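# $Id$
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
#
# Each entry maps a generator ID (the component that raised the event, as the
# message prefixes show) and an alert ID within that generator to the message
# text reported for the event. As a message map, this file only supplies text
# for reporting; it does not enable or disable any detection.
#
# Notes for maintainers:
#  - One entry per line. A line-number gutter fused onto the start of an
#    entry changes its generator ID (e.g. "8100 || 1" instead of "100 || 1"),
#    so keep the file free of such artifacts.
#  - IDs are not contiguous (for example 119 has no alert 35 and 138 starts
#    at 2). An ID that is absent from this file has no message text here.
#  - Message text is reproduced verbatim, including spellings such as
#    "Emegency" (113 || 9) and "source quence" (116 || 417). Alert searches or
#    correlation rules that match on the message string may depend on the
#    exact text -- verify before normalising.

1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
3 || 1 || snort dynamic alert
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
102 || 2 || http_decode: CGI NULL Byte Attack
102 || 3 || http_decode: large method attempted
102 || 4 || http_decode: missing uri
102 || 5 || http_decode: double encoding detected
102 || 6 || http_decode: illegal hex values detected
102 || 7 || http_decode: overlong character detected
103 || 1 || spp_defrag: Fragmentation Overflow Detected
103 || 2 || spp_defrag: Stale Fragments Discarded
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
105 || 1 || spp_bo: Back Orifice Traffic Detected
105 || 2 || spp_bo: Back Orifice Client Traffic Detected
105 || 3 || spp_bo: Back Orifice Server Traffic Detected
105 || 4 || spp_bo: Back Orifice Snort Buffer Attack
106 || 1 || spp_rpc_decode: Fragmented RPC Records
106 || 2 || spp_rpc_decode: Multiple Records in one packet
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
106 || 4 || spp_rpc_decode: Incomplete RPC segment
106 || 5 || spp_rpc_decode: Zero-length RPC Fragment
110 || 1 || spp_unidecode: CGI NULL Attack
110 || 2 || spp_unidecode: Directory Traversal
110 || 3 || spp_unidecode: Unknown Mapping
110 || 4 || spp_unidecode: Invalid Mapping
111 || 1 || spp_stream4: Stealth Activity Detected
111 || 2 || spp_stream4: Evasive Reset Packet
111 || 3 || spp_stream4: Retransmission
111 || 4 || spp_stream4: Window Violation
111 || 5 || spp_stream4: Data on SYN Packet
111 || 6 || spp_stream4: Full XMAS Stealth Scan
111 || 7 || spp_stream4: SAPU Stealth Scan
111 || 8 || spp_stream4: FIN Stealth Scan
111 || 9 || spp_stream4: NULL Stealth Scan
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
111 || 11 || spp_stream4: VECNA Stealth Scan
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
111 || 13 || spp_stream4: SYN FIN Stealth Scan
111 || 14 || spp_stream4: TCP forward overlap detected
111 || 15 || spp_stream4: TTL Evasion attempt
111 || 16 || spp_stream4: Evasive retransmitted data attempt
111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt
111 || 18 || spp_stream4: Multiple acked
111 || 19 || spp_stream4: Shifting to Emergency Session Mode
111 || 20 || spp_stream4: Shifting to Suspend Mode
111 || 21 || spp_stream4: TCP Timestamp option has value of zero
111 || 22 || spp_stream4: Too many overlapping TCP packets
111 || 23 || spp_stream4: Packet in established TCP stream missing ACK
111 || 24 || spp_stream4: Evasive FIN Packet
111 || 25 || spp_stream4: SYN on established
112 || 1 || spp_arpspoof: Directed ARP Request
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
113 || 1 || spp_frag2: Oversized Frag
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
113 || 3 || spp_frag2: TTL evasion detected
113 || 4 || spp_frag2: overlap detected
113 || 5 || spp_frag2: Duplicate first fragments
113 || 6 || spp_frag2: memcap exceeded
113 || 7 || spp_frag2: Out of order fragments
113 || 8 || spp_frag2: IP Options on Fragmented Packet
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
113 || 10 || spp_frag2: Shifting to Suspend Mode
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
116 || 1 || snort_decoder: WARNING: Not IPv4 datagram
116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN
116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len
116 || 4 || snort_decoder: WARNING: Bad IPv4 Options
116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options
116 || 6 || snort_decoder: WARNING: IP dgm len > captured len
116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes
116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5
116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload
116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths
116 || 55 || snort_decoder: WARNING: Truncated Tcp Options
116 || 56 || snort_decoder: WARNING: T/TCP Detected
116 || 57 || snort_decoder: WARNING: Obsolete TCP options
116 || 58 || snort_decoder: WARNING: Experimental TCP options
116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14)
116 || 95 || snort_decoder: WARNING: Truncated UDP Header
116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8
116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length
116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length
116 || 105 || snort_decoder: WARNING: ICMP Header Truncated
116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated
116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated
116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem
116 || 109 || snort_decoder: WARNING: Truncated ARP Packet
116 || 110 || snort_decoder: WARNING: Truncated EAP Header
116 || 111 || snort_decoder: WARNING: EAP Key Truncated
116 || 112 || snort_decoder: WARNING: EAP Header Truncated
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame
116 || 131 || snort_decoder: WARNING: Bad LLC header
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header
116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP
116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP
116 || 160 || snort_decoder: WARNING: GRE header length > payload length
116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet
116 || 162 || snort_decoder: WARNING: Invalid GRE version
116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header
116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header
116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length
116 || 170 || snort_decoder: WARNING: Bad MPLS Frame
116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header
116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header
116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header
116 || 174 || snort_decoder: WARNING: Bad use of label 3
116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. or 15 Appears in Header
116 || 176 || snort_decoder: WARNING: Too Many MPLS headers
116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated
116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4
116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length
116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits
116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes
116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0
116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit
116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6
116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header
116 || 273 || snort_decoder: WARNING: IPV6 truncated header
116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len
116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len
116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0
116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address
116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address
116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type
116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value
116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field
116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header
116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers
116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280
116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code
116 || 287 || snort_decoder: WARNING: ICMPv6 router solicitation packet with a code not equal to 0
116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0
116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0
116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour
116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack
116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header
116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present
116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header
116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header.
116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers
116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present
116 || 298 || snort_decoder: WARNING: GTP header length is invalid
116 || 300 || snort_decoder: WARNING: Too many levels for decoding
116 || 400 || snort_decoder: WARNING: XMAS Attack Detected
116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected
116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected
116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address
116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL
116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set)
116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero
116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum
116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address
116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address
116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address
116 || 411 || snort_decoder: WARNING: IPV4 packet from reserved source address
116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address
116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address
116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address
116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address
116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address
116 || 417 || snort_decoder: WARNING: ICMP4 source quence
116 || 418 || snort_decoder: WARNING: ICMP4 type other
116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload
116 || 420 || snort_decoder: WARNING: TCP SYN with FIN
116 || 421 || snort_decoder: WARNING: TCP SYN with RST
116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session
116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST
116 || 424 || snort_decoder: WARNING: truncated eth header
116 || 425 || snort_decoder: WARNING: truncated IP4 header
116 || 426 || snort_decoder: WARNING: truncated ICMP4 header
116 || 427 || snort_decoder: WARNING: truncated ICMP6 header
116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit
116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit
116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set
116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded
116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address
116 || 433 || snort_decoder: WARNING: DDOS shaft synflood
116 || 434 || snort_decoder: WARNING: ICMP PING NMAP
116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1
116 || 436 || snort_decoder: WARNING: ICMP redirect host
116 || 437 || snort_decoder: WARNING: ICMP redirect net
116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts
116 || 439 || snort_decoder: WARNING: ICMP Source Quench
116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner
116 || 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited
116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited
116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited
116 || 444 || snort_decoder: WARNING: MISC IP option set
116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet
116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic
116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic
116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set
116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol
116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol
116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt
116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt
116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof
116 || 454 || snort_decoder: WARNING: PGM NAK overflow
116 || 455 || snort_decoder: WARNING: IGMP options dos
116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers
116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code
116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. Possible BSD attack
116 || 459 || snort_decoder: WARNING: zero length fragment
116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2
116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header
116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch
116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length
116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length
116 || 467 || snort_decoder: WARNING: truncated FabricPath header
117 || 1 || spp_portscan2: Portscan detected
118 || 1 || spp_conversation: Bad IP protocol
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
119 || 5 || http_inspect: BASE36 ENCODING
119 || 6 || http_inspect: UTF-8 ENCODING
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
119 || 8 || http_inspect: MULTI_SLASH ENCODING
119 || 9 || http_inspect: IIS BACKSLASH EVASION
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL
119 || 19 || http_inspect: LONG HEADER
119 || 20 || http_inspect: MAX HEADERS
119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS
119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED
119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER
119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED
119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS
119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION
119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS
119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION
119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT
119 || 31 || http_inspect: UNKNOWN METHOD
119 || 32 || http_inspect: SIMPLE REQUEST
119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI
119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS
119 || 36 || http_inspect: INVALID RANGE UNIT FORMAT
119 || 37 || http_inspect: RANGE FIELD PRESENT IN NON GET METHOD
119 || 38 || http_inspect: ERROR IN RANGE FIELD OF REQUEST HEADER
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE
120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET
120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED
120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS
120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE
120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED
120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA
120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE
120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE
120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE
120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES
120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION
120 || 17 || http_inspect: PDF FILE PARSE FAILURE
120 || 18 || http_inspect: PROTOCOL-OTHER HTTP server response before client request
120 || 19 || http_inspect: MULTIPLE CONTENT LENGTH IN HTTP RESPONSE
120 || 20 || http_inspect: MULTIPLE CONTENT ENCODING IN HTTP RESPONSE
120 || 21 || http_inspect: MULTIPLE COLON BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
120 || 22 || http_inspect: INVALID CHARACTER BETWEEN KEY AND VALUE IN HTTP RESPONSE HEADER
120 || 23 || http_inspect: TRANSFER ENCODING:CHUNKED IN HTTP 1.0 REQUEST/RESPONSE HEADER
120 || 24 || http_inspect: PARTIAL DECOMPRESSION FAILURE IN HTTP RESPONSE BODY
120 || 25 || http_inspect: INVALID HEADER FOLDING
120 || 26 || http_inspect: JUNK LINE BEFORE HTTP RESPONSE HEADER
120 || 27 || http_inspect: NO END OF HEADER IN HTTP RESPONSE
120 || 28 || http_inspect: INVALID CHUNK SIZE OR CHUNK SIZE FOLLOWED BY JUNK CHARACTERS
120 || 29 || http_inspect: INVALID VERSION IN HTTP RESPONSE HEADER
120 || 30 || http_inspect: INVALID CONTENT RANGE UNIT FORMAT
120 || 31 || http_inspect: ERROR IN RANGE FIELD OF RESPONSE HEADER
120 || 32 || http_inspect: RANGE FIELD NOT PRESENT IN GET METHOD, BUT RESPONSE WITH PARTIAL CONTENT
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded
122 || 1 || portscan: TCP Portscan
122 || 2 || portscan: TCP Decoy Portscan
122 || 3 || portscan: TCP Portsweep
122 || 4 || portscan: TCP Distributed Portscan
122 || 5 || portscan: TCP Filtered Portscan
122 || 6 || portscan: TCP Filtered Decoy Portscan
122 || 7 || portscan: TCP Filtered Portsweep
122 || 8 || portscan: TCP Filtered Distributed Portscan
122 || 9 || portscan: IP Protocol Scan
122 || 10 || portscan: IP Decoy Protocol Scan
122 || 11 || portscan: IP Protocol Sweep
122 || 12 || portscan: IP Distributed Protocol Scan
122 || 13 || portscan: IP Filtered Protocol Scan
122 || 14 || portscan: IP Filtered Decoy Protocol Scan
122 || 15 || portscan: IP Filtered Protocol Sweep
122 || 16 || portscan: IP Filtered Distributed Protocol Scan
122 || 17 || portscan: UDP Portscan
122 || 18 || portscan: UDP Decoy Portscan
122 || 19 || portscan: UDP Portsweep
122 || 20 || portscan: UDP Distributed Portscan
122 || 21 || portscan: UDP Filtered Portscan
122 || 22 || portscan: UDP Filtered Decoy Portscan
122 || 23 || portscan: UDP Filtered Portsweep
122 || 24 || portscan: UDP Filtered Distributed Portscan
122 || 25 || portscan: ICMP Sweep
122 || 26 || portscan: ICMP Filtered Sweep
122 || 27 || portscan: Open Port
123 || 1 || frag3: IP Options on fragmented packet
123 || 2 || frag3: Teardrop attack
123 || 3 || frag3: Short fragment, possible DoS attempt
123 || 4 || frag3: Fragment packet ends after defragmented packet
123 || 5 || frag3: Zero-byte fragment
123 || 6 || frag3: Bad fragment size, packet size is negative
123 || 7 || frag3: Bad fragment size, packet size is greater than 65536
123 || 8 || frag3: Fragmentation overlap
123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow
123 || 10 || frag3: Bogus fragmentation packet. Possible BSD attack
123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly
123 || 12 || frag3: Number of overlapping fragments exceed configured limit
123 || 13 || frag3: Fragments smaller than configured min_fragment_length
124 || 1 || smtp: Attempted command buffer overflow
124 || 2 || smtp: Attempted data header buffer overflow
124 || 3 || smtp: Attempted response buffer overflow
124 || 4 || smtp: Attempted specific command buffer overflow
124 || 5 || smtp: Unknown command
124 || 6 || smtp: Illegal command
124 || 7 || smtp: Attempted header name buffer overflow
124 || 8 || smtp: Attempted X-Link2State command buffer overflow
124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded.
124 || 10 || smtp: Base64 Decoding failed
124 || 11 || smtp: Quoted-Printable Decoding failed
124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed
124 || 13 || smtp: Unix-to-Unix Decoding failed
124 || 14 || smtp: Cyrus SASL authentication attack
125 || 1 || ftp_pp: Telnet command on FTP command channel
125 || 2 || ftp_pp: Invalid FTP command
125 || 3 || ftp_pp: FTP parameter length overflow
125 || 4 || ftp_pp: FTP malformed parameter
125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter
125 || 6 || ftp_pp: FTP response length overflow
125 || 7 || ftp_pp: FTP command channel encrypted
125 || 8 || ftp_pp: FTP bounce attack
125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel
126 || 1 || telnet_pp: Telnet consecutive AYT overflow
126 || 2 || telnet_pp: Telnet data encrypted
126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End
128 || 1 || ssh: Gobbles exploit
128 || 2 || ssh: SSH1 CRC32 exploit
128 || 3 || ssh: Server version string overflow
128 || 4 || ssh: Protocol mismatch
128 || 5 || ssh: Bad message direction
128 || 6 || ssh: Payload size incorrect for the given payload
128 || 7 || ssh: Failed to detect SSH version string
129 || 1 || stream5: SYN on established session
129 || 2 || stream5: Data on SYN packet
129 || 3 || stream5: Data sent on stream not accepting data
129 || 4 || stream5: TCP Timestamp is outside of PAWS window
129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0
129 || 6 || stream5: Window size (after scaling) larger than policy allows
129 || 7 || stream5: Limit on number of overlapping TCP packets reached
129 || 8 || stream5: Data sent on stream after TCP Reset
129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address
129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address
129 || 11 || stream5: TCP Data with no TCP Flags set
129 || 12 || stream5: TCP Small Segment Threshold Exceeded
129 || 13 || stream5: TCP 4-way handshake detected
129 || 14 || stream5: TCP Timestamp is missing
129 || 15 || stream5: Reset outside window
129 || 16 || stream5: FIN number is greater than prior FIN
129 || 17 || stream5: ACK number is greater than prior FIN
129 || 18 || stream5: Data sent on stream after TCP Reset received
129 || 19 || stream5: TCP window closed before receiving data
129 || 20 || stream5: TCP session without 3-way handshake
130 || 1 || dcerpc: Maximum memory usage reached
131 || 1 || dns: Obsolete DNS RData Type
131 || 2 || dns: Experimental DNS RData Type
131 || 3 || dns: Client RData TXT Overflow
133 || 1 || dcerpc2: Memory cap exceeded
133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type
133 || 3 || dcerpc2: SMB - Bad SMB message type
133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2)
133 || 5 || dcerpc2: SMB - Bad word count or structure size for command
133 || 6 || dcerpc2: SMB - Bad byte count for command
133 || 7 || dcerpc2: SMB - Bad format type for command
133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command
133 || 9 || dcerpc2: SMB - Zero total data count in command
133 || 10 || dcerpc2: SMB - NetBIOS data length less than SMB header length
133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length
133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count
133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size
133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size
133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected
133 || 16 || dcerpc2: SMB - Byte count less than command data size
133 || 17 || dcerpc2: SMB - Invalid command data size for byte count
133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses
133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses
133 || 20 || dcerpc2: SMB - Excessive command chaining
133 || 21 || dcerpc2: SMB - Multiple chained login requests
133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests
133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff
133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect
133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe
133 || 26 || dcerpc2: SMB - Invalid share access
133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version
133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version
133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type
133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size
133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed
133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified
133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified
133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client
133 || 35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size
133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind
133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request
133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request
133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request
133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version
133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type
133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size
133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number
# The next four entries (133 || 44..47) are commented out, so this map
# carries no message text for those alert IDs.
#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen
#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen
#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding
#133 || 47 || dcerpc2: SMB - Excessive command compounding
133 || 48 || dcerpc2: SMB - Zero data count
133 || 49 || dcerpc2: SMB - Data count mismatch
133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded
133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID
133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated
133 || 53 || dcerpc2: SMB - Deprecated command used
133 || 54 || dcerpc2: SMB - Unusual command used
133 || 55 || dcerpc2: SMB - Invalid setup count
133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session
133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system
133 || 58 || dcerpc2: SMB - File offset provided is greater than file size specified
133 || 59 || dcerpc2: SMB - Nextcommand specified in SMB2 header is beyond payload boundary
134 || 1 || ppm: rule tree disabled
134 || 2 || ppm: rule tree enabled
134 || 3 || ppm: packet aborted
135 || 1 || internal: syn received
135 || 2 || internal: session established
135 || 3 || internal: session cleared
136 || 1 || reputation: Packet is blacklisted
136 || 2 || reputation: Packet is whitelisted
137 || 1 || spp_ssl: Invalid Client HELLO after Server HELLO Detected
137 || 2 || spp_ssl: Invalid Server HELLO without Client HELLO Detected
137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected
137 || 4 || spp_ssl: Large Heartbeat Response Detected
138 || 2 || sensitive_data: sensitive data - Credit card numbers
138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes
138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes
138 || 5 || sensitive_data: sensitive data - eMail addresses
138 || 6 || sensitive_data: sensitive data - U.S. phone numbers
139 || 1 || sensitive_data: sensitive data global threshold exceeded
140 || 1 || sip: Maximum sessions reached
140 || 2 || sip: Empty request URI
140 || 3 || sip: URI is too long
140 || 4 || sip: Empty call-Id
140 || 5 || sip: Call-Id is too long
140 || 6 || sip: CSeq number is too large or negative
140 || 7 || sip: Request name in CSeq is too long
140 || 8 || sip: Empty From header
140 || 9 || sip: From header is too long
140 || 10 || sip: Empty To header
140 || 11 || sip: To header is too long
140 || 12 || sip: Empty Via header
140 || 13 || sip: Via header is too long
140 || 14 || sip: Empty Contact
140 || 15 || sip: Contact is too long
140 || 16 || sip: Content length is too large or negative
140 || 17 || sip: Multiple SIP messages in a packet
140 || 18 || sip: Content length mismatch
140 || 19 || sip: Request name is invalid
140 || 20 || sip: Invite replay attack
140 || 21 || sip: Illegal session information modification
140 || 22 || sip: Response status code is not a 3 digit number
140 || 23 || sip: Empty Content type
140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
140 || 25 || sip: Mismatch in Method of request and the CSEQ header
140 || 26 || sip: The method is unknown
140 || 27 || sip: Maximum dialogs in a session reached
141 || 1 || imap: Unknown IMAP4 command
141 || 2 || imap: Unknown IMAP4 response
141 || 3 || imap: No memory available for decoding. Memcap exceeded.
141 || 4 || imap: Base64 Decoding failed
141 || 5 || imap: Quoted-Printable Decoding failed
141 || 6 || imap: Non-Encoded MIME attachment Extraction failed
141 || 7 || imap: Unix-to-Unix Decoding failed
142 || 1 || pop: Unknown POP3 command
142 || 2 || pop: Unknown POP3 response
142 || 3 || pop: No memory available for decoding. Memcap exceeded.
142 || 4 || pop: Base64 Decoding failed
142 || 5 || pop: Quoted-Printable Decoding failed
142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
142 || 7 || pop: Unix-to-Unix Decoding failed
143 || 1 || gtp: Message length is invalid
143 || 2 || gtp: Information element length is invalid
143 || 3 || gtp: Information elements are out of order
144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
144 || 2 || modbus: Modbus protocol ID is non-zero.
144 || 3 || modbus: Reserved Modbus function code in use.
145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.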