcerpc2: SMB - Zero data count
    133 || 49 || dcerpc2: SMB - Data count mismatch
    133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded
    133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID
    133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated
    133 || 53 || dcerpc2: SMB - Deprecated command used
    133 || 54 || dcerpc2: SMB - Unusual command used
    133 || 55 || dcerpc2: SMB - Invalid setup count
    133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session
    133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system
    133 || 58 || dcerpc2: SMB - File offset provided is greater than file size specified
    133 || 59 || dcerpc2: SMB - Nextcommand specified in SMB2 header is beyond payload boundary
    134 || 1 || ppm: rule tree disabled
    134 || 2 || ppm: rule tree enabled
    134 || 3 || ppm: packet aborted
    135 || 1 || internal: syn received
    135 || 2 || internal: session established
    135 || 3 || internal: session cleared
    136 || 1 || reputation: Packet is blacklisted
    136 || 2 || reputation: Packet is whitelisted
    137 || 1 || spp_ssl: Invalid Client HELLO after Server HELLO Detected
    137 || 2 || spp_ssl: Invalid Server HELLO without Client HELLO Detected
    137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
    137 || 4 || spp_ssl: Large Heartbeat Response Detected
    138 || 2 || sensitive_data: sensitive data - Credit card numbers
    138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
    138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
    138 || 5 || sensitive_data: sensitive data - eMail addresses
    138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
    139 || 1 || sensitive_data: sensitive data global threshold exceeded
    140 || 1 || sip: Maximum sessions reached
    140 || 2 || sip: Empty request URI
    140 || 3 || sip: URI is too long
    140 || 4 || sip: Empty call-Id
    140 || 5 || sip: Call-Id is too long
  490 140 || 6 || sip: CSeq number is too large or negative
  491 140 || 7 || sip: Request name in CSeq is too long 
  492 140 || 8 || sip: Empty From header
  493 140 || 9 || sip: From header is too long
  494 140 || 10 || sip: Empty To header
  495 140 || 11 || sip: To header is too long
  496 140 || 12 || sip: Empty Via header 
  497 140 || 13 || sip: Via header is too long
  498 140 || 14 || sip: Empty Contact
  499 140 || 15 || sip: Contact is too long
  500 140 || 16 || sip: Content length is too large or negative
  501 140 || 17 || sip: Multiple SIP messages in a packet
  502 140 || 18 || sip: Content length mismatch
  503 140 || 19 || sip: Request name is invalid
  504 140 || 20 || sip: Invite replay attack
  505 140 || 21 || sip: Illegal session information modification
  506 140 || 22 || sip: Response status code is not a 3 digit number
  507 140 || 23 || sip: Empty Content type
  508 140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
  509 140 || 25 || sip: Mismatch in Method of request and the CSEQ header
  510 140 || 26 || sip: The method is unknown
  511 140 || 27 || sip: Maximum dialogs in a session reached 
  512 141 || 1 || imap: Unknown IMAP4 command
  513 141 || 2 || imap: Unknown IMAP4 response
  514 141 || 3 || imap: No memory available for decoding. Memcap exceeded.
  515 141 || 4 || imap: Base64 Decoding failed
  516 141 || 5 || imap: Quoted-Printable Decoding failed
  517 141 || 6 || imap: Non-Encoded MIME attachment Extraction failed
  518 141 || 7 || imap: Unix-to-Unix Decoding failed
  519 142 || 1 || pop: Unknown POP3 command
  520 142 || 2 || pop: Unknown POP3 response
  521 142 || 3 || pop: No memory available for decoding. Memcap exceeded.
  522 142 || 4 || pop: Base64 Decoding failed
  523 142 || 5 || pop: Quoted-Printable Decoding failed
  524 142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
  525 142 || 7 || pop: Unix-to-Unix Decoding failed
  526 143 || 1 || gtp: Message length is invalid
  527 143 || 2 || gtp: Information element length is invalid
  528 143 || 3 || gtp: Information elements are out of order
  529 144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
  530 144 || 2 || modbus: Modbus protocol ID is non-zero.
  531 144 || 3 || modbus: Reserved Modbus function code in use.
  532 145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
  533 145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
  534 145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
  535 145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
  536 145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
  537 145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.