Home/Network IDS rules
IDS / IPS

Network IDS rules

1,237 rules · Snort / Suricata signatures
Network intrusion-detection signatures from open rulesets (ET Open, Snort Community, abuse.ch). These match malicious traffic patterns on the wire. A rule name links to its upstream reference where the ruleset publishes one; rules without a public reference show as plain text.
Ruleset All et-opensnort-community
Class All trojan-activitydomain-c2bad-unknownweb-application-attackmisc-activitycommand-and-controlattempted-adminexploit-kitsocial-engineeringcredential-theftattempted-usertargeted-activityattempted-reconpup-activity

Rules

50 shown of 1,237
et-open attempted-user
ET WEB_SERVER SQL sp_password attempt
sid 2000105 format suricata
et-open attempted-user
ET WEB_SERVER SQL sp_delete_alert attempt
sid 2000106 format suricata
et-open attempted-user
ET WEB_CLIENT Apple Quicktime RTSP Content-Type overflow attempt
sid 2007704 format suricata
et-open attempted-user
ET EXPLOIT SQL sp_configure - configuration change
sid 2008517 format suricata
et-open attempted-user
ET EXPLOIT SQL sp_configure attempt
sid 2008518 format suricata
et-open attempted-user
ET SCADA CitectSCADA ODBC Overflow Attempt
sid 2008542 format suricata
et-open attempted-user
ET FTP Possible FTP Daemon Username SELECT FROM SQL Injection Attempt
sid 2009981 format suricata T1190 ↗
et-open attempted-user
ET FTP Possible FTP Daemon Username DELETE FROM SQL Injection Attempt
sid 2009982 format suricata T1190 ↗
et-open attempted-user
ET FTP Possible FTP Daemon Username INSERT INTO SQL Injection Attempt
sid 2009983 format suricata T1190 ↗
et-open attempted-user
ET FTP Possible FTP Daemon Username UPDATE SET SQL Injection Attempt
sid 2009984 format suricata T1190 ↗
et-open attempted-user
ET FTP Possible FTP Daemon Username UNION SELECT SQL Injection Attempt
sid 2009985 format suricata T1190 ↗
et-open attempted-user
ET EXPLOIT xp_enumerrorlogs access
sid 2010001 format suricata
et-open attempted-user
ET EXPLOIT xp_readerrorlogs access
sid 2010002 format suricata
et-open attempted-user
ET EXPLOIT xp_enumdsn access
sid 2010003 format suricata
et-open attempted-user
ET WEB_SERVER SQL sp_start_job attempt
sid 2010004 format suricata
et-open attempted-user
ET ACTIVEX Possible AOL SuperBuddy ActiveX Control Remote Code Execution Attempt
sid 2010039 format suricata T1190 ↗
et-open attempted-user
ET FTP Possible FTP Daemon Username INTO OUTFILE SQL Injection Attempt
sid 2010081 format suricata T1190 ↗
et-open attempted-user
ET ACTIVEX Multiple Altiris Products AeXNSConsoleUtilities.dll ActiveX Control BrowseAndSaveFile Method Buffer Overflow Attempt Function Call
sid 2010245 format suricata
et-open attempted-user
ET WEB_SERVER Possible Cisco Adaptive Security Appliance Web VPN FTP or CIFS Authentication Form Phishing Attempt
sid 2010457 format suricata
et-open attempted-user
ET WEB_SERVER Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt
sid 2010460 format suricata
et-open attempted-user
ET WEB_CLIENT Possible Adobe Multimedia Doc.media.newPlayer Memory Corruption Attempt
sid 2010495 format suricata
et-open attempted-user
ET WEB_SPECIFIC_APPS Cisco Adaptive Security Appliance WebVPN Cross Site Scripting Attempt
sid 2010505 format suricata
et-open attempted-user
ET WEB_SPECIFIC_APPS Cisco BBSM Captive Portal AccesCodeStart.asp Cross-Site Scripting Attempt
sid 2010506 format suricata
et-open attempted-user
ET WEB_CLIENT Possible Adobe Reader and Acrobat Forms Data Format Remote Security Bypass Attempt
sid 2010664 format suricata
et-open attempted-user
ET ACTIVEX Possible NOS Microsystems Adobe Reader/Acrobat getPlus Get_atlcomHelper ActiveX Control Multiple Stack Overflows Remote Code Execution Attempt
sid 2010665 format suricata T1190 ↗
et-open attempted-user
ET ACTIVEX Adobe browser document ActiveX DoS Function call Attempt
sid 2010705 format suricata
et-open attempted-user
ET ACTIVEX Adobe browser document ActiveX DoS Attempt
sid 2010726 format suricata
et-open attempted-user
ET ACTIVEX SoftArtisans XFile FileManager ActiveX stack overfow Function call Attempt
sid 2010745 format suricata
et-open attempted-user
ET ACTIVEX SoftArtisans XFile FileManager ActiveX Buildpath method stack overflow Attempt
sid 2010746 format suricata
et-open attempted-user
ET ACTIVEX SoftArtisans XFile FileManager ActiveX GetDriveName method stack overflow Attempt
sid 2010747 format suricata
et-open attempted-user
ET ACTIVEX SoftArtisans XFile FileManager ActiveX DriveExists method stack overflow Attempt
sid 2010748 format suricata
et-open attempted-user
ET ACTIVEX SoftArtisans XFile FileManager ActiveX DeleteFile method stack overflow Attempt
sid 2010749 format suricata
et-open attempted-user
ET WEB_CLIENT VLC Media Player .ass File Buffer Overflow Attempt
sid 2010758 format suricata
et-open attempted-user
ET WEB_CLIENT Possible Microsoft Internet Explorer URI Validation Remote Code Execution Attempt
sid 2010798 format suricata T1190 ↗
et-open attempted-user
ET WEB_CLIENT VLC Media Player smb URI Handling Remote Buffer Overflow Attempt
sid 2010813 format suricata
et-open attempted-user
ET ACTIVEX Viscom Movie Player Pro SDK ActiveX DrawText method Buffer Overflow Function Call
sid 2010944 format suricata
et-open attempted-user
ET WEB_SPECIFIC_APPS Yahoo CD Player ActiveX Open Stack Overflow Attempt
sid 2010945 format suricata
et-open attempted-user
ET WEB_SPECIFIC_APPS JcomBand toolbar ActiveX Control isRegistered Property Buffer Overflow Attempt
sid 2010976 format suricata
et-open attempted-user
ET ACTIVEX Microsoft Internet Explorer Tabular DataURL ActiveX Control Memory Corruption Attempt
sid 2011007 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX SendCommand Method Buffer Overflow Attempt
sid 2011200 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX Login Method Buffer Oveflow Attempt
sid 2011201 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX Snapshot Method Buffer Overflow Attempt
sid 2011202 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX _DownloadPBOpen Method Buffer Overflow Attempt
sid 2011203 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX _DownloadPBClose Method Buffer Overflow Attempt
sid 2011204 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX _DownloadPBControl Method Buffer Overflow Attempt
sid 2011205 format suricata
et-open attempted-user
ET ACTIVEX AVTECH Software ActiveX Buffer Overflow Function Call
sid 2011206 format suricata
et-open attempted-user
ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call
sid 2011208 format suricata
et-open attempted-user
ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share Possible DLL Preloading Exploit Attempt
sid 2011457 format suricata
et-open attempted-user
ET WEB_CLIENT RealPlayer FLV Parsing Integer Overflow Attempt
sid 2011485 format suricata
et-open attempted-user
ET WEB_CLIENT Possible Adobe Acrobat and Reader Pushstring Memory Corruption Attempt
sid 2011500 format suricata
Showing 1-50 of 1,237
Prev 1 Next
SOC and Response
CVE triage
Stack monitoring
Am I affected
IOC triage
KEV catalog
Recently exploited
Daily brief
Change tracking
Detection Engineering
Coverage workspace
Detection coverage
Coverage check
Telemetry ceiling
SIEM query builder
Sigma rules
SIEM rules
YARA rules
Network rules
D3FEND
Threat Hunting
Threat actors
ATT&CK techniques
Attack paths
Indicators
Atomic tests
Red Team and Pentest
Exploitability triage
Recon pack
Attack paths
CAPEC patterns
Adversary emulation
Compliance and GRC
Framework mapping
Control assessment
Audit view
Atlas Search Threat actors Techniques Tools & malware CWE CAPEC KEV catalog Package vulns
About All capabilities Pricing API docs Privacy policy Terms of service
threatengine.sh