diff --git a/README.md b/README.md index f5c0e33..1c85c31 100644 --- a/README.md +++ b/README.md @@ -21,7 +21,6 @@ A collection of delicious docker recipes. - [ ] caddy - [ ] dsniff - [ ] ettercap -- [ ] freegeoip - [ ] freelan - [ ] gitbook - [ ] gitolite @@ -32,8 +31,6 @@ A collection of delicious docker recipes. - [ ] libreswan - [ ] mitmproxy - [ ] nagios -- [ ] nfs -- [ ] openldap - [ ] openswan - [ ] postfix - [ ] pritunl @@ -46,8 +43,12 @@ A collection of delicious docker recipes. ## Big Data +- [x] airflow +- [x] ambari - [x] kafka-arm - [x] kafka-manager +- [x] prestodb (official) +- [x] prestosql (community) - [x] superset-arm - [x] zookeeper-arm @@ -70,11 +71,13 @@ A collection of delicious docker recipes. ## Daemon - [x] alpine-arm :+1: +- [x] apacheds - [x] aria2 :+1: - [x] audiowaveform - [x] cadvisor - [x] casperjs :+1: - [x] collectd +- [x] freegeoip - [x] freeradius - [x] frp :cn: - [x] graphite @@ -91,10 +94,12 @@ A collection of delicious docker recipes. - [x] motion-arm :+1: - [x] nginx - [x] nifi +- [x] ntopng - [x] nullmailer - [x] nullmailer-arm - [x] openhab - [x] openssh +- [x] ot-frontend-arm - [x] ot-recorder - [x] ot-recorder-arm - [x] piknik @@ -161,7 +166,6 @@ A collection of delicious docker recipes. - [x] json-server - [x] mantisbt - [x] mediagoblin -- [x] netdata - [x] nginad - [x] nodebb :+1: - [x] openrefine @@ -180,6 +184,7 @@ A collection of delicious docker recipes. ## Security +- [x] aircrack-ng-arm - [x] bro - [x] clamav - [x] dsniff @@ -187,6 +192,7 @@ A collection of delicious docker recipes. - [x] grr - [x] hydra - [x] iptables +- [x] kismet - [x] routersploit - [x] snort :beetle: - [x] sslsplit @@ -200,7 +206,9 @@ A collection of delicious docker recipes. - [x] fteproxy-arm :+1: - [x] hans - [x] haproxy-arm +- [x] i2pd :ru: - [x] kcptun :cn: +- [x] mtproxy - [x] mysql-proxy - [x] ngrok :+1: - [x] obfsproxy 
@@ -223,6 +231,7 @@ A collection of delicious docker recipes. ## VPN +- [x] n2n :+1: - [x] ocserv :+1: - [x] openconnect - [x] openconnect-arm @@ -234,6 +243,7 @@ A collection of delicious docker recipes. - [x] strongswan :+1: - [x] tinc :+1: - [x] tinc-arm :+1: +- [x] wiregurad :beetle: - [x] xl2tpd ## DNS @@ -248,50 +258,75 @@ A collection of delicious docker recipes. ## 3rd-party +- [x] docker.bintray.io/jfrog/artifactory-oss - [x] tutum/builder +- [x] browserless/chrome - [x] certbot +- [x] codercom/code-server +- [x] confluentinc/cp-kafka-mqtt +- [x] confluentinc/cp-kafka-rest +- [x] streamsets/datacollector - [x] cachethq/docker -- [x] puckel/docker-airflow - [x] drone/drone - [x] drupal - [x] elastalert - [x] elk +- [x] flogo/flogo-docker +- [x] mher/flower - [x] ghost - [x] gitlab/gitlab-ce +- [x] atlassianlabs/gostatsd +- [x] gitea/gitea :cn: - [x] gliderlabs/logspout - [x] gliderlabs/registrator - [ ] glot - [ ] bash - [ ] python -- [x] gogs :cn: +- [x] gogs/gogs :cn: - [x] haproxy +- [x] jmxtrans/jmxtrans - [x] wurstmeister/kafka +- [x] netdata/netdata - [x] nextcloud +- [x] sonatype/nexus3 - [x] jazzdd/phpvirtualbox - [x] jenkins +- [x] sonatype/nexus3 - [x] jupyter/notebook - [x] kylemanna/openvpn +- [x] metabase/metabase - [x] metasploitframework/metasploit-framework :skull: - [x] minio/minio - [x] mongo - [x] neo4j +- [x] erichough/nfs-server - [x] odoo +- [x] osixia/openldap +- [x] campbellsoftwaresolutions/osticket - [x] owncloud - [x] phpmyadmin +- [x] pihole/pihole - [x] portainer/portainer :+1: - [x] postgres +- [x] postgrest/postgrest - [x] registry - [x] rocket.chat -- [x] scrapinghub/splash +- [x] rundeck/rundeck +- [x] wonderfall/searx - [ ] selenium - [ ] hub - [ ] node-firefox - [x] standalone-firefox +- [x] sentry +- [x] scrapinghub/splash - [x] amancevice/superset - [x] v2ray/official :cn: - [x] centurylink/watchtower +- [x] anapsix/webdis - [x] wekanteam/wekan +- [x] yourls - [x] zookeeper +- [x] elkozmon/zoonavigator ## auto-completion 
diff --git a/aircrack-ng-arm/Dockerfile b/aircrack-ng-arm/Dockerfile new file mode 100644 index 0000000..6e27e97 --- /dev/null +++ b/aircrack-ng-arm/Dockerfile @@ -0,0 +1,9 @@ +# +# Dockerfile for aircrack-ng-arm +# + +FROM easypi/alpine-arm + +RUN apk add --no-cache aircrack-ng bash coreutils tmux + +ENTRYPOINT ["sleep", "inf"] diff --git a/aircrack-ng-arm/README.md b/aircrack-ng-arm/README.md new file mode 100644 index 0000000..a2d8559 --- /dev/null +++ b/aircrack-ng-arm/README.md @@ -0,0 +1,13 @@ +aircrack-ng +=========== + +```bash +$ docker-compose up -d +$ docker-compose exec aircrack bash +>>> airmon-ng +>>> airmon-ng start wlan1 +>>> ifconfig +>>> airodump-ng wlan1mon +>>> airmon-ng stop wlan1mon +>>> exit +``` diff --git a/aircrack-ng-arm/docker-compose.yml b/aircrack-ng-arm/docker-compose.yml new file mode 100644 index 0000000..8affd7c --- /dev/null +++ b/aircrack-ng-arm/docker-compose.yml @@ -0,0 +1,7 @@ +aircrack: + image: easypi/aircrack-ng-arm + cap_add: + - NET_ADMIN + net: host + tty: true + restart: unless-stopped diff --git a/airflow/Dockerfile b/airflow/Dockerfile new file mode 100644 index 0000000..c4f41c1 --- /dev/null +++ b/airflow/Dockerfile 
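Review bot: `FROM easypi/alpine-arm` carries no tag or digest and the `apk add` line pins no package versions, so two builds of this Dockerfile can yield different images and there is no way to tell from the file which aircrack-ng build a running container holds. Pinning the base by digest (`FROM easypi/alpine-arm@sha256:<digest-placeholder>`) or at least by an explicit tag, and noting the apk versions the image was tested with, keeps the image reproducible and reviewable. A header comment such as `# Pin base image and package versions before publishing; see README for usage` would record that expectation for the next maintainer.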
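Review bot: `net: host` combined with `cap_add: NET_ADMIN` gives this long-running container (`sleep inf` entrypoint, `restart: unless-stopped`) the ability to reconfigure the host's network interfaces, and nothing in the file says why both are required. A comment next to the two settings, e.g. `# host network + NET_ADMIN: presumably needed so airmon-ng can drive the host wireless interface (see README)`, makes the exposure explicit and discourages widening it further. `net:` is also the legacy v1 compose key; `network_mode: host` in a versioned compose file is the current form.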
@@ -0,0 +1,43 @@
+#
+# Dockerfile for airflow
+#
+
+FROM python:3.7-alpine
+
+ENV AIRFLOW_VERSION=1.10.5
+ENV AIRFLOW_EXTRAS=async,all_dbs,celery,crypto,devel_hadoop,jdbc,ldap,password,redis,s3,samba,slack,ssh,statsd
+ENV AIRFLOW_HOME=/opt/airflow
+ENV AIRFLOW_CONFIG=/opt/airflow/airflow.cfg
+
+RUN set -xe \
+&& apk add --no-cache \
+build-base \
+cyrus-sasl-dev \
+freetds \
+freetds-dev \
+krb5-dev \
+libffi-dev \
+mariadb-dev \
+postgresql-dev \
+python3-dev \
+&& pip install cython numpy psycopg2-binary \
+&& pip install apache-airflow[${AIRFLOW_EXTRAS}]==${AIRFLOW_VERSION} \
+&& pip install "websocket-client>=0.35,<0.55.0" \
+&& apk del \
+build-base \
+cyrus-sasl-dev \
+freetds-dev \
+krb5-dev \
+libffi-dev \
+mariadb-dev \
+postgresql-dev \
+python3-dev \
+&& rm -rf /root/.cache/pip
+
+WORKDIR ${AIRFLOW_HOME}
+VOLUME ${AIRFLOW_HOME}
+
+EXPOSE 8080
+
+ENTRYPOINT ["airflow"]
+CMD ["--help"]
diff --git a/airflow/README.md b/airflow/README.md
index 531e131..4883433 100644
--- a/airflow/README.md
+++ b/airflow/README.md
@@ -1,6 +1,8 @@
 airflow
 =======
 
+![](https://airflow.apache.org/_images/pin_large.png)
+
 ## How It Works
 
 ```
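Review bot: The image never drops root: there is no `USER` instruction, so every airflow process started through `ENTRYPOINT ["airflow"]` runs as uid 0 inside the container and the `VOLUME ${AIRFLOW_HOME}` mount is written as root. Adding a dedicated account after the install, `RUN adduser -D -h ${AIRFLOW_HOME} airflow && chown -R airflow ${AIRFLOW_HOME}` before `WORKDIR` and `USER airflow` before the entrypoint, limits what a misbehaving DAG or task can do to the container. Note also that `AIRFLOW_CONFIG` points at `/opt/airflow/airflow.cfg`, and the `airflow/data/airflow.cfg` added by this same commit carries a literal `fernet_key` (the same value the README prints as sample output) and `secret_key = temporary_key`; those should be generated per deployment rather than checked in. Separately, `pip install --no-cache-dir` would make the trailing `rm -rf /root/.cache/pip` unnecessary.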
@@ -20,13 +22,31 @@ airflow
 ## Quick Start
 
 ```bash
-# On Master
-$ docker-compose up -d
-$ chmod 777 data/airflow/dags
-$ docker-compose exec webserver cp -r /usr/local/lib/python3.6/site-packages/airflow/example_dags dags
+$ docker stack deploy -c docker-stack.yaml airflow
+$ docker service update --replicas-max-per-node=1 airflow_worker
+$ docker service update --replicas 3 airflow_worker
 
-# On Workers
-$ docker-compose up -d
-$ chmod 777 data/airflow/dags
-$ docker-compose exec worker cp -r /usr/local/lib/python3.6/site-packages/airflow/example_dags dags
+$ docker stack services airflow
+$ docker service ps airflow_webserver
+$ docker exec -it airflow_webserver.1.xxxxxx sh
+>>> airflow create_user -r Admin -u admin -e admin@borderxlab.com -f Super -l Admin -p secret
+>>> airflow list_users
+╒══════╤════════════╤══════════════════════╤══════════════╤═════════════╤═════════╕
+│ Id │ Username │ Email │ First name │ Last name │ Roles │
+╞══════╪════════════╪══════════════════════╪══════════════╪═════════════╪═════════╡
+│ 1 │ admin │ admin@borderxlab.com │ Super │ Admin │ [Admin] │
+╘══════╧════════════╧══════════════════════╧══════════════╧═════════════╧═════════╛
+>>> exit
+
+$ curl http://localhost:8080/
+$ curl http://localhost:5555/
 ```
+
+> :warning: You need to prepare nfs server with `airflow.cfg`.
+
+```
+$ python -c 'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())'
+CD2wL7G0zt1SLuO4JQpLJuHtBaBEcXWKbQyvkvf2cZ8=
+```
+
+> :warning: You should set another value to `fernet_key` in `airflow.cfg` to improve security.
diff --git a/airflow/data/airflow.cfg b/airflow/data/airflow.cfg
new file mode 100644
index 0000000..265ed4d
--- /dev/null
+++ b/airflow/data/airflow.cfg
@@ -0,0 +1,829 @@ +[core] +# The folder where your airflow pipelines live, most likely a +# subfolder in a code repository +# This path must be absolute +dags_folder = /opt/airflow/dags + +# The folder where airflow should store its log files +# This path must be absolute +base_log_folder = /opt/airflow/logs + +# Airflow can store logs remotely in AWS S3, Google Cloud Storage or Elastic Search. +# Users must supply an Airflow connection id that provides access to the storage +# location. If remote_logging is set to true, see UPDATING.md for additional +# configuration requirements. +remote_logging = False +remote_log_conn_id = +remote_base_log_folder = +encrypt_s3_logs = False + +# Logging level +logging_level = INFO +fab_logging_level = WARN + +# Logging class +# Specify the class that will specify the logging configuration +# This class has to be on the python classpath +# logging_config_class = my.path.default_local_settings.LOGGING_CONFIG +logging_config_class = + +# Log format +# Colour the logs when the controlling terminal is a TTY. +colored_console_log = True +colored_log_format = [%%(blue)s%%(asctime)s%%(reset)s] {%%(blue)s%%(filename)s:%%(reset)s%%(lineno)d} %%(log_color)s%%(levelname)s%%(reset)s - %%(log_color)s%%(message)s%%(reset)s +colored_formatter_class = airflow.utils.log.colored_log.CustomTTYColoredFormatter + +log_format = [%%(asctime)s] {%%(filename)s:%%(lineno)d} %%(levelname)s - %%(message)s +simple_log_format = %%(asctime)s %%(levelname)s - %%(message)s + +# Log filename format +log_filename_template = {{ ti.dag_id }}/{{ ti.task_id }}/{{ ts }}/{{ try_number }}.log +log_processor_filename_template = {{ filename }}.log +dag_processor_manager_log_location = /opt/airflow/logs/dag_processor_manager/dag_processor_manager.log + +# Hostname by providing a path to a callable, which will resolve the hostname +# The format is "package:function". 
For example, +# default value "socket:getfqdn" means that result from getfqdn() of "socket" package will be used as hostname +# No argument should be required in the function specified. +# If using IP address as hostname is preferred, use value "airflow.utils.net:get_host_ip_address" +hostname_callable = socket:getfqdn + +# Default timezone in case supplied date times are naive +# can be utc (default), system, or any IANA timezone string (e.g. Europe/Amsterdam) +default_timezone = utc + +# The executor class that airflow should use. Choices include +# SequentialExecutor, LocalExecutor, CeleryExecutor, DaskExecutor, KubernetesExecutor +executor = CeleryExecutor + +# The SqlAlchemy connection string to the metadata database. +# SqlAlchemy supports many different database engine, more information +# their website +sql_alchemy_conn = postgresql+psycopg2://airflow:airflow@postges:5432/airflow + +# The encoding for the databases +sql_engine_encoding = utf-8 + +# If SqlAlchemy should pool database connections. +sql_alchemy_pool_enabled = True + +# The SqlAlchemy pool size is the maximum number of database connections +# in the pool. 0 indicates no limit. +sql_alchemy_pool_size = 5 + +# The maximum overflow size of the pool. +# When the number of checked-out connections reaches the size set in pool_size, +# additional connections will be returned up to this limit. +# When those additional connections are returned to the pool, they are disconnected and discarded. +# It follows then that the total number of simultaneous connections the pool will allow is pool_size + max_overflow, +# and the total number of "sleeping" connections the pool will allow is pool_size. +# max_overflow can be set to -1 to indicate no overflow limit; +# no limit will be placed on the total number of concurrent connections. Defaults to 10. +sql_alchemy_max_overflow = 10 + +# The SqlAlchemy pool recycle is the number of seconds a connection +# can be idle in the pool before it is invalidated. 
This config does +# not apply to sqlite. If the number of DB connections is ever exceeded, +# a lower config value will allow the system to recover faster. +sql_alchemy_pool_recycle = 1800 + +# How many seconds to retry re-establishing a DB connection after +# disconnects. Setting this to 0 disables retries. +sql_alchemy_reconnect_timeout = 300 + +# The schema to use for the metadata database +# SqlAlchemy supports databases with the concept of multiple schemas. +sql_alchemy_schema = + +# The amount of parallelism as a setting to the executor. This defines +# the max number of task instances that should run simultaneously +# on this airflow installation +parallelism = 32 + +# The number of task instances allowed to run concurrently by the scheduler +dag_concurrency = 16 + +# Are DAGs paused by default at creation +dags_are_paused_at_creation = True + +# The maximum number of active DAG runs per DAG +max_active_runs_per_dag = 16 + +# Whether to load the examples that ship with Airflow. It's good to +# get started, but you probably want to set this to False in a production +# environment +load_examples = False + +# Where your Airflow plugins are stored +plugins_folder = /opt/airflow/plugins + +# Secret key to save connection passwords in the db +fernet_key = CD2wL7G0zt1SLuO4JQpLJuHtBaBEcXWKbQyvkvf2cZ8= + +# Whether to disable pickling dags +donot_pickle = False + +# How long before timing out a python file import while filling the DagBag +dagbag_import_timeout = 30 + +# The class to use for running task instances in a subprocess +task_runner = StandardTaskRunner + +# If set, tasks without a `run_as_user` argument will be run with this user +# Can be used to de-elevate a sudo user running Airflow when executing tasks +default_impersonation = + +# What security module to use (for example kerberos): +security = + +# If set to False enables some unsecure features like Charts and Ad Hoc Queries. +# In 2.0 will default to True. 
+secure_mode = False + +# Turn unit test mode on (overwrites many configuration options with test +# values at runtime) +unit_test_mode = False + +# Name of handler to read task instance logs. +# Default to use task handler. +task_log_reader = task + +# Whether to enable pickling for xcom (note that this is insecure and allows for +# RCE exploits). This will be deprecated in Airflow 2.0 (be forced to False). +enable_xcom_pickling = True + +# When a task is killed forcefully, this is the amount of time in seconds that +# it has to cleanup after it is sent a SIGTERM, before it is SIGKILLED +killed_task_cleanup_time = 60 + +# Whether to override params with dag_run.conf. If you pass some key-value pairs through `airflow backfill -c` or +# `airflow trigger_dag -c`, the key-value pairs will override the existing ones in params. +dag_run_conf_overrides_params = False + +# Worker initialisation check to validate Metadata Database connection +worker_precheck = False + +# When discovering DAGs, ignore any files that don't contain the strings `DAG` and `airflow`. +dag_discovery_safe_mode = True + + +[cli] +# In what way should the cli access the API. The LocalClient will use the +# database directly, while the json_client will use the api running on the +# webserver +api_client = airflow.api.client.local_client + +# If you set web_server_url_prefix, do NOT forget to append it here, ex: +# endpoint_url = http://localhost:8080/myroot +# So api will look like: http://localhost:8080/myroot/api/experimental/... 
+endpoint_url = http://localhost:8080 + +[api] +# How to authenticate users of the API +auth_backend = airflow.api.auth.backend.default + +[lineage] +# what lineage backend to use +backend = + +[atlas] +sasl_enabled = False +host = +port = 21000 +username = +password = + +[operators] +# The default owner assigned to each new operator, unless +# provided explicitly or passed via `default_args` +default_owner = airflow +default_cpus = 1 +default_ram = 512 +default_disk = 512 +default_gpus = 0 + +[hive] +# Default mapreduce queue for HiveOperator tasks +default_hive_mapred_queue = + +[webserver] +# The base url of your website as airflow cannot guess what domain or +# cname you are using. This is used in automated emails that +# airflow sends to point links to the right web server +base_url = http://localhost:8080 + +# The ip specified when starting the web server +web_server_host = 0.0.0.0 + +# The port on which to run the web server +web_server_port = 8080 + +# Paths to the SSL certificate and key for the web server. When both are +# provided SSL will be enabled. This does not change the web server port. +web_server_ssl_cert = +web_server_ssl_key = + +# Number of seconds the webserver waits before killing gunicorn master that doesn't respond +web_server_master_timeout = 120 + +# Number of seconds the gunicorn webserver waits before timing out on a worker +web_server_worker_timeout = 120 + +# Number of workers to refresh at a time. When set to 0, worker refresh is +# disabled. When nonzero, airflow periodically refreshes webserver workers by +# bringing up new ones and killing old ones. +worker_refresh_batch_size = 1 + +# Number of seconds to wait before refreshing a batch of workers. +worker_refresh_interval = 30 + +# Secret key used to run your flask app +secret_key = temporary_key + +# Number of workers to run the Gunicorn web server +workers = 4 + +# The worker class gunicorn should use. 
Choices include +# sync (default), eventlet, gevent +worker_class = sync + +# Log files for the gunicorn webserver. '-' means log to stderr. +access_logfile = - +error_logfile = - + +# Expose the configuration file in the web server +# This is only applicable for the flask-admin based web UI (non FAB-based). +# In the FAB-based web UI with RBAC feature, +# access to configuration is controlled by role permissions. +expose_config = False + +# Set to true to turn on authentication: +# https://airflow.apache.org/security.html#web-authentication +authenticate = False + +# Filter the list of dags by owner name (requires authentication to be enabled) +filter_by_owner = False + +# Filtering mode. Choices include user (default) and ldapgroup. +# Ldap group filtering requires using the ldap backend +# +# Note that the ldap server needs the "memberOf" overlay to be set up +# in order to user the ldapgroup mode. +owner_mode = user + +# Default DAG view. Valid values are: +# tree, graph, duration, gantt, landing_times +dag_default_view = tree + +# Default DAG orientation. Valid values are: +# LR (Left->Right), TB (Top->Bottom), RL (Right->Left), BT (Bottom->Top) +dag_orientation = LR + +# Puts the webserver in demonstration mode; blurs the names of Operators for +# privacy. +demo_mode = False + +# The amount of time (in secs) webserver will wait for initial handshake +# while fetching logs from other worker machine +log_fetch_timeout_sec = 5 + +# By default, the webserver shows paused DAGs. 
Flip this to hide paused +# DAGs by default +hide_paused_dags_by_default = False + +# Consistent page size across all listing views in the UI +page_size = 100 + +# Use FAB-based webserver with RBAC feature +rbac = True + +# Define the color of navigation bar +navbar_color = #007A87 + +# Default dagrun to show in UI +default_dag_run_display_number = 25 + +# Enable werkzeug `ProxyFix` middleware +enable_proxy_fix = False + +# Set secure flag on session cookie +cookie_secure = False + +# Set samesite policy on session cookie +cookie_samesite = + +# Default setting for wrap toggle on DAG code and TI log views. +default_wrap = False + +# Send anonymous user activity to your analytics tool +# analytics_tool = # choose from google_analytics, segment, or metarouter +# analytics_id = XXXXXXXXXXX + +[email] +email_backend = airflow.utils.email.send_email_smtp + + +[smtp] +# If you want airflow to send emails on retries, failure, and you want to use +# the airflow.utils.email.send_email_smtp function, you have to configure an +# smtp server here +smtp_host = localhost +smtp_starttls = True +smtp_ssl = False +# Uncomment and set the user/pass settings if you want to use SMTP AUTH +# smtp_user = airflow +# smtp_password = airflow +smtp_port = 25 +smtp_mail_from = airflow@example.com + + +[celery] +# This section only applies if you are using the CeleryExecutor in +# [core] section above + +# The app name that will be used by celery +celery_app_name = airflow.executors.celery_executor + +# The concurrency that will be used when starting workers with the +# "airflow worker" command. This defines the number of task instances that +# a worker will take, so size up your workers based on the resources on +# your worker box and the nature of your tasks +worker_concurrency = 16 + +# The maximum and minimum concurrency that will be used when starting workers with the +# "airflow worker" command (always keep minimum processes, but grow to maximum if necessary). 
+# Note the value should be "max_concurrency,min_concurrency" +# Pick these numbers based on resources on worker box and the nature of the task. +# If autoscale option is available, worker_concurrency will be ignored. +# http://docs.celeryproject.org/en/latest/reference/celery.bin.worker.html#cmdoption-celery-worker-autoscale +# worker_autoscale = 16,12 + +# When you start an airflow worker, airflow starts a tiny web server +# subprocess to serve the workers local log files to the airflow main +# web server, who then builds pages and sends them to users. This defines +# the port on which the logs are served. It needs to be unused, and open +# visible from the main web server to connect into the workers. +worker_log_server_port = 8793 + +# The Celery broker URL. Celery supports RabbitMQ, Redis and experimentally +# a sqlalchemy database. Refer to the Celery documentation for more +# information. +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#broker-settings +broker_url = redis://redis:6379/1 + +# The Celery result_backend. When a job finishes, it needs to update the +# metadata of the job. Therefore it will post a message on a message bus, +# or insert it into a database (depending of the backend) +# This status is used by the scheduler to update the state of the task +# The use of a database is highly recommended +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#task-result-backend-settings +result_backend = db+postgresql://airflow:airflow@postges/airflow + +# Celery Flower is a sweet UI for Celery. Airflow has a shortcut to start +# it `airflow flower`. 
This defines the IP that Celery Flower runs on +flower_host = 0.0.0.0 + +# The root URL for Flower +# Ex: flower_url_prefix = /flower +flower_url_prefix = + +# This defines the port that Celery Flower runs on +flower_port = 5555 + +# Securing Flower with Basic Authentication +# Accepts user:password pairs separated by a comma +# Example: flower_basic_auth = user1:password1,user2:password2 +flower_basic_auth = + +# Default queue that tasks get assigned to and that worker listen on. +default_queue = default + +# How many processes CeleryExecutor uses to sync task state. +# 0 means to use max(1, number of cores - 1) processes. +sync_parallelism = 0 + +# Import path for celery configuration options +celery_config_options = airflow.config_templates.default_celery.DEFAULT_CELERY_CONFIG + +# In case of using SSL +ssl_active = False +ssl_key = +ssl_cert = +ssl_cacert = + +# Celery Pool implementation. +# Choices include: prefork (default), eventlet, gevent or solo. +# See: +# https://docs.celeryproject.org/en/latest/userguide/workers.html#concurrency +# https://docs.celeryproject.org/en/latest/userguide/concurrency/eventlet.html +pool = prefork + +[celery_broker_transport_options] +# This section is for specifying options which can be passed to the +# underlying celery broker transport. See: +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#std:setting-broker_transport_options + +# The visibility timeout defines the number of seconds to wait for the worker +# to acknowledge the task before the message is redelivered to another worker. +# Make sure to increase the visibility timeout to match the time of the longest +# ETA you're planning to use. +# +# visibility_timeout is only supported for Redis and SQS celery brokers. 
+# See: +# http://docs.celeryproject.org/en/master/userguide/configuration.html#std:setting-broker_transport_options +# +#visibility_timeout = 21600 + +[dask] +# This section only applies if you are using the DaskExecutor in +# [core] section above + +# The IP address and port of the Dask cluster's scheduler. +cluster_address = 127.0.0.1:8786 +# TLS/ SSL settings to access a secured Dask scheduler. +tls_ca = +tls_cert = +tls_key = + + +[scheduler] +# Task instances listen for external kill signal (when you clear tasks +# from the CLI or the UI), this defines the frequency at which they should +# listen (in seconds). +job_heartbeat_sec = 5 + +# The scheduler constantly tries to trigger new tasks (look at the +# scheduler section in the docs for more information). This defines +# how often the scheduler should run (in seconds). +scheduler_heartbeat_sec = 5 + +# after how much time should the scheduler terminate in seconds +# -1 indicates to run continuously (see also num_runs) +run_duration = -1 + +# after how much time (seconds) a new DAGs should be picked up from the filesystem +min_file_process_interval = 0 + +# How often (in seconds) to scan the DAGs directory for new files. Default to 5 minutes. +dag_dir_list_interval = 300 + +# How often should stats be printed to the logs +print_stats_interval = 30 + +# If the last scheduler heartbeat happened more than scheduler_health_check_threshold ago (in seconds), +# scheduler is considered unhealthy. +# This is used by the health check in the "/health" endpoint +scheduler_health_check_threshold = 30 + +child_process_log_directory = /opt/airflow/logs/scheduler + +# Local task jobs periodically heartbeat to the DB. If the job has +# not heartbeat in this many seconds, the scheduler will mark the +# associated task instance as failed and will re-schedule the task. +scheduler_zombie_task_threshold = 300 + +# Turn off scheduler catchup by setting this to False. 
+# Default behavior is unchanged and +# Command Line Backfills still work, but the scheduler +# will not do scheduler catchup if this is False, +# however it can be set on a per DAG basis in the +# DAG definition (catchup) +catchup_by_default = True + +# This changes the batch size of queries in the scheduling main loop. +# If this is too high, SQL query performance may be impacted by one +# or more of the following: +# - reversion to full table scan +# - complexity of query predicate +# - excessive locking +# +# Additionally, you may hit the maximum allowable query length for your db. +# +# Set this to 0 for no limit (not advised) +max_tis_per_query = 512 + +# Statsd (https://github.com/etsy/statsd) integration settings +statsd_on = False +statsd_host = localhost +statsd_port = 8125 +statsd_prefix = airflow + +# The scheduler can run multiple threads in parallel to schedule dags. +# This defines how many threads will run. +max_threads = 2 + +authenticate = False + +# Turn off scheduler use of cron intervals by setting this to False. +# DAGs submitted manually in the web UI or with trigger_dag will still run. +use_job_schedule = True + +[ldap] +# set this to ldaps://: +uri = +user_filter = objectClass=* +user_name_attr = uid +group_member_attr = memberOf +superuser_filter = +data_profiler_filter = +bind_user = cn=Manager,dc=example,dc=com +bind_password = insecure +basedn = dc=example,dc=com +cacert = /etc/ca/ldap_ca.crt +search_scope = LEVEL + +# This setting allows the use of LDAP servers that either return a +# broken schema, or do not return a schema. +ignore_malformed_schema = False + +[mesos] +# Mesos master address which MesosExecutor will connect to. 
+master = localhost:5050 + +# The framework name which Airflow scheduler will register itself as on mesos +framework_name = Airflow + +# Number of cpu cores required for running one task instance using +# 'airflow run --local -p ' +# command on a mesos slave +task_cpu = 1 + +# Memory in MB required for running one task instance using +# 'airflow run --local -p ' +# command on a mesos slave +task_memory = 256 + +# Enable framework checkpointing for mesos +# See http://mesos.apache.org/documentation/latest/slave-recovery/ +checkpoint = False + +# Failover timeout in milliseconds. +# When checkpointing is enabled and this option is set, Mesos waits +# until the configured timeout for +# the MesosExecutor framework to re-register after a failover. Mesos +# shuts down running tasks if the +# MesosExecutor framework fails to re-register within this timeframe. +# failover_timeout = 604800 + +# Enable framework authentication for mesos +# See http://mesos.apache.org/documentation/latest/configuration/ +authenticate = False + +# Mesos credentials, if authentication is enabled +# default_principal = admin +# default_secret = admin + +# Optional Docker Image to run on slave before running the command +# This image should be accessible from mesos slave i.e mesos slave +# should be able to pull this docker image before executing the command. 
+# docker_image_slave = puckel/docker-airflow
+
+[kerberos]
+ccache = /tmp/airflow_krb5_ccache
+# gets augmented with fqdn
+principal = airflow
+reinit_frequency = 3600
+kinit_path = kinit
+keytab = airflow.keytab
+
+
+[github_enterprise]
+api_rev = v3
+
+[admin]
+# UI to hide sensitive variable fields when set to True
+hide_sensitive_variable_fields = True
+
+[elasticsearch]
+# Elasticsearch host
+host =
+# Format of the log_id, which is used to query for a given tasks logs
+log_id_template = {dag_id}-{task_id}-{execution_date}-{try_number}
+# Used to mark the end of a log stream for a task
+end_of_log_mark = end_of_log
+# Qualified URL for an elasticsearch frontend (like Kibana) with a template argument for log_id
+# Code will construct log_id using the log_id template from the argument above.
+# NOTE: The code will prefix the https:// automatically, don't include that here.
+frontend =
+# Write the task logs to the stdout of the worker, rather than the default files
+write_stdout = False
+# Instead of the default log formatter, write the log lines as JSON
+json_format = False
+# Log fields to also attach to the json output, if enabled
+json_fields = asctime, filename, lineno, levelname, message
+
+[elasticsearch_configs]
+
+use_ssl = False
+verify_certs = True
+
+[kubernetes]
+# The repository, tag and imagePullPolicy of the Kubernetes Image for the Worker to Run
+worker_container_repository =
+worker_container_tag =
+worker_container_image_pull_policy = IfNotPresent
+
+# If True (default), worker pods will be deleted upon termination
+delete_worker_pods = True
+
+# Number of Kubernetes Worker Pod creation calls per scheduler loop
+worker_pods_creation_batch_size = 1
+
+# The Kubernetes namespace where airflow workers should be created. Defaults to `default`
+namespace = default
+
+# The name of the Kubernetes ConfigMap Containing the Airflow Configuration (this file)
+airflow_configmap =
+
+# For docker image already contains DAGs, this is set to `True`, and the worker will search for dags in dags_folder,
+# otherwise use git sync or dags volume claim to mount DAGs
+dags_in_image = False
+
+# For either git sync or volume mounted DAGs, the worker will look in this subpath for DAGs
+dags_volume_subpath =
+
+# For DAGs mounted via a volume claim (mutually exclusive with git-sync and host path)
+dags_volume_claim =
+
+# For volume mounted logs, the worker will look in this subpath for logs
+logs_volume_subpath =
+
+# A shared volume claim for the logs
+logs_volume_claim =
+
+# For DAGs mounted via a hostPath volume (mutually exclusive with volume claim and git-sync)
+# Useful in local environment, discouraged in production
+dags_volume_host =
+
+# A hostPath volume for the logs
+# Useful in local environment, discouraged in production
+logs_volume_host =
+
+# A list of configMapsRefs to envFrom. If more than one configMap is
+# specified, provide a comma separated list: configmap_a,configmap_b
+env_from_configmap_ref =
+
+# A list of secretRefs to envFrom. If more than one secret is
+# specified, provide a comma separated list: secret_a,secret_b
+env_from_secret_ref =
+
+# Git credentials and repository for DAGs mounted via Git (mutually exclusive with volume claim)
+git_repo =
+git_branch =
+git_subpath =
+# Use git_user and git_password for user authentication or git_ssh_key_secret_name and git_ssh_key_secret_key
+# for SSH authentication
+git_user =
+git_password =
+git_sync_root = /git
+git_sync_dest = repo
+# Mount point of the volume if git-sync is being used.
+# i.e. /opt/airflow/dags
+git_dags_folder_mount_point =
+
+# To get Git-sync SSH authentication set up follow this format
+#
+# airflow-secrets.yaml:
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: airflow-secrets
+# data:
+# # key needs to be gitSshKey
+# gitSshKey:
+# ---
+# airflow-configmap.yaml:
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: airflow-configmap
+# data:
+# known_hosts: |
+# github.com ssh-rsa <...>
+# airflow.cfg: |
+# ...
+#
+# git_ssh_key_secret_name = airflow-secrets
+# git_ssh_known_hosts_configmap_name = airflow-configmap
+git_ssh_key_secret_name =
+git_ssh_known_hosts_configmap_name =
+
+# To give the git_sync init container credentials via a secret, create a secret
+# with two fields: GIT_SYNC_USERNAME and GIT_SYNC_PASSWORD (example below) and
+# add `git_sync_credentials_secret = ` to your airflow config under the kubernetes section
+#
+# Secret Example:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: git-credentials
+# data:
+# GIT_SYNC_USERNAME:
+# GIT_SYNC_PASSWORD:
+git_sync_credentials_secret =
+
+# For cloning DAGs from git repositories into volumes: https://github.com/kubernetes/git-sync
+git_sync_container_repository = k8s.gcr.io/git-sync
+git_sync_container_tag = v3.1.1
+git_sync_init_container_name = git-sync-clone
+git_sync_run_as_user = 65533
+
+# The name of the Kubernetes service account to be associated with airflow workers, if any.
+# Service accounts are required for workers that require access to secrets or cluster resources.
+# See the Kubernetes RBAC documentation for more:
+# https://kubernetes.io/docs/admin/authorization/rbac/
+worker_service_account_name =
+
+# Any image pull secrets to be given to worker pods, If more than one secret is
+# required, provide a comma separated list: secret_a,secret_b
+image_pull_secrets =
+
+# GCP Service Account Keys to be provided to tasks run on Kubernetes Executors
+# Should be supplied in the format: key-name-1:key-path-1,key-name-2:key-path-2
+gcp_service_account_keys =
+
+# Use the service account kubernetes gives to pods to connect to kubernetes cluster.
+# It's intended for clients that expect to be running inside a pod running on kubernetes.
+# It will raise an exception if called from a process not running in a kubernetes environment.
+in_cluster = True
+
+# When running with in_cluster=False change the default cluster_context or config_file
+# options to Kubernetes client. Leave blank these to use default behaviour like `kubectl` has.
+# cluster_context =
+# config_file =
+
+
+# Affinity configuration as a single line formatted JSON object.
+# See the affinity model for top-level key names (e.g. `nodeAffinity`, etc.):
+# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#affinity-v1-core
+affinity =
+
+# A list of toleration objects as a single line formatted JSON array
+# See:
+# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#toleration-v1-core
+tolerations =
+
+# **kwargs parameters to pass while calling a kubernetes client core_v1_api methods from Kubernetes Executor
+# provided as a single line formatted JSON dictionary string.
+# List of supported params in **kwargs are similar for all core_v1_apis, hence a single config variable for all apis
+# See:
+# https://raw.githubusercontent.com/kubernetes-client/python/master/kubernetes/client/apis/core_v1_api.py
+# Note that if no _request_timeout is specified, the kubernetes client will wait indefinitely for kubernetes
+# api responses, which will cause the scheduler to hang. The timeout is specified as [connect timeout, read timeout]
+kube_client_request_args = {"_request_timeout" : [60,60] }
+
+# Worker pods security context options
+# See:
+# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+# Specifies the uid to run the first process of the worker pods containers as
+run_as_user =
+
+# Specifies a gid to associate with all containers in the worker pods
+# if using a git_ssh_key_secret_name use an fs_group
+# that allows for the key to be read, e.g. 65533
+fs_group =
+
+[kubernetes_node_selectors]
+# The Key-value pairs to be given to worker pods.
+# The worker pods will be scheduled to the nodes of the specified key-value pairs.
+# Should be supplied in the format: key = value
+
+[kubernetes_annotations]
+# The Key-value annotations pairs to be given to worker pods.
+# Should be supplied in the format: key = value
+
+[kubernetes_environment_variables]
+# The scheduler sets the following environment variables into your workers. You may define as
+# many environment variables as needed and the kubernetes launcher will set them in the launched workers.
+# Environment variables in this section are defined as follows
+# =
+#
+# For example if you wanted to set an environment variable with value `prod` and key
+# `ENVIRONMENT` you would follow the following format:
+# ENVIRONMENT = prod
+#
+# Additionally you may override worker airflow settings with the AIRFLOW____
+# formatting as supported by airflow normally.
+
+[kubernetes_secrets]
+# The scheduler mounts the following secrets into your workers as they are launched by the
+# scheduler. You may define as many secrets as needed and the kubernetes launcher will parse the
+# defined secrets and mount them as secret environment variables in the launched workers.
+# Secrets in this section are defined as follows
+# = =
+#
+# For example if you wanted to mount a kubernetes secret key named `postgres_password` from the
+# kubernetes secret object `airflow-secret` as the environment variable `POSTGRES_PASSWORD` into
+# your workers you would follow the following format:
+# POSTGRES_PASSWORD = airflow-secret=postgres_credentials
+#
+# Additionally you may override worker airflow settings with the AIRFLOW____
+# formatting as supported by airflow normally.
+
+[kubernetes_labels]
+# The Key-value pairs to be given to worker pods.
+# The worker pods will be given these static labels, as well as some additional dynamic labels
+# to identify the task.
+# Should be supplied in the format: key = value
diff --git a/airflow/data/dags/.gitkeep b/airflow/data/dags/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/airflow/data/dags/__init__.py b/airflow/data/dags/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/airflow/data/dags/tutorial.py b/airflow/data/dags/tutorial.py
new file mode 100644
index 0000000..e994c1c
--- /dev/null
+++ b/airflow/data/dags/tutorial.py
@@ -0,0 +1,104 @@
+# -*- coding: utf-8 -*-
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+"""
+### Tutorial Documentation
+Documentation that goes along with the Airflow tutorial located
+[here](https://airflow.apache.org/tutorial.html)
+"""
+from datetime import timedelta
+
+import airflow
+from airflow import DAG
+from airflow.operators.bash_operator import BashOperator
+
+# These args will get passed on to each operator
+# You can override them on a per-task basis during operator initialization
+default_args = {
+ 'owner': 'Airflow',
+ 'depends_on_past': False,
+ 'start_date': airflow.utils.dates.days_ago(2),
+ 'email': ['airflow@example.com'],
+ 'email_on_failure': False,
+ 'email_on_retry': False,
+ 'retries': 1,
+ 'retry_delay': timedelta(minutes=5),
+ # 'queue': 'bash_queue',
+ # 'pool': 'backfill',
+ # 'priority_weight': 10,
+ # 'end_date': datetime(2016, 1, 1),
+ # 'wait_for_downstream': False,
+ # 'dag': dag,
+ # 'sla': timedelta(hours=2),
+ # 'execution_timeout': timedelta(seconds=300),
+ # 'on_failure_callback': some_function,
+ # 'on_success_callback': some_other_function,
+ # 'on_retry_callback': another_function,
+ # 'sla_miss_callback': yet_another_function,
+ # 'trigger_rule': 'all_success'
+}
+
+dag = DAG(
+ 'tutorial',
+ default_args=default_args,
+ description='A simple tutorial DAG',
+ schedule_interval=timedelta(days=1),
+)
+
+# t1, t2 and t3 are examples of tasks created by instantiating operators
+t1 = BashOperator(
+ task_id='print_date',
+ bash_command='date',
+ dag=dag,
+)
+
+t1.doc_md = """\
+#### Task Documentation
+You can document your task using the attributes `doc_md` (markdown),
+`doc` (plain text), `doc_rst`, `doc_json`, `doc_yaml` which gets
+rendered in the UI's Task Instance Details page.
+![img](http://montcs.bloomu.edu/~bobmon/Semesters/2012-01/491/import%20soul.png)
+"""
+
+dag.doc_md = __doc__
+
+t2 = BashOperator(
+ task_id='sleep',
+ depends_on_past=False,
+ bash_command='sleep 5',
+ dag=dag,
+)
+
+templated_command = """
+{% for i in range(5) %}
+ echo "{{ ds }}"
+ echo "{{ macros.ds_add(ds, 7)}}"
+ echo "{{ params.my_param }}"
+{% endfor %}
+"""
+
+t3 = BashOperator(
+ task_id='templated',
+ depends_on_past=False,
+ bash_command=templated_command,
+ params={'my_param': 'Parameter I passed in'},
+ dag=dag,
+)
+
+t1 >> [t2, t3]
diff --git a/airflow/data/default_airflow.cfg b/airflow/data/default_airflow.cfg
new file mode 100644
index 0000000..8d9d360
--- /dev/null
+++ b/airflow/data/default_airflow.cfg
@@ -0,0 +1,860 @@ +# -*- coding: utf-8 -*- +# +# Licensed to the Apache Software Foundation (ASF) under one +# or more contributor license agreements. See the NOTICE file +# distributed with this work for additional information +# regarding copyright ownership. The ASF licenses this file +# to you under the Apache License, Version 2.0 (the +# "License"); you may not use this file except in compliance +# with the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, +# software distributed under the License is distributed on an +# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +# KIND, either express or implied. See the License for the +# specific language governing permissions and limitations +# under the License. + + +# This is the template for Airflow's default configuration. When Airflow is +# imported, it looks for a configuration file at $AIRFLOW_HOME/airflow.cfg. If +# it doesn't exist, Airflow uses this template to generate it by replacing +# variables in curly braces with their global values from configuration.py. + +# Users should not modify this file; they should customize the generated +# airflow.cfg instead. + + +# ----------------------- TEMPLATE BEGINS HERE ----------------------- + +[core] +# The folder where your airflow pipelines live, most likely a +# subfolder in a code repository +# This path must be absolute +dags_folder = {AIRFLOW_HOME}/dags + +# The folder where airflow should store its log files +# This path must be absolute +base_log_folder = {AIRFLOW_HOME}/logs + +# Airflow can store logs remotely in AWS S3, Google Cloud Storage or Elastic Search. +# Users must supply an Airflow connection id that provides access to the storage +# location. If remote_logging is set to true, see UPDATING.md for additional +# configuration requirements. 
+remote_logging = False +remote_log_conn_id = +remote_base_log_folder = +encrypt_s3_logs = False + +# Logging level +logging_level = INFO +fab_logging_level = WARN + +# Logging class +# Specify the class that will specify the logging configuration +# This class has to be on the python classpath +# logging_config_class = my.path.default_local_settings.LOGGING_CONFIG +logging_config_class = + +# Log format +# Colour the logs when the controlling terminal is a TTY. +colored_console_log = True +colored_log_format = [%%(blue)s%%(asctime)s%%(reset)s] {{%%(blue)s%%(filename)s:%%(reset)s%%(lineno)d}} %%(log_color)s%%(levelname)s%%(reset)s - %%(log_color)s%%(message)s%%(reset)s +colored_formatter_class = airflow.utils.log.colored_log.CustomTTYColoredFormatter + +log_format = [%%(asctime)s] {{%%(filename)s:%%(lineno)d}} %%(levelname)s - %%(message)s +simple_log_format = %%(asctime)s %%(levelname)s - %%(message)s + +# Log filename format +log_filename_template = {{{{ ti.dag_id }}}}/{{{{ ti.task_id }}}}/{{{{ ts }}}}/{{{{ try_number }}}}.log +log_processor_filename_template = {{{{ filename }}}}.log +dag_processor_manager_log_location = {AIRFLOW_HOME}/logs/dag_processor_manager/dag_processor_manager.log + +# Hostname by providing a path to a callable, which will resolve the hostname +# The format is "package:function". For example, +# default value "socket:getfqdn" means that result from getfqdn() of "socket" package will be used as hostname +# No argument should be required in the function specified. +# If using IP address as hostname is preferred, use value "airflow.utils.net:get_host_ip_address" +hostname_callable = socket:getfqdn + +# Default timezone in case supplied date times are naive +# can be utc (default), system, or any IANA timezone string (e.g. Europe/Amsterdam) +default_timezone = utc + +# The executor class that airflow should use. 
Choices include +# SequentialExecutor, LocalExecutor, CeleryExecutor, DaskExecutor, KubernetesExecutor +executor = SequentialExecutor + +# The SqlAlchemy connection string to the metadata database. +# SqlAlchemy supports many different database engine, more information +# their website +sql_alchemy_conn = sqlite:///{AIRFLOW_HOME}/airflow.db + +# The encoding for the databases +sql_engine_encoding = utf-8 + +# If SqlAlchemy should pool database connections. +sql_alchemy_pool_enabled = True + +# The SqlAlchemy pool size is the maximum number of database connections +# in the pool. 0 indicates no limit. +sql_alchemy_pool_size = 5 + +# The maximum overflow size of the pool. +# When the number of checked-out connections reaches the size set in pool_size, +# additional connections will be returned up to this limit. +# When those additional connections are returned to the pool, they are disconnected and discarded. +# It follows then that the total number of simultaneous connections the pool will allow is pool_size + max_overflow, +# and the total number of "sleeping" connections the pool will allow is pool_size. +# max_overflow can be set to -1 to indicate no overflow limit; +# no limit will be placed on the total number of concurrent connections. Defaults to 10. +sql_alchemy_max_overflow = 10 + +# The SqlAlchemy pool recycle is the number of seconds a connection +# can be idle in the pool before it is invalidated. This config does +# not apply to sqlite. If the number of DB connections is ever exceeded, +# a lower config value will allow the system to recover faster. +sql_alchemy_pool_recycle = 1800 + +# How many seconds to retry re-establishing a DB connection after +# disconnects. Setting this to 0 disables retries. +sql_alchemy_reconnect_timeout = 300 + +# The schema to use for the metadata database +# SqlAlchemy supports databases with the concept of multiple schemas. +sql_alchemy_schema = + +# The amount of parallelism as a setting to the executor. 
This defines +# the max number of task instances that should run simultaneously +# on this airflow installation +parallelism = 32 + +# The number of task instances allowed to run concurrently by the scheduler +dag_concurrency = 16 + +# Are DAGs paused by default at creation +dags_are_paused_at_creation = True + +# The maximum number of active DAG runs per DAG +max_active_runs_per_dag = 16 + +# Whether to load the examples that ship with Airflow. It's good to +# get started, but you probably want to set this to False in a production +# environment +load_examples = True + +# Where your Airflow plugins are stored +plugins_folder = {AIRFLOW_HOME}/plugins + +# Secret key to save connection passwords in the db +fernet_key = {FERNET_KEY} + +# Whether to disable pickling dags +donot_pickle = False + +# How long before timing out a python file import while filling the DagBag +dagbag_import_timeout = 30 + +# The class to use for running task instances in a subprocess +task_runner = StandardTaskRunner + +# If set, tasks without a `run_as_user` argument will be run with this user +# Can be used to de-elevate a sudo user running Airflow when executing tasks +default_impersonation = + +# What security module to use (for example kerberos): +security = + +# If set to False enables some unsecure features like Charts and Ad Hoc Queries. +# In 2.0 will default to True. +secure_mode = False + +# Turn unit test mode on (overwrites many configuration options with test +# values at runtime) +unit_test_mode = False + +# Name of handler to read task instance logs. +# Default to use task handler. +task_log_reader = task + +# Whether to enable pickling for xcom (note that this is insecure and allows for +# RCE exploits). This will be deprecated in Airflow 2.0 (be forced to False). 
+enable_xcom_pickling = True + +# When a task is killed forcefully, this is the amount of time in seconds that +# it has to cleanup after it is sent a SIGTERM, before it is SIGKILLED +killed_task_cleanup_time = 60 + +# Whether to override params with dag_run.conf. If you pass some key-value pairs through `airflow backfill -c` or +# `airflow trigger_dag -c`, the key-value pairs will override the existing ones in params. +dag_run_conf_overrides_params = False + +# Worker initialisation check to validate Metadata Database connection +worker_precheck = False + +# When discovering DAGs, ignore any files that don't contain the strings `DAG` and `airflow`. +dag_discovery_safe_mode = True + + +[cli] +# In what way should the cli access the API. The LocalClient will use the +# database directly, while the json_client will use the api running on the +# webserver +api_client = airflow.api.client.local_client + +# If you set web_server_url_prefix, do NOT forget to append it here, ex: +# endpoint_url = http://localhost:8080/myroot +# So api will look like: http://localhost:8080/myroot/api/experimental/... +endpoint_url = http://localhost:8080 + +[api] +# How to authenticate users of the API +auth_backend = airflow.api.auth.backend.default + +[lineage] +# what lineage backend to use +backend = + +[atlas] +sasl_enabled = False +host = +port = 21000 +username = +password = + +[operators] +# The default owner assigned to each new operator, unless +# provided explicitly or passed via `default_args` +default_owner = airflow +default_cpus = 1 +default_ram = 512 +default_disk = 512 +default_gpus = 0 + +[hive] +# Default mapreduce queue for HiveOperator tasks +default_hive_mapred_queue = + +[webserver] +# The base url of your website as airflow cannot guess what domain or +# cname you are using. 
This is used in automated emails that +# airflow sends to point links to the right web server +base_url = http://localhost:8080 + +# The ip specified when starting the web server +web_server_host = 0.0.0.0 + +# The port on which to run the web server +web_server_port = 8080 + +# Paths to the SSL certificate and key for the web server. When both are +# provided SSL will be enabled. This does not change the web server port. +web_server_ssl_cert = +web_server_ssl_key = + +# Number of seconds the webserver waits before killing gunicorn master that doesn't respond +web_server_master_timeout = 120 + +# Number of seconds the gunicorn webserver waits before timing out on a worker +web_server_worker_timeout = 120 + +# Number of workers to refresh at a time. When set to 0, worker refresh is +# disabled. When nonzero, airflow periodically refreshes webserver workers by +# bringing up new ones and killing old ones. +worker_refresh_batch_size = 1 + +# Number of seconds to wait before refreshing a batch of workers. +worker_refresh_interval = 30 + +# Secret key used to run your flask app +secret_key = temporary_key + +# Number of workers to run the Gunicorn web server +workers = 4 + +# The worker class gunicorn should use. Choices include +# sync (default), eventlet, gevent +worker_class = sync + +# Log files for the gunicorn webserver. '-' means log to stderr. +access_logfile = - +error_logfile = - + +# Expose the configuration file in the web server +# This is only applicable for the flask-admin based web UI (non FAB-based). +# In the FAB-based web UI with RBAC feature, +# access to configuration is controlled by role permissions. +expose_config = False + +# Set to true to turn on authentication: +# https://airflow.apache.org/security.html#web-authentication +authenticate = False + +# Filter the list of dags by owner name (requires authentication to be enabled) +filter_by_owner = False + +# Filtering mode. Choices include user (default) and ldapgroup. 
+# Ldap group filtering requires using the ldap backend +# +# Note that the ldap server needs the "memberOf" overlay to be set up +# in order to user the ldapgroup mode. +owner_mode = user + +# Default DAG view. Valid values are: +# tree, graph, duration, gantt, landing_times +dag_default_view = tree + +# Default DAG orientation. Valid values are: +# LR (Left->Right), TB (Top->Bottom), RL (Right->Left), BT (Bottom->Top) +dag_orientation = LR + +# Puts the webserver in demonstration mode; blurs the names of Operators for +# privacy. +demo_mode = False + +# The amount of time (in secs) webserver will wait for initial handshake +# while fetching logs from other worker machine +log_fetch_timeout_sec = 5 + +# By default, the webserver shows paused DAGs. Flip this to hide paused +# DAGs by default +hide_paused_dags_by_default = False + +# Consistent page size across all listing views in the UI +page_size = 100 + +# Use FAB-based webserver with RBAC feature +rbac = False + +# Define the color of navigation bar +navbar_color = #007A87 + +# Default dagrun to show in UI +default_dag_run_display_number = 25 + +# Enable werkzeug `ProxyFix` middleware +enable_proxy_fix = False + +# Set secure flag on session cookie +cookie_secure = False + +# Set samesite policy on session cookie +cookie_samesite = + +# Default setting for wrap toggle on DAG code and TI log views. 
+default_wrap = False + +# Send anonymous user activity to your analytics tool +# analytics_tool = # choose from google_analytics, segment, or metarouter +# analytics_id = XXXXXXXXXXX + +[email] +email_backend = airflow.utils.email.send_email_smtp + + +[smtp] +# If you want airflow to send emails on retries, failure, and you want to use +# the airflow.utils.email.send_email_smtp function, you have to configure an +# smtp server here +smtp_host = localhost +smtp_starttls = True +smtp_ssl = False +# Uncomment and set the user/pass settings if you want to use SMTP AUTH +# smtp_user = airflow +# smtp_password = airflow +smtp_port = 25 +smtp_mail_from = airflow@example.com + + +[celery] +# This section only applies if you are using the CeleryExecutor in +# [core] section above + +# The app name that will be used by celery +celery_app_name = airflow.executors.celery_executor + +# The concurrency that will be used when starting workers with the +# "airflow worker" command. This defines the number of task instances that +# a worker will take, so size up your workers based on the resources on +# your worker box and the nature of your tasks +worker_concurrency = 16 + +# The maximum and minimum concurrency that will be used when starting workers with the +# "airflow worker" command (always keep minimum processes, but grow to maximum if necessary). +# Note the value should be "max_concurrency,min_concurrency" +# Pick these numbers based on resources on worker box and the nature of the task. +# If autoscale option is available, worker_concurrency will be ignored. +# http://docs.celeryproject.org/en/latest/reference/celery.bin.worker.html#cmdoption-celery-worker-autoscale +# worker_autoscale = 16,12 + +# When you start an airflow worker, airflow starts a tiny web server +# subprocess to serve the workers local log files to the airflow main +# web server, who then builds pages and sends them to users. This defines +# the port on which the logs are served. 
It needs to be unused, and open +# visible from the main web server to connect into the workers. +worker_log_server_port = 8793 + +# The Celery broker URL. Celery supports RabbitMQ, Redis and experimentally +# a sqlalchemy database. Refer to the Celery documentation for more +# information. +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#broker-settings +broker_url = sqla+mysql://airflow:airflow@localhost:3306/airflow + +# The Celery result_backend. When a job finishes, it needs to update the +# metadata of the job. Therefore it will post a message on a message bus, +# or insert it into a database (depending of the backend) +# This status is used by the scheduler to update the state of the task +# The use of a database is highly recommended +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#task-result-backend-settings +result_backend = db+mysql://airflow:airflow@localhost:3306/airflow + +# Celery Flower is a sweet UI for Celery. Airflow has a shortcut to start +# it `airflow flower`. This defines the IP that Celery Flower runs on +flower_host = 0.0.0.0 + +# The root URL for Flower +# Ex: flower_url_prefix = /flower +flower_url_prefix = + +# This defines the port that Celery Flower runs on +flower_port = 5555 + +# Securing Flower with Basic Authentication +# Accepts user:password pairs separated by a comma +# Example: flower_basic_auth = user1:password1,user2:password2 +flower_basic_auth = + +# Default queue that tasks get assigned to and that worker listen on. +default_queue = default + +# How many processes CeleryExecutor uses to sync task state. +# 0 means to use max(1, number of cores - 1) processes. +sync_parallelism = 0 + +# Import path for celery configuration options +celery_config_options = airflow.config_templates.default_celery.DEFAULT_CELERY_CONFIG + +# In case of using SSL +ssl_active = False +ssl_key = +ssl_cert = +ssl_cacert = + +# Celery Pool implementation. 
+# Choices include: prefork (default), eventlet, gevent or solo. +# See: +# https://docs.celeryproject.org/en/latest/userguide/workers.html#concurrency +# https://docs.celeryproject.org/en/latest/userguide/concurrency/eventlet.html +pool = prefork + +[celery_broker_transport_options] +# This section is for specifying options which can be passed to the +# underlying celery broker transport. See: +# http://docs.celeryproject.org/en/latest/userguide/configuration.html#std:setting-broker_transport_options + +# The visibility timeout defines the number of seconds to wait for the worker +# to acknowledge the task before the message is redelivered to another worker. +# Make sure to increase the visibility timeout to match the time of the longest +# ETA you're planning to use. +# +# visibility_timeout is only supported for Redis and SQS celery brokers. +# See: +# http://docs.celeryproject.org/en/master/userguide/configuration.html#std:setting-broker_transport_options +# +#visibility_timeout = 21600 + +[dask] +# This section only applies if you are using the DaskExecutor in +# [core] section above + +# The IP address and port of the Dask cluster's scheduler. +cluster_address = 127.0.0.1:8786 +# TLS/ SSL settings to access a secured Dask scheduler. +tls_ca = +tls_cert = +tls_key = + + +[scheduler] +# Task instances listen for external kill signal (when you clear tasks +# from the CLI or the UI), this defines the frequency at which they should +# listen (in seconds). +job_heartbeat_sec = 5 + +# The scheduler constantly tries to trigger new tasks (look at the +# scheduler section in the docs for more information). This defines +# how often the scheduler should run (in seconds). 
+scheduler_heartbeat_sec = 5 + +# after how much time should the scheduler terminate in seconds +# -1 indicates to run continuously (see also num_runs) +run_duration = -1 + +# after how much time (seconds) a new DAGs should be picked up from the filesystem +min_file_process_interval = 0 + +# How often (in seconds) to scan the DAGs directory for new files. Default to 5 minutes. +dag_dir_list_interval = 300 + +# How often should stats be printed to the logs +print_stats_interval = 30 + +# If the last scheduler heartbeat happened more than scheduler_health_check_threshold ago (in seconds), +# scheduler is considered unhealthy. +# This is used by the health check in the "/health" endpoint +scheduler_health_check_threshold = 30 + +child_process_log_directory = {AIRFLOW_HOME}/logs/scheduler + +# Local task jobs periodically heartbeat to the DB. If the job has +# not heartbeat in this many seconds, the scheduler will mark the +# associated task instance as failed and will re-schedule the task. +scheduler_zombie_task_threshold = 300 + +# Turn off scheduler catchup by setting this to False. +# Default behavior is unchanged and +# Command Line Backfills still work, but the scheduler +# will not do scheduler catchup if this is False, +# however it can be set on a per DAG basis in the +# DAG definition (catchup) +catchup_by_default = True + +# This changes the batch size of queries in the scheduling main loop. +# If this is too high, SQL query performance may be impacted by one +# or more of the following: +# - reversion to full table scan +# - complexity of query predicate +# - excessive locking +# +# Additionally, you may hit the maximum allowable query length for your db. +# +# Set this to 0 for no limit (not advised) +max_tis_per_query = 512 + +# Statsd (https://github.com/etsy/statsd) integration settings +statsd_on = False +statsd_host = localhost +statsd_port = 8125 +statsd_prefix = airflow + +# The scheduler can run multiple threads in parallel to schedule dags. 
+# This defines how many threads will run. +max_threads = 2 + +authenticate = False + +# Turn off scheduler use of cron intervals by setting this to False. +# DAGs submitted manually in the web UI or with trigger_dag will still run. +use_job_schedule = True + +[ldap] +# set this to ldaps://: +uri = +user_filter = objectClass=* +user_name_attr = uid +group_member_attr = memberOf +superuser_filter = +data_profiler_filter = +bind_user = cn=Manager,dc=example,dc=com +bind_password = insecure +basedn = dc=example,dc=com +cacert = /etc/ca/ldap_ca.crt +search_scope = LEVEL + +# This setting allows the use of LDAP servers that either return a +# broken schema, or do not return a schema. +ignore_malformed_schema = False + +[mesos] +# Mesos master address which MesosExecutor will connect to. +master = localhost:5050 + +# The framework name which Airflow scheduler will register itself as on mesos +framework_name = Airflow + +# Number of cpu cores required for running one task instance using +# 'airflow run --local -p ' +# command on a mesos slave +task_cpu = 1 + +# Memory in MB required for running one task instance using +# 'airflow run --local -p ' +# command on a mesos slave +task_memory = 256 + +# Enable framework checkpointing for mesos +# See http://mesos.apache.org/documentation/latest/slave-recovery/ +checkpoint = False + +# Failover timeout in milliseconds. +# When checkpointing is enabled and this option is set, Mesos waits +# until the configured timeout for +# the MesosExecutor framework to re-register after a failover. Mesos +# shuts down running tasks if the +# MesosExecutor framework fails to re-register within this timeframe. 
+# failover_timeout = 604800 + +# Enable framework authentication for mesos +# See http://mesos.apache.org/documentation/latest/configuration/ +authenticate = False + +# Mesos credentials, if authentication is enabled +# default_principal = admin +# default_secret = admin + +# Optional Docker Image to run on slave before running the command +# This image should be accessible from mesos slave i.e mesos slave +# should be able to pull this docker image before executing the command. +# docker_image_slave = puckel/docker-airflow + +[kerberos] +ccache = /tmp/airflow_krb5_ccache +# gets augmented with fqdn +principal = airflow +reinit_frequency = 3600 +kinit_path = kinit +keytab = airflow.keytab + + +[github_enterprise] +api_rev = v3 + +[admin] +# UI to hide sensitive variable fields when set to True +hide_sensitive_variable_fields = True + +[elasticsearch] +# Elasticsearch host +host = +# Format of the log_id, which is used to query for a given tasks logs +log_id_template = {{dag_id}}-{{task_id}}-{{execution_date}}-{{try_number}} +# Used to mark the end of a log stream for a task +end_of_log_mark = end_of_log +# Qualified URL for an elasticsearch frontend (like Kibana) with a template argument for log_id +# Code will construct log_id using the log_id template from the argument above. +# NOTE: The code will prefix the https:// automatically, don't include that here. 
+frontend =
+# Write the task logs to the stdout of the worker, rather than the default files
+write_stdout = False
+# Instead of the default log formatter, write the log lines as JSON
+json_format = False
+# Log fields to also attach to the json output, if enabled
+json_fields = asctime, filename, lineno, levelname, message
+
+[elasticsearch_configs]
+
+use_ssl = False
+verify_certs = True
+
+[kubernetes]
+# The repository, tag and imagePullPolicy of the Kubernetes Image for the Worker to Run
+worker_container_repository =
+worker_container_tag =
+worker_container_image_pull_policy = IfNotPresent
+
+# If True (default), worker pods will be deleted upon termination
+delete_worker_pods = True
+
+# Number of Kubernetes Worker Pod creation calls per scheduler loop
+worker_pods_creation_batch_size = 1
+
+# The Kubernetes namespace where airflow workers should be created. Defaults to `default`
+namespace = default
+
+# The name of the Kubernetes ConfigMap Containing the Airflow Configuration (this file)
+airflow_configmap =
+
+# For docker image already contains DAGs, this is set to `True`, and the worker will search for dags in dags_folder,
+# otherwise use git sync or dags volume claim to mount DAGs
+dags_in_image = False
+
+# For either git sync or volume mounted DAGs, the worker will look in this subpath for DAGs
+dags_volume_subpath =
+
+# For DAGs mounted via a volume claim (mutually exclusive with git-sync and host path)
+dags_volume_claim =
+
+# For volume mounted logs, the worker will look in this subpath for logs
+logs_volume_subpath =
+
+# A shared volume claim for the logs
+logs_volume_claim =
+
+# For DAGs mounted via a hostPath volume (mutually exclusive with volume claim and git-sync)
+# Useful in local environment, discouraged in production
+dags_volume_host =
+
+# A hostPath volume for the logs
+# Useful in local environment, discouraged in production
+logs_volume_host =
+
+# A list of configMapsRefs to envFrom. If more than one configMap is
+# specified, provide a comma separated list: configmap_a,configmap_b
+env_from_configmap_ref =
+
+# A list of secretRefs to envFrom. If more than one secret is
+# specified, provide a comma separated list: secret_a,secret_b
+env_from_secret_ref =
+
+# Git credentials and repository for DAGs mounted via Git (mutually exclusive with volume claim)
+git_repo =
+git_branch =
+git_subpath =
+# Use git_user and git_password for user authentication or git_ssh_key_secret_name and git_ssh_key_secret_key
+# for SSH authentication
+git_user =
+git_password =
+git_sync_root = /git
+git_sync_dest = repo
+# Mount point of the volume if git-sync is being used.
+# i.e. {AIRFLOW_HOME}/dags
+git_dags_folder_mount_point =
+
+# To get Git-sync SSH authentication set up follow this format
+#
+# airflow-secrets.yaml:
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: airflow-secrets
+# data:
+# # key needs to be gitSshKey
+# gitSshKey:
+# ---
+# airflow-configmap.yaml:
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+# name: airflow-configmap
+# data:
+# known_hosts: |
+# github.com ssh-rsa <...>
+# airflow.cfg: |
+# ...
+#
+# git_ssh_key_secret_name = airflow-secrets
+# git_ssh_known_hosts_configmap_name = airflow-configmap
+git_ssh_key_secret_name =
+git_ssh_known_hosts_configmap_name =
+
+# To give the git_sync init container credentials via a secret, create a secret
+# with two fields: GIT_SYNC_USERNAME and GIT_SYNC_PASSWORD (example below) and
+# add `git_sync_credentials_secret = ` to your airflow config under the kubernetes section
+#
+# Secret Example:
+# apiVersion: v1
+# kind: Secret
+# metadata:
+# name: git-credentials
+# data:
+# GIT_SYNC_USERNAME:
+# GIT_SYNC_PASSWORD:
+git_sync_credentials_secret =
+
+# For cloning DAGs from git repositories into volumes: https://github.com/kubernetes/git-sync
+git_sync_container_repository = k8s.gcr.io/git-sync
+git_sync_container_tag = v3.1.1
+git_sync_init_container_name = git-sync-clone
+git_sync_run_as_user = 65533
+
+# The name of the Kubernetes service account to be associated with airflow workers, if any.
+# Service accounts are required for workers that require access to secrets or cluster resources.
+# See the Kubernetes RBAC documentation for more:
+# https://kubernetes.io/docs/admin/authorization/rbac/
+worker_service_account_name =
+
+# Any image pull secrets to be given to worker pods, If more than one secret is
+# required, provide a comma separated list: secret_a,secret_b
+image_pull_secrets =
+
+# GCP Service Account Keys to be provided to tasks run on Kubernetes Executors
+# Should be supplied in the format: key-name-1:key-path-1,key-name-2:key-path-2
+gcp_service_account_keys =
+
+# Use the service account kubernetes gives to pods to connect to kubernetes cluster.
+# It's intended for clients that expect to be running inside a pod running on kubernetes.
+# It will raise an exception if called from a process not running in a kubernetes environment.
+in_cluster = True
+
+# When running with in_cluster=False change the default cluster_context or config_file
+# options to Kubernetes client. Leave blank these to use default behaviour like `kubectl` has.
+# cluster_context =
+# config_file =
+
+
+# Affinity configuration as a single line formatted JSON object.
+# See the affinity model for top-level key names (e.g. `nodeAffinity`, etc.):
+# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#affinity-v1-core
+affinity =
+
+# A list of toleration objects as a single line formatted JSON array
+# See:
+# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.12/#toleration-v1-core
+tolerations =
+
+# **kwargs parameters to pass while calling a kubernetes client core_v1_api methods from Kubernetes Executor
+# provided as a single line formatted JSON dictionary string.
+# List of supported params in **kwargs are similar for all core_v1_apis, hence a single config variable for all apis
+# See:
+# https://raw.githubusercontent.com/kubernetes-client/python/master/kubernetes/client/apis/core_v1_api.py
+# Note that if no _request_timeout is specified, the kubernetes client will wait indefinitely for kubernetes
+# api responses, which will cause the scheduler to hang. The timeout is specified as [connect timeout, read timeout]
+kube_client_request_args = {{"_request_timeout" : [60,60] }}
+
+# Worker pods security context options
+# See:
+# https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+# Specifies the uid to run the first process of the worker pods containers as
+run_as_user =
+
+# Specifies a gid to associate with all containers in the worker pods
+# if using a git_ssh_key_secret_name use an fs_group
+# that allows for the key to be read, e.g. 65533
+fs_group =
+
+[kubernetes_node_selectors]
+# The Key-value pairs to be given to worker pods.
+# The worker pods will be scheduled to the nodes of the specified key-value pairs.
+# Should be supplied in the format: key = value
+
+[kubernetes_annotations]
+# The Key-value annotations pairs to be given to worker pods.
+# Should be supplied in the format: key = value
+
+[kubernetes_environment_variables]
+# The scheduler sets the following environment variables into your workers. You may define as
+# many environment variables as needed and the kubernetes launcher will set them in the launched workers.
+# Environment variables in this section are defined as follows
+# =
+#
+# For example if you wanted to set an environment variable with value `prod` and key
+# `ENVIRONMENT` you would follow the following format:
+# ENVIRONMENT = prod
+#
+# Additionally you may override worker airflow settings with the AIRFLOW____
+# formatting as supported by airflow normally.
+
+[kubernetes_secrets]
+# The scheduler mounts the following secrets into your workers as they are launched by the
+# scheduler. You may define as many secrets as needed and the kubernetes launcher will parse the
+# defined secrets and mount them as secret environment variables in the launched workers.
+# Secrets in this section are defined as follows
+# = =
+#
+# For example if you wanted to mount a kubernetes secret key named `postgres_password` from the
+# kubernetes secret object `airflow-secret` as the environment variable `POSTGRES_PASSWORD` into
+# your workers you would follow the following format:
+# POSTGRES_PASSWORD = airflow-secret=postgres_credentials
+#
+# Additionally you may override worker airflow settings with the AIRFLOW____
+# formatting as supported by airflow normally.
+
+[kubernetes_labels]
+# The Key-value pairs to be given to worker pods.
+# The worker pods will be given these static labels, as well as some additional dynamic labels
+# to identify the task.
+# Should be supplied in the format: key = value
diff --git a/airflow/data/logs/.gitkeep b/airflow/data/logs/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/airflow/data/plugins/.gitkeep b/airflow/data/plugins/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/airflow/docker-compose-master.yml b/airflow/deprecated/docker-compose-master.yml
similarity index 93%
rename from airflow/docker-compose-master.yml
rename to airflow/deprecated/docker-compose-master.yml
index 5b7e5e8..7bf89f6 100644
--- a/airflow/docker-compose-master.yml
+++ b/airflow/deprecated/docker-compose-master.yml
@@ -24,7 +24,7 @@ services:
 restart: always
 webserver:
- image: puckel/docker-airflow:1.9.0-4
+ image: puckel/docker-airflow:1.10.4
 command: webserver
 hostname: master
 ports:
@@ -52,7 +52,7 @@ services:
 restart: always
 scheduler:
- image: puckel/docker-airflow:1.9.0-4
+ image: puckel/docker-airflow:1.10.4
 command: scheduler
 volumes:
 - ./data/airflow/dags:/usr/local/airflow/dags
@@ -66,7 +66,7 @@ services:
 restart: always
 flower:
- image: puckel/docker-airflow:1.9.0-4
+ image: puckel/docker-airflow:1.10.4
 command: flower
 ports:
 - "5555:5555"
diff --git a/airflow/docker-compose-worker.yml b/airflow/deprecated/docker-compose-worker.yml
similarity index 91%
rename from airflow/docker-compose-worker.yml
rename to airflow/deprecated/docker-compose-worker.yml
index 5fdb254..28276d1 100644
--- a/airflow/docker-compose-worker.yml
+++ b/airflow/deprecated/docker-compose-worker.yml
@@ -3,7 +3,7 @@ version: '2.1'
 services:
 worker:
- image: puckel/docker-airflow:1.9.0-4
+ image: puckel/docker-airflow:1.10.4
 command: worker
 hostname: worker1
 ports:
diff --git a/airflow/docker-stack.yaml b/airflow/docker-stack.yaml
new file mode 100644
index 0000000..4e080f3
--- /dev/null
+++ b/airflow/docker-stack.yaml
@@ -0,0 +1,110 @@
+version: "3.7"
+
+services:
+
+ redis:
+ image: redis:alpine
+ command: --save 900 1
+ ports:
+ - "6379:6379"
+ volumes:
+ - /data/redis:/data
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+
+ postgres:
+ image: postgres:alpine
+ ports:
+ - "5432:5432"
+ volumes:
+ - /data/postgres:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=airflow
+ - POSTGRES_PASSWORD=airflow
+ - POSTGRES_DB=airflow
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+
+ webserver:
+ image: vimagick/airflow
+ command: webserver
+ ports:
+ - "8080:8080"
+ volumes:
+ - airflow_data:/opt/airflow
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+ depends_on:
+ - postgres
+ - redis
+
+ scheduler:
+ image: vimagick/airflow
+ command: scheduler
+ volumes:
+ - airflow_data:/opt/airflow
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+ depends_on:
+ - webserver
+
+ flower:
+ image: vimagick/airflow
+ command: flower
+ ports:
+ - "5555:5555"
+ volumes:
+ - airflow_data:/opt/airflow
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+ depends_on:
+ - webserver
+
+ worker:
+ image: vimagick/airflow
+ command: worker
+ volumes:
+ - airflow_data:/opt/airflow
+ deploy:
+ replicas: 0
+ placement:
+ constraints:
+ - node.role == worker
+ restart_policy:
+ condition: on-failure
+ depends_on:
+ - webserver
+
+volumes:
+
+ airflow_data:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: "addr=10.0.0.1,nolock,soft,rw"
+ device: ":/export/airflow"
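Review bot: The `postgres` and `redis` services publish 5432 and 6379 through `ports:` in a `version: "3.7"` stack, so under swarm they are reachable on every node through the ingress mesh, while the database password is the fixed default `POSTGRES_PASSWORD=airflow` and the redis service sets no `requirepass`. Unless those host ports are needed from outside the overlay network, drop the two `ports:` blocks and let the airflow services reach them by service name, and take the password from a docker secret or an env file that is not committed. `depends_on` is ignored by `docker stack deploy`, so the webserver can start before postgres is up; `restart_policy: on-failure` covers it, but a comment such as `# depends_on is ignored in swarm mode; startup order relies on restart_policy` would spare the next reader the surprise. The NFS volume is mounted `soft`, which returns I/O errors on a slow server instead of waiting; if that is deliberate for `/opt/airflow`, say why in a comment next to `o:`.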
diff --git a/airflow/systemd/airflow b/airflow/systemd/airflow
new file mode 100644
index 0000000..eea7a66
--- /dev/null
+++ b/airflow/systemd/airflow
@@ -0,0 +1,24 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+# This file is the environment file for Airflow. Put this file in /etc/sysconfig/airflow per default
+# configuration of the systemd unit files.
+#
+AIRFLOW_HOME=/home/airflow/airflow
+AIRFLOW_CONFIG=/home/airflow/airflow/airflow.cfg
+PATH=/home/airflow/.virtualenvs/airflow/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
diff --git a/airflow/systemd/airflow-flower.service b/airflow/systemd/airflow-flower.service
new file mode 100644
index 0000000..e8bab93
--- /dev/null
+++ b/airflow/systemd/airflow-flower.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Airflow celery flower
+After=network.target postgresql.service redis-server.service
+Wants=postgresql.service redis-server.service
+
+[Service]
+EnvironmentFile=/etc/default/airflow
+User=airflow
+Group=airflow
+Type=simple
+ExecStart=/home/airflow/.virtualenvs/airflow/bin/airflow flower --port=5555
+Restart=on-failure
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
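Review bot: The comment in `airflow/systemd/airflow` tells the reader to install it at `/etc/sysconfig/airflow`, but every unit file in this commit loads `EnvironmentFile=/etc/default/airflow` (airflow-flower.service here, and the scheduler, webserver and worker units that follow), so following the comment leaves the services without `AIRFLOW_HOME`, `AIRFLOW_CONFIG` or the virtualenv `PATH`. Change the comment to `# Put this file in /etc/default/airflow, the EnvironmentFile= path used by the unit files.` or point the units at /etc/sysconfig, but keep the two in agreement. The `/home/airflow/.virtualenvs/airflow/bin` prefix is also spelled out in each unit's `ExecStart=`; a one-line comment noting that the two must be kept in sync would help whoever relocates the virtualenv.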
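Review bot: `ExecStart=/home/airflow/.virtualenvs/airflow/bin/airflow flower --port=5555` in airflow-flower.service starts the Celery monitoring UI with no authentication of its own, and its bind address comes from the `[celery]` section of airflow.cfg, which is outside this diff, so it presumably listens on all interfaces; anyone who can reach port 5555 can then read task arguments and revoke running tasks. If the host is not firewalled, bind Flower to loopback or put it behind an authenticating reverse proxy, and record that in the unit, e.g. `# Flower has no auth of its own; expose 5555 only through the reverse proxy`. This unit also lacks the `PrivateTmp=true` that airflow-webserver.service sets; the sandboxing should match across the four units.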
diff --git a/airflow/systemd/airflow-scheduler.service b/airflow/systemd/airflow-scheduler.service
new file mode 100644
index 0000000..e17667f
--- /dev/null
+++ b/airflow/systemd/airflow-scheduler.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Airflow scheduler daemon
+After=network.target postgresql.service redis-server.service
+Wants=postgresql.service redis-server.service
+
+[Service]
+EnvironmentFile=/etc/default/airflow
+User=airflow
+Group=airflow
+Type=simple
+ExecStart=/home/airflow/.virtualenvs/airflow/bin/airflow scheduler
+Restart=always
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
diff --git a/airflow/systemd/airflow-webserver.service b/airflow/systemd/airflow-webserver.service
new file mode 100644
index 0000000..24e76c1
--- /dev/null
+++ b/airflow/systemd/airflow-webserver.service
@@ -0,0 +1,18 @@
+[Unit]
+Description=Airflow webserver daemon
+After=network.target postgresql.service redis-server.service
+Wants=postgresql.service redis-server.service
+
+[Service]
+EnvironmentFile=/etc/default/airflow
+User=airflow
+Group=airflow
+Type=simple
+RuntimeDirectory=airflow
+ExecStart=/home/airflow/.virtualenvs/airflow/bin/airflow webserver --pid /run/airflow/webserver.pid
+Restart=on-failure
+RestartSec=5s
+PrivateTmp=true
+
+[Install]
+WantedBy=multi-user.target
diff --git a/airflow/systemd/airflow-worker.service b/airflow/systemd/airflow-worker.service
new file mode 100644
index 0000000..b961910
--- /dev/null
+++ b/airflow/systemd/airflow-worker.service
@@ -0,0 +1,16 @@
+[Unit]
+Description=Airflow celery worker daemon
+After=network.target postgresql.service redis-server.service
+Wants=postgresql.service redis-server.service
+
+[Service]
+EnvironmentFile=/etc/default/airflow
+User=airflow
+Group=airflow
+Type=simple
+ExecStart=/home/airflow/.virtualenvs/airflow/bin/airflow worker
+Restart=on-failure
+RestartSec=10s
+
+[Install]
+WantedBy=multi-user.target
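Review bot: Only airflow-webserver.service sets `PrivateTmp=true`; airflow-scheduler.service and airflow-worker.service in this same line run the same code base as the same user with no sandboxing at all, so the four units should share one hardening baseline. Add `PrivateTmp=true`, `NoNewPrivileges=true` and `ProtectSystem=full` to each `[Service]` block (the last one can go if DAGs genuinely need to write outside `AIRFLOW_HOME`), or add a comment explaining why the webserver alone gets it. One thing to check before adding `PrivateTmp` everywhere: the shipped airflow.cfg earlier in this diff sets `ccache = /tmp/airflow_krb5_ccache` under `[kerberos]`, and a private /tmp per unit would make a ticket cache written by one service invisible to the others, so that path would need to move out of /tmp first. The scheduler's `Restart=always` also differs from the `on-failure` used by the other three; if that is deliberate, a one-line comment saying so belongs next to it.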
diff --git a/ambari/Dockerfile b/ambari/Dockerfile
new file mode 100644
index 0000000..5131621
--- /dev/null
+++ b/ambari/Dockerfile
@@ -0,0 +1,29 @@
+#
+# Dockerfile for ambari
+#
+
+FROM ubuntu:18.04
+MAINTAINER EasyPi Software Foundation
+
+ENV AMBARI_VERSION=2.7.4.0
+ENV AMBARI_SOURCE=http://public-repo-1.hortonworks.com/ambari/ubuntu18/2.x/updates/${AMBARI_VERSION}/ambari.list
+ENV JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64
+
+RUN set -xe \
+ && apt-get update \
+ && apt-get install -y curl gnupg libpostgresql-jdbc-java openjdk-8-jdk openssh-client \
+ && curl -sSL ${AMBARI_SOURCE} > /etc/apt/sources.list.d/ambari.list \
+ && apt-key adv --recv-keys --keyserver keyserver.ubuntu.com B9733A7A07513CAD \
+ && apt-get update \
+ && apt-get install -y ambari-server \
+ && ambari-server setup --jdbc-db=postgres --jdbc-driver=/usr/share/java/postgresql.jar \
+ && rm -rf /var/lib/apt/lists/*
+
+VOLUME /etc/ambari-server/conf
+
+EXPOSE 8080
+
+CMD set -ex \
+ && ambari-server start \
+ && sleep 5 \
+ && tail --pid=$(cat /var/run/ambari-server/ambari-server.pid) -f /var/log/ambari-server/ambari-server.log
diff --git a/ambari/README.md b/ambari/README.md
new file mode 100644
index 0000000..96c2797
--- /dev/null
+++ b/ambari/README.md
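Review bot: `curl -sSL ${AMBARI_SOURCE} > /etc/apt/sources.list.d/ambari.list` fetches the repository definition over plain http and writes it straight into apt's sources, and the signing key is then pulled from `keyserver.ubuntu.com` by the 16-hex-digit id `B9733A7A07513CAD` rather than a full fingerprint, so the trust chain for every ambari package starts from two unauthenticated downloads. Use https for `AMBARI_SOURCE` if the mirror serves it, and pin the key by fetching it once, comparing its full fingerprint, and dropping it into `/etc/apt/trusted.gpg.d/`, with a comment recording where the expected fingerprint came from. `MAINTAINER` is deprecated in favour of `LABEL maintainer=...`, and `apt-key` is deprecated on newer Ubuntu releases, though both still work on 18.04.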
@@ -0,0 +1,41 @@
+ambari
+======
+
+The [Apache Ambari][1] project is aimed at making Hadoop management simpler by
+developing software for provisioning, managing, and monitoring Apache Hadoop
+clusters. [Ambari][2] provides an intuitive, easy-to-use Hadoop management web UI
+backed by its RESTful APIs.
+
+![](https://docs.cloudera.com/common/img/product_icons/icon-ambari.png)
+
+Make sure that ambari-server is reachable by ambari-agents via DNS.
+
+## Up and Running
+
+```bash
+$ docker-compose run --rm server bash
+>>> ambari-server setup
+Customize user account for ambari-server daemon [y/n] (n)?
+Do you want to change Oracle JDK [y/n] (n)?
+Enter advanced database configuration [y/n] (n)? y
+Enter choice (4):
+Hostname (postgres):
+Port (5432):
+Database name (ambari):
+Postgres schema (public):
+Username (ambari):
+Enter Database Password (ambari):
+Proceed with configuring remote database connection properties [y/n] (y)?
+>>> PGUSER=ambari PGPASSWORD=ambari psql -h postgres -d ambari -f /var/lib/ambari-server/resources/Ambari-DDL-Postgres-CREATE.sql
+CREATE TABLE ...
+CREATE INDEX ...
+
+$ docker-compose up -d
+Starting ambari_postgres_1 ... done
+Starting ambari_server_1 ... done
+
+$ curl http://localhost:8080/
+```
+
+[1]: https://ambari.apache.org/
+[2]: https://docs.cloudera.com/HDPDocuments/Ambari/Ambari-2.7.4.0/index.html
diff --git a/ambari/data/ambari/ambari.properties b/ambari/data/ambari/ambari.properties
new file mode 100755
index 0000000..d41bdcb
--- /dev/null
+++ b/ambari/data/ambari/ambari.properties
@@ -0,0 +1,118 @@
+#
+# Copyright 2011 The Apache Software Foundation
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+agent.package.install.task.timeout=1800
+agent.stack.retry.on_repo_unavailability=false
+agent.stack.retry.tries=5
+agent.task.timeout=900
+agent.threadpool.size.max=25
+ambari-server.user=root
+ambari.python.wrap=ambari-python-wrap
+bootstrap.dir=/var/run/ambari-server/bootstrap
+bootstrap.script=/usr/lib/ambari-server/lib/ambari_server/bootstrap.py
+bootstrap.setup_agent.script=/usr/lib/ambari-server/lib/ambari_server/setupAgent.py
+client.threadpool.size.max=25
+common.services.path=/var/lib/ambari-server/resources/common-services
+custom.action.definitions=/var/lib/ambari-server/resources/custom_action_definitions
+custom.postgres.jdbc.name=postgresql.jar
+extensions.path=/var/lib/ambari-server/resources/extensions
+gpl.license.accepted=true
+http.cache-control=no-store
+http.charset=utf-8
+http.pragma=no-cache
+http.strict-transport-security=max-age=31536000
+http.x-content-type-options=nosniff
+http.x-frame-options=DENY
+http.x-xss-protection=1; mode=block
+java.home=/usr/lib/jvm/java-8-openjdk-amd64
+java.releases=jdk1.8
+java.releases.ppc64le=
+jce.download.supported=true
+jdk.download.supported=true
+jdk1.8.desc=Oracle JDK 1.8 + Java Cryptography Extension (JCE) Policy Files 8
+jdk1.8.dest-file=jdk-8u112-linux-x64.tar.gz
+jdk1.8.home=/usr/jdk64/
+jdk1.8.jcpol-file=jce_policy-8.zip
+jdk1.8.jcpol-url=http://public-repo-1.hortonworks.com/ARTIFACTS/jce_policy-8.zip
+jdk1.8.re=(jdk.*)/jre
+jdk1.8.url=http://public-repo-1.hortonworks.com/ARTIFACTS/jdk-8u112-linux-x64.tar.gz
+kerberos.keytab.cache.dir=/var/lib/ambari-server/data/cache
+kerberos.operation.verify.kdc.trust=true
+local.database.user=postgres
+metadata.path=/var/lib/ambari-server/resources/stacks
+mpacks.staging.path=/var/lib/ambari-server/resources/mpacks
+pid.dir=/var/run/ambari-server
+recommendations.artifacts.lifetime=1w
+recommendations.dir=/var/run/ambari-server/stack-recommendations
+resources.dir=/var/lib/ambari-server/resources
+rolling.upgrade.skip.packages.prefixes=
+security.server.disabled.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384|TLS_RSA_WITH_AES_256_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384|TLS_DHE_RSA_WITH_AES_256_CBC_SHA256|TLS_DHE_DSS_WITH_AES_256_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA|TLS_RSA_WITH_AES_256_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA|TLS_ECDH_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_RSA_WITH_AES_256_CBC_SHA|TLS_DHE_DSS_WITH_AES_256_CBC_SHA|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256|TLS_RSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_RSA_WITH_AES_128_CBC_SHA256|TLS_DHE_DSS_WITH_AES_128_CBC_SHA256|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA|TLS_RSA_WITH_AES_128_CBC_SHA|TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA|TLS_ECDH_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_RSA_WITH_AES_128_CBC_SHA|TLS_DHE_DSS_WITH_AES_128_CBC_SHA|TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA|TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA|SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA|TLS_EMPTY_RENEGOTIATION_INFO_SCSV|TLS_DH_anon_WITH_AES_256_CBC_SHA256|TLS_ECDH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_256_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA256|TLS_ECDH_anon_WITH_AES_128_CBC_SHA|TLS_DH_anon_WITH_AES_128_CBC_SHA|TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA|SSL_DH_anon_WITH_3DES_EDE_CBC_SHA|SSL_RSA_WITH_DES_CBC_SHA|SSL_DHE_RSA_WITH_DES_CBC_SHA|SSL_DHE_DSS_WITH_DES_CBC_SHA|SSL_DH_anon_WITH_DES_CBC_SHA|SSL_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA|SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA|SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA|TLS_RSA_WITH_NULL_SHA256|TLS_ECDHE_ECDSA_WITH_NULL_SHA|TLS_ECDHE_RSA_WITH_NULL_SHA|SSL_RSA_WITH_NULL_SHA|TLS_ECDH_ECDSA_WITH_NULL_SHA|TLS_ECDH_RSA_WITH_NULL_SHA|TLS_ECDH_anon_WITH_NULL_SHA|SSL_RSA_WITH_NULL_MD5|TLS_KRB5_WITH_3DES_EDE_CBC_SHA|TLS_KRB5_WITH_3DES_EDE_CBC_MD5|TLS_KRB5_WITH_DES_CBC_SHA|TLS_KRB5_WITH_DES_CBC_MD5|TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA|TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5
+security.server.keys_dir=/var/lib/ambari-server/keys
+server.connection.max.idle.millis=900000
+server.execution.scheduler.isClustered=false
+server.execution.scheduler.maxDbConnections=5
+server.execution.scheduler.maxThreads=5
+server.execution.scheduler.misfire.toleration.minutes=480
+server.fqdn.service.url=http://169.254.169.254/latest/meta-data/public-hostname
+server.http.session.inactive_timeout=1800
+server.jdbc.connection-pool=internal
+server.jdbc.database=postgres
+server.jdbc.database_name=ambari
+server.jdbc.driver=org.postgresql.Driver
+server.jdbc.hostname=postgres
+server.jdbc.port=5432
+server.jdbc.postgres.schema=public
+server.jdbc.rca.driver=org.postgresql.Driver
+server.jdbc.rca.url=jdbc:postgresql://postgres:5432/ambari
+server.jdbc.rca.user.name=ambari
+server.jdbc.rca.user.passwd=/etc/ambari-server/conf/password.dat
+server.jdbc.url=jdbc:postgresql://postgres:5432/ambari
+server.jdbc.user.name=ambari
+server.jdbc.user.passwd=/etc/ambari-server/conf/password.dat
+server.os_family=ubuntu18
+server.os_type=ubuntu18
+server.persistence.type=remote
+server.python.log.level=INFO
+server.python.log.name=ambari-server-command.log
+server.stages.parallel=true
+server.task.timeout=1200
+server.tmp.dir=/var/lib/ambari-server/data/tmp
+server.version.file=/var/lib/ambari-server/resources/version
+shared.resources.dir=/usr/lib/ambari-server/lib/ambari_commons/resources
+skip.service.checks=false
+stack.java.home=/usr/lib/jvm/java-8-openjdk-amd64
+stackadvisor.script=/var/lib/ambari-server/resources/scripts/stack_advisor.py
+ulimit.open.files=65536
+upgrade.parameter.convert.hive.tables.timeout=86400
+upgrade.parameter.move.hive.tables.timeout=86400
+user.inactivity.timeout.default=0
+user.inactivity.timeout.role.readonly.default=0
+views.ambari.request.connect.timeout.millis=30000
+views.ambari.request.read.timeout.millis=45000
+views.http.cache-control=no-store
+views.http.charset=utf-8
+views.http.pragma=no-cache
+views.http.strict-transport-security=max-age=31536000
+views.http.x-content-type-options=nosniff
+views.http.x-frame-options=SAMEORIGIN
+views.http.x-xss-protection=1; mode=block
+views.request.connect.timeout.millis=5000
+views.request.read.timeout.millis=10000
+views.skip.home-directory-check.file-system.list=wasb,adls,adl
+webapp.dir=/usr/lib/ambari-server/web
diff --git a/ambari/data/ambari/krb5JAASLogin.conf b/ambari/data/ambari/krb5JAASLogin.conf
new file mode 100755
index 0000000..d266e19
--- /dev/null
+++ b/ambari/data/ambari/krb5JAASLogin.conf
@@ -0,0 +1,10 @@
+com.sun.security.jgss.krb5.initiate {
+ com.sun.security.auth.module.Krb5LoginModule required
+ renewTGT=false
+ doNotPrompt=true
+ useKeyTab=true
+ keyTab="/etc/security/keytabs/ambari.keytab"
+ principal="ambari@EXAMPLE.COM"
+ storeKey=true
+ useTicketCache=false;
+};
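Review bot: `ambari-server.user=root` runs the Ambari server process as root, and `server.jdbc.user.passwd=/etc/ambari-server/conf/password.dat` (and the `rca` twin above it) points at a file this same commit adds to the repository with the password `ambari` in it, so the shipped defaults pair a privileged daemon with a committed database credential. Create a dedicated service account for `ambari-server.user`, generate password.dat during `ambari-server setup` as the README already walks through rather than committing it, and say both in the README. `server.fqdn.service.url=http://169.254.169.254/latest/meta-data/public-hostname` is the EC2 metadata endpoint; on a non-AWS host that lookup presumably just times out, so either comment on why it is kept or drop it. This file, and the krb5JAASLogin.conf, log4j.properties and metrics.properties hunks that follow, are added with `new file mode 100755`; configuration files should not be executable, `100644` is the right mode.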
diff --git a/ambari/data/ambari/log4j.properties b/ambari/data/ambari/log4j.properties
new file mode 100755
index 0000000..9c4397f
--- /dev/null
+++ b/ambari/data/ambari/log4j.properties
@@ -0,0 +1,116 @@
+# Copyright 2011 The Apache Software Foundation
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# Define some default values that can be overridden by system properties
+# Root logger option
+ambari.root.dir=
+ambari.log.dir=${ambari.root.dir}/var/log/ambari-server
+ambari.log.file=ambari-server.log
+ambari.config-changes.file=ambari-config-changes.log
+ambari.alerts.file=ambari-alerts.log
+ambari.eclipselink.file=ambari-eclipselink.log
+ambari.audit.file=ambari-audit.log
+ambari.dbcheck.file=ambari-server-check-database.log
+ambari.stackmerger.file=ambari-stack-merger.log
+
+log4j.rootLogger=INFO,file
+
+# Direct log messages to a log file
+log4j.appender.file=org.apache.log4j.RollingFileAppender
+log4j.appender.file.File=${ambari.log.dir}/${ambari.log.file}
+log4j.appender.file.MaxFileSize=80MB
+log4j.appender.file.MaxBackupIndex=60
+log4j.appender.file.layout=org.apache.log4j.PatternLayout
+log4j.appender.file.layout.ConversionPattern=%d{ISO8601} %5p [%t] %c{1}:%L - %m%n
+
+# Log config changes
+log4j.logger.configchange=INFO,configchange
+log4j.additivity.configchange=false
+log4j.appender.configchange=org.apache.log4j.FileAppender
+log4j.appender.configchange.File=${ambari.log.dir}/${ambari.config-changes.file}
+log4j.appender.configchange.layout=org.apache.log4j.PatternLayout
+log4j.appender.configchange.layout.ConversionPattern=%d{ISO8601} %5p - %m%n
+
+# Log alert state changes
+log4j.logger.alerts=INFO,alerts
+log4j.additivity.alerts=false
+log4j.appender.alerts=org.apache.log4j.FileAppender
+log4j.appender.alerts.File=${ambari.log.dir}/${ambari.alerts.file}
+log4j.appender.alerts.layout=org.apache.log4j.PatternLayout
+log4j.appender.alerts.layout.ConversionPattern=%d{ISO8601} %m%n
+
+# Log database check process
+log4j.logger.org.apache.ambari.server.checks.DatabaseConsistencyChecker=INFO, dbcheck
+log4j.additivity.org.apache.ambari.server.checks.DatabaseConsistencyChecker=false
+log4j.appender.dbcheck=org.apache.log4j.FileAppender
+log4j.appender.dbcheck.File=${ambari.log.dir}/${ambari.dbcheck.file}
+log4j.appender.dbcheck.layout=org.apache.log4j.PatternLayout
+log4j.appender.dbcheck.layout.ConversionPattern=%d{ISO8601} %5p - %m%n
+
+log4j.logger.org.apache.ambari.server.checks.DatabaseConsistencyCheckHelper=INFO, dbcheckhelper
+log4j.additivity.org.apache.ambari.server.checks.DatabaseConsistencyCheckHelper=false
+log4j.appender.dbcheckhelper=org.apache.log4j.FileAppender
+log4j.appender.dbcheckhelper.File=${ambari.log.dir}/${ambari.dbcheck.file}
+log4j.appender.dbcheckhelper.layout=org.apache.log4j.PatternLayout
+log4j.appender.dbcheckhelper.layout.ConversionPattern=%d{ISO8601} %5p - %m%n
+
+# Log stack merger
+log4j.logger.org.apache.ambari.server.stack.StackMerger=INFO,stackmerger,console-stackmerger
+log4j.additivity.org.apache.ambari.server.stack.StackMerger=false
+log4j.appender.console-stackmerger=org.apache.log4j.ConsoleAppender
+log4j.appender.console-stackmerger.layout=org.apache.log4j.PatternLayout
+log4j.appender.stackmerger=org.apache.log4j.FileAppender
+log4j.appender.stackmerger.File=${ambari.log.dir}/${ambari.stackmerger.file}
+log4j.appender.stackmerger.layout=org.apache.log4j.PatternLayout
+log4j.appender.stackmerger.layout.ConversionPattern=%d{ISO8601} %5p - %m%n
+
+# EclipsLink -> slf4j bridge
+log4j.logger.eclipselink=TRACE,eclipselink
+log4j.additivity.eclipselink=false
+log4j.appender.eclipselink=org.apache.log4j.RollingFileAppender
+log4j.appender.eclipselink.File=${ambari.log.dir}/${ambari.eclipselink.file}
+log4j.appender.eclipselink.MaxFileSize=50MB
+log4j.appender.eclipselink.MaxBackupIndex=10
+log4j.appender.eclipselink.layout=org.apache.log4j.PatternLayout
+log4j.appender.eclipselink.layout.ConversionPattern=%m%n
+
+# Jersey
+log4j.logger.com.sun.jersey=WARN,file
+log4j.logger.org.glassfish.jersey=WARN,file
+
+# Jetty
+log4j.logger.org.eclipse.jetty=WARN,file
+
+# Audit logging
+log4j.logger.audit=INFO,audit
+log4j.additivity.audit=false
+log4j.appender.audit=org.apache.log4j.rolling.RollingFileAppender
+log4j.appender.audit.rollingPolicy=org.apache.log4j.rolling.FixedWindowRollingPolicy
+log4j.appender.audit.rollingPolicy.ActiveFileName=${ambari.log.dir}/${ambari.audit.file}
+log4j.appender.audit.rollingPolicy.FileNamePattern=${ambari.log.dir}/${ambari.audit.file}-%i.log.gz
+log4j.appender.audit.rollingPolicy.maxIndex=13
+log4j.appender.audit.triggeringPolicy=org.apache.log4j.rolling.SizeBasedTriggeringPolicy
+log4j.appender.audit.triggeringPolicy.maxFileSize=50000000
+log4j.appender.audit.layout=org.apache.log4j.PatternLayout
+log4j.appender.audit.layout.ConversionPattern=%m%n
+
+log4j.logger.org.apache.hadoop.yarn.client=WARN
+log4j.logger.org.apache.ambari.server.security.authorization=WARN
+
+log4j.logger.org.apache.ambari.server.security.authorization.AuthorizationHelper=INFO
+log4j.logger.org.apache.ambari.server.security.authorization.AmbariLdapBindAuthenticator=INFO
diff --git a/ambari/data/ambari/metrics.properties b/ambari/data/ambari/metrics.properties
new file mode 100755
index 0000000..96748d2
--- /dev/null
+++ b/ambari/data/ambari/metrics.properties
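Review bot: `log4j.logger.eclipselink=TRACE,eclipselink` switches the JPA layer to TRACE in a file that ships as the container's default, rolling through `50MB` × `MaxBackupIndex=10`; at that level EclipseLink logs the generated SQL and, depending on its own parameter-logging setting, the bound values, so the eclipselink log can end up holding rows from the ambari database that the other appenders are careful to keep out. Unless the TRACE output is wanted for a specific investigation, ship `log4j.logger.eclipselink=WARN,eclipselink` and document how to raise it, e.g. `# Raise to TRACE only while debugging the ORM; it logs SQL and may include bound values`. A one-line comment that `${ambari.log.dir}` resolves to `/var/log/ambari-server` because `ambari.root.dir=` is empty would also help whoever looks for the logs inside the container.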
@@ -0,0 +1,65 @@
+# Copyright 2011 The Apache Software Foundation
+#
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements. See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership. The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+#################### Metrics Source Configs #####################
+
+#Metric sources : jvm,database
+metric.sources=jvm,event
+
+#### JVM Source Configs ###
+source.jvm.class=org.apache.ambari.server.metrics.system.impl.JvmMetricsSource
+source.event.class=org.apache.ambari.server.metrics.system.impl.StompEventsMetricsSource
+source.jvm.interval=10
+
+#### Database Source Configs ###
+
+# Note : To enable Database metrics source completely, add the following property to ambari.properties as well
+# server.persistence.properties.eclipselink.profiler=org.apache.ambari.server.metrics.system.impl.AmbariPerformanceMonitor
+
+source.database.class=org.apache.ambari.server.metrics.system.impl.DatabaseMetricsSource
+
+# Ambari performance monitor granularity : NONE / NORMAL / HEAVY / ALL
+source.database.performance.monitor.query.weight=HEAVY
+
+# Collection interval in milliseconds
+source.database.monitor.dumptime=60000
+
+# Include entities to be tracked.
+source.database.monitor.entities=Cluster(.*)Entity,Host(.*)Entity,ExecutionCommandEntity,ServiceComponentDesiredStateEntity,Alert(.*)Entity,StackEntity,StageEntity
+
+# Include some metrics which have the keyword even if they are not part of requested Entities.
+# Examples
+# Query Types
+# ReadAllQuery,ReadObjectQuery,UpdateObjectQuery,ReportQuery,InsertObjectQuery,ValueReadQuery,DataModifyQuery,DoesExistQuery
+
+# Query stages
+# ObjectBuilding,QueryPreparation,SqlPrepare,SqlGeneration,StatementExecute,RowFetch,ConnectCalls,UnitOfWorkCommit,ClientSessionReleases,ConnectionManagement,CacheHits
+
+# Sequences
+# host_role_command_id_seq,alert_history_id_seq
+source.database.monitor.query.keywords.include=CacheMisses
+
+################################################################
+
+############## General Metrics Service Configs #################
+
+#ambariserver.hostname.override=
+
+################################################################
+
diff --git a/ambari/data/ambari/password.dat b/ambari/data/ambari/password.dat
new file mode 100644
index 0000000..a6bb20c
--- /dev/null
+++ b/ambari/data/ambari/password.dat
@@ -0,0 +1 @@
+ambari
\ No newline at end of file
diff --git a/ambari/data/ssh/config b/ambari/data/ssh/config
new file mode 100644
index 0000000..7608811
--- /dev/null
+++ b/ambari/data/ssh/config
@@ -0,0 +1,11 @@
+Host ambari-agent1
+ HostName 172.16.1.101
+ User root
+
+Host ambari-agent2
+ HostName 172.16.1.102
+ User root
+
+Host ambari-agent3
+ HostName 172.16.1.102
+ User root
diff --git a/ambari/docker-compose.yml b/ambari/docker-compose.yml
new file mode 100644
index 0000000..535c064
--- /dev/null
+++ b/ambari/docker-compose.yml
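Review bot: The header comment `#Metric sources : jvm,database` in this new file no longer describes the value beneath it, `metric.sources=jvm,event`, which enables the jvm and event sources and leaves database off. Rewording it as `#Metric sources : jvm,event,database (database also needs the eclipselink.profiler property in ambari.properties, see below)` keeps the header in step with both the setting and the note further down the file.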
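Review bot: The new `password.dat` commits the Ambari database password `ambari` in clear text with mode 100644, and the same value is repeated as `POSTGRES_PASSWORD=ambari` in the `ambari/docker-compose.yml` hunk that follows; because `./data/ambari` is mounted as `/etc/ambari-server/conf`, anyone who can read the checkout or the volume holds the database credential. The deployed copy should be generated at install time and kept out of version control (ignore it and ship a `password.dat.example`), with owner-only read permissions, since the file presumably only needs to be readable by the server process — confirm against the image. Sourcing both the compose `environment` entry and this file from one secret (an `env_file` or compose `secrets`) would also remove a duplicate that will otherwise drift.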
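Review bot: The `ambari-agent3` entry at the end of the hunk reuses `HostName 172.16.1.102`, the address already given to `ambari-agent2`, while `extra_hosts` in the `ambari/docker-compose.yml` hunk maps `ambari-agent3` to `172.16.1.103`; the line should read `HostName 172.16.1.103`. As written, any bootstrap driven by this config reaches agent2 twice and never reaches agent3. All three hosts log in as `root`; if that is intended for the agent bootstrap, a `StrictHostKeyChecking yes` / `UserKnownHostsFile` pair pointing at a known_hosts file shipped alongside this config would make the first connection to each agent verifiable rather than trust-on-first-use.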
@@ -0,0 +1,31 @@
+version: "3.7"
+
+services:
+
+ server:
+ image: vimagick/ambari
+ hostname: ambari-server
+ ports:
+ - "8080:8080"
+ - "8440:8440"
+ - "8441:8441"
+ volumes:
+ - ./data/ambari:/etc/ambari-server/conf
+ - ./data/log:/var/log/ambari-server
+ extra_hosts:
+ - ambari-agent1:172.16.1.101
+ - ambari-agent2:172.16.1.102
+ - ambari-agent3:172.16.1.103
+ depends_on:
+ - postgres
+ restart: unless-stopped
+
+ postgres:
+ image: postgres:alpine
+ volumes:
+ - ./data/postgres:/var/lib/postgresql/data
+ environment:
+ - POSTGRES_USER=ambari
+ - POSTGRES_PASSWORD=ambari
+ - POSTGRES_DB=ambari
+ restart: unless-stopped
diff --git a/apacheds/Dockerfile b/apacheds/Dockerfile
new file mode 100644
index 0000000..30d5e44
--- /dev/null
+++ b/apacheds/Dockerfile
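Review bot: `image: postgres:alpine` in the `postgres` service pins no PostgreSQL major, so a routine `docker-compose pull` can move the container to a newer major while `./data/postgres` still holds a cluster initialised by the old one, and the server will refuse to start on that data directory. Pinning a major that Ambari has been validated against, e.g. `image: postgres:<major>-alpine` (fill in the version you tested), keeps database upgrades deliberate. The clear-text `POSTGRES_PASSWORD` in `environment` is covered by the note on `password.dat`.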
@@ -0,0 +1,40 @@
+#
+# Dockerfile for apacheds
+#
+
+FROM debian:buster
+MAINTAINER EasyPi Software Foundation
+
+ENV GOSU_VERSION=1.11
+ENV GOSU_URL=https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-amd64
+
+ENV APACHEDS_VERSION=2.0.0.AM25
+ENV APACHEDS_FILE=apacheds-${APACHEDS_VERSION}-amd64.deb
+ENV APACHEDS_URL=http://mirrors.advancedhosters.com/apache/directory/apacheds/dist/${APACHEDS_VERSION}/${APACHEDS_FILE}
+ENV APACHEDS_USER=apacheds
+ENV APACHEDS_GROUP=apacheds
+ENV APACHEDS_DATA=/var/lib/apacheds
+ENV APACHEDS_INSTANCE=default
+ENV APACHEDS_INSTANCE_DIR=${APACHEDS_DATA}/${APACHEDS_INSTANCE}
+
+RUN set -xe \
+ && apt update \
+ && apt install -y \
+ apt-utils \
+ curl \
+ ldap-utils \
+ openjdk-11-jre-headless \
+ procps \
+ && curl -sSL ${GOSU_URL} > /usr/local/bin/gosu \
+ && chmod +x /usr/local/bin/gosu \
+ && gosu nobody true \
+ && curl -sSL ${APACHEDS_URL} > ${APACHEDS_FILE} \
+ && dpkg -i ${APACHEDS_FILE} \
+ && sed -i "/INSTANCES_DIRECTORY/s/-${APACHEDS_VERSION}//" /opt/apacheds-${APACHEDS_VERSION}/bin/apacheds \
+ && rm -rf ${APACHEDS_FILE} /var/lib/apt/lists/*
+
+EXPOSE 10389 10636
+
+COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+
+ENTRYPOINT ["docker-entrypoint.sh"]
diff --git a/apacheds/README.md b/apacheds/README.md
new file mode 100644
index 0000000..db4635f
--- /dev/null
+++ b/apacheds/README.md
@@ -0,0 +1,13 @@
+apacheds
+========
+
+```yaml
+apacheds:
+ image: vimagick/apacheds
+ ports:
+ - "10389:10389"
+ - "10636:10636"
+ volumes:
+ - ./data:/var/lib/apacheds
+ restart: unless-stopped
+```
diff --git a/apacheds/docker-compose.yml b/apacheds/docker-compose.yml
new file mode 100644
index 0000000..d61e0b7
--- /dev/null
+++ b/apacheds/docker-compose.yml
@@ -0,0 +1,8 @@
+apacheds:
+ image: vimagick/apacheds
+ ports:
+ - "10389:10389"
+ - "10636:10636"
+ volumes:
+ - ./data:/var/lib/apacheds
+ restart: unless-stopped
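Review bot: Both downloads in the `RUN` step are installed without any integrity check: `${APACHEDS_URL}` is plain `http://` from a third-party mirror and the fetched `.deb` goes straight into `dpkg -i` as root, and the `gosu` binary is likewise trusted exactly as fetched. Switch the ApacheDS URL to an `https://` Apache dist/archive location and pin the digest with `&& echo "<sha512-of-the-deb>  ${APACHEDS_FILE}" | sha512sum -c - \` placed before the `dpkg -i` line, and verify gosu against the `.asc` signature its releases publish (gpg would need to be installed for that step and can be removed afterwards). `MAINTAINER` is deprecated in favour of `LABEL maintainer="EasyPi Software Foundation"`, and `apt update` / `apt install` inside a build should be `apt-get`, whose CLI is the one kept stable for scripts.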
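Review bot: This compose file uses the version-less v1 layout (top-level service key, no `version:`/`services:`), whereas `ambari/docker-compose.yml` added in the same commit uses `version: "3.7"`; wrapping it as `version: "3.7"` / `services:` / `  apacheds:` keeps the recipes consistent and leaves room for `secrets` or `depends_on` later. Both 10389 (plain LDAP) and 10636 (LDAPS) are published on all interfaces; if only the TLS listener is meant to be reachable from outside the host, dropping `- "10389:10389"` or binding it as `- "127.0.0.1:10389:10389"` limits the clear-text exposure. The same block is duplicated verbatim in `apacheds/README.md`, so whichever form is chosen should be mirrored there.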
diff --git a/apacheds/docker-entrypoint.sh b/apacheds/docker-entrypoint.sh
new file mode 100755
index 0000000..72f60d8
--- /dev/null
+++ b/apacheds/docker-entrypoint.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+
+set -e
+
+if ! [ -d ${APACHEDS_INSTANCE_DIR} ]; then
+ cp -r ${APACHEDS_DATA}-${APACHEDS_VERSION}/default ${APACHEDS_INSTANCE_DIR}
+ chown -R ${APACHEDS_USER}:${APACHEDS_GROUP} ${APACHEDS_INSTANCE_DIR}
+fi
+
+gosu ${APACHEDS_USER} /opt/apacheds-${APACHEDS_VERSION}/bin/apacheds start ${APACHEDS_INSTANCE}
+
+tail -n 0 -f ${APACHEDS_INSTANCE_DIR}/log/apacheds.log
diff --git a/apm-server/README.md b/apm-server/README.md
new file mode 100644
index 0000000..0bf9fec
--- /dev/null
+++ b/apm-server/README.md
@@ -0,0 +1,15 @@
+apm-server
+==========
+
+The [APM Server][1] receives data from [APM agents][2] and transforms them into
+Elasticsearch documents. It does this by exposing an HTTP server endpoint to
+which agents stream the APM data they collect. After the APM Server has
+validated and processed events from the APM agents, the server transforms the
+data into Elasticsearch documents and stores them in corresponding
+Elasticsearch indices.
+
+The APM Server works in conjunction with APM agents, Elasticsearch, and Kibana.
+Please view the APM Overview for details on how these components work together.
+
+[1]: https://www.elastic.co/guide/en/apm/server/current/index.html
+[2]: https://www.elastic.co/guide/en/apm/agent/index.html
diff --git a/apm-server/data/apm-server.yml b/apm-server/data/apm-server.yml
new file mode 100644
index 0000000..766631f
--- /dev/null
+++ b/apm-server/data/apm-server.yml
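Review bot: `apacheds start` on the `gosu` line hands off to the wrapper and returns, so `tail -n 0 -f` becomes the container's foreground process: `docker stop` then signals `tail`, ApacheDS never receives a shutdown request, and if the directory server dies the container keeps running on a dead log file, which also defeats `restart: unless-stopped` in the compose file. If the wrapper script offers a foreground mode (`console` is the usual name for this kind of wrapper — confirm against `/opt/apacheds-${APACHEDS_VERSION}/bin/apacheds`), replace the last two commands with `exec gosu ${APACHEDS_USER} /opt/apacheds-${APACHEDS_VERSION}/bin/apacheds console ${APACHEDS_INSTANCE}` so the server is PID 1 and signals reach it. The variables are also unquoted throughout: with an empty `APACHEDS_INSTANCE_DIR`, `[ -d ]` evaluates to true and the initial copy is silently skipped, so `if ! [ -d "${APACHEDS_INSTANCE_DIR}" ]; then` and quoted arguments on the `cp`/`chown` lines are the safer form.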
@@ -0,0 +1,841 @@ +################### APM Server Configuration ######################### + +############################# APM Server ###################################### + +apm-server: + # Defines the host and port the server is listening on. use "unix:/path/to.sock" to listen on a unix domain socket. + host: "0.0.0.0:8200" + + # Maximum permitted size in bytes of a request's header accepted by the server to be processed. + #max_header_size: 1048576 + + # Maximum permitted duration for reading an entire request. + #read_timeout: 30s + + # Maximum permitted duration for writing a response. + #write_timeout: 30s + + # Maximum duration in seconds before releasing resources when shutting down the server. + #shutdown_timeout: 5s + + # Maximum allowed size in bytes of a single event + #max_event_size: 307200 + + #-- + + # Maximum number of new connections to accept simultaneously (0 means unlimited) + # max_connections: 0 + + # Authorization token to be checked. If a token is set here the agents must + # send their token in the following format: Authorization: Bearer . + # It is recommended to use an authorization token in combination with SSL enabled, + # and save the token in the beats keystore. + #secret_token: + #ssl.enabled: false + #ssl.certificate : "path/to/cert" + #ssl.key : "path/to/private_key" + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. + #ssl.key_passphrase: "" + + #rum: + # To enable real user monitoring (RUM) support set this to true. + #enabled: false + + #event_rate: + + # Defines the maximum amount of events allowed to be sent to the APM Server RUM + # endpoint per ip per second. Defaults to 300. + #limit: 300 + + # An LRU cache is used to keep a rate limit per IP for the most recently seen IPs. + # This setting defines the number of unique IPs that can be tracked in the cache. + # Sites with many concurrent clients should consider increasing this limit. Defaults to 1000. 
+ #lru_size: 1000 + + #-- General RUM settings + + # Comma separated list of permitted origins for real user monitoring. + # User-agents will send an origin header that will be validated against this list. + # An origin is made of a protocol scheme, host and port, without the url path. + # Allowed origins in this setting can have * to match anything (eg.: http://*.example.com) + # If an item in the list is a single '*', everything will be allowed + #allow_origins : ['*'] + + # Regexp to be matched against a stacktrace frame's `file_name` and `abs_path` attributes. + # If the regexp matches, the stacktrace frame is considered to be a library frame. + #library_pattern: "node_modules|bower_components|~" + + # Regexp to be matched against a stacktrace frame's `file_name`. + # If the regexp matches, the stacktrace frame is not used for calculating error groups. + # The default pattern excludes stacktrace frames that have a filename starting with '/webpack' + #exclude_from_grouping: "^/webpack" + + # If a source map has previously been uploaded, source mapping is automatically applied + # to all error and transaction documents sent to the RUM endpoint. + #source_mapping: + + # Source maps are always fetched from Elasticsearch, by default using the output.elasticsearch configuration. + # A different instance must be configured when using any other output. + # This setting only affects sourcemap reads - the output determines where sourcemaps are written. + #elasticsearch: + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + # hosts: ["localhost:9200"] + + # Optional protocol and basic auth credentials. 
+ #protocol: "https" + #username: "elastic" + #password: "changeme" + + # The `cache.expiration` determines how long a source map should be cached before fetching it again from Elasticsearch. + # Note that values configured without a time unit will be interpreted as seconds. + #cache: + #expiration: 5m + + # Source maps are stored in a seperate index. + # If the default index pattern for source maps at 'outputs.elasticsearch.indices' + # is changed, a matching index pattern needs to be specified here. + #index_pattern: "apm-*-sourcemap*" + + + # If set to true, APM Server augments data received by the agent with the original IP of the backend server, + # or the IP and User Agent of the real user (RUM requests). It defaults to true. + #capture_personal_data: true + + # golang expvar support - https://golang.org/pkg/expvar/ + #expvar: + # Set to true to Expose expvar + #enabled: false + + # Url to expose expvar + #url: "/debug/vars" + + # Instrumentation support for the server's HTTP endpoints and event publisher. + #instrumentation: + # Set to true to enable instrumentation of the APM server itself. + #enabled: false + # Environment in which the APM Server is running on (eg: staging, production, etc.) + #environment: "" + # Remote host to report instrumentation results to. + #hosts: + # - http://remote-apm-server:8200 + # Remote apm-servers' secret_token + #secret_token: + + # Metrics endpoint + #metrics: + # Set to false to disable the metrics endpoint + #enabled: true + + # A pipeline is a definition of processors applied to documents when writing them to Elasticsearch. + # Using pipelines involves two steps: + # (1) registering a pipeline + # (2) applying a pipeline during data ingestion (see `output.elasticsearch.pipelines`) + # + # You can manually register pipelines, or use this configuration option to ensure + # pipelines are loaded and registered at the configured Elasticsearch instances. 
+ # Automatic pipeline registration requires + # * `output.elasticsearch` to be enabled and configured. + # * having the required Elasticsearch Processor Plugins installed. + # APM Server default pipelines require you to have the `Ingest User Agent Plugin` installed. + # Find the default pipeline configuration at `ingest/pipeline/definition.json`. + # + #register.ingest.pipeline: + # Registers pipeline definitions in Elasticsearch on APM Server startup. Defaults to false. + #enabled: false + + # Overwrites existing pipeline definitions in Elasticsearch. Defaults to true. + #overwrite: true + +#================================ General ====================================== + +# Internal queue configuration for buffering events to be published. +#queue: + # Queue type by name (default 'mem') + # The memory queue will present all available events (up to the outputs + # bulk_max_size) to the output, the moment the output is ready to server + # another batch of events. + #mem: + # Max number of events the queue can buffer. + #events: 4096 + + # Hints the minimum number of events stored in the queue, + # before providing a batch of events to the outputs. + # A value of 0 (the default) ensures events are immediately available + # to be sent to the outputs. + #flush.min_events: 2048 + + # Maximum duration after which events are available to the outputs, + # if the number of events stored in the queue is < min_flush_events. + #flush.timeout: 1s + +# Sets the maximum number of CPUs that can be executing simultaneously. The +# default is the number of logical CPUs available in the system. +#max_procs: + + +#============================== Template ===================================== + +# A template is used to set the mapping in Elasticsearch +# By default template loading is enabled and the template is loaded. +# These settings can be adjusted to load your own template or overwrite existing ones. + +# Set to false to disable template loading. 
+#setup.template.enabled: true + +# Template name. By default the template name is "apm-%{[beat.version]}" +# The template name and pattern has to be set in case the elasticsearch index pattern is modified. +#setup.template.name: "apm-%{[beat.version]}" + +# Template pattern. By default the template pattern is "apm-%{[beat.version]}-*" to apply to the default index settings. +# The first part is the version of the beat and then -* is used to match all daily indices. +# The template name and pattern has to be set in case the elasticsearch index pattern is modified. +#setup.template.pattern: "apm-%{[beat.version]}-*" + +# Path to fields.yml file to generate the template +#setup.template.fields: "${path.config}/fields.yml" + +# Overwrite existing template +#setup.template.overwrite: false + +# Elasticsearch template settings +#setup.template.settings: + + # A dictionary of settings to place into the settings.index dictionary + # of the Elasticsearch template. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html + #index: + #number_of_shards: 1 + #codec: best_compression + #number_of_routing_shards: 30 + #mapping.total_fields.limit: 2000 + + # A dictionary of settings for the _source field. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html + #_source: + #enabled: false + + +#============================== Deprecated: Dashboards ===================================== +# +# Deprecated: Loading dashboards from the APM Server into Kibana is deprecated from 6.4 on. +# We suggest to use the Kibana UI to load APM Server dashboards and index pattern instead. +# +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards are disabled by default and can be enabled either by setting the +# options here, or by using the `-setup` CLI flag or the `setup` command. 
+#setup.dashboards.enabled: false + +# The directory from where to read the dashboards. The default is the `kibana` +# folder in the home path. +#setup.dashboards.directory: ${path.home}/kibana + +# The URL from where to download the dashboards archive. It is used instead of +# the directory if it has a value. +#setup.dashboards.url: + +# The file archive (zip file) from where to read the dashboards. It is used instead +# of the directory when it has a value. +#setup.dashboards.file: + +# The name of the Kibana index to use for setting the configuration. Default is ".kibana" +#setup.dashboards.kibana_index: .kibana + +# The Elasticsearch index name. This overwrites the index name defined in the +# dashboards and index pattern. Example: testbeat-* +# The dashboards.index needs to be changed in case the elasticsearch index pattern is modified. +#setup.dashboards.index: + +# Always use the Kibana API for loading the dashboards instead of autodetecting +# how to install the dashboards by first querying Elasticsearch. +#setup.dashboards.always_kibana: false + +# If true and Kibana is not reachable at the time when dashboards are loaded, +# it will retry to reconnect to Kibana instead of exiting with an error. +#setup.dashboards.retry.enabled: false + +# Duration interval between Kibana connection retries. +#setup.dashboards.retry.interval: 1s + +# Maximum number of retries before exiting with an error, 0 for unlimited retrying. +#setup.dashboards.retry.maximum: 0 + + +#============================== Deprecated: Kibana ===================================== + +# Deprecated: Starting with APM Server version 6.4, loading dashboards and index pattern +# from the APM Server into Kibana is deprecated. +# We suggest to use the Kibana UI to load APM Server dashboards and index pattern instead. +# +# Setting up a Kibana endpoint is not necessary when loading the index pattern and dashboards via the UI. 
+ +#setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Optional HTTP Path + #path: "" + + # Use SSL settings for HTTPS. Default is false. + #ssl.enabled: false + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + +#============================= Elastic Cloud ================================== + +# These settings simplify using APM Server with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# [deprecated] `setup.kibana.host` options. 
+# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + hosts: ["elasticsearch:9200"] + + # Boolean flag to enable or disable the output module. + #enabled: true + + # Set gzip compression level. + #compression_level: 0 + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the url with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Number of workers per Elasticsearch host. + #worker: 1 + + # By using the configuration below, apm documents are stored to separate indices, + # depending on their `processor.event`: + # - error + # - transaction + # - span + # - sourcemap + # + # The indices are all prefixed with `apm-%{[beat.version]}`. + # To allow managing indices based on their age, all indices (except for sourcemaps) + # end with the information of the day they got indexed. + # e.g. 
"apm-6.3.0-transaction-2018.03.20" + # + # Be aware that you can only specify one Elasticsearch template and one Kibana Index Pattern, + # In case you modify the index patterns you must also update those configurations accordingly, + # as they need to be aligned: + # * `setup.template.name` + # * `setup.template.pattern` + # * `setup.dashboards.index` + #index: "apm-%{[beat.version]}-%{+yyyy.MM.dd}" + indices: + - index: "apm-%{[beat.version]}-sourcemap" + when.contains: + processor.event: "sourcemap" + + - index: "apm-%{[beat.version]}-error-%{+yyyy.MM.dd}" + when.contains: + processor.event: "error" + + - index: "apm-%{[beat.version]}-transaction-%{+yyyy.MM.dd}" + when.contains: + processor.event: "transaction" + + - index: "apm-%{[beat.version]}-span-%{+yyyy.MM.dd}" + when.contains: + processor.event: "span" + + - index: "apm-%{[beat.version]}-metric-%{+yyyy.MM.dd}" + when.contains: + processor.event: "metric" + + - index: "apm-%{[beat.version]}-onboarding-%{+yyyy.MM.dd}" + when.contains: + processor.event: "onboarding" + + # A pipeline is a definition of processors applied to documents when writing them to Elasticsearch. + # APM Server comes with a default pipeline definition, located at `ingets/pipeline/definition.json`. + # Pipelines are disabled by default. To make use of them you have to: + # (1) ensure pipelines are registered in Elasticsearch, see `apm-server.register.ingest.pipeline` + # (2) enable the following: + #pipelines: + #- pipeline: "apm_user_agent" + + # Optional HTTP Path + #path: "/elasticsearch" + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server url + #proxy_url: http://proxy:3128 + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. 
+ #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # The number of seconds to wait before trying to reconnect to Elasticsearch + # after a network error. After waiting backoff.init seconds, apm-server + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Elasticsearch after a network error. The default is 60s. + #backoff.max: 60s + + # Configure http request timeout before failing an request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. Default is false. + #ssl.enabled: false + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. 
+ #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + +#----------------------------- Console output --------------------------------- +#output.console: + # Boolean flag to enable or disable the output module. + #enabled: false + + # Pretty print json event + #pretty: false + +#----------------------------- Logstash output --------------------------------- +#output.logstash: + # Boolean flag to enable or disable the output module. + #enabled: false + + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Number of workers per Logstash host. + #worker: 1 + + # Set gzip compression level. + #compression_level: 3 + + # Configure escaping html symbols in strings. + #escape_html: true + + # Optional maximum time to live for a connection to Logstash, after which the + # connection will be re-established. A value of `0s` (the default) will + # disable this feature. + # + # Not yet supported for async connections (i.e. with the "pipelining" option set) + #ttl: 30s + + # Optional load balance the events between the Logstash hosts. Default is false. + #loadbalance: false + + # Number of batches to be sent asynchronously to Logstash while processing + # new batches. + #pipelining: 2 + + # If enabled only a subset of events in a batch of events is transferred per + # group. The number of events to be sent increases up to `bulk_max_size` + # if no error is encountered. + #slow_start: false + + # The number of seconds to wait before trying to reconnect to Logstash + # after a network error. After waiting backoff.init seconds, apm-server + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. 
After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Logstash after a network error. The default is 60s. + #backoff.max: 60s + + # Optional index name. The default index name is set to apm + # in all lowercase. + #index: 'apm' + + # SOCKS5 proxy server URL + #proxy_url: socks5://user:password@socks5-server:2233 + + # Resolve names locally when using a proxy server. Defaults to false. + #proxy_use_local_resolver: false + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. 
+ #ssl.renegotiation: never + +#------------------------------- Kafka output ---------------------------------- +#output.kafka: + # Boolean flag to enable or disable the output module. + #enabled: false + + # The list of Kafka broker addresses from where to fetch the cluster metadata. + # The cluster metadata contain the actual Kafka brokers events are published + # to. + #hosts: ["localhost:9092"] + + # The Kafka topic used for produced events. The setting can be a format string + # using any event field. To set the topic from document type use `%{[type]}`. + #topic: beats + + # The Kafka event key setting. Use format string to create unique event key. + # By default no event key will be generated. + #key: '' + + # The Kafka event partitioning strategy. Default hashing strategy is `hash` + # using the `output.kafka.key` setting or randomly distributes events if + # `output.kafka.key` is not configured. + #partition.hash: + # If enabled, events will only be published to partitions with reachable + # leaders. Default is false. + #reachable_only: false + + # Configure alternative event field names used to compute the hash value. + # If empty `output.kafka.key` setting will be used. + # Default value is empty list. + #hash: [] + + # Authentication details. Password is required if username is set. + #username: '' + #password: '' + + # Kafka version libbeat is assumed to run against. Defaults to the "1.0.0". + #version: '1.0.0' + + # Configure JSON encoding + #codec.json: + # Pretty print json event + #pretty: false + + # Configure escaping html symbols in strings. + #escape_html: true + + # Metadata update configuration. Metadata do contain leader information + # deciding which broker to use when publishing. + #metadata: + # Max metadata request retry attempts when cluster is in middle of leader + # election. Defaults to 3 retries. + #retry.max: 3 + + # Waiting time between retries during leader elections. Default is 250ms. 
+ #retry.backoff: 250ms + + # Refresh metadata interval. Defaults to every 10 minutes. + #refresh_frequency: 10m + + # The number of concurrent load-balanced Kafka output workers. + #worker: 1 + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, the events are typically dropped. + # Some Beats, such as Filebeat, ignore the max_retries setting and retry until + # all events are published. Set max_retries to a value less than 0 to retry + # until all events are published. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Kafka request. The default + # is 2048. + #bulk_max_size: 2048 + + # The number of seconds to wait for responses from the Kafka brokers before + # timing out. The default is 30s. + #timeout: 30s + + # The maximum duration a broker will wait for number of required ACKs. The + # default is 10s. + #broker_timeout: 10s + + # The number of messages buffered for each Kafka broker. The default is 256. + #channel_buffer_size: 256 + + # The keep-alive period for an active network connection. If 0s, keep-alives + # are disabled. The default is 0 seconds. + #keep_alive: 0 + + # Sets the output compression codec. Must be one of none, snappy and gzip. The + # default is gzip. + #compression: gzip + + # The maximum permitted size of JSON-encoded messages. Bigger messages will be + # dropped. The default value is 1000000 (bytes). This value should be equal to + # or less than the broker's message.max.bytes. + #max_message_bytes: 1000000 + + # The ACK reliability level required from broker. 0=no response, 1=wait for + # local commit, -1=wait for all replicas to commit. The default is 1. Note: + # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently + # on error. + #required_acks: 1 + + # The configurable ClientID used for logging, debugging, and auditing + # purposes. The default is "beats". 
+ #client_id: beats + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + +#================================= Paths ====================================== + +# The home path for the apm-server installation. This is the default base path +# for all other path settings and for miscellaneous files that come with the +# distribution (for example, the sample dashboards). +# If not set by a CLI flag or in the configuration file, the default for the +# home path is the location of the binary. +#path.home: + +# The configuration path for the apm-server installation. This is the default +# base path for configuration files, including the main YAML configuration file +# and the Elasticsearch template file. 
If not set by a CLI flag or in the +# configuration file, the default for the configuration path is the home path. +#path.config: ${path.home} + +# The data path for the apm-server installation. This is the default base path +# for all the files in which apm-server needs to store its data. If not set by a +# CLI flag or in the configuration file, the default for the data path is a data +# subdirectory inside the home path. +#path.data: ${path.home}/data + +# The logs path for a apm-server installation. This is the default location for +# the Beat's log files. If not set by a CLI flag or in the configuration file, +# the default for the logs path is a logs subdirectory inside the home path. +#path.logs: ${path.home}/logs + + +#================================ Logging ====================================== +# +# There are three options for the log output: syslog, file, stderr. +# Under Windows systems, the log files are per default sent to the file output, +# under all other system per default to syslog. + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: info + +# Enable debug output for selected components. To enable all selectors use ["*"] +# Other available selectors are "beat", "publish", "service" +# Multiple selectors can be chained. +#logging.selectors: [ ] + +# Send all logging output to syslog. The default is false. +#logging.to_syslog: true + +# If enabled, apm-server periodically logs its internal metrics that have changed +# in the last period. For each metric that changed, the delta from the value at +# the beginning of the period is logged. Also, the total values for +# all non-zero internal metrics are logged on shutdown. The default is true. +#logging.metrics.enabled: false + +# The period after which to log the internal metrics. The default is 30s. +#logging.metrics.period: 30s + +# Logging to rotating files. Set logging.to_files to false to disable logging to +# files. 
+#logging.to_files: true +#logging.files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/apm-server + + # The name of the files where the logs are written to. + #name: apm-server + + # Configure log file size limit. If limit is reached, log file will be + # automatically rotated + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. Oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + +# Set to true to log messages in json format. +#logging.json: false + + +#================================ HTTP Endpoint ====================================== +# +# Each beat can expose internal metrics through a HTTP endpoint. For security +# reasons the endpoint is disabled by default. This feature is currently experimental. +# Stats can be access through http://localhost:5066/stats . For pretty JSON output +# append ?pretty to the URL. + +# Defines if the HTTP endpoint is enabled. +#http.enabled: false + +# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. +#http.host: localhost + +# Port on which the HTTP endpoint will bind. Default is 5066. +#http.port: 5066 + +#============================== Xpack Monitoring =============================== +# APM server can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. 
Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. +#xpack.monitoring.elasticsearch: +# username: "apm_system" +# password: "" diff --git a/apm-server/docker-compose.yml b/apm-server/docker-compose.yml new file mode 100644 index 0000000..26d1dd0 --- /dev/null +++ b/apm-server/docker-compose.yml @@ -0,0 +1,9 @@ +apm-server: + image: docker.elastic.co/apm/apm-server:6.5.4 + ports: + - "8200:8200" + volumes: + - ./data:/usr/share/apm-server + extra_hosts: + - elasticsearch:1.2.3.4 + restart: always diff --git a/artifactory/README.md b/artifactory/README.md new file mode 100644 index 0000000..e167f9f --- /dev/null +++ b/artifactory/README.md @@ -0,0 +1,7 @@ +artifactory +=========== + +[JFrog Artifactory][1] is the only Universal Repository Manager supporting all major +packaging formats, build tools and CI servers. + +[1]: https://www.jfrog.com/confluence/display/RTF/Welcome+to+Artifactory diff --git a/artifactory/docker-compose.yml b/artifactory/docker-compose.yml new file mode 100644 index 0000000..fa553c4 --- /dev/null +++ b/artifactory/docker-compose.yml @@ -0,0 +1,35 @@ +# +# https://www.jfrog.com/confluence/display/RTF/Installing+with+Docker +# + +version: "3.7" + +services: + + postgres: + image: postgres:12-alpine + ports: + - "5432:5432" + volumes: + - ./data/postgres:/var/lib/postgresql/data + environment: + - POSTGRES_DB=artifactory + - POSTGRES_USER=artifactory + - POSTGRES_PASSWORD=artifactory + restart: always + + artifactory: + image: docker.bintray.io/jfrog/artifactory-oss:6.13.1 + ports: + - "8081:8081" + volumes: + - ./data/artifactory:/var/opt/jfrog/artifactory + environment: + - DB_TYPE=postgresql + - DB_HOST=postgres + - DB_USER=artifactory + - DB_PASSWORD=artifactory + - EXTRA_JAVA_OPTIONS=-Xms512m -Xmx2g -Xss256k -XX:+UseG1GC + depends_on: + - postgres + restart: always 
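Review bot: `ports: - "8200:8200"` publishes the APM intake on every host interface, and nothing in this file enforces transport security or a token, so agent traffic from other hosts would arrive in clear text unless the mounted config enables `ssl.*`; if only local agents are expected, bind with `- "127.0.0.1:8200:8200"`. The `extra_hosts: - elasticsearch:1.2.3.4` placeholder will silently ship data to whoever owns that address if a user forgets to edit it — worth a comment such as `# replace 1.2.3.4 with your Elasticsearch host before starting`. The `./data:/usr/share/apm-server` bind also overlays the image's whole install directory, so an empty `./data` may hide the shipped files; mounting only the config (`./data/apm-server.yml:/usr/share/apm-server/apm-server.yml:ro`) is safer, assuming that is where the image keeps it.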
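Review bot: The `postgres` service publishes `"5432:5432"` on all host interfaces while `POSTGRES_PASSWORD=artifactory` is a guessable default, so the repository database is reachable from the network with a known password. Artifactory reaches the database over the compose network through `DB_HOST=postgres`, so the `ports:` block under `postgres` can simply be dropped; if host access is needed for maintenance, bind it locally with `- "127.0.0.1:5432:5432"`. Move the shared password into an `.env` file or `env_file:` so it is not committed in clear text, and source `DB_PASSWORD` and `POSTGRES_PASSWORD` from the same variable so they cannot drift apart.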
diff --git a/awx/README.md b/awx/README.md new file mode 100644 index 0000000..2e35493 --- /dev/null +++ b/awx/README.md @@ -0,0 +1,9 @@ +awx +=== + +[AWX][1] provides a web-based user interface, REST API, and task engine built +on top of Ansible. It is the upstream project for [Tower][2], a commercial +derivative of AWX. + +[1]: https://github.com/ansible/awx +[2]: https://www.ansible.com/tower diff --git a/awx/data/etc/SECRET_KEY b/awx/data/etc/SECRET_KEY new file mode 100644 index 0000000..0b5f0c2 --- /dev/null +++ b/awx/data/etc/SECRET_KEY @@ -0,0 +1 @@ +isasekrit diff --git a/awx/data/etc/credentials.py b/awx/data/etc/credentials.py new file mode 100644 index 0000000..5f91162 --- /dev/null +++ b/awx/data/etc/credentials.py @@ -0,0 +1,29 @@ +DATABASES = { + 'default': { + 'ATOMIC_REQUESTS': True, + 'ENGINE': 'django.db.backends.postgresql', + 'NAME': "awx", + 'USER': "awx", + 'PASSWORD': "awxpass", + 'HOST': "postgres", + 'PORT': "5432", + } +} + +BROKER_URL = 'amqp://guest:guest@rabbitmq:5672/awx' + +CHANNEL_LAYERS = { + 'default': {'BACKEND': 'asgi_amqp.AMQPChannelLayer', + 'ROUTING': 'awx.main.routing.channel_routing', + 'CONFIG': {'url': BROKER_URL}} +} + +CACHES = { + 'default': { + 'BACKEND': 'django.core.cache.backends.memcached.MemcachedCache', + 'LOCATION': 'memcached:11211' + }, + 'ephemeral': { + 'BACKEND': 'django.core.cache.backends.locmem.LocMemCache', + }, +} diff --git a/awx/data/etc/environment.sh b/awx/data/etc/environment.sh new file mode 100644 index 0000000..817283d --- /dev/null +++ b/awx/data/etc/environment.sh @@ -0,0 +1,12 @@ +DATABASE_USER=awx +DATABASE_NAME=awx +DATABASE_HOST=postgres +DATABASE_PORT=5432 +DATABASE_PASSWORD=awxpass +DATABASE_ADMIN_PASSWORD=postgrespass +MEMCACHED_HOST=memcached +MEMCACHED_PORT=11211 +RABBITMQ_HOST=rabbitmq +RABBITMQ_PORT=5672 +AWX_ADMIN_USER=admin +AWX_ADMIN_PASSWORD=password diff --git a/awx/docker-compose.yml b/awx/docker-compose.yml new file mode 100644 index 0000000..8e4f4c2 --- /dev/null 
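Review bot: `awx/data/etc/SECRET_KEY` commits the literal value `isasekrit`, which every deployment built from this recipe will share; as far as I know AWX uses this key to encrypt credentials stored in its database, so anyone holding the repository can decrypt a copy of that database. Generate the key per installation instead (e.g. `openssl rand -base64 32 > data/etc/SECRET_KEY`), add the file to `.gitignore`, and document the step in the README. Rotating it after credentials have been stored is non-trivial, so this is best fixed before first use.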
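Review bot: `AWX_ADMIN_PASSWORD=password`, `DATABASE_PASSWORD=awxpass` and `DATABASE_ADMIN_PASSWORD=postgrespass` are committed in clear text and duplicated by hand in `credentials.py` and `docker-compose.yml`, so a change in one place is easily missed in the others. Since `environment.sh` is already a shell fragment, source the secrets from a git-ignored file (e.g. `. /etc/tower/conf.d/secrets.env`) or generate them at install time, and feed the compose file the same values via `env_file:`. At minimum the admin password should not be the word `password` on a service whose port `8052` is published on every interface.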
+++ b/awx/docker-compose.yml @@ -0,0 +1,69 @@ +# +# https://github.com/ansible/awx/raw/devel/installer/roles/local_docker/templates/docker-compose.yml.j2 +# + +version: '2' + +services: + + web: + image: ansible/awx_web + container_name: awx_web + hostname: awxweb + user: root + ports: + - "8052:8052" + volumes: + - ./data/etc/SECRET_KEY:/etc/tower/SECRET_KEY + - ./data/etc/environment.sh:/etc/tower/conf.d/environment.sh + - ./data/etc/credentials.py:/etc/tower/conf.d/credentials.py + - ./data/awx:/var/lib/awx/projects + depends_on: + - rabbitmq + - memcached + - postgres + restart: unless-stopped + + task: + image: ansible/awx_task + container_name: awx_task + hostname: awx + user: root + volumes: + - ./data/etc/SECRET_KEY:/etc/tower/SECRET_KEY + - ./data/etc/environment.sh:/etc/tower/conf.d/environment.sh + - ./data/etc/credentials.py:/etc/tower/conf.d/credentials.py + - ./data/awx:/var/lib/awx/projects + depends_on: + - rabbitmq + - memcached + - web + - postgres + restart: unless-stopped + + rabbitmq: + image: ansible/awx_rabbitmq + container_name: awx_rabbitmq + environment: + RABBITMQ_DEFAULT_VHOST: awx + RABBITMQ_DEFAULT_USER: guest + RABBITMQ_DEFAULT_PASS: guest + RABBITMQ_ERLANG_COOKIE: cookiemonster + restart: unless-stopped + + memcached: + image: memcached:alpine + container_name: awx_memcached + restart: unless-stopped + + postgres: + image: postgres:12-alpine + container_name: awx_postgres + volumes: + - ./data/postgres:/var/lib/postgresql/data/pgdata:Z + environment: + POSTGRES_USER: awx + POSTGRES_PASSWORD: awxpass + POSTGRES_DB: awx + PGDATA: /var/lib/postgresql/data/pgdata + restart: unless-stopped diff --git a/browserless/README.md b/browserless/README.md new file mode 100644 index 0000000..44b2a85 --- /dev/null +++ b/browserless/README.md 
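Review bot: Both `web` and `task` run with `user: root`, and the broker is wired with `RABBITMQ_DEFAULT_USER: guest` / `RABBITMQ_DEFAULT_PASS: guest` plus a fixed `RABBITMQ_ERLANG_COOKIE: cookiemonster`; the header says this mirrors the upstream template, but the cookie and guest credentials are effectively public, and anything on the compose network that reaches the rabbitmq container can act as a cluster peer with them. No rabbitmq or postgres ports are published here, which limits the blast radius to the compose network, so at least record that assumption: `# rabbitmq/postgres are reachable only on the compose network; do not add ports: here`. Generate the Erlang cookie and broker password at install time alongside `SECRET_KEY`, and drop `user: root` on `web` if the web container does not actually need it.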
@@ -0,0 +1,58 @@ +browserless +=========== + +[Browserless][1] makes it easy to run your puppeteer scripts in an optimized +way. It takes care of all the binaries and managing of Chrome so you don't have +to. + +## docker-compose.yml + +```yaml +browserless: + image: browserless/chrome + ports: + - "3000:3000" + environment: + - DEBUG=browserless/chrome + - MAX_CONCURRENT_SESSIONS=10 + - CONNECTION_TIMEOUT=600000 + - MAX_QUEUE_LENGTH=10 + - ENABLE_CORS=true + - CHROME_REFRESH_TIME=3600000 + shm_size: 2gb + restart: always +``` + +## screenshot.js + +```javascript +'use strict'; + +const puppeteer = require('puppeteer'); + +(async() => { + const browser = await puppeteer.connect({browserWSEndpoint: 'ws://localhost:3000'}); + const page = await browser.newPage(); + await page.goto('https://www.google.com/', {waitUntil: 'networkidle2'}); + await page.screenshot({path: 'google.png', fullPage: true}); + await browser.close(); +})(); +``` + +## Up and Running + +```bash +$ docker-compose up -d +$ PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true npm install puppeteer + +$ node screenshot.js +$ imgcat google.png + +$ http http://127.0.0.1:3000/screenshot \ + url=https://www.youtube.com \ + options:='{"fullPage":true}' \ + gotoOptions:='{"waitUntil":"networkidle2"}' > youtube.png +$ imgcat youtube.png +``` + +[1]: https://docs.browserless.io/ diff --git a/browserless/docker-compose.yml b/browserless/docker-compose.yml new file mode 100644 index 0000000..9b8a1f2 --- /dev/null +++ b/browserless/docker-compose.yml @@ -0,0 +1,14 @@ +browserless: + image: browserless/chrome + ports: + - "3000:3000" + environment: + - DEBUG=browserless/chrome + - MAX_CONCURRENT_SESSIONS=10 + - CONNECTION_TIMEOUT=600000 + - MAX_QUEUE_LENGTH=10 + - CHROME_REFRESH_TIME=3600000 + - ENABLE_CORS=true + - EXIT_ON_HEALTH_FAILURE=true + shm_size: 2gb + restart: always diff --git a/browserless/docker-stack.yml b/browserless/docker-stack.yml new file mode 100644 index 0000000..22ed886 --- /dev/null 
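Review bot: The service is published as `"3000:3000"` on all interfaces with `ENABLE_CORS=true` and no `TOKEN` set, so any client that can reach port 3000 gets an unauthenticated headless Chrome that will fetch arbitrary URLs from inside the container's network (internal services, link-local metadata endpoints) and run arbitrary puppeteer scripts, and CORS lets any web page drive it through a visitor's browser. browserless supports a `TOKEN` environment variable that callers then pass as `?token=`; add `- TOKEN=${BROWSERLESS_TOKEN}` and either drop `ENABLE_CORS` or restrict the bind to `- "127.0.0.1:3000:3000"`. The README's `puppeteer.connect` example would then need `ws://localhost:3000?token=...`.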
+++ b/browserless/docker-stack.yml @@ -0,0 +1,25 @@ +version: '3.5' +services: + browserless: + image: browserless/chrome:latest + ports: + - "3000:3000" + environment: + - DEBUG=browserless/chrome + - MAX_CONCURRENT_SESSIONS=10 + - CONNECTION_TIMEOUT=300000 + - MAX_QUEUE_LENGTH=10 + - ENABLE_CORS=true + - EXIT_ON_HEALTH_FAILURE=true + deploy: + resources: + limits: + memory: 1024M + replicas: 56 + restart_policy: + condition: on-failure +networks: + default: + ipam: + config: + - subnet: 192.168.128.0/24 diff --git a/code-server/README.md b/code-server/README.md new file mode 100644 index 0000000..ca852e2 --- /dev/null +++ b/code-server/README.md @@ -0,0 +1,7 @@ +code-server +=========== + +[code-server][1] is VS Code running on a remote server, accessible through the browser. + + +[1]: https://github.com/cdr/code-server diff --git a/code-server/docker-compose.yml b/code-server/docker-compose.yml new file mode 100644 index 0000000..3bb9d55 --- /dev/null +++ b/code-server/docker-compose.yml @@ -0,0 +1,9 @@ +code-server: + image: codercom/code-server + command: --allow-http --no-auth --disable-telemetry + ports: + - "8443:8443" + volumes: + - ./data:/home/coder/project + - /home/coder/local/share/code-server + restart: unless-stopped diff --git a/dante/Dockerfile b/dante/Dockerfile index eaabce3..98ecdac 100644 --- a/dante/Dockerfile +++ b/dante/Dockerfile @@ -8,7 +8,7 @@ MAINTAINER kev ENV DANTE_VER 1.4.2 ENV DANTE_URL https://www.inet.no/dante/files/dante-$DANTE_VER.tar.gz -ENV DANTE_SHA baa25750633a7f9f37467ee43afdf7a95c80274394eddd7dcd4e1542aa75caad +ENV DANTE_SHA 4c97cff23e5c9b00ca1ec8a95ab22972813921d7fbf60fc453e3e06382fc38a7 ENV DANTE_FILE dante.tar.gz ENV DANTE_TEMP dante ENV DANTE_DEPS build-essential curl diff --git a/docker-compose-arm/Dockerfile b/docker-compose-arm/Dockerfile index 8b0cb0e..5b3ebf7 100644 --- a/docker-compose-arm/Dockerfile +++ b/docker-compose-arm/Dockerfile 
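Review bot: `image: browserless/chrome:latest` is unpinned, so each of the `replicas: 56` tasks can run whatever image its node pulls at scheduling time, and as in the compose file the stack publishes `3000:3000` with `ENABLE_CORS=true` and no `TOKEN`. Pin a tag (the compose file in this commit is unpinned too, so pick one and use it in both) and add a token via a Swarm secret or `- TOKEN=${BROWSERLESS_TOKEN}`. The `192.168.128.0/24` override is unexplained; a comment such as `# custom overlay subnet to avoid a collision with the host's networks — adjust per site` would help the next reader.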
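Review bot: `command: --allow-http --no-auth --disable-telemetry` together with `ports: - "8443:8443"` exposes an unauthenticated VS Code instance, integrated terminal included, over plaintext HTTP on every host interface — effectively remote shell access to the container and the `./data` bind mount for anyone who can reach the port. Drop `--no-auth` and `--allow-http` and supply a password (code-server reads `PASSWORD` from the environment, as far as I recall), or at least bind locally with `- "127.0.0.1:8443:8443"` behind a TLS-terminating proxy. The second volume entry `/home/coder/local/share/code-server` looks like a typo for `/home/coder/.local/share/code-server` (missing dot), in which case extensions and settings would still land in the container layer and vanish on recreate.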
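Review bot: `DANTE_SHA` changes from `baa2…caad` to `4c97…38a7` while `DANTE_VER` stays `1.4.2`, so either the upstream tarball for the same version was re-published or the earlier hash was wrong; a digest swap with no version change is exactly what a tampered mirror looks like, and the commit does not say where the new value was verified. Record the provenance in the Dockerfile, e.g. `# sha256 checked against the upstream download page / signature on <date>`, so the next maintainer can distinguish a legitimate repack from a compromise.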
@@ -2,16 +2,18 @@ # Dockerfile for building docker-compose-arm # -FROM resin/rpi-raspbian:jessie +FROM arm32v7/debian:stretch MAINTAINER EasyPi Software Foundation -ENV DOCKER_COMPOSE_VERSION 1.22.0 +ENV DOCKER_COMPOSE_VERSION 1.24.1 ENV PYINSTALLER_VERSION 3.2.1 RUN set -xe \ && apt-get update \ && apt-get install -y build-essential \ curl \ + libffi-dev \ + libssl-dev \ python-dev \ zlib1g-dev \ && curl https://bootstrap.pypa.io/get-pip.py | python \ diff --git a/drone/README.md b/drone/README.md index 952eed3..438a6e6 100644 --- a/drone/README.md +++ b/drone/README.md 
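Review bot: `curl https://bootstrap.pypa.io/get-pip.py | python` pipes a remote script straight into the interpreter with no `-f`, so an HTTP error page would be executed as Python and a truncated download would run partially; nothing pins or verifies what is fetched. Download first and fail loudly: `curl -fsSL https://bootstrap.pypa.io/get-pip.py -o get-pip.py && python get-pip.py`, ideally from a versioned URL with a checksum check. Note that `python-dev` on `debian:stretch` is Python 2, and the script at that root URL has since dropped Python 2 support, so this build may need the `pip/2.7/` path — worth a comment. The `RUN` instruction continues past the end of the hunk.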
@@ -5,43 +5,36 @@ drone ## github +```yaml +drone: + image: drone/drone:1.5-linux-amd64 + ports: + - "8080:80" + volumes: + - ./data:/data + environment: + - DRONE_AGENTS_ENABLED=true + - DRONE_SERVER_PROTO=http + - DRONE_SERVER_HOST=drone.easypi.pro + - DRONE_RPC_SECRET=secret + - DRONE_GITHUB_SERVER=https://github.com + - DRONE_GITHUB_CLIENT_ID=xxxxxx + - DRONE_GITHUB_CLIENT_SECRET=xxxxxx + restart: always +``` + ```yaml # # Github » Settings » Applications » Developer applications » Register new application # Application name: drone -Homepage URL: http://drone.easypi.info/ +Homepage URL: http://drone.easypi.pro/ Application description: Drone is a Continuous Integration platform built on Docker, written in Go -Authorization callback URL: http://drone.easypi.info/authorize +Authorization callback URL: http://drone.easypi.pro/authorize Client ID: ... (generated by github) Client Secret: ... (generated by github) ``` -## docker-compose.yml - -```yaml -drone: - image: drone/drone - ports: - - "8000:8000" - volumes: - - ./drone:/var/lib/drone - - /var/run/docker.sock:/var/run/docker.sock - environment: - - REMOTE_DRIVER=github - - REMOTE_CONFIG=https://github.com?client_id=...&client_secret=... -# - REMOTE_DRIVER=gogs -# - REMOTE_CONFIG=https://git.easypi.info/?open=false - - DEBUG=false - restart: always - -wall: - image: drone/drone-wall - ports: - - "8080:80" - restart: always -``` - > Drone will register gogs webhooks automatically, you don't need to do it manually. ## nginx/sites-enabled/drone @@ -49,7 +42,7 @@ wall: ``` server { listen 80; - server_name drone.easypi.info; + server_name drone.easypi.pro; location / { proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $remote_addr; @@ -57,7 +50,7 @@ server { proxy_set_header Host $http_host; proxy_set_header Origin ""; - proxy_pass http://127.0.0.1:8000; + proxy_pass http://127.0.0.1:8080; proxy_redirect off; proxy_http_version 1.1; proxy_buffering off; 
@@ -65,14 +58,6 @@ server { chunked_transfer_encoding off; } } - -server { - listen 80; - server_name wall.easypi.info; - location / { - proxy_pass http://127.0.0.1:8080; - } -} ``` ## up and running @@ -81,13 +66,10 @@ server { # server $ cd ~/fig/drone/ $ docker-compose up -d -$ docker-compose logs +$ docker-compose logs -f # client (login with remote driver credential) -$ firefox http://drone.easypi.info/ - -# dashboard -$ firefox http://wall.easypi.info/ +$ firefox http://drone.easypi.pro/ ``` -[1]: http://readme.drone.io/usage/overview/ +[1]: https://readme.drone.io diff --git a/drone/arm/Dockerfile b/drone/arm/Dockerfile deleted file mode 100644 index f8ddc7a..0000000 --- a/drone/arm/Dockerfile +++ /dev/null @@ -1,23 +0,0 @@ -# -# Dockerfile for drone-arm -# - -FROM easypi/alpine-arm -MAINTAINER EasyPi Software Foundation - -RUN apk add --no-cache ca-certificates - -ADD drone /drone - -ENV DATABASE_DRIVER=sqlite3 \ - DATABASE_CONFIG=/var/lib/drone/drone.sqlite \ - GODEBUG=netdns=go \ - XDG_CACHE_HOME=/var/lib/drone - -VOLUME $XDG_CACHE_HOME -WORKDIR $XDG_CACHE_HOME - -EXPOSE 8000 - -ENTRYPOINT ["/drone"] -CMD ["server"] diff --git a/drone/arm/README.md b/drone/arm/README.md index a434b67..99fdcf2 100644 --- a/drone/arm/README.md +++ b/drone/arm/README.md @@ -1,24 +1,6 @@ drone-arm ========= -```yaml -drone: - image: armdrone/drone - ports: - - "8000:80" - volumes: - - ./data:/var/lib/drone - - /var/run/docker.sock:/var/run/docker.sock - environment: - - REMOTE_DRIVER=gogs - - REMOTE_CONFIG=http://git.easypi.info:3000/?open=false - - PLUGIN_FILTER=armdrone/* - - GIN_MODE=release - extra_hosts: - - git.easypi.info:192.168.31.231 - restart: always -``` - ## Deploy Key Setup ```yaml diff --git a/drone/arm/docker-compose.yml b/drone/arm/docker-compose.yml index 6913206..009117c 100644 --- a/drone/arm/docker-compose.yml +++ b/drone/arm/docker-compose.yml 
@@ -1,45 +1,38 @@ -version: '2' +version: '3.7' services: - drone-server: - image: quay.io/armswarm/drone:0.8 + + drone: + image: drone/drone:1.6-linux-arm ports: - - "8000:8000" - - "9000:9000" + - "8080:80" volumes: - - ./data/drone:/var/lib/drone + - ./data/drone:/data environment: - - DRONE_OPEN=true - - DRONE_HOST=https://drone.easypi.pro - - DRONE_DATABASE_DRIVER=mysql - - DRONE_DATABASE_DATASOURCE=root:root@tcp(mariadb:3306)/drone?parseTime=true - - DRONE_GOGS=true - - DRONE_GOGS_URL=https://gogs.easypi.pro - - DRONE_SECRET=0123456789 - - DRONE_ADMIN=root + - DRONE_SERVER_HOST=drone + - DRONE_SERVER_PROTO=http + - DRONE_RPC_SECRET=secret + - DRONE_DATABASE_DRIVER=sqlite3 + - DRONE_DATABASE_DATASOURCE=/data/database.sqlite + - DRONE_GOGS_SERVER=http://gogs:3000 + - DRONE_AGENTS_ENABLED=true depends_on: - - mariadb + - postgres - gogs restart: always - drone-agent: - image: drone/agent:linux-arm + agent: + image: drone/agent:1.6-linux-arm volumes: - /var/run/docker.sock:/var/run/docker.sock environment: - - DRONE_SERVER=drone-server:9000 - - DRONE_SECRET=0123456789 + - DRONE_RPC_PROTO=http + - DRONE_RPC_HOST=drone + - DRONE_RPC_SECRET=secret + - DRONE_RUNNER_NAME=agent + - DRONE_RUNNER_CAPACITY=2 depends_on: - - drone-server - restart: always - - mariadb: - image: easypi/mariadb-arm - ports: - - "3306:3306" - environment: - - MYSQL_ROOT_PASSWORD=root - - MYSQL_DATABASE=drone + - drone restart: always gogs: @@ -50,12 +43,3 @@ services: volumes: - ./data/gogs:/data restart: always - - phpmyadmin: - image: easypi/phpmyadmin-arm - ports: - - "8080:80" - environment: - - PMA_HOST=mariadb - - PMA_PORT=3306 - restart: always diff --git a/drone/arm/drone b/drone/arm/drone deleted file mode 100755 index 7c7b575..0000000 Binary files a/drone/arm/drone and /dev/null differ diff --git a/drone/docker-compose.yml b/drone/docker-compose.yml index fba7957..299018d 100644 --- a/drone/docker-compose.yml +++ b/drone/docker-compose.yml 
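Review bot: `depends_on: - postgres` under `drone` references a service that does not exist in this file — the hunk removes `mariadb`, switches to `DRONE_DATABASE_DRIVER=sqlite3`, and leaves only `drone`, `agent` and `gogs` — so `docker-compose up` should reject the file with an undefined-dependency error; drop that entry (it looks copied from the amd64 recipe). `DRONE_RPC_SECRET=secret` is the shared token an agent presents to the server on the published `8080` port, and the agent mounts `/var/run/docker.sock`, so as far as I understand anyone reaching the server with that value can register a rogue agent and receive pipeline jobs and their secrets; generate it with `openssl rand -hex 16` and supply it via `.env`.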
@@ -1,18 +1,57 @@ -drone: - image: drone/drone - ports: - - "8000:80" - volumes: - - ./data:/var/lib/drone - - /var/run/docker.sock:/var/run/docker.sock - environment: - - REMOTE_DRIVER=gogs - - REMOTE_CONFIG=http://git.easypi.info:3000/?open=false - - DEBUG=false - restart: always +version: "3.7" -wall: - image: drone/drone-wall - ports: - - "8080:80" - restart: always +services: + + drone: + image: drone/drone:1.6-linux-amd64 + ports: + - "8080:80" + volumes: + - ./data/drone:/data + environment: + - DRONE_SERVER_HOST=drone + - DRONE_SERVER_PROTO=http + - DRONE_RPC_SECRET=secret + - DRONE_DATABASE_DRIVER=postgres + - DRONE_DATABASE_DATASOURCE=postgres://drone:drone@postgres:5432/drone?sslmode=disable + - DRONE_GOGS_SERVER=http://gogs:3000 + - DRONE_AGENTS_ENABLED=true + depends_on: + - postgres + - gogs + restart: always + + agent: + image: drone/agent:1.6-linux-amd64 + volumes: + - /var/run/docker.sock:/var/run/docker.sock + environment: + - DRONE_RPC_PROTO=http + - DRONE_RPC_HOST=drone + - DRONE_RPC_SECRET=secret + - DRONE_RUNNER_NAME=agent + - DRONE_RUNNER_CAPACITY=2 + depends_on: + - drone + restart: always + + postgres: + image: postgres:12-alpine + ports: + - "5432:5432" + volumes: + - ./data/postgres:/var/lib/postgresql/data + environment: + - POSTGRES_USER=drone + - POSTGRES_PASSWORD=drone + - POSTGRES_DB=drone + restart: always + + gogs: + image: gogs/gogs + ports: + - "2222:22" + - "3000:3000" + volumes: + - ./data/gogs:/data + restart: always diff --git a/elastalert/README.md b/elastalert/README.md index de277a7..6498218 100644 --- a/elastalert/README.md +++ b/elastalert/README.md @@ -1,7 +1,10 @@ ElastAlert ========== -http://elastalert.readthedocs.io/en/latest/ +[ElastAlert][1] is a simple framework for alerting on anomalies, spikes, or other +patterns of interest from data in Elasticsearch. + +## up and running ```bash $ docker-compose up -d 
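Review bot: `postgres` publishes `"5432:5432"` on all interfaces with `POSTGRES_PASSWORD=drone`, and the server connects with `sslmode=disable`, so the CI database — which holds repository tokens and pipeline secrets — is reachable from the network with a guessable password. Nothing else here needs host access to the DB (`drone` reaches it by service name), so remove the `ports:` block under `postgres`, and replace `DRONE_RPC_SECRET=secret` with a generated value (`openssl rand -hex 16`) supplied via `.env`; the same literal is repeated under `agent`, so one variable keeps them in sync. `sslmode=disable` is acceptable only on a private compose network; say so in a comment if that is the intent.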
@@ -9,5 +12,9 @@ $ docker-compose exec elastalert sh >>> cd /opt/elastalert/rules >>> elastalert-test-rule xxx.yaml >>> exit -$ docker-compose restart ``` + +> ElastAlert will also load new rules, stop running missing rules, and restart +> modified rules as the files in this folder change. + +[1]: http://elastalert.readthedocs.io/en/latest/ diff --git a/elastalert/docker-compose.yml b/elastalert/docker-compose.yml index e1e5a06..0e9d414 100644 --- a/elastalert/docker-compose.yml +++ b/elastalert/docker-compose.yml @@ -1,13 +1,13 @@ elastalert: - image: bitsensor/elastalert + image: bitsensor/elastalert:2.0.0 ports: - "3030:3030" + - "3333:3333" volumes: - ./data/config.yaml:/opt/elastalert/config.yaml - ./data/rules:/opt/elastalert/rules - environment: - - ES_HOST=elasticsearch - - ES_PORT=9200 external_links: - elk_elasticsearch_1:elasticsearch +# extra_hosts: +# - elasticsearch:1.2.3.4 restart: always diff --git a/elk/README.md b/elk/README.md index 1524fc6..06dbb49 100644 --- a/elk/README.md +++ b/elk/README.md @@ -4,6 +4,7 @@ ELK - Elasticsearch - Logstash - Kibana +- APM Server ## How it works @@ -21,6 +22,8 @@ $ docker-compose up -d ## Delete indices older than 7 days +File: delete-indices.yml + ```yaml --- actions: @@ -45,6 +48,14 @@ actions: unit_count: 7 ``` +File: ~/.curator/curator.yml + +```yaml +client: + hosts: + - 127.0.0.1 +``` + ```bash $ pip install elasticsearch-curator $ curator delete-indices.yml diff --git a/elk/delete-indices.yml b/elk/curator/delete-indices.yml similarity index 100% rename from elk/delete-indices.yml rename to elk/curator/delete-indices.yml diff --git a/elk/data/apm-server.yml b/elk/data/apm-server.yml new file mode 100644 index 0000000..9abf8b4 --- /dev/null +++ b/elk/data/apm-server.yml 
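Review bot: The hunk adds `"3333:3333"` alongside `"3030:3030"`, publishing what appear to be both ElastAlert server ports on every host interface with no authentication configured here; as far as I recall the `bitsensor/elastalert` API lets a caller create rules, and ElastAlert rules can execute shell commands through the `command` alerter, so this amounts to remote code execution for anyone who can reach the port. Bind locally or front it with an authenticating proxy, e.g. `- "127.0.0.1:3030:3030"` and `- "127.0.0.1:3333:3333"`. Dropping `ES_HOST`/`ES_PORT` presumably moves that into the mounted `config.yaml`; a one-line comment saying so would save the next reader a search.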
@@ -0,0 +1,841 @@ +################### APM Server Configuration ######################### + +############################# APM Server ###################################### + +apm-server: + # Defines the host and port the server is listening on. use "unix:/path/to.sock" to listen on a unix domain socket. + host: "0.0.0.0:8200" + + # Maximum permitted size in bytes of a request's header accepted by the server to be processed. + #max_header_size: 1048576 + + # Maximum permitted duration for reading an entire request. + #read_timeout: 30s + + # Maximum permitted duration for writing a response. + #write_timeout: 30s + + # Maximum duration in seconds before releasing resources when shutting down the server. + #shutdown_timeout: 5s + + # Maximum allowed size in bytes of a single event + #max_event_size: 307200 + + #-- + + # Maximum number of new connections to accept simultaneously (0 means unlimited) + # max_connections: 0 + + # Authorization token to be checked. If a token is set here the agents must + # send their token in the following format: Authorization: Bearer . + # It is recommended to use an authorization token in combination with SSL enabled, + # and save the token in the beats keystore. + secret_token: "1870d518-6b62-450f-82b7-44fda593963f" + #ssl.enabled: false + #ssl.certificate : "path/to/cert" + #ssl.key : "path/to/private_key" + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. + #ssl.key_passphrase: "" + + #rum: + # To enable real user monitoring (RUM) support set this to true. + #enabled: false + + #event_rate: + + # Defines the maximum amount of events allowed to be sent to the APM Server RUM + # endpoint per ip per second. Defaults to 300. + #limit: 300 + + # An LRU cache is used to keep a rate limit per IP for the most recently seen IPs. + # This setting defines the number of unique IPs that can be tracked in the cache. + # Sites with many concurrent clients should consider increasing this limit. 
Defaults to 1000. + #lru_size: 1000 + + #-- General RUM settings + + # Comma separated list of permitted origins for real user monitoring. + # User-agents will send an origin header that will be validated against this list. + # An origin is made of a protocol scheme, host and port, without the url path. + # Allowed origins in this setting can have * to match anything (eg.: http://*.example.com) + # If an item in the list is a single '*', everything will be allowed + #allow_origins : ['*'] + + # Regexp to be matched against a stacktrace frame's `file_name` and `abs_path` attributes. + # If the regexp matches, the stacktrace frame is considered to be a library frame. + #library_pattern: "node_modules|bower_components|~" + + # Regexp to be matched against a stacktrace frame's `file_name`. + # If the regexp matches, the stacktrace frame is not used for calculating error groups. + # The default pattern excludes stacktrace frames that have a filename starting with '/webpack' + #exclude_from_grouping: "^/webpack" + + # If a source map has previously been uploaded, source mapping is automatically applied + # to all error and transaction documents sent to the RUM endpoint. + #source_mapping: + + # Source maps are always fetched from Elasticsearch, by default using the output.elasticsearch configuration. + # A different instance must be configured when using any other output. + # This setting only affects sourcemap reads - the output determines where sourcemaps are written. + #elasticsearch: + # Array of hosts to connect to. + # Scheme and port can be left out and will be set to the default (http and 9200) + # In case you specify and additional path, the scheme is required: http://localhost:9200/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:9200 + # hosts: ["localhost:9200"] + + # Optional protocol and basic auth credentials. 
+ #protocol: "https" + #username: "elastic" + #password: "changeme" + + # The `cache.expiration` determines how long a source map should be cached before fetching it again from Elasticsearch. + # Note that values configured without a time unit will be interpreted as seconds. + #cache: + #expiration: 5m + + # Source maps are stored in a seperate index. + # If the default index pattern for source maps at 'outputs.elasticsearch.indices' + # is changed, a matching index pattern needs to be specified here. + #index_pattern: "apm-*-sourcemap*" + + + # If set to true, APM Server augments data received by the agent with the original IP of the backend server, + # or the IP and User Agent of the real user (RUM requests). It defaults to true. + #capture_personal_data: true + + # golang expvar support - https://golang.org/pkg/expvar/ + #expvar: + # Set to true to Expose expvar + #enabled: false + + # Url to expose expvar + #url: "/debug/vars" + + # Instrumentation support for the server's HTTP endpoints and event publisher. + #instrumentation: + # Set to true to enable instrumentation of the APM server itself. + #enabled: false + # Environment in which the APM Server is running on (eg: staging, production, etc.) + #environment: "" + # Remote host to report instrumentation results to. + #hosts: + # - http://remote-apm-server:8200 + # Remote apm-servers' secret_token + #secret_token: + + # Metrics endpoint + #metrics: + # Set to false to disable the metrics endpoint + #enabled: true + + # A pipeline is a definition of processors applied to documents when writing them to Elasticsearch. + # Using pipelines involves two steps: + # (1) registering a pipeline + # (2) applying a pipeline during data ingestion (see `output.elasticsearch.pipelines`) + # + # You can manually register pipelines, or use this configuration option to ensure + # pipelines are loaded and registered at the configured Elasticsearch instances. 
+ # Automatic pipeline registration requires + # * `output.elasticsearch` to be enabled and configured. + # * having the required Elasticsearch Processor Plugins installed. + # APM Server default pipelines require you to have the `Ingest User Agent Plugin` installed. + # Find the default pipeline configuration at `ingest/pipeline/definition.json`. + # + #register.ingest.pipeline: + # Registers pipeline definitions in Elasticsearch on APM Server startup. Defaults to false. + #enabled: false + + # Overwrites existing pipeline definitions in Elasticsearch. Defaults to true. + #overwrite: true + +#================================ General ====================================== + +# Internal queue configuration for buffering events to be published. +#queue: + # Queue type by name (default 'mem') + # The memory queue will present all available events (up to the outputs + # bulk_max_size) to the output, the moment the output is ready to server + # another batch of events. + #mem: + # Max number of events the queue can buffer. + #events: 4096 + + # Hints the minimum number of events stored in the queue, + # before providing a batch of events to the outputs. + # A value of 0 (the default) ensures events are immediately available + # to be sent to the outputs. + #flush.min_events: 2048 + + # Maximum duration after which events are available to the outputs, + # if the number of events stored in the queue is < min_flush_events. + #flush.timeout: 1s + +# Sets the maximum number of CPUs that can be executing simultaneously. The +# default is the number of logical CPUs available in the system. +#max_procs: + + +#============================== Template ===================================== + +# A template is used to set the mapping in Elasticsearch +# By default template loading is enabled and the template is loaded. +# These settings can be adjusted to load your own template or overwrite existing ones. + +# Set to false to disable template loading. 
+#setup.template.enabled: true + +# Template name. By default the template name is "apm-%{[beat.version]}" +# The template name and pattern has to be set in case the elasticsearch index pattern is modified. +#setup.template.name: "apm-%{[beat.version]}" + +# Template pattern. By default the template pattern is "apm-%{[beat.version]}-*" to apply to the default index settings. +# The first part is the version of the beat and then -* is used to match all daily indices. +# The template name and pattern has to be set in case the elasticsearch index pattern is modified. +#setup.template.pattern: "apm-%{[beat.version]}-*" + +# Path to fields.yml file to generate the template +#setup.template.fields: "${path.config}/fields.yml" + +# Overwrite existing template +#setup.template.overwrite: false + +# Elasticsearch template settings +#setup.template.settings: + + # A dictionary of settings to place into the settings.index dictionary + # of the Elasticsearch template. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping.html + #index: + #number_of_shards: 1 + #codec: best_compression + #number_of_routing_shards: 30 + #mapping.total_fields.limit: 2000 + + # A dictionary of settings for the _source field. For more details, please check + # https://www.elastic.co/guide/en/elasticsearch/reference/current/mapping-source-field.html + #_source: + #enabled: false + + +#============================== Deprecated: Dashboards ===================================== +# +# Deprecated: Loading dashboards from the APM Server into Kibana is deprecated from 6.4 on. +# We suggest to use the Kibana UI to load APM Server dashboards and index pattern instead. +# +# These settings control loading the sample dashboards to the Kibana index. Loading +# the dashboards are disabled by default and can be enabled either by setting the +# options here, or by using the `-setup` CLI flag or the `setup` command. 
+#setup.dashboards.enabled: false + +# The directory from where to read the dashboards. The default is the `kibana` +# folder in the home path. +#setup.dashboards.directory: ${path.home}/kibana + +# The URL from where to download the dashboards archive. It is used instead of +# the directory if it has a value. +#setup.dashboards.url: + +# The file archive (zip file) from where to read the dashboards. It is used instead +# of the directory when it has a value. +#setup.dashboards.file: + +# The name of the Kibana index to use for setting the configuration. Default is ".kibana" +#setup.dashboards.kibana_index: .kibana + +# The Elasticsearch index name. This overwrites the index name defined in the +# dashboards and index pattern. Example: testbeat-* +# The dashboards.index needs to be changed in case the elasticsearch index pattern is modified. +#setup.dashboards.index: + +# Always use the Kibana API for loading the dashboards instead of autodetecting +# how to install the dashboards by first querying Elasticsearch. +#setup.dashboards.always_kibana: false + +# If true and Kibana is not reachable at the time when dashboards are loaded, +# it will retry to reconnect to Kibana instead of exiting with an error. +#setup.dashboards.retry.enabled: false + +# Duration interval between Kibana connection retries. +#setup.dashboards.retry.interval: 1s + +# Maximum number of retries before exiting with an error, 0 for unlimited retrying. +#setup.dashboards.retry.maximum: 0 + + +#============================== Deprecated: Kibana ===================================== + +# Deprecated: Starting with APM Server version 6.4, loading dashboards and index pattern +# from the APM Server into Kibana is deprecated. +# We suggest to use the Kibana UI to load APM Server dashboards and index pattern instead. +# +# Setting up a Kibana endpoint is not necessary when loading the index pattern and dashboards via the UI. 
+ +#setup.kibana: + + # Kibana Host + # Scheme and port can be left out and will be set to the default (http and 5601) + # In case you specify and additional path, the scheme is required: http://localhost:5601/path + # IPv6 addresses should always be defined as: https://[2001:db8::1]:5601 + #host: "localhost:5601" + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Optional HTTP Path + #path: "" + + # Use SSL settings for HTTPS. Default is false. + #ssl.enabled: false + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + +#============================= Elastic Cloud ================================== + +# These settings simplify using APM Server with the Elastic Cloud (https://cloud.elastic.co/). + +# The cloud.id setting overwrites the `output.elasticsearch.hosts` and +# [deprecated] `setup.kibana.host` options. 
+# You can find the `cloud.id` in the Elastic Cloud web UI. +#cloud.id: + +# The cloud.auth setting overwrites the `output.elasticsearch.username` and +# `output.elasticsearch.password` settings. The format is `:`. +#cloud.auth: + +#================================ Outputs ===================================== + +# Configure what output to use when sending the data collected by the beat. + +#-------------------------- Elasticsearch output ------------------------------ +output.elasticsearch: + hosts: ["elasticsearch:9200"] + + # Boolean flag to enable or disable the output module. + #enabled: true + + # Set gzip compression level. + #compression_level: 0 + + # Optional protocol and basic auth credentials. + #protocol: "https" + #username: "elastic" + #password: "changeme" + + # Dictionary of HTTP parameters to pass within the url with index operations. + #parameters: + #param1: value1 + #param2: value2 + + # Number of workers per Elasticsearch host. + #worker: 1 + + # By using the configuration below, apm documents are stored to separate indices, + # depending on their `processor.event`: + # - error + # - transaction + # - span + # - sourcemap + # + # The indices are all prefixed with `apm-%{[beat.version]}`. + # To allow managing indices based on their age, all indices (except for sourcemaps) + # end with the information of the day they got indexed. + # e.g. 
"apm-6.3.0-transaction-2018.03.20" + # + # Be aware that you can only specify one Elasticsearch template and one Kibana Index Pattern, + # In case you modify the index patterns you must also update those configurations accordingly, + # as they need to be aligned: + # * `setup.template.name` + # * `setup.template.pattern` + # * `setup.dashboards.index` + #index: "apm-%{[beat.version]}-%{+yyyy.MM.dd}" + indices: + - index: "apm-%{[beat.version]}-sourcemap" + when.contains: + processor.event: "sourcemap" + + - index: "apm-%{[beat.version]}-error-%{+yyyy.MM.dd}" + when.contains: + processor.event: "error" + + - index: "apm-%{[beat.version]}-transaction-%{+yyyy.MM.dd}" + when.contains: + processor.event: "transaction" + + - index: "apm-%{[beat.version]}-span-%{+yyyy.MM.dd}" + when.contains: + processor.event: "span" + + - index: "apm-%{[beat.version]}-metric-%{+yyyy.MM.dd}" + when.contains: + processor.event: "metric" + + - index: "apm-%{[beat.version]}-onboarding-%{+yyyy.MM.dd}" + when.contains: + processor.event: "onboarding" + + # A pipeline is a definition of processors applied to documents when writing them to Elasticsearch. + # APM Server comes with a default pipeline definition, located at `ingets/pipeline/definition.json`. + # Pipelines are disabled by default. To make use of them you have to: + # (1) ensure pipelines are registered in Elasticsearch, see `apm-server.register.ingest.pipeline` + # (2) enable the following: + #pipelines: + #- pipeline: "apm_user_agent" + + # Optional HTTP Path + #path: "/elasticsearch" + + # Custom HTTP headers to add to each request + #headers: + # X-My-Header: Contents of the header + + # Proxy server url + #proxy_url: http://proxy:3128 + + # The number of times a particular Elasticsearch index operation is attempted. If + # the indexing operation doesn't succeed after this many retries, the events are + # dropped. The default is 3. 
+ #max_retries: 3 + + # The maximum number of events to bulk in a single Elasticsearch bulk API index request. + # The default is 50. + #bulk_max_size: 50 + + # The number of seconds to wait before trying to reconnect to Elasticsearch + # after a network error. After waiting backoff.init seconds, apm-server + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Elasticsearch after a network error. The default is 60s. + #backoff.max: 60s + + # Configure http request timeout before failing an request to Elasticsearch. + #timeout: 90 + + # Use SSL settings for HTTPS. Default is false. + #ssl.enabled: false + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # SSL configuration. By default is off. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + # It is recommended to use the provided keystore instead of entering the passphrase in plain text. 
+ #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + +#----------------------------- Console output --------------------------------- +#output.console: + # Boolean flag to enable or disable the output module. + #enabled: false + + # Pretty print json event + #pretty: false + +#----------------------------- Logstash output --------------------------------- +#output.logstash: + # Boolean flag to enable or disable the output module. + #enabled: false + + # The Logstash hosts + #hosts: ["localhost:5044"] + + # Number of workers per Logstash host. + #worker: 1 + + # Set gzip compression level. + #compression_level: 3 + + # Configure escaping html symbols in strings. + #escape_html: true + + # Optional maximum time to live for a connection to Logstash, after which the + # connection will be re-established. A value of `0s` (the default) will + # disable this feature. + # + # Not yet supported for async connections (i.e. with the "pipelining" option set) + #ttl: 30s + + # Optional load balance the events between the Logstash hosts. Default is false. + #loadbalance: false + + # Number of batches to be sent asynchronously to Logstash while processing + # new batches. + #pipelining: 2 + + # If enabled only a subset of events in a batch of events is transferred per + # group. The number of events to be sent increases up to `bulk_max_size` + # if no error is encountered. + #slow_start: false + + # The number of seconds to wait before trying to reconnect to Logstash + # after a network error. After waiting backoff.init seconds, apm-server + # tries to reconnect. If the attempt fails, the backoff timer is increased + # exponentially up to backoff.max. 
After a successful connection, the backoff + # timer is reset. The default is 1s. + #backoff.init: 1s + + # The maximum number of seconds to wait before attempting to connect to + # Logstash after a network error. The default is 60s. + #backoff.max: 60s + + # Optional index name. The default index name is set to apm + # in all lowercase. + #index: 'apm' + + # SOCKS5 proxy server URL + #proxy_url: socks5://user:password@socks5-server:2233 + + # Resolve names locally when using a proxy server. Defaults to false. + #proxy_use_local_resolver: false + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. 
+ #ssl.renegotiation: never + +#------------------------------- Kafka output ---------------------------------- +#output.kafka: + # Boolean flag to enable or disable the output module. + #enabled: false + + # The list of Kafka broker addresses from where to fetch the cluster metadata. + # The cluster metadata contain the actual Kafka brokers events are published + # to. + #hosts: ["localhost:9092"] + + # The Kafka topic used for produced events. The setting can be a format string + # using any event field. To set the topic from document type use `%{[type]}`. + #topic: beats + + # The Kafka event key setting. Use format string to create unique event key. + # By default no event key will be generated. + #key: '' + + # The Kafka event partitioning strategy. Default hashing strategy is `hash` + # using the `output.kafka.key` setting or randomly distributes events if + # `output.kafka.key` is not configured. + #partition.hash: + # If enabled, events will only be published to partitions with reachable + # leaders. Default is false. + #reachable_only: false + + # Configure alternative event field names used to compute the hash value. + # If empty `output.kafka.key` setting will be used. + # Default value is empty list. + #hash: [] + + # Authentication details. Password is required if username is set. + #username: '' + #password: '' + + # Kafka version libbeat is assumed to run against. Defaults to the "1.0.0". + #version: '1.0.0' + + # Configure JSON encoding + #codec.json: + # Pretty print json event + #pretty: false + + # Configure escaping html symbols in strings. + #escape_html: true + + # Metadata update configuration. Metadata do contain leader information + # deciding which broker to use when publishing. + #metadata: + # Max metadata request retry attempts when cluster is in middle of leader + # election. Defaults to 3 retries. + #retry.max: 3 + + # Waiting time between retries during leader elections. Default is 250ms. 
+ #retry.backoff: 250ms + + # Refresh metadata interval. Defaults to every 10 minutes. + #refresh_frequency: 10m + + # The number of concurrent load-balanced Kafka output workers. + #worker: 1 + + # The number of times to retry publishing an event after a publishing failure. + # After the specified number of retries, the events are typically dropped. + # Some Beats, such as Filebeat, ignore the max_retries setting and retry until + # all events are published. Set max_retries to a value less than 0 to retry + # until all events are published. The default is 3. + #max_retries: 3 + + # The maximum number of events to bulk in a single Kafka request. The default + # is 2048. + #bulk_max_size: 2048 + + # The number of seconds to wait for responses from the Kafka brokers before + # timing out. The default is 30s. + #timeout: 30s + + # The maximum duration a broker will wait for number of required ACKs. The + # default is 10s. + #broker_timeout: 10s + + # The number of messages buffered for each Kafka broker. The default is 256. + #channel_buffer_size: 256 + + # The keep-alive period for an active network connection. If 0s, keep-alives + # are disabled. The default is 0 seconds. + #keep_alive: 0 + + # Sets the output compression codec. Must be one of none, snappy and gzip. The + # default is gzip. + #compression: gzip + + # The maximum permitted size of JSON-encoded messages. Bigger messages will be + # dropped. The default value is 1000000 (bytes). This value should be equal to + # or less than the broker's message.max.bytes. + #max_message_bytes: 1000000 + + # The ACK reliability level required from broker. 0=no response, 1=wait for + # local commit, -1=wait for all replicas to commit. The default is 1. Note: + # If set to 0, no ACKs are returned by Kafka. Messages might be lost silently + # on error. + #required_acks: 1 + + # The configurable ClientID used for logging, debugging, and auditing + # purposes. The default is "beats". 
+ #client_id: beats + + # Enable SSL support. SSL is automatically enabled, if any SSL setting is set. + #ssl.enabled: true + + # Optional SSL configuration options. SSL is off by default. + # List of root certificates for HTTPS server verifications + #ssl.certificate_authorities: ["/etc/pki/root/ca.pem"] + + # Configure SSL verification mode. If `none` is configured, all server hosts + # and certificates will be accepted. In this mode, SSL based connections are + # susceptible to man-in-the-middle attacks. Use only for testing. Default is + # `full`. + #ssl.verification_mode: full + + # List of supported/valid TLS versions. By default all TLS versions 1.0 up to + # 1.2 are enabled. + #ssl.supported_protocols: [TLSv1.0, TLSv1.1, TLSv1.2] + + # Certificate for SSL client authentication + #ssl.certificate: "/etc/pki/client/cert.pem" + + # Client Certificate Key + #ssl.key: "/etc/pki/client/cert.key" + + # Optional passphrase for decrypting the Certificate Key. + #ssl.key_passphrase: '' + + # Configure cipher suites to be used for SSL connections + #ssl.cipher_suites: [] + + # Configure curve types for ECDHE based cipher suites + #ssl.curve_types: [] + + # Configure what types of renegotiation are supported. Valid options are + # never, once, and freely. Default is never. + #ssl.renegotiation: never + +#================================= Paths ====================================== + +# The home path for the apm-server installation. This is the default base path +# for all other path settings and for miscellaneous files that come with the +# distribution (for example, the sample dashboards). +# If not set by a CLI flag or in the configuration file, the default for the +# home path is the location of the binary. +#path.home: + +# The configuration path for the apm-server installation. This is the default +# base path for configuration files, including the main YAML configuration file +# and the Elasticsearch template file. 
If not set by a CLI flag or in the +# configuration file, the default for the configuration path is the home path. +#path.config: ${path.home} + +# The data path for the apm-server installation. This is the default base path +# for all the files in which apm-server needs to store its data. If not set by a +# CLI flag or in the configuration file, the default for the data path is a data +# subdirectory inside the home path. +#path.data: ${path.home}/data + +# The logs path for a apm-server installation. This is the default location for +# the Beat's log files. If not set by a CLI flag or in the configuration file, +# the default for the logs path is a logs subdirectory inside the home path. +#path.logs: ${path.home}/logs + + +#================================ Logging ====================================== +# +# There are three options for the log output: syslog, file, stderr. +# Under Windows systems, the log files are per default sent to the file output, +# under all other system per default to syslog. + +# Sets log level. The default log level is info. +# Available log levels are: error, warning, info, debug +#logging.level: info + +# Enable debug output for selected components. To enable all selectors use ["*"] +# Other available selectors are "beat", "publish", "service" +# Multiple selectors can be chained. +#logging.selectors: [ ] + +# Send all logging output to syslog. The default is false. +#logging.to_syslog: true + +# If enabled, apm-server periodically logs its internal metrics that have changed +# in the last period. For each metric that changed, the delta from the value at +# the beginning of the period is logged. Also, the total values for +# all non-zero internal metrics are logged on shutdown. The default is true. +#logging.metrics.enabled: false + +# The period after which to log the internal metrics. The default is 30s. +#logging.metrics.period: 30s + +# Logging to rotating files. Set logging.to_files to false to disable logging to +# files. 
+#logging.to_files: true +#logging.files: + # Configure the path where the logs are written. The default is the logs directory + # under the home path (the binary location). + #path: /var/log/apm-server + + # The name of the files where the logs are written to. + #name: apm-server + + # Configure log file size limit. If limit is reached, log file will be + # automatically rotated + #rotateeverybytes: 10485760 # = 10MB + + # Number of rotated log files to keep. Oldest files will be deleted first. + #keepfiles: 7 + + # The permissions mask to apply when rotating log files. The default value is 0600. + # Must be a valid Unix-style file permissions mask expressed in octal notation. + #permissions: 0600 + +# Set to true to log messages in json format. +#logging.json: false + + +#================================ HTTP Endpoint ====================================== +# +# Each beat can expose internal metrics through a HTTP endpoint. For security +# reasons the endpoint is disabled by default. This feature is currently experimental. +# Stats can be access through http://localhost:5066/stats . For pretty JSON output +# append ?pretty to the URL. + +# Defines if the HTTP endpoint is enabled. +#http.enabled: false + +# The HTTP endpoint will bind to this hostname or IP address. It is recommended to use only localhost. +#http.host: localhost + +# Port on which the HTTP endpoint will bind. Default is 5066. +#http.port: 5066 + +#============================== Xpack Monitoring =============================== +# APM server can export internal metrics to a central Elasticsearch monitoring +# cluster. This requires xpack monitoring to be enabled in Elasticsearch. The +# reporting is disabled by default. + +# Set to true to enable the monitoring reporter. +#xpack.monitoring.enabled: false + +# Uncomment to send the metrics to Elasticsearch. Most settings from the +# Elasticsearch output are accepted here as well. 
Any setting that is not set is +# automatically inherited from the Elasticsearch output configuration, so if you +# have the Elasticsearch output configured, you can simply uncomment the +# following line. +#xpack.monitoring.elasticsearch: +# username: "apm_system" +# password: "" diff --git a/elk/data/logstash.yml b/elk/data/logstash.yml index 9bc7d05..e9c1daa 100644 --- a/elk/data/logstash.yml +++ b/elk/data/logstash.yml @@ -1,6 +1,7 @@ http.host: "0.0.0.0" path.config: /usr/share/logstash/pipeline -#xpack.monitoring.enabled: false -xpack.monitoring.elasticsearch.url: http://elasticsearch:9200 +#xpack.monitoring.enabled: true +#xpack.monitoring.elasticsearch.hosts: +#- http://elasticsearch:9200 #xpack.monitoring.elasticsearch.username: logstash_system #xpack.monitoring.elasticsearch.password: changeme diff --git a/elk/docker-compose.yml b/elk/docker-compose.yml index 0a2c0ec..f51f17c 100644 --- a/elk/docker-compose.yml +++ b/elk/docker-compose.yml 
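Review bot: `secret_token: "1870d518-6b62-450f-82b7-44fda593963f"` under `apm-server:` commits a live bearer token to the repository in plaintext, directly beneath the comment recommending the keystore, and because `ssl.enabled` stays commented out while `host` binds `0.0.0.0:8200`, agents will also send that token unencrypted. Treat the committed value as burned and rotate it, then read the replacement from the environment or the beats keystore, e.g. `secret_token: "${APM_SECRET_TOKEN}"`, since libbeat expands `${VAR}` references in its configuration. Setting `ssl.enabled: true` with `ssl.certificate`/`ssl.key` (or terminating TLS in front of 8200) keeps the token off the wire. The `output.elasticsearch` section carries no credentials, which matches the unsecured Elasticsearch in the compose file; if security is enabled there later, `username`/`password` need to be set here as well.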
@@ -1,45 +1,58 @@ -elasticsearch: - image: docker.elastic.co/elasticsearch/elasticsearch:6.1.2 - ports: - - "9200:9200" - - "9300:9300" - volumes: - - ./data:/usr/share/elasticsearch/data - environment: - - node.name=es1 - - cluster.name=elk - - bootstrap.memory_lock=true - - "ES_JAVA_OPTS=-Xms1g -Xmx1g" - ulimits: - memlock: - soft: -1 - hard: -1 - restart: unless-stopped +version: '3.5' -logstash: - image: docker.elastic.co/logstash/logstash:6.1.2 - ports: - - "5044:5044" - - "9600:9600" - - "12201:12201/udp" - links: - - elasticsearch - volumes: - - ./data/logstash.yml:/usr/share/logstash/config/logstash.yml - - ./data/pipeline:/usr/share/logstash/pipeline - - /usr/share/logstash/vendor/bundle - environment: - - node.name=ls1 - - "LS_JAVA_OPTS=-Xms1g -Xmx1g" - restart: unless-stopped +services: -kibana: - image: docker.elastic.co/kibana/kibana:6.1.2 - ports: - - "5601:5601" - links: - - elasticsearch - environment: - SERVER_NAME: kibana - ELASTICSEARCH_URL: http://elasticsearch:9200 - restart: unless-stopped + elasticsearch: + image: docker.elastic.co/elasticsearch/elasticsearch:7.3.0 + ports: + - "9200:9200" + volumes: + - ./data:/usr/share/elasticsearch/data + environment: + - node.name=es1 + - cluster.name=docker-cluster + - cluster.initial_master_nodes=es1 + - bootstrap.memory_lock=true + - "ES_JAVA_OPTS=-Xms16g -Xmx16g" + ulimits: + memlock: + soft: -1 + hard: -1 + restart: unless-stopped + + logstash: + image: docker.elastic.co/logstash/logstash:7.3.0 + ports: + - "5044:5044" + - "9600:9600" + - "12201:12201/udp" + depends_on: + - elasticsearch + volumes: + - ./data/logstash.yml:/usr/share/logstash/config/logstash.yml + - ./data/pipeline:/usr/share/logstash/pipeline + environment: + - node.name=ls1 + - "LS_JAVA_OPTS=-Xms4g -Xmx4g" + restart: unless-stopped + + kibana: + image: docker.elastic.co/kibana/kibana:7.3.0 + ports: + - "5601:5601" + depends_on: + - elasticsearch + environment: + SERVER_NAME: kibana + ELASTICSEARCH_URL: http://elasticsearch:9200 + 
restart: unless-stopped + + apm-server: + image: docker.elastic.co/apm/apm-server:7.3.0 + ports: + - "8200:8200" + depends_on: + - elasticsearch + volumes: + - ./data/apm-server.yml:/usr/share/apm-server/apm-server.yml + restart: unless-stopped diff --git a/flogo/docker-compose.yml b/flogo/docker-compose.yml new file mode 100644 index 0000000..1c78874 --- /dev/null +++ b/flogo/docker-compose.yml @@ -0,0 +1,6 @@ +flogo: + image: flogo/flogo-docker + command: eula-accept + ports: + - "3303:3303" + restart: always diff --git a/flower/README.md b/flower/README.md new file mode 100644 index 0000000..7e88378 --- /dev/null +++ b/flower/README.md @@ -0,0 +1,22 @@ +flower +====== + +[Flower][1] is a web based tool for monitoring and administrating Celery clusters. + +## docker-compose.yml + +```yaml +flower: + image: mher/flower + ports: + - "5555:5555" + environment: + - CELERY_BROKER_URL=redis://redis:6379/0 + - FLOWER_PORT=5555 + - FLOWER_BASIC_AUTH=username:password + extra_hosts: + - redis:x.x.x.x + restart: always +``` + +[1]: https://flower.readthedocs.io/en/latest/ diff --git a/flower/docker-compose.yml b/flower/docker-compose.yml new file mode 100644 index 0000000..980fb25 --- /dev/null +++ b/flower/docker-compose.yml @@ -0,0 +1,11 @@ +flower: + image: mher/flower + ports: + - "5555:5555" + environment: + - CELERY_BROKER_URL=redis://redis:6379/0 + - FLOWER_PORT=5555 + - FLOWER_BASIC_AUTH=username:password + extra_hosts: + - redis:x.x.x.x + restart: always diff --git a/freegeoip/Dockerfile b/freegeoip/Dockerfile new file mode 100644 index 0000000..bd84ab7 --- /dev/null +++ b/freegeoip/Dockerfile 
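Review bot: The new `elasticsearch` service publishes `"9200:9200"` on every host interface while none of its environment lines enables security (`xpack.security.enabled=true` is absent), so the 7.3.0 cluster is reachable unauthenticated from the network; Kibana on 5601, the Logstash API on 9600 and apm-server on 8200 are in the same position. At minimum bind the listeners to loopback, e.g. `- "127.0.0.1:9200:9200"`, or set `xpack.security.enabled=true` and supply credentials from a git-ignored `.env`. The new `ELASTICSEARCH_URL: http://elasticsearch:9200` line for Kibana should be checked against the 7.3 image: 7.x renamed the setting to `elasticsearch.hosts`, for which the container variable is `ELASTICSEARCH_HOSTS`. `"ES_JAVA_OPTS=-Xms16g -Xmx16g"` is also a large fixed heap for a recipe; a comment noting it must stay below half of host RAM would save users an OOM-killed container.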
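Review bot: `FLOWER_BASIC_AUTH=username:password` commits a placeholder credential into the compose file and, because Flower on 5555 is served over plain HTTP here, that credential crosses the network in cleartext on every request. Move the value to a git-ignored `env_file`/`.env` entry, and either bind the port to loopback (`- "127.0.0.1:5555:5555"`) or put a TLS-terminating proxy in front. `extra_hosts: - redis:x.x.x.x` is likewise a placeholder that docker-compose will reject as an invalid address; a comment saying it must be replaced would save users a confusing error.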
@@ -0,0 +1,22 @@ +# +# Dockerfile for freegeoip +# + +FROM alpine +MAINTAINER EasyPi Software Foundation + +ENV FREEGEOIP_VERSION 3.4.1 +ENV FREEGEOIP_FILE freegeoip-${FREEGEOIP_VERSION}-linux-amd64.tar.gz +ENV FREEGEOIP_URL https://github.com/fiorix/freegeoip/releases/download/v${FREEGEOIP_VERSION}/${FREEGEOIP_FILE} + +WORKDIR /opt/freegeoip + +RUN set -xe \ + && apk add --no-cache curl tar \ + && curl -sSL ${FREEGEOIP_URL} | tar xz --strip 1 \ + && apk del curl tar + +EXPOSE 8080 8888 + +ENTRYPOINT ["./freegeoip"] +CMD ["-public", "public", "-http", ":8080", "-internal-server", ":8888"] diff --git a/freegeoip/README.md b/freegeoip/README.md new file mode 100644 index 0000000..4bd1258 --- /dev/null +++ b/freegeoip/README.md @@ -0,0 +1,46 @@ +freegeoip +========= + +## docker-compose.yml + +```yaml +freegeoip: + image: vimagick/freegeoip + ports: + - "8080:8080" + - "8888:8888" + restart: always +``` + +## up and running + +```bash +$ docker-compose up -d + +$ curl -s http://localhost:8080/json/8.8.8.8 | jq . +{ + "ip": "8.8.8.8", + "country_code": "US", + "country_name": "United States", + "region_code": "", + "region_name": "", + "city": "", + "zip_code": "", + "time_zone": "", + "latitude": 37.751, + "longitude": -97.822, + "metro_code": 0 +} + +$ curl -s http://localhost:8888/metrics +freegeoip_client_connections{proto="http"} 0 +freegeoip_client_country_code_total{country_code="unknown"} 7 +freegeoip_client_ipproto_version_total{ip="4"} 7 +freegeoip_db_events_total{event="loaded"} 1 +go_gc_duration_seconds{quantile="0"} 5.9754e-05 +go_gc_duration_seconds{quantile="0.25"} 7.0367e-05 +go_gc_duration_seconds{quantile="0.5"} 9.6169e-05 +go_gc_duration_seconds{quantile="0.75"} 0.000112867 +go_gc_duration_seconds{quantile="1"} 0.000260533 +go_gc_duration_seconds_sum 0.001055739 +``` diff --git a/freegeoip/docker-compose.yml b/freegeoip/docker-compose.yml new file mode 100644 index 0000000..47eb825 --- /dev/null +++ b/freegeoip/docker-compose.yml 
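Review bot: The `RUN` step pipes `curl -sSL ${FREEGEOIP_URL}` straight into `tar`, so the release tarball is never checked against a known digest, and `FROM alpine` is unpinned, which makes the build non-reproducible and dependent on GitHub serving the expected bytes. Download to a file, verify a pinned SHA-256, and pin the base image (`FROM alpine:3` matches the other Dockerfiles in this commit). The container also runs freegeoip as root; an unprivileged `USER` before `ENTRYPOINT` limits the blast radius of a bug in the web server. freegeoip 3.4.1 is several years old and the upstream project appears to be archived, which is worth confirming before adding it as a new recipe.
```dockerfile
FROM alpine:3
# … unchanged: MAINTAINER, ENV FREEGEOIP_VERSION/FILE/URL, WORKDIR …
ENV FREEGEOIP_SHA256 <sha256-of-the-3.4.1-linux-amd64-tarball>

RUN set -xe \
    && apk add --no-cache curl tar \
    && curl -sSL -o ${FREEGEOIP_FILE} ${FREEGEOIP_URL} \
    && echo "${FREEGEOIP_SHA256}  ${FREEGEOIP_FILE}" | sha256sum -c - \
    && tar xzf ${FREEGEOIP_FILE} --strip 1 \
    && rm ${FREEGEOIP_FILE} \
    && apk del curl tar \
    && adduser -D -H freegeoip
# … unchanged: EXPOSE …
USER freegeoip
# … unchanged: ENTRYPOINT, CMD …
```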
@@ -0,0 +1,6 @@ +freegeoip: + image: vimagick/freegeoip + ports: + - "8080:8080" + - "8888:8888" + restart: always diff --git a/freegeoip/freegeoip.service b/freegeoip/freegeoip.service new file mode 100644 index 0000000..944042c --- /dev/null +++ b/freegeoip/freegeoip.service @@ -0,0 +1,12 @@ +[Unit] +Description=IP Geolocation Web Server +After=network-online.target + +[Service] +WorkingDirectory=/opt/freegeoip +ExecStart=/opt/freegeoip/freegeoip -public public -http :8080 -internal-server :8888 +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/frp/Dockerfile b/frp/Dockerfile index e777c00..5d274f8 100644 --- a/frp/Dockerfile +++ b/frp/Dockerfile @@ -5,7 +5,7 @@ FROM alpine MAINTAINER kev -ENV FRP_VERSION 0.20.0 +ENV FRP_VERSION 0.29.0 ENV FRP_URL https://github.com/fatedier/frp/releases/download/v${FRP_VERSION}/frp_${FRP_VERSION}_linux_amd64.tar.gz WORKDIR /opt/frp diff --git a/frp/arm/Dockerfile b/frp/arm/Dockerfile index 221f5d8..2ee4289 100644 --- a/frp/arm/Dockerfile +++ b/frp/arm/Dockerfile @@ -2,10 +2,10 @@ # Dockerfile for frp-arm # -FROM alpine +FROM arm32v7/alpine:3 MAINTAINER EasyPi Software Foundation -ENV FRP_VERSION 0.20.0 +ENV FRP_VERSION 0.29.0 ENV FRP_URL https://github.com/fatedier/frp/releases/download/v${FRP_VERSION}/frp_${FRP_VERSION}_linux_arm.tar.gz WORKDIR /opt/frp diff --git a/frp/arm/docker-compose.yml b/frp/arm/docker-compose.yml index 14b98dd..6e673ed 100644 --- a/frp/arm/docker-compose.yml +++ b/frp/arm/docker-compose.yml @@ -1,6 +1,7 @@ -frps: +frpc: image: easypi/frp-arm + command: ./frpc -c frpc.ini volumes: - - ./data/frps.ini:/opt/frp/frps.ini + - ./data/frpc.ini:/opt/frp/frpc.ini net: host - restart: always + restart: unless-stopped diff --git a/frp/data/frpc.ini b/frp/data/frpc.ini index 08c0404..a975ab9 100644 --- a/frp/data/frpc.ini +++ b/frp/data/frpc.ini 
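Review bot: `- "8888:8888"` publishes the `-internal-server` listener (the `/metrics` endpoint, per the README in this commit) on every host interface, while it only needs to be reachable by a local scraper; `- "127.0.0.1:8888:8888"` keeps it off the network. In `freegeoip.service`, `After=network-online.target` alone does not make the unit wait for the network, because systemd only activates that target when some unit `Wants=` it; add `Wants=network-online.target` beside it, and note that `hass/hass.service` in this commit has the same gap. The unit also starts the binary as root with no `User=`; a dedicated unprivileged user plus `ProtectSystem=strict` would match what the frp units in this commit do with `User=`.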
@@ -2,7 +2,8 @@
 server_addr = 1.2.3.4
 server_port = 7000
 protocol = kcp
-privilege_token = 12345678
+token = 12345678
+admin_port = 7400
 
 [ssh]
 type = tcp
diff --git a/frp/openwrt/frpc b/frp/openwrt/frpc
old mode 100644
new mode 100755
index c3a566a..847aa89
--- a/frp/openwrt/frpc
+++ b/frp/openwrt/frpc
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2018 EasyPi Software Foundation
+# Copyright (C) 2019 EasyPi Software Foundation
 
 START=99
 USE_PROCD=1
diff --git a/frp/openwrt/frps b/frp/openwrt/frps
old mode 100644
new mode 100755
index e40b70e..4699e6c
--- a/frp/openwrt/frps
+++ b/frp/openwrt/frps
@@ -1,5 +1,5 @@
 #!/bin/sh /etc/rc.common
-# Copyright (C) 2018 EasyPi Software Foundation
+# Copyright (C) 2019 EasyPi Software Foundation
 
 START=99
 USE_PROCD=1
diff --git a/frp/systemd/frpc.service b/frp/systemd/frpc.service
index ee2faee..54d90de 100644
--- a/frp/systemd/frpc.service
+++ b/frp/systemd/frpc.service
@@ -3,7 +3,10 @@ Description=frp client
 After=network.target
 
 [Service]
+User=nobody
 ExecStart=/usr/local/bin/frpc -c /etc/frp/frpc.ini
+ExecReload=/usr/local/bin/frpc reload -c /etc/frp/frpc.ini
+LimitNOFILE=65536
 RestartSec=5
 Restart=always
 
diff --git a/frp/systemd/frpc@.service b/frp/systemd/frpc@.service
new file mode 100644
index 0000000..6419788
--- /dev/null
+++ b/frp/systemd/frpc@.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Frp Client Service
+After=network.target
+
+[Service]
+User=nobody
+ExecStart=/usr/local/bin/frpc -c /etc/frp/%i.ini
+ExecReload=/usr/local/bin/frpc reload -c /etc/frp/%i.ini
+LimitNOFILE=65536
+RestartSec=5
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/frp/systemd/frps.service b/frp/systemd/frps.service
index 2a4df17..2fb69b0 100644
--- a/frp/systemd/frps.service
+++ b/frp/systemd/frps.service
@@ -3,7 +3,9 @@ Description=frp server
 After=network.target
 
 [Service]
+User=nobody
 ExecStart=/usr/local/bin/frps -c /etc/frp/frps.ini
+LimitNOFILE=65536
 RestartSec=5
 Restart=always
 
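Review bot: `admin_port = 7400` enables frpc's admin HTTP API (which the new `ExecReload=/usr/local/bin/frpc reload` lines in `frp/systemd/frpc.service` and `frpc@.service` depend on) without setting `admin_user`/`admin_pwd`, so anything that can reach the port can reload or inspect the proxy configuration. Set `admin_addr = 127.0.0.1` explicitly and add `admin_user = <user>` / `admin_pwd = <strong-password>` next to it; the `token = 12345678` sample value should likewise be marked as a placeholder in a comment, since this is the file the container bind-mounts.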
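Review bot: `User=nobody` in `frpc.service`, `frpc@.service` and `frps.service` shares an account with every other daemon on the host that also runs as nobody, so a compromise of one of them gives read access to `/etc/frp/*.ini` (which holds `token`); a dedicated `frp` user, or `DynamicUser=yes` with `ProtectSystem=strict`, is the usual fix. The config files then need to be readable by that user but not world-readable, which is worth one line in the README. For `frps.service`, an unprivileged user cannot bind ports below 1024, so if frps.ini sets `vhost_http_port`/`vhost_https_port` to 80/443 the unit also needs `AmbientCapabilities=CAP_NET_BIND_SERVICE`.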
diff --git a/ghost/arm/Dockerfile b/ghost/arm/Dockerfile index efe4100..c23a3d4 100644 --- a/ghost/arm/Dockerfile +++ b/ghost/arm/Dockerfile @@ -5,10 +5,10 @@ FROM easypi/alpine-arm MAINTAINER EasyPi Software Foundation -ENV GHOST_VERSION 1.24.9 +ENV GHOST_VERSION 2.15.0 ENV GHOST_INSTALL /var/lib/ghost ENV GHOST_CONTENT /var/lib/ghost/content -ENV GHOST_CLI_VERSION 1.8.1 +ENV GHOST_CLI_VERSION 1.9.9 ENV NPM_CONFIG_LOGLEVEL warn ENV NODE_ENV production diff --git a/gitea/README.md b/gitea/README.md new file mode 100644 index 0000000..b0e1bc5 --- /dev/null +++ b/gitea/README.md @@ -0,0 +1,7 @@ +gitea +===== + +[Gitea][1] is a community managed lightweight code hosting solution written in +Go. It is published under the MIT license. + +[1]: https://gitea.io/ diff --git a/gitea/docker-compose.yml b/gitea/docker-compose.yml new file mode 100644 index 0000000..1362015 --- /dev/null +++ b/gitea/docker-compose.yml @@ -0,0 +1,34 @@ +version: "3.7" + +services: + + server: + image: gitea/gitea + ports: + - "2222:22" + - "3000:3000" + volumes: + - ./data/gitea:/data + environment: + - USER_UID=1000 + - USER_GID=1000 + - DB_TYPE=postgres + - DB_HOST=postgres:5432 + - DB_NAME=gitea + - DB_USER=gitea + - DB_PASSWD=gitea + depends_on: + - postgres + restart: always + + postgres: + image: postgres:12-alpine + ports: + - "5432:5432" + volumes: + - ./data/postgres:/var/lib/postgresql/data + environment: + - POSTGRES_USER=gitea + - POSTGRES_PASSWORD=gitea + - POSTGRES_DB=gitea + restart: always diff --git a/gogs/README.md b/gogs/README.md index cb7c96c..98d1f80 100644 --- a/gogs/README.md +++ b/gogs/README.md @@ -38,4 +38,7 @@ $ tree -FL 3 ./data/git/ └── user2/ ``` +Please read [this][2] to learn more about `app.ini`. + [1]: https://gogs.io/ +[2]: https://gogs.io/docs/advanced/configuration_cheat_sheet.html diff --git a/gogs/arm/Dockerfile b/gogs/arm/Dockerfile index 8a33fa9..f65ff8c 100644 --- a/gogs/arm/Dockerfile +++ b/gogs/arm/Dockerfile 
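Review bot: The `postgres` service publishes `"5432:5432"` on every host interface with `POSTGRES_PASSWORD=gitea`, yet only the `server` service needs the database and it already reaches `postgres:5432` over the compose network; drop the `ports:` block on postgres (or use `- "127.0.0.1:5432:5432"`) so the weak default password is not reachable from the network. `DB_PASSWD` and `POSTGRES_PASSWORD` should also come from a git-ignored `.env` (`${GITEA_DB_PASSWORD}`) rather than being hard-coded twice, which keeps the two values from drifting apart.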
@@ -2,21 +2,23 @@ # Dockerfile for gogs-arm # -FROM easypi/alpine-arm +FROM arm32v7/alpine:3 MAINTAINER EasyPi Software Foundation -ENV GOGS_VERSION 0.11.53 +ENV GOSU_VERSION 1.11 +ENV GOGS_VERSION 0.11.91 ENV GOGS_CUSTOM /data/gogs -RUN apk add --no-cache bash \ - ca-certificates \ - curl \ - git \ - linux-pam \ - openssh \ - s6 \ - socat \ - tar +RUN apk add --no-cache \ + bash \ + ca-certificates \ + curl \ + git \ + linux-pam \ + openssh \ + s6 \ + socat \ + tar RUN set -xe \ && adduser -H -D -g 'Gogs Git User' -h /data/git -s /bin/bash git \ @@ -24,16 +26,16 @@ RUN set -xe \ && echo "export GOGS_CUSTOM=${GOGS_CUSTOM}" >> /etc/profile RUN set -xe \ - && curl -L https://github.com/tianon/gosu/releases/download/1.10/gosu-armhf > /usr/sbin/gosu \ + && curl -L https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-armhf > /usr/sbin/gosu \ && chmod +x /usr/sbin/gosu RUN set -xe \ && mkdir /app/ \ && cd /app/ \ - && curl -LO https://github.com/gogits/gogs/releases/download/v${GOGS_VERSION}/raspi2_armv6.zip \ - && unzip raspi2_armv6.zip \ - && rm raspi2_armv6.zip \ - && ln -s /lib/libc.musl-armhf.so.1 /lib/ld-linux-armhf.so.3 + && curl -LO https://github.com/gogits/gogs/releases/download/v${GOGS_VERSION}/raspi_armv7.zip \ + && unzip raspi_armv7.zip \ + && rm raspi_armv7.zip \ + && ln -s /lib/libc.musl-armv7.so.1 /lib/ld-linux-armhf.so.3 RUN set -xe \ && cd /app/gogs/ \ diff --git a/gostatsd/data/gostatsd.toml b/gostatsd/data/gostatsd.toml new file mode 100644 index 0000000..4e700bf --- /dev/null +++ b/gostatsd/data/gostatsd.toml @@ -0,0 +1,14 @@ +[graphite] +address = "graphite:2003" +dial_timeout = '5s' +write_timeout = '30s' + +mode = 'tags' + +global_prefix = 'stats' +global_suffix = '' + +prefix_counter = 'counters' +prefix_timer = 'timers' +prefix_gauge = 'gauges' +prefix_sets = 'sets' diff --git a/gostatsd/docker-compose.yml b/gostatsd/docker-compose.yml new file mode 100644 index 0000000..732b695 --- /dev/null +++ b/gostatsd/docker-compose.yml 
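Review bot: The gosu download `curl -L .../gosu-armhf > /usr/sbin/gosu` installs an unverified binary as the privilege-dropping helper, and the second hunk's `curl -LO .../raspi_armv7.zip` is likewise unchecked; gosu publishes a detached `.asc` signature per release, so verify it before `chmod +x`, and pin a SHA-256 for the gogs zip. `FROM arm32v7/alpine:3` also moves to a floating major tag; a minor pin (`arm32v7/alpine:3.N`) keeps the `ln -s /lib/libc.musl-armv7.so.1 /lib/ld-linux-armhf.so.3` loader shim from breaking silently if the musl library name changes between releases.
```dockerfile
ENV GOSU_GPG_KEY <upstream gosu signing key fingerprint>
RUN set -xe \
    && apk add --no-cache --virtual .gosu-deps gnupg \
    && curl -L https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-armhf -o /usr/sbin/gosu \
    && curl -L https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-armhf.asc -o /tmp/gosu.asc \
    && gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys ${GOSU_GPG_KEY} \
    && gpg --batch --verify /tmp/gosu.asc /usr/sbin/gosu \
    && rm -rf /tmp/gosu.asc /root/.gnupg \
    && apk del .gosu-deps \
    && chmod +x /usr/sbin/gosu
```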
@@ -0,0 +1,12 @@ +gostatsd: + image: atlassianlabs/gostatsd + command: gostatsd --backends=graphite --config-path=/etc/gostatsd/gostatsd.toml + ports: + - "8125:8125/udp" + - "8126:8126/tcp" + - "8181:8181/tcp" + volumes: + - ./data:/etc/gostatsd + external_links: + - graphite_graphite_1:graphite + restart: unless-stopped diff --git a/grafana/README.md b/grafana/README.md index 7e428d9..cede751 100644 --- a/grafana/README.md +++ b/grafana/README.md @@ -27,6 +27,7 @@ grafana: - GF_SMTP_FROM_ADDRESS=grafana@example.com - GF_SMTP_PASSWORD=****** - GF_USERS_ALLOW_SIGN_UP=false + - GF_ALERTING_ERROR_OR_TIMEOUT=keep_state restart: always ``` diff --git a/grafana/docker-compose.yml b/grafana/docker-compose.yml index c485f72..85065ee 100644 --- a/grafana/docker-compose.yml +++ b/grafana/docker-compose.yml @@ -14,4 +14,5 @@ grafana: - GF_SMTP_FROM_ADDRESS=grafana@example.com - GF_SMTP_PASSWORD=****** - GF_USERS_ALLOW_SIGN_UP=false + - GF_ALERTING_ERROR_OR_TIMEOUT=keep_state restart: always diff --git a/graphite/Dockerfile b/graphite/Dockerfile index 40694db..ee53da6 100644 --- a/graphite/Dockerfile +++ b/graphite/Dockerfile @@ -5,7 +5,7 @@ FROM alpine MAINTAINER EasyPi Software Foundation -ENV GRAPHITE_VERSION=1.1.3 +ENV GRAPHITE_VERSION=1.1.5 ENV GRAPHITE_CONF_DIR=/opt/graphite/conf ENV GRAPHITE_STORAGE_DIR=/opt/graphite/storage ENV PATH=$PATH:/opt/graphite/bin @@ -34,7 +34,8 @@ RUN set -xe \ && echo "SECRET_KEY = '$(head -c 16 /dev/urandom | base64)'" > graphite/local_settings.py \ && curl -sSL https://github.com/graphite-project/graphite-web/raw/master/webapp/manage.py > manage.py \ && chmod +x manage.py \ - && ./manage.py migrate --run-syncdb --noinput \ + && ./manage.py collectstatic --noinput --settings=graphite.settings \ + && ./manage.py migrate --noinput --run-syncdb \ && apk del build-base \ curl \ git \ 
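Review bot: `GRAPHITE_VERSION` is pinned to 1.1.5, but the adjacent context line still fetches `manage.py` from `graphite-web/raw/master`, so the build runs whatever management script is on the upstream default branch at build time against the pinned webapp, an unpinned and unverified download in a build that otherwise pins versions. Fetching it from the matching tag, `raw/${GRAPHITE_VERSION}/webapp/manage.py`, keeps the two in step (assuming upstream tags follow that naming, which should be checked). The new `collectstatic` step is fine, but a comment above the `SECRET_KEY` line noting that the key is generated once at image build time and therefore shared by every container started from that image would help users who publish the image.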
@@ -48,8 +49,11 @@ COPY supervisord.conf /etc/supervisor/ VOLUME $GRAPHITE_CONF_DIR \ $GRAPHITE_STORAGE_DIR -EXPOSE 2003 \ +EXPOSE 2003/udp \ + 2003 \ 2004 \ + 2023 \ + 2024 \ 7002 \ 8080 \ 9001 diff --git a/graphite/README.md b/graphite/README.md index 9eaddae..2cd8191 100644 --- a/graphite/README.md +++ b/graphite/README.md @@ -14,7 +14,10 @@ graphite: image: vimagick/graphite ports: - "2003:2003" + - "2003:2003/udp" - "2004:2004" + - "2023:2023" + - "2024:2024" - "7002:7002" - "8080:8080" - "9001:9001" @@ -32,14 +35,21 @@ $ mkdir -p data/storage/log/webapp $ docker-compose up -d $ docker-compose exec graphite sh >>> vi conf/storage-schemas.conf ->>> python webapp/manage.py migrate --run-syncdb --noinput +>>> python webapp/manage.py migrate --noinput --run-syncdb >>> python webapp/manage.py createsuperuser >>> python webapp/manage.py changepassword +>>> supervisorctl restart +>>> supervisorctl status +carbon-aggregator RUNNING pid 9, uptime 0:00:13 +carbon-cache RUNNING pid 8, uptime 0:00:22 +graphite-webapp RUNNING pid 7, uptime 0:00:24 >>> exit $ tree -F -L 4 ├── data/ │   ├── conf/ +│   │   ├── aggregation-rules.conf │   │   ├── carbon.conf +│   │   ├── rewrite-rules.conf │   │   └── storage-schemas.conf │   └── storage/ │   ├── carbon-cache-a.pid diff --git a/graphite/data/conf/aggregation-rules.conf b/graphite/data/conf/aggregation-rules.conf new file mode 100644 index 0000000..a5e55d5 --- /dev/null +++ b/graphite/data/conf/aggregation-rules.conf 
@@ -0,0 +1,43 @@ +# The form of each line in this file should be as follows: +# +# output_template (frequency) = method input_pattern +# +# This will capture any received metrics that match 'input_pattern' +# for calculating an aggregate metric. The calculation will occur +# every 'frequency' seconds and the 'method' can specify 'sum' or +# 'avg'. The name of the aggregate metric will be derived from +# 'output_template' filling in any captured fields from 'input_pattern'. +# +# For example, if you're metric naming scheme is: +# +# .applications... +# +# You could configure some aggregations like so: +# +# .applications..all.requests (60) = sum .applications..*.requests +# .applications..all.latency (60) = avg .applications..*.latency +# +# As an example, if the following metrics are received: +# +# prod.applications.apache.www01.requests +# prod.applications.apache.www01.requests +# +# They would all go into the same aggregation buffer and after 60 seconds the +# aggregate metric 'prod.applications.apache.all.requests' would be calculated +# by summing their values. +# +# Template components such as will match everything up to the next dot. +# To match metric multiple components including the dots, use <> in the +# input template: +# +# .applications..all. (60) = sum .applications..*.<> +# +# It is also possible to use regular expressions. Following the example above +# when using: +# +# .applications...requests (60) = sum .applications..\d{2}.requests +# +# You will end up with 'prod.applications.apache.www.requests' instead of +# 'prod.applications.apache.all.requests'. +# +# Note that any time this file is modified, it will be re-read automatically. diff --git a/graphite/data/conf/carbon.conf b/graphite/data/conf/carbon.conf index 24105ec..25eff50 100644 --- a/graphite/data/conf/carbon.conf +++ b/graphite/data/conf/carbon.conf 
@@ -505,13 +505,13 @@ PICKLE_RECEIVER_PORT = 2024
 # If set true, metric received will be forwarded to DESTINATIONS in addition to
 # the output of the aggregation rules. If set false the carbon-aggregator will
 # only ever send the output of aggregation.
-FORWARD_ALL = True
+FORWARD_ALL = False
 
 # Filenames of the configuration files to use for this instance of aggregator.
 # Filenames are relative to CONF_DIR.
-#
-# AGGREGATION_RULES = aggregation-rules.conf
-# REWRITE_RULES = rewrite-rules.conf
+
+AGGREGATION_RULES = aggregation-rules.conf
+REWRITE_RULES = rewrite-rules.conf
 
 # This is a list of carbon daemons we will send any relayed or
 # generated metrics to. The default provided would send to a single
diff --git a/graphite/data/conf/rewrite-rules.conf b/graphite/data/conf/rewrite-rules.conf
new file mode 100644
index 0000000..f7bd4d1
--- /dev/null
+++ b/graphite/data/conf/rewrite-rules.conf
@@ -0,0 +1,18 @@
+# This file defines regular expression patterns that can be used to
+# rewrite metric names in a search & replace fashion. It consists of two
+# sections, [pre] and [post]. The rules in the pre section are applied to
+# metric names as soon as they are received. The post rules are applied
+# after aggregation has taken place.
+#
+# The general form of each rule is as follows:
+#
+# regex-pattern = replacement-text
+#
+# For example:
+#
+# [post]
+# _sum$ =
+# _avg$ =
+#
+# These rules would strip off a suffix of _sum or _avg from any metric names
+# after aggregation.
diff --git a/graphite/data/storage/log/webapp/.gitkeep b/graphite/data/storage/log/webapp/.gitkeep
new file mode 100644
index 0000000..e69de29
diff --git a/graphite/docker-compose.yml b/graphite/docker-compose.yml
index 1250ca3..cd1bb10 100644
--- a/graphite/docker-compose.yml
+++ b/graphite/docker-compose.yml
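Review bot: Switching to `FORWARD_ALL = False` while the `aggregation-rules.conf` added in this commit contains only comments means every metric sent to the new aggregator ports 2023/2024 is discarded, because the aggregator now emits only rule output and there are no rules. Either keep `FORWARD_ALL = True` until real rules exist, or state in the README that 2023/2024 drop everything until `aggregation-rules.conf` is populated; a comment above the setting such as `# With no rules defined, nothing received on 2023/2024 reaches carbon-cache` would prevent silent data loss.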
@@ -1,9 +1,11 @@ graphite: image: vimagick/graphite ports: - - "2003:2003" - "2003:2003/udp" + - "2003:2003" - "2004:2004" + - "2023:2023" + - "2024:2024" - "7002:7002" - "8080:8080" - "9001:9001" diff --git a/graphite/supervisord.conf b/graphite/supervisord.conf index db63e8e..df18535 100644 --- a/graphite/supervisord.conf +++ b/graphite/supervisord.conf @@ -15,6 +15,11 @@ command = carbon-cache.py --debug start redirect_stderr = true autorestart = true +[program:carbon-aggregator] +command = carbon-aggregator.py --debug start +redirect_stderr = true +autorestart = true + [program:graphite-webapp] command = gunicorn -b :8080 graphite.wsgi:application directory = /opt/graphite/webapp diff --git a/hass/Dockerfile b/hass/Dockerfile index 418be9d..5ffe224 100644 --- a/hass/Dockerfile +++ b/hass/Dockerfile @@ -9,7 +9,9 @@ RUN set -xe \ && apk update \ && apk add --no-cache ca-certificates \ build-base \ + libffi-dev \ linux-headers \ + openssl-dev \ python3 \ python3-dev \ && pip3 install --no-cache-dir homeassistant \ diff --git a/hass/arm/Dockerfile b/hass/arm/Dockerfile index e484e65..6d7c093 100644 --- a/hass/arm/Dockerfile +++ b/hass/arm/Dockerfile 
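Review bot: The new `"2023:2023"` and `"2024:2024"` entries publish the carbon-aggregator line and pickle receivers on every host interface, and like 2003/2004 they accept writes from anyone who can connect; the supervisor HTTP UI on 9001 is in the same position. Unless remote senders are intended, bind them to loopback, e.g. `- "127.0.0.1:2023:2023"`, or document that a firewall is expected in front of the container.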
@@ -2,20 +2,25 @@ # Dockerfile for hass-arm (Home Assistant) # -FROM easypi/alpine-arm +FROM arm32v7/alpine:3 MAINTAINER EasyPi Software Foundation +ENV HASS_VERSION=0.100.2 +ENV HASS_CLI_VERSION=3.1.0 + RUN set -xe \ && apk update \ - && apk add --no-cache ca-certificates \ - build-base \ - linux-headers \ - python3 \ - python3-dev \ - && pip3 install --no-cache-dir homeassistant \ - && wget https://github.com/home-assistant/hassio-cli/releases/download/1.3.1/hassio_armhf -O /usr/local/bin/hassio + && apk add --no-cache \ + ca-certificates \ + build-base \ + libffi-dev \ + linux-headers \ + openssl-dev \ + python3 \ + python3-dev \ + && pip3 install --no-cache-dir homeassistant==${HASS_VERSION} \ + && wget https://github.com/home-assistant/hassio-cli/releases/download/${HASS_CLI_VERSION}/hassio_armhf -O /usr/local/bin/hassio VOLUME /etc/hass EXPOSE 8123 - ENTRYPOINT ["hass", "--config", "/etc/hass"] diff --git a/hass/arm/Dockerfile.debian b/hass/arm/Dockerfile.debian index ced5b8d..b7e3a35 100644 --- a/hass/arm/Dockerfile.debian +++ b/hass/arm/Dockerfile.debian 
@@ -2,37 +2,42 @@ # Dockerfile for hass-arm (Home Assistant) # -FROM resin/rpi-raspbian:jessie +FROM balenalib/rpi-raspbian:buster MAINTAINER EasyPi Software Foundation +ENV HASS_VERSION=0.100.2 +ENV HASS_CLI_VERSION=3.1.0 + RUN set -xe \ && apt-get update \ - && apt-get install -y build-essential \ - bluez \ - curl \ - libbluetooth3 \ - libbluetooth-dev \ - libboost-python-dev \ - libboost-thread-dev \ - libglib2.0 \ - libglib2.0-dev \ - pkg-config \ - python-dev \ - python3-dev \ + && apt-get install -y \ + build-essential \ + bluez \ + curl \ + libbluetooth3 \ + libbluetooth-dev \ + libboost-python-dev \ + libboost-thread-dev \ + libglib2.0 \ + libglib2.0-dev \ + pkg-config \ + python-dev \ + python3-dev \ && curl https://bootstrap.pypa.io/get-pip.py | python3 \ - && pip3 install --no-cache-dir gattlib \ - homeassistant \ - pybluez \ - && setcap 'cap_net_raw,cap_net_admin+eip' /usr/bin/python3.4 \ - && apt-get remove -y curl \ - libbluetooth-dev \ - libboost-python-dev \ - libboost-thread-dev \ - libglib2.0-dev \ - pkg-config \ - python-dev + && pip3 install --no-cache-dir \ + gattlib \ + homeassistant \ + pybluez \ + && setcap 'cap_net_raw,cap_net_admin+eip' /usr/bin/python3.7 \ + && apt-get remove -y \ + curl \ + libbluetooth-dev \ + libboost-python-dev \ + libboost-thread-dev \ + libglib2.0-dev \ + pkg-config \ + python-dev VOLUME /etc/hass EXPOSE 8123 - ENTRYPOINT ["hass", "--config", "/etc/hass"] diff --git a/hass/hass.service b/hass/hass.service new file mode 100644 index 0000000..6bdc486 --- /dev/null +++ b/hass/hass.service @@ -0,0 +1,12 @@ +[Unit] +Description=Home Assistant +After=network-online.target + +[Service] +WorkingDirectory=/opt/hass +ExecStart=/usr/local/bin/hass -c /opt/hass +Restart=always +RestartSec=5 + +[Install] +WantedBy=multi-user.target diff --git a/hubot/Dockerfile b/hubot/Dockerfile index 371e578..e422119 100644 --- a/hubot/Dockerfile +++ b/hubot/Dockerfile 
@@ -11,7 +11,7 @@ ENV HUBOT_DESCRIPTION=$HUBOT_NAME-$HUBOT_ADAPTER ENV HUBOT_SLACK_TOKEN= RUN set -xe \ - && apk add --update ca-certificates nodejs nodejs-npm \ + && apk add --update ca-certificates nodejs nodejs-npm python3 \ && npm install -g yo generator-hubot \ && adduser -s /bin/sh -D hubot @@ -33,7 +33,10 @@ RUN set -xe \ url \ && sed -i -r 's/^\s+#//' scripts/example.coffee -VOLUME /home/hobot +VOLUME /home/hobot \ + /usr/local/bin \ + /usr/lib/python3.7/site-packages + EXPOSE 8080 CMD ["./bin/hubot", "--adapter", "slack"] diff --git a/hubot/arm/Dockerfile b/hubot/arm/Dockerfile index a29ba1f..4464d68 100644 --- a/hubot/arm/Dockerfile +++ b/hubot/arm/Dockerfile @@ -2,7 +2,7 @@ # Dockerfile for hubot-arm # -FROM easypi/alpine-arm +FROM arm32v7/alpine:3 MAINTAINER EasyPi Software Foundation ENV HUBOT_NAME=Hubot diff --git a/hydra/Dockerfile b/hydra/Dockerfile index 1721f91..1b5136b 100644 --- a/hydra/Dockerfile +++ b/hydra/Dockerfile @@ -5,14 +5,15 @@ FROM alpine MAINTAINER EasyPi Software Foundation -ENV HYDRA_VERSION=8.6 -ENV HYDRA_URL=https://github.com/vanhauser-thc/thc-hydra/archive/$HYDRA_VERSION.tar.gz +ENV HYDRA_VERSION=9.0 +ENV HYDRA_URL=https://github.com/vanhauser-thc/thc-hydra/archive/v$HYDRA_VERSION.tar.gz RUN set -xe \ && apk add --no-cache apr-dev \ apr-util-dev \ bash \ build-base \ + coreutils \ curl \ jq \ libidn \ @@ -20,8 +21,9 @@ RUN set -xe \ libpq \ libssh \ libssh-dev \ + mariadb-connector-c \ + mariadb-connector-c-dev \ mariadb-dev \ - mariadb-client-libs \ ncurses \ ncurses-dev \ parallel \ @@ -31,11 +33,11 @@ RUN set -xe \ subversion-dev \ subversion-libs \ tar \ - && echo 'will cite' | parallel --bibtex \ + tmux \ + && parallel --will-cite \ && mkdir src \ && cd src \ && curl -sSL $HYDRA_URL | tar xz --strip 1 \ - && sed -i '1s/^/#include \n/' pw-inspector.c \ && ./configure --prefix=/usr \ && make install \ && cd .. \ 
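Review bot: The rewritten `VOLUME` line keeps `/home/hobot`, but the user created earlier in this file is `hubot` (`adduser -s /bin/sh -D hubot`), so the volume is declared on a path that never exists and the real home directory is not persisted; it should read `VOLUME /home/hubot \`. Declaring `/usr/local/bin` and `/usr/lib/python3.7/site-packages` as volumes also means those trees are copied into anonymous volumes on first run and then shadow whatever a rebuilt image ships, so updates to globally installed tools stop taking effect; the `python3.7` path additionally hard-codes a minor version that the unpinned `apk add ... python3` does not guarantee.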
@@ -46,12 +48,10 @@ RUN set -xe \ libidn-dev \ libssh-dev \ ncurses-dev \ + mariadb-connector-c-dev \ mariadb-dev \ pcre-dev \ postgresql-dev \ subversion-dev -VOLUME /hydra -WORKDIR /hydra - -CMD ["bash"] +ENTRYPOINT ["bash"] diff --git a/hydra/README.md b/hydra/README.md index 1db7d4c..640268c 100644 --- a/hydra/README.md +++ b/hydra/README.md @@ -20,9 +20,24 @@ A very fast network logon cracker which support many different services. - [x] Android specialities - [x] secure compile option support in gcc +## docker-compose.yml +```yaml +hydra: + image: vimagick/hydra + command: sleep infinity + volumes: + - ./data:/data + working_dir: /data + restart: unless-stopped ``` -$ docker run --rm -it -v `pwd`:/work vimagick/hydra + +# up and running + +```bash +$ docker-compose up -d + +$ docker-compose exec hydra bash >>> cat passwd.txt 123456 diff --git a/hydra/arm/Dockerfile b/hydra/arm/Dockerfile index 45b04f7..04806a4 100644 --- a/hydra/arm/Dockerfile +++ b/hydra/arm/Dockerfile @@ -2,17 +2,18 @@ # Dockerfile for hydra-arm # -FROM easypi/alpine-arm +FROM arm32v7/alpine MAINTAINER EasyPi Software Foundation -ENV HYDRA_VERSION=8.6 -ENV HYDRA_URL=https://github.com/vanhauser-thc/thc-hydra/archive/$HYDRA_VERSION.tar.gz +ENV HYDRA_VERSION=9.0 +ENV HYDRA_URL=https://github.com/vanhauser-thc/thc-hydra/archive/v$HYDRA_VERSION.tar.gz RUN set -xe \ && apk add --no-cache apr-dev \ apr-util-dev \ bash \ build-base \ + coreutils \ curl \ jq \ libidn \ @@ -20,8 +21,9 @@ RUN set -xe \ libpq \ libssh \ libssh-dev \ + mariadb-connector-c \ + mariadb-connector-c-dev \ mariadb-dev \ - mariadb-client-libs \ ncurses \ ncurses-dev \ parallel \ @@ -31,11 +33,11 @@ RUN set -xe \ subversion-dev \ subversion-libs \ tar \ - && echo 'will cite' | parallel --bibtex \ + tmux \ + && parallel --will-cite \ && mkdir src \ && cd src \ && curl -sSL $HYDRA_URL | tar xz --strip 1 \ - && sed -i '1s/^/#include \n/' pw-inspector.c \ && ./configure --prefix=/usr \ && make install \ && cd .. \ 
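Review bot: Replacing `CMD ["bash"]` with `ENTRYPOINT ["bash"]` turns every `docker run ... <args>` and compose `command:` into a script argument to bash, which is why the compose files in this commit have to override `entrypoint: sleep`; the README snippet added in the same commit uses `command: sleep infinity` without that override and would run `bash sleep infinity`, failing on a missing script named `sleep`. Keep `CMD ["bash"]` with no `ENTRYPOINT` so both forms work, or make the README override the entrypoint as the compose files do; `hydra/arm/Dockerfile` carries the identical change.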
@@ -46,12 +48,10 @@ RUN set -xe \ libidn-dev \ libssh-dev \ ncurses-dev \ + mariadb-connector-c-dev \ mariadb-dev \ pcre-dev \ postgresql-dev \ subversion-dev -VOLUME /hydra -WORKDIR /hydra - -CMD ["bash"] +ENTRYPOINT ["bash"] diff --git a/hydra/arm/docker-compose.yml b/hydra/arm/docker-compose.yml new file mode 100644 index 0000000..8f31fe6 --- /dev/null +++ b/hydra/arm/docker-compose.yml @@ -0,0 +1,8 @@ +hydra: + image: easypi/hydra-arm + entrypoint: sleep + command: infinity + volumes: + - ./data:/data + working_dir: /data + restart: unless-stopped diff --git a/hydra/docker-compose.yml b/hydra/docker-compose.yml new file mode 100644 index 0000000..acecd75 --- /dev/null +++ b/hydra/docker-compose.yml @@ -0,0 +1,8 @@ +hydra: + image: vimagick/hydra + entrypoint: sleep + command: infinity + volumes: + - ./data:/data + working_dir: /data + restart: unless-stopped diff --git a/i2pd/Dockerfile b/i2pd/Dockerfile new file mode 100644 index 0000000..d4c11c3 --- /dev/null +++ b/i2pd/Dockerfile @@ -0,0 +1,36 @@ +# +# Dockerfile for i2pd +# + +FROM debian:stretch +MAINTAINER EasyPi Software Foundation + +ENV I2PD_VERSION=2.27.0 +ENV I2PD_ARCH=amd64 +ENV I2PD_DIST=stretch +ENV I2PD_URL=https://github.com/PurpleI2P/i2pd/releases/download/${I2PD_VERSION}/i2pd_${I2PD_VERSION}-1${I2PD_DIST}1_${I2PD_ARCH}.deb + +RUN set -ex \ + && apt-get update \ + && apt-get install -y wget \ + && { \ + wget ${I2PD_URL} -O i2pd.deb; \ + dpkg -i i2pd.deb; \ + apt-get -f install -y; \ + sed -i '/^address =/s/127.0.0.1/0.0.0.0/' /etc/i2pd/i2pd.conf; \ + rm i2pd.deb; \ + } \ + && apt-get remove -y wget \ + && rm -rf /var/lib/apt/lists/* + +VOLUME /etc/i2pd /var/lib/i2pd + +EXPOSE 4444 4447 7070 + +ENTRYPOINT ["i2pd"] +CMD [ \ + "--conf=/etc/i2pd/i2pd.conf", \ + "--tunconf=/etc/i2pd/tunnels.conf", \ + "--tunnelsdir=/etc/i2pd/tunnels.conf.d", \ + "--service" \ + ] diff --git a/i2pd/README.md b/i2pd/README.md new file mode 100644 index 0000000..b0f7ff7 --- /dev/null +++ b/i2pd/README.md 
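Review bot: The `sed -i '/^address =/s/127.0.0.1/0.0.0.0/'` rewrites every `address =` line in the packaged `/etc/i2pd/i2pd.conf`, so the web console, HTTP proxy and SOCKS proxy all listen on all container interfaces, and `EXPOSE 4444 4447 7070` then invites publishing them; the compose file in this commit does so on every host interface, which makes the host an open proxy into I2P with an unauthenticated console. Prefer leaving the packaged defaults alone and shipping the rebinding in the mounted `data/i2pd.conf`, where it is visible and reviewable. The `.deb` is also fetched with `wget` and installed with no signature or digest check; pin a SHA-256 and verify it (`echo "<sha256-of-deb>  i2pd.deb" | sha256sum -c -`) before `dpkg -i`. `i2pd/arm/Dockerfile` has the same two issues.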
@@ -0,0 +1,44 @@ +i2pd +==== + +[i2pd][1] (I2P Daemon) is a full-featured C++ implementation of I2P client. + +## docker-compose.yml + +```yaml +i2pd: + image: vimagick/i2pd + ports: + - "4444:4444" + - "4447:4447" + - "7070:7070" + volumes: + - ./data/i2pd.conf:/etc/i2pd/i2pd.conf + - ./data/tunnels.conf.d:/etc/i2pd/tunnels.conf.d + restart: unless-stopped +``` + +## Server + +```bash +$ docker-compose up -d +$ curl http://127.0.0.1:7070/ +``` + +## Tunnel + +- You can find examples in: /usr/share/doc/i2pd/tunnels.d/ +- Document: https://github.com/PurpleI2P/i2pd/wiki/tunnels.conf + +## Client + +Download [FoxyProxy][2] for Firefox. + +## Example Sites + +- http://planet.i2p +- http://identiguy.i2p +- http://tracker2.postman.i2p + +[1]: https://github.com/PurpleI2P/i2pd +[2]: https://addons.mozilla.org/en-US/firefox/addon/foxyproxy-standard/ diff --git a/i2pd/arm/Dockerfile b/i2pd/arm/Dockerfile new file mode 100644 index 0000000..66e0240 --- /dev/null +++ b/i2pd/arm/Dockerfile @@ -0,0 +1,36 @@ +# +# Dockerfile for i2pd-arm +# + +FROM arm32v7/debian:stretch +MAINTAINER EasyPi Software Foundation + +ENV I2PD_VERSION=2.27.0 +ENV I2PD_ARCH=armhf +ENV I2PD_DIST=stretch +ENV I2PD_URL=https://github.com/PurpleI2P/i2pd/releases/download/${I2PD_VERSION}/i2pd_${I2PD_VERSION}-1${I2PD_DIST}1_${I2PD_ARCH}.deb + +RUN set -ex \ + && apt-get update \ + && apt-get install -y wget \ + && { \ + wget ${I2PD_URL} -O i2pd.deb; \ + dpkg -i i2pd.deb; \ + apt-get -f install -y; \ + sed -i '/^address =/s/127.0.0.1/0.0.0.0/' /etc/i2pd/i2pd.conf; \ + rm i2pd.deb; \ + } \ + && apt-get remove -y wget \ + && rm -rf /var/lib/apt/lists/* + +VOLUME /etc/i2pd /var/lib/i2pd + +EXPOSE 4444 4447 7070 + +ENTRYPOINT ["i2pd"] +CMD [ \ + "--conf=/etc/i2pd/i2pd.conf", \ + "--tunconf=/etc/i2pd/tunnels.conf", \ + "--tunnelsdir=/etc/i2pd/tunnels.conf.d", \ + "--service" \ + ] diff --git a/i2pd/arm/docker-compose.yml b/i2pd/arm/docker-compose.yml new file mode 100644 index 0000000..94da3d8 --- /dev/null 
+++ b/i2pd/arm/docker-compose.yml
@@ -0,0 +1,10 @@
+i2pd:
+ image: easypi/i2pd-arm
+ ports:
+ - "4444:4444"
+ - "4447:4447"
+ - "7070:7070"
+ volumes:
+ - ./data/i2pd.conf:/etc/i2pd/i2pd.conf
+ - ./data/tunnels.conf.d:/etc/i2pd/tunnels.conf.d
+ restart: unless-stopped
diff --git a/i2pd/data/i2pd.conf b/i2pd/data/i2pd.conf
new file mode 100644
index 0000000..a25c2ef
--- /dev/null
+++ b/i2pd/data/i2pd.conf
@@ -0,0 +1,28 @@
+## Configuration file for a typical i2pd user
+## See https://i2pd.readthedocs.io/en/latest/user-guide/configuration/
+## for more options you can use in this file.
+##
+## Sample: https://github.com/PurpleI2P/i2pd/blob/openssl/contrib/i2pd.conf
+##
+
+ipv4 = true
+ipv6 = false
+
+[http]
+strictheaders = false
+address = 0.0.0.0
+port = 7070
+
+[httpproxy]
+address = 0.0.0.0
+port = 4444
+
+[socksproxy]
+address = 0.0.0.0
+port = 4447
+
+[sam]
+enabled = true
+
+[reseed]
+verify = true
diff --git a/i2pd/data/tunnels.conf.d/website.conf b/i2pd/data/tunnels.conf.d/website.conf
new file mode 100644
index 0000000..db9490d
--- /dev/null
+++ b/i2pd/data/tunnels.conf.d/website.conf
@@ -0,0 +1,12 @@
+# You can find examples in /usr/share/doc/i2pd/tunnels.d directory
+# Document: https://github.com/PurpleI2P/i2pd/wiki/tunnels.conf
+
+[website]
+type = http
+host = 192.168.1.1
+port = 80
+inbound.length = 1
+inbound.quantity = 5
+outbound.length = 1
+outbound.quantity = 5
+keys = website.dat
diff --git a/i2pd/docker-compose.yml b/i2pd/docker-compose.yml
new file mode 100644
index 0000000..094f84b
--- /dev/null
+++ b/i2pd/docker-compose.yml
@@ -0,0 +1,10 @@
+i2pd:
+ image: vimagick/i2pd
+ ports:
+ - "4444:4444"
+ - "4447:4447"
+ - "7070:7070"
+ volumes:
+ - ./data/i2pd.conf:/etc/i2pd/i2pd.conf
+ - ./data/tunnels.conf.d:/etc/i2pd/tunnels.conf.d
+ restart: unless-stopped
diff --git a/jenkins/README.md b/jenkins/README.md
index b336b85..4340a83 100644
--- a/jenkins/README.md
+++ b/jenkins/README.md
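Review bot: `strictheaders = false` under `[http]` switches off i2pd's Host-header check on the web console, which is its protection against DNS-rebinding from a browser on the same LAN; combined with `address = 0.0.0.0` and no `auth`/`user`/`pass` lines, the console is reachable and unauthenticated from anything that can hit port 7070. Keep strict headers on and add authentication, e.g. `strictheaders = true`, `auth = true`, `user = …`, `pass = …` under `[http]`, or leave `address = 127.0.0.1` and reach it via `docker exec`. The same applies to `[httpproxy]` and `[socksproxy]` on 0.0.0.0: they are open proxies into I2P for anyone who can reach 4444/4447, so bind them to loopback on the host side in compose or restrict them.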
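Review bot: The example tunnel publishes `host = 192.168.1.1` `port = 80` as an I2P HTTP destination; 192.168.1.1 is the usual default gateway of a home router, so anyone who starts this container with the sample unchanged exposes their router's admin page to the I2P network under a freshly generated destination (`keys = website.dat`). Use a clearly harmless placeholder such as `host = 127.0.0.1` with a comment `# replace with the LAN address of the site to publish`, or ship the file as `website.conf.example` so it is not loaded from `tunnels.conf.d/` by default. `inbound.length = 1` / `outbound.length = 1` also trade the server's anonymity for speed and deserve a comment saying so.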
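Review bot: `- "7070:7070"` (and 4444/4447) publishes the i2pd console and the HTTP/SOCKS proxies on every host interface, and with the shipped `data/i2pd.conf` (`address = 0.0.0.0`, no auth) they are reachable by anything that can route to the host. Bind them to loopback on the host side unless remote access is intended: `- "127.0.0.1:7070:7070"`, `- "127.0.0.1:4444:4444"`, `- "127.0.0.1:4447:4447"`. The Dockerfile declares `/var/lib/i2pd` as a VOLUME, where the router identity and presumably the `website.dat` destination keys are written, but this compose does not map it, so the eepsite address likely changes whenever the container is recreated; `- ./data/i2pd:/var/lib/i2pd` would persist it (verify the key path for the Debian package).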
@@ -40,4 +40,12 @@ $ docker-compose exec --user root jenkins apk add -U git $ firefox http://localhost:8080/ ``` +## fix slow network + +``` +$ vim data/war/jsbundles/pluginSetupWizard.js + // default 10 seconds for AJAX responses to return before triggering an error condition + var pluginManagerErrorTimeoutMillis = 10 * 1000; +``` + [1]: https://jenkins.io/index.html diff --git a/jenkins/arm/Dockerfile b/jenkins/arm/Dockerfile index 2bf17f8..3195b07 100644 --- a/jenkins/arm/Dockerfile +++ b/jenkins/arm/Dockerfile @@ -2,21 +2,22 @@ # Dockerfile for jenkins-arm # -FROM easypi/alpine-arm:edge +FROM arm32v7/alpine:3 MAINTAINER EasyPi Software Foundation ENV JENKINS_HOME /var/jenkins_home RUN set -xe \ - && apk add --no-cache bash \ - coreutils \ - curl \ - git \ - openjdk8 \ - openssh-client \ - ttf-dejavu \ - unzip \ - zip \ + && apk add --no-cache \ + bash \ + coreutils \ + curl \ + git \ + openjdk8 \ + openssh-client \ + ttf-dejavu \ + unzip \ + zip \ && addgroup -g 1000 jenkins \ && adduser -h $JENKINS_HOME -u 1000 -G jenkins -s /bin/bash -D jenkins \ && mkdir -p /usr/share/jenkins \ diff --git a/jmxtrans/README.md b/jmxtrans/README.md new file mode 100644 index 0000000..2fc7ef3 --- /dev/null +++ b/jmxtrans/README.md @@ -0,0 +1,17 @@ +jmxtrans +======== + +[jmxtrans][1] is very powerful tool which uses easily generated JSON (or YAML) based +configuration files and then outputs the data in whatever format you desire. It +does this with a very efficient engine design that will scale to communicating +with thousands of machines from a single jmxtrans instance. + +## Using yaml2jmxtrans configuration converter (only support graphite) + +```bash +$ wget https://github.com/jmxtrans/jmxtrans/raw/master/jmxtrans/tools/yaml2jmxtrans.py +$ chmod +x yaml2jmxtrans.py +$ ./yaml2jmxtrans.py config.yaml +``` + +[1]: https://github.com/jmxtrans/jmxtrans diff --git a/jmxtrans/docker-compose.yml b/jmxtrans/docker-compose.yml new file mode 100644 index 0000000..afc3cee --- /dev/null 
+++ b/jmxtrans/docker-compose.yml @@ -0,0 +1,6 @@ +jmxtrans: + image: jmxtrans/jmxtrans + command: start-without-jmx + volumes: + - ./data:/var/lib/jmxtrans + restart: always diff --git a/json-server/Dockerfile b/json-server/Dockerfile index 75159cf..b18c530 100644 --- a/json-server/Dockerfile +++ b/json-server/Dockerfile @@ -5,7 +5,7 @@ FROM alpine MAINTAINER kev -WORKDIR /app +WORKDIR /data RUN set -xe \ && apk add --no-cache nodejs nodejs-npm \ diff --git a/json-server/README.md b/json-server/README.md index 4cb2156..9a56f20 100644 --- a/json-server/README.md +++ b/json-server/README.md @@ -10,15 +10,15 @@ Get a full fake REST API with zero coding in less than 30 seconds (seriously) wi ```yaml json-server: image: vimagick/json-server - command: -w db.json + command: -H 0.0.0.0 -p 3000 -w db.json ports: - "3000:3000" volumes: - - ./db.json:/app/db.json + - ./data:/data restart: always ``` -## db.json +## data/db.json ```json { diff --git a/json-server/db.json b/json-server/data/db.json similarity index 100% rename from json-server/db.json rename to json-server/data/db.json diff --git a/json-server/docker-compose.yml b/json-server/docker-compose.yml index 64cef8b..5a14380 100644 --- a/json-server/docker-compose.yml +++ b/json-server/docker-compose.yml @@ -1,8 +1,8 @@ json-server: image: vimagick/json-server - command: -w db.json + command: -H 0.0.0.0 -p 3000 -w db.json ports: - "3000:3000" volumes: - - ./db.json:/app/db.json + - ./data:/data restart: always diff --git a/kafka-manager/Dockerfile b/kafka-manager/Dockerfile index f0fa994..e875715 100644 --- a/kafka-manager/Dockerfile +++ b/kafka-manager/Dockerfile @@ -5,9 +5,9 @@ FROM openjdk:8 MAINTAINER kev -ENV SCALA_VERSION 2.11.8 -ENV SBT_VERSION 1.1.6 -ENV KAFKA_MANAGER_VERSION 1.3.3.18 +ENV SCALA_VERSION 2.12.8 +ENV SBT_VERSION 1.2.8 +ENV KAFKA_MANAGER_VERSION 2.0.0.2 RUN set -xe \ && apt update \ diff --git a/kafka-manager/docker-compose.yml b/kafka-manager/docker-compose.yml index 04e3987..7f934aa 100644 
--- a/kafka-manager/docker-compose.yml +++ b/kafka-manager/docker-compose.yml @@ -17,6 +17,7 @@ kafka: environment: - KAFKA_ADVERTISED_HOST_NAME=10.0.0.13 - KAFKA_ZOOKEEPER_CONNECT=zookeeper:2181 + - JMX_PORT=9999 links: - zookeeper restart: always diff --git a/kafka-mqtt/README.md b/kafka-mqtt/README.md new file mode 100644 index 0000000..acc35ca --- /dev/null +++ b/kafka-mqtt/README.md @@ -0,0 +1,4 @@ +kafka-mqtt +========== + +Confluent Docker Image for Kafka MQTT Proxy. diff --git a/kafka-mqtt/docker-compose.yml b/kafka-mqtt/docker-compose.yml new file mode 100644 index 0000000..b4ce768 --- /dev/null +++ b/kafka-mqtt/docker-compose.yml @@ -0,0 +1,12 @@ +kafka-mqtt: + image: confluentinc/cp-kafka-mqtt + ports: + - "1883:1883" + environment: + - KAFKA_MQTT_BOOTSTRAP_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092 + - KAFKA_MQTT_TOPIC_REGEX_LIST=temperature:.* + extra_hosts: + - kafka1:10.0.0.21 + - kafka2:10.0.0.22 + - kafka3:10.0.0.23 + restart: unless-stopped diff --git a/kafka-rest/README.md b/kafka-rest/README.md new file mode 100644 index 0000000..a71ddc7 --- /dev/null +++ b/kafka-rest/README.md @@ -0,0 +1,9 @@ +kafka-rest +========== + +[The Confluent REST Proxy][1] provides a RESTful interface to a Kafka cluster, +making it easy to produce and consume messages, view the state of the cluster, +and perform administrative actions without using the native Kafka protocol or +clients. + +[1]: https://github.com/confluentinc/kafka-rest diff --git a/kafka-rest/docker-compose.yml b/kafka-rest/docker-compose.yml new file mode 100644 index 0000000..c6a70a8 --- /dev/null +++ b/kafka-rest/docker-compose.yml 
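Review bot: `JMX_PORT=9999` switches on JMX remote management on the broker; judging by the cluster file added in this same commit (`docker-compose-kafka1.yml`, which spells out `jmxremote.authenticate=false` and `jmxremote.ssl=false`), the wurstmeister image enables it without authentication, and an unauthenticated JMX/RMI endpoint is a remote-code-execution vector wherever it is reachable. Nothing in this file publishes 9999 on the host, so it stays on the compose network for now; a comment such as `# JMX for kafka-manager only; never publish 9999 without jmxremote.authenticate=true` would keep it that way.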
@@ -0,0 +1,16 @@
+kafka-rest:
+ image: confluentinc/cp-kafka-rest
+ ports:
+ - "8082:8082"
+ environment:
+ - KAFKA_REST_HOST_NAME=kafka-rest
+ - KAFKA_REST_ZOOKEEPER_CONNECT=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181
+ - KAFKA_REST_BOOTSTRAP_SERVERS=kafka1:9092,kafka2:9092,kafka3:9092
+ extra_hosts:
+ - zookeeper1:10.0.0.21
+ - zookeeper2:10.0.0.22
+ - zookeeper3:10.0.0.23
+ - kafka1:10.0.0.21
+ - kafka2:10.0.0.22
+ - kafka3:10.0.0.23
+ restart: unless-stopped
diff --git a/kafka/cluster/docker-compose-kafka-manager.yml b/kafka/cluster/docker-compose-kafka-manager.yml
new file mode 100644
index 0000000..87acada
--- /dev/null
+++ b/kafka/cluster/docker-compose-kafka-manager.yml
@@ -0,0 +1,17 @@
+kafka-manager:
+ image: vimagick/kafka-manager
+ ports:
+ - "9000:9000"
+ environment:
+ - ZK_HOSTS=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181
+ - KAFKA_MANAGER_AUTH_ENABLED=true
+ - KAFKA_MANAGER_USERNAME=admin
+ - KAFKA_MANAGER_PASSWORD=admin
+ extra_hosts:
+ - zookeeper1:10.0.0.21
+ - zookeeper2:10.0.0.22
+ - zookeeper3:10.0.0.23
+ - kafka1:10.0.0.21
+ - kafka2:10.0.0.22
+ - kafka3:10.0.0.23
+ restart: always
diff --git a/kafka/cluster/docker-compose-kafka1.yml b/kafka/cluster/docker-compose-kafka1.yml
new file mode 100644
index 0000000..95e4a0f
--- /dev/null
+++ b/kafka/cluster/docker-compose-kafka1.yml
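Review bot: `KAFKA_MANAGER_USERNAME=admin` / `KAFKA_MANAGER_PASSWORD=admin` enables basic auth with a default credential on a UI that is published on `9000:9000` and can create and delete topics and reassign partitions, which is barely better than `KAFKA_MANAGER_AUTH_ENABLED=false`. Move the password out of the committed file, e.g. `- KAFKA_MANAGER_PASSWORD=${KAFKA_MANAGER_PASSWORD:?set in .env}`, with the `.env` git-ignored. Basic auth also sends the credential in the clear on every request, so the UI needs to sit behind TLS or be bound to `127.0.0.1:9000:9000`.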
@@ -0,0 +1,27 @@ +kafka: + image: wurstmeister/kafka:2.12-2.2.1 + ports: + - "9092:9092" + - "9999:9999" + hostname: kafka1 + volumes: + - /data/kafka:/kafka + - /var/run/docker.sock:/var/run/docker.sock + environment: + - KAFKA_BROKER_ID=1 + - KAFKA_LISTENERS=PLAINTEXT://:9092 + - KAFKA_ADVERTISED_LISTENERS=PLAINTEXT://kafka1:9092 + - KAFKA_ZOOKEEPER_CONNECT=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181 + - KAFKA_JMX_OPTS=-Dcom.sun.management.jmxremote + -Dcom.sun.management.jmxremote.authenticate=false + -Dcom.sun.management.jmxremote.ssl=false + -Dcom.sun.management.jmxremote.rmi.port=9999 + -Dcom.sun.management.jmxremote.port=9999 + extra_hosts: + - zookeeper1:10.0.0.21 + - zookeeper2:10.0.0.22 + - zookeeper3:10.0.0.23 + - kafka1:10.0.0.21 + - kafka2:10.0.0.22 + - kafka3:10.0.0.23 + restart: always diff --git a/kafka/cluster/docker-compose-zookeeper1.yml b/kafka/cluster/docker-compose-zookeeper1.yml new file mode 100644 index 0000000..88e6856 --- /dev/null +++ b/kafka/cluster/docker-compose-zookeeper1.yml @@ -0,0 +1,20 @@ +zookeeper: + image: zookeeper:3.5.5 + ports: + - "2181:2181" + - "2888:2888" + - "3888:3888" + hostname: zookeeper1 + volumes: + - /data/zookeeper/data:/data + - /data/zookeeper/datalog:/datalog + - /data/zookeeper/logs:/logs + environment: + - ZOO_MY_ID=1 + - ZOO_SERVERS=server.1=0.0.0.0:2888:3888;2181 server.2=zookeeper2:2888:3888;2181 server.3=zookeeper3:2888:3888;2181 + - ZOO_LOG4J_PROP=INFO,ROLLINGFILE + extra_hosts: + - zookeeper1:10.0.0.21 + - zookeeper2:10.0.0.22 + - zookeeper3:10.0.0.23 + restart: always diff --git a/kismet/Dockerfile b/kismet/Dockerfile new file mode 100644 index 0000000..6c104db --- /dev/null +++ b/kismet/Dockerfile 
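Review bot: `KAFKA_JMX_OPTS` disables JMX authentication and TLS (`jmxremote.authenticate=false`, `jmxremote.ssl=false`) and the same file publishes that port with `- "9999:9999"`, so the broker offers an unauthenticated JMX/RMI endpoint on the host's 10.0.0.21 — anyone who can reach it can invoke MBean operations, which on a JVM amounts to remote code execution. Either drop the `9999:9999` mapping (kafka-manager reaches the broker through `extra_hosts` on the same 10.0.0.x network, which is exactly why it should be firewalled) or add `-Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.password.file=…` and `jmxremote.ssl=true`. Mounting `/var/run/docker.sock` into the broker container hands it root-equivalent control of the host; the wurstmeister image uses it for automatic broker-id/port discovery, which `KAFKA_BROKER_ID=1` and the explicit listeners here already make unnecessary (inferred from the image's docs — verify), so that line can go. `PLAINTEXT://kafka1:9092` across the 10.0.0.x hosts also means no encryption or client auth on the wire.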
@@ -0,0 +1,56 @@ +# +# Dockerfile for kismet +# + +FROM ubuntu:16.04 + +RUN set -xe \ + && apt-get update \ + && apt-get install -y autoconf \ + build-essential \ + curl \ + gdb \ + gdbserver \ + libcap-dev \ + libdw-dev \ + libmicrohttpd-dev \ + libncurses5-dev \ + libnl-3-dev \ + libnl-genl-3-dev \ + libnm-dev \ + libpcap-dev \ + libprotobuf-c-dev \ + libprotobuf-dev \ + librtlsdr0 \ + libsqlite3-dev \ + pkg-config \ + protobuf-c-compiler \ + protobuf-compiler \ + python \ + python-pip \ + python-setuptools \ + zlib1g-dev \ + && mkdir /opt/kismet \ + && cd /opt/kismet \ + && curl -sSL https://github.com/kismetwireless/kismet/archive/master.tar.gz | tar xz --strip 1 \ + && ./configure --prefix=/usr --sysconfdir=/etc/kismet \ + && make \ + && make suidinstall \ + && make forceconfigs \ + && touch /etc/kismet_site.conf \ + && apt-get remove -y autoconf \ + build-essential \ + curl \ + pkg-config \ + protobuf-c-compiler \ + protobuf-compiler \ + python-pip \ + python-setuptools \ + && cd / \ + && rm -rf /opt/kismet + +VOLUME /root/.kismet + +EXPOSE 2501 3501 + +CMD ["kismet", "--no-ncurses"] diff --git a/kismet/README.md b/kismet/README.md new file mode 100644 index 0000000..743c60a --- /dev/null +++ b/kismet/README.md @@ -0,0 +1,12 @@ +kismet +====== + +```bash +$ docker-compose up -d + +$ docker-compose exec kismet cat /root/.kismet/kismet_httpd.conf +httpd_password=LV2nurQNGgZ46N5n +httpd_username=kismet + +$ curl http://localhost:2501 +``` diff --git a/kismet/docker-compose.yml b/kismet/docker-compose.yml new file mode 100644 index 0000000..db80d18 --- /dev/null +++ b/kismet/docker-compose.yml @@ -0,0 +1,8 @@ +kismet: + image: vimagick/kismet + ports: + - "2501:2501" + - "3501:3501" + cap_add: + - NET_ADMIN + restart: unless-stopped diff --git a/magento/Dockerfile b/magento/Dockerfile index 76d1005..405dc75 100644 --- a/magento/Dockerfile +++ b/magento/Dockerfile 
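Review bot: The build pulls `master.tar.gz` from GitHub and unpacks it via `curl | tar` with no tag, commit or checksum, so the image content differs on every build and cannot be audited or reproduced; pin a release tag (`ENV KISMET_VERSION=…` and `…/archive/${KISMET_VERSION}.tar.gz`) and verify a SHA256 before extraction. `make suidinstall` installs the capture helpers setuid-root, which is only meaningful if the daemon itself runs unprivileged; as written nothing drops privileges and `CMD ["kismet", "--no-ncurses"]` runs as root, so either add a `USER` for the kismet group that suidinstall sets up (inferred from Kismet's docs — verify) or use plain `make install`. The cleanup also omits `apt-get autoremove` and `rm -rf /var/lib/apt/lists/*`, so the removed packages' dependencies and the apt cache stay in the final layer.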
@@ -20,8 +20,8 @@ RUN set -xe \ libjpeg62-turbo-dev \ libmcrypt4 \ libmcrypt-dev \ - libpng12-0 \ - libpng12-dev \ + libpng16-16 \ + libpng-dev \ libxslt1.1 \ libxslt1-dev \ zlib1g \ @@ -42,7 +42,7 @@ RUN set -xe \ libicu-dev \ libjpeg62-turbo-dev \ libmcrypt-dev \ - libpng12-dev \ + libpng-dev \ libxslt1-dev \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* @@ -58,8 +58,8 @@ RUN { \ WORKDIR /var/www/html -ENV MAGENTO_VER 2.1.0 -ENV MAGENTO_MD5 aab11e6b443be7179410b195b2099819 +ENV MAGENTO_VER 2.1.15 +ENV MAGENTO_MD5 139aeece901f0e8c07f3e572bba646da ENV MAGENTO_URL https://github.com/magento/magento2/archive/$MAGENTO_VER.tar.gz ENV MAGENTO_FILE magento.tar.gz diff --git a/mantisbt/Dockerfile b/mantisbt/Dockerfile index bf15a26..a9493a9 100644 --- a/mantisbt/Dockerfile +++ b/mantisbt/Dockerfile @@ -14,9 +14,9 @@ RUN set -xe \ && docker-php-ext-install gd mbstring mysql mysqli pgsql soap \ && rm -rf /var/lib/apt/lists/* -ENV MANTIS_VER 2.16.0 -ENV MANTIS_MD5 02da0eff8b611b08610e969fa00eefe1 -ENV MANTIS_URL http://jaist.dl.sourceforge.net/project/mantisbt/mantis-stable/${MANTIS_VER}/mantisbt-${MANTIS_VER}.tar.gz +ENV MANTIS_VER 2.22.1 +ENV MANTIS_MD5 ced6493cb2c1ea6bbf8b95b5082e7d98 +ENV MANTIS_URL https://sourceforge.net/projects/mantisbt/files/mantis-stable/${MANTIS_VER}/mantisbt-${MANTIS_VER}.tar.gz ENV MANTIS_FILE mantisbt.tar.gz RUN set -xe \ diff --git a/metabase/README.md b/metabase/README.md new file mode 100644 index 0000000..b22e49f --- /dev/null +++ b/metabase/README.md @@ -0,0 +1,6 @@ +metabase +======== + +[Metabase][1] is the easy, open source way for everyone in your company to ask questions and learn from data. + +[1]: https://www.metabase.com diff --git a/metabase/docker-compose.yml b/metabase/docker-compose.yml new file mode 100644 index 0000000..eb5503a --- /dev/null +++ b/metabase/docker-compose.yml 
@@ -0,0 +1,36 @@ +version: '2' + +services: + + metabase: + image: metabase/metabase + ports: + - "3000:3000" + # "1099:1099" + environment: + - MB_DB_TYPE=postgres + - MB_DB_DBNAME=metabase + - MB_DB_HOST=postgres + - MB_DB_PORT=5432 + - MB_DB_USER=root + - MB_DB_PASS=root + - JAVA_TOOL_OPTIONS=-Xmx6g + # JAVA_OPTS=-Dcom.sun.management.jmxremote.port=1099 + # -Dcom.sun.management.jmxremote.rmi.port=1099 + # -Dcom.sun.management.jmxremote.authenticate=false + # -Dcom.sun.management.jmxremote.ssl=false + # -Dcom.sun.management.jmxremote.local.only=false + # -Djava.rmi.server.hostname=metabase.easypi.pro + depends_on: + - postgres + restart: unless-stopped + + postgres: + image: postgres:alpine + volumes: + - ./data:/var/lib/postgresql/data + environment: + - POSTGRES_USER=root + - POSTGRES_PASSWORD=root + - POSTGRES_DB=metabase + restart: unless-stopped diff --git a/minio/gateway-docker-compose.yml b/minio/gateway-docker-compose.yml new file mode 100644 index 0000000..88643fb --- /dev/null +++ b/minio/gateway-docker-compose.yml @@ -0,0 +1,25 @@ +version: "3.7" + +services: + + oss: + image: minio/minio + command: gateway oss https://oss-cn-beijing.aliyuncs.com + ports: + - "9000:9000" + environment: + - MINIO_ACCESS_KEY=ossaccesskey + - MINIO_SECRET_KEY=osssecretkey + restart: unless-stopped + + nas: + image: minio/minio + command: gateway nas /data + ports: + - "9001:9000" + volumes: + - ./data:/data + environment: + - MINIO_ACCESS_KEY=nasaccesskey + - MINIO_SECRET_KEY=nassecretkey + restart: unless-stopped diff --git a/mtproxy/Dockerfile b/mtproxy/Dockerfile new file mode 100644 index 0000000..9fe41a0 --- /dev/null +++ b/mtproxy/Dockerfile 
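Review bot: The database credentials are committed as `MB_DB_USER=root` / `MB_DB_PASS=root` and `POSTGRES_PASSWORD=root`, and because `POSTGRES_USER=root` is the Postgres superuser Metabase also runs with far more database privilege than a single `metabase` database needs. Pull the password from an untracked `.env` (`- MB_DB_PASS=${MB_DB_PASS:?set in .env}` and `- POSTGRES_PASSWORD=${MB_DB_PASS:?set in .env}`) and create a dedicated role. The commented-out JMX block is worth keeping commented: it would publish 1099 with `jmxremote.authenticate=false`, `ssl=false` and `local.only=false` under a public hostname, i.e. an unauthenticated RMI endpoint; if it is ever enabled, add `authenticate=true` with a password file first.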
@@ -0,0 +1,45 @@ +# +# Dockerfile for mtproxy +# + +FROM debian:stretch +MAINTAINER EasyPi Software Foundation + +WORKDIR /usr/local/src/mtproxy + +RUN set -xe \ + && apt update \ + && apt install -y build-essential curl git libssl-dev zlib1g-dev \ + && git clone --single-branch --depth 1 https://github.com/TelegramMessenger/MTProxy.git . \ + && make -j$(getconf _NPROCESSORS_ONLN) \ + && cp ./objs/bin/mtproto-proxy /usr/local/bin/ \ + && apt remove -y build-essential git libssl-dev zlib1g-dev \ + && cd .. \ + && rm -r mtproxy /var/lib/apt/lists/* + +WORKDIR /etc/mtproxy + +RUN set -xe \ + && curl -sSL https://core.telegram.org/getProxySecret > proxy-secret \ + && curl -sSL https://core.telegram.org/getProxyConfig > proxy-multi.conf + +VOLUME /etc/mtproxy + +ENV MTP_SECRET 00000000000000000000000000000000 +ENV MTP_SLAVES 1 + +EXPOSE 443 8888 + +CMD set -xe \ + && curl -sSL https://core.telegram.org/getProxySecret > proxy-secret \ + && curl -sSL https://core.telegram.org/getProxyConfig > proxy-multi.conf \ + && mtproto-proxy --allow-skip-dh \ + --user root \ + --address 0.0.0.0 \ + --port 8888 \ + --http-ports 443 \ + --slaves $MTP_SLAVES \ + --mtproto-secret $MTP_SECRET \ + --aes-pwd proxy-secret \ + proxy-multi.conf + diff --git a/mtproxy/Dockerfile.alpine b/mtproxy/Dockerfile.alpine new file mode 100644 index 0000000..a42622f --- /dev/null +++ b/mtproxy/Dockerfile.alpine 
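Review bot: `mtproto-proxy` is started with `--user root`, so the listener on 443/8888 runs as root for its whole lifetime even though the binary takes `--user` precisely so it can bind and then drop privileges; `--user nobody` (or a dedicated user created in the image) is the safer default. The shared secret is passed as `--mtproto-secret $MTP_SECRET` on the command line, where it is readable via `ps` and `/proc/<pid>/cmdline` by anything in the container, and because the CMD is shell form with `set -xe`, `-x` also echoes the full command including the secret into the container log. The default `ENV MTP_SECRET 000…` means a container started without the variable serves a well-known secret; a `${MTP_SECRET:?}` guard in the CMD would fail loudly instead. `git clone --depth 1` of `master` with no commit pin, and `--allow-skip-dh`, whose effect on the proxy's key exchange I cannot confirm from here, both deserve a comment.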
@@ -0,0 +1,47 @@ +# +# Dockerfile for mtproxy +# + +FROM alpine +MAINTAINER EasyPi Software Foundation + +WORKDIR /usr/local/src/mtproxy + +RUN set -xe \ + && apk add --no-cache curl gcc git linux-headers make musl-dev openssl-dev zlib-dev \ + && git clone --single-branch --depth 1 https://github.com/TelegramMessenger/MTProxy.git . \ + && curl -sSL https://github.com/alexdoesh/mtproxy/raw/master/patches/randr_compat.patch > randr_compat.patch \ + && patch -p0 -i randr_compat.patch \ + && make -j$(getconf _NPROCESSORS_ONLN) \ + && cp ./objs/bin/mtproto-proxy /usr/local/bin/ \ + && cd .. \ + && rm -r mtproxy \ + && apk del gcc git linux-headers make musl-dev openssl-dev zlib-dev + +WORKDIR /etc/mtproxy + +RUN set -xe \ + && ln -s /usr/lib/libcrypto.so.42 /usr/lib/libcrypto.so.1.0.0 \ + && curl -sSL https://core.telegram.org/getProxySecret > proxy-secret \ + && curl -sSL https://core.telegram.org/getProxyConfig > proxy-multi.conf + +VOLUME /etc/mtproxy + +ENV MTP_SECRET 00000000000000000000000000000000 +ENV MTP_SLAVES 1 + +EXPOSE 443 8888 + +CMD set -xe \ + && curl -sSL https://core.telegram.org/getProxySecret > proxy-secret \ + && curl -sSL https://core.telegram.org/getProxyConfig > proxy-multi.conf \ + && mtproto-proxy --allow-skip-dh \ + --user root \ + --address 0.0.0.0 \ + --port 8888 \ + --http-ports 443 \ + --slaves $MTP_SLAVES \ + --mtproto-secret $MTP_SECRET \ + --aes-pwd proxy-secret \ + proxy-multi.conf + diff --git a/mtproxy/README.md b/mtproxy/README.md new file mode 100644 index 0000000..636455c --- /dev/null +++ b/mtproxy/README.md @@ -0,0 +1,4 @@ +mtproxy +======= + +[1]: https://github.com/TelegramMessenger/MTProxy diff --git a/mtproxy/docker-compose.yml b/mtproxy/docker-compose.yml new file mode 100644 index 0000000..563f98f --- /dev/null +++ b/mtproxy/docker-compose.yml 
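Review bot: The build applies `randr_compat.patch` fetched from a third-party fork's `master` branch with no commit pin or checksum onto a proxy whose whole job is cryptographic transport; pin the patch to a commit URL and verify its SHA256, or vendor it into this repo. `ln -s /usr/lib/libcrypto.so.42 /usr/lib/libcrypto.so.1.0.0` makes the binary load whatever library carries the `.42` soname under the `1.0.0` name — that only works while the unpinned `FROM alpine` happens to ship that library, and a soname mismatch means a different libcrypto ABI from the one the binary was linked against; pin the base image (`FROM alpine:3.x`) and keep the runtime `libcrypto` package installed instead of symlinking across versions. The `--user root`, secret-on-the-command-line and `set -x` issues noted on the Debian Dockerfile apply here unchanged.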
@@ -0,0 +1,11 @@
+mtproxy:
+ image: vimagick/mtproxy
+ ports:
+ - "8443:443"
+ - "8888:8888"
+ volumes:
+ - ./data:/etc/mtproxy
+ environment:
+ - MTP_SECRET=092b4a4da9855f7923c7dc032157ff53
+ - MTP_SLAVES=4
+ restart: unless-stopped
diff --git a/n2n/Dockerfile b/n2n/Dockerfile
new file mode 100644
index 0000000..a1ced81
--- /dev/null
+++ b/n2n/Dockerfile
@@ -0,0 +1,20 @@
+#
+# Dockerfile for n2n
+#
+
+FROM debian:buster
+MAINTAINER EasyPi Software Foundation
+
+RUN set -xe \
+ && apt update \
+ && apt install -y gnupg iptables lsb-release net-tools wget \
+ && wget http://apt.ntop.org/buster/all/apt-ntop.deb \
+ && dpkg -i apt-ntop.deb \
+ && apt update \
+ && apt install -y n2n \
+ && rm -rf apt-ntop.deb /var/lib/apt/lists/*
+
+EXPOSE 5645/udp 7654/udp
+
+ENTRYPOINT ["supernode"]
+CMD ["-l", "7654"]
diff --git a/n2n/README.md b/n2n/README.md
new file mode 100644
index 0000000..5af723b
--- /dev/null
+++ b/n2n/README.md
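Review bot: `MTP_SECRET=092b4a4da9855f7923c7dc032157ff53` is a real-looking 16-byte proxy secret committed to a public recipe repository; anyone who copies the file unchanged runs a proxy whose secret is public, and if this was ever the maintainer's live secret it is burned now. Use a placeholder that fails loudly or is generated per deployment, e.g. `- MTP_SECRET=${MTP_SECRET:?generate with: head -c 16 /dev/urandom | xxd -ps}` with the value in an untracked `.env` (the `:?` form needs a docker-compose release that supports it — verify).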
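Review bot: `wget http://apt.ntop.org/buster/all/apt-ntop.deb` followed by `dpkg -i apt-ntop.deb` bootstraps the ntop repository and its signing key over plain HTTP with no verification, so anyone on the path between the build host and apt.ntop.org can substitute the .deb — and with it the keyring and sources list — after which every `apt install n2n` trusts that key. Fetch it over `https://` if ntop serves it (not verifiable from here) and pin its digest with `echo "${APT_NTOP_SHA256}  apt-ntop.deb" | sha256sum -c -` before `dpkg -i`. `CMD ["-l", "7654"]` leaves the supernode accepting any community, which is n2n's design, but a comment saying the supernode is an unauthenticated relay and only the edge key (`-k`) protects traffic would save readers a wrong assumption.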
@@ -0,0 +1,63 @@ +n2n +=== + +[n2n][1] is a layer-two peer-to-peer virtual private network (VPN) which allows +users to exploit features typical of P2P applications at network instead of +application level. + +``` + .............VPN................ ++------LAN-+-----+ +- Edge. +| . | / . +| Client ->.Edge +-> Supernode <-+- Edge . +| . | (Edge) \ . ++----------+-----+ +- Edge. + ................................ +``` + +## Supernode/Edge (eth0:1.2.3.4, n2n0:192.168.100.1/24) + +```bash +# start supernode & edge +$ docker-compose up -d +$ ifconfig + eth0: 1.2.3.4 + br-2e0238bf6b9d: 172.20.0.1 + +# config edge routing +$ docker-compose exec edge bash +>>> ifconfig + eth0: 172.20.0.2 + n2n0: 192.168.100.1 +>>> iptables -t nat -A POSTROUTING -j MASQUERADE +>>> exit + +# get bridge ip +$ ip route get 192.168.200.1 +192.168.200.1 via 172.20.0.2 dev br-2e0238bf6b9d src 172.20.0.1 + +# add vpn route (via edge's n2n0) +$ ip route add 192.168.200.0/24 via 172.20.0.2 +$ ping 192.168.200.1 +``` + +## Edge (eth0:192.168.1.23/24, n2n0:192.168.100.x/24) + +```bash +$ docker-compose up -d edge +$ sysctl -w net.ipv4.ip_forward=1 +$ iptables -t filter -A FORWARD -j ACCEPT +$ iptables -t nat -A POSTROUTING -o n2n0 -j MASQUERADE +``` + +## Client (eth0:192.168.1.45/24) + +```bash +$ ip route add 192.168.100.0/24 via 192.168.1.23 +$ ping 192.168.100.1 +$ nmap -sP 192.168.100.0/24 +``` + +> Static routes can be added on your home router. + +[1]: https://www.ntop.org/products/n2n/ diff --git a/n2n/arm/Dockerfile b/n2n/arm/Dockerfile new file mode 100644 index 0000000..60bc63b --- /dev/null +++ b/n2n/arm/Dockerfile 
@@ -0,0 +1,23 @@ +# +# Dockerfile for n2n-arm +# + +FROM arm32v7/debian:buster +MAINTAINER EasyPi Software Foundation + +RUN set -xe \ + && apt update \ + && apt install -y gnupg iptables lsb-release net-tools wget \ + && wget -qO- http://packages.ntop.org/apt/ntop.key | apt-key add - \ + && { \ + echo "deb http://apt.ntop.org/buster_pi armhf/"; \ + echo "deb http://apt.ntop.org/buster_pi all/"; \ + } > /etc/apt/sources.list.d/ntop.list \ + && apt update \ + && apt install -y n2n \ + && rm -rf /var/lib/apt/lists/* + +EXPOSE 5645/udp 7654/udp + +ENTRYPOINT ["supernode"] +CMD ["-l", "7654"] diff --git a/n2n/arm/docker-compose.yml b/n2n/arm/docker-compose.yml new file mode 100644 index 0000000..3f7b542 --- /dev/null +++ b/n2n/arm/docker-compose.yml @@ -0,0 +1,12 @@ +edge: + image: easypi/n2n-arm + entrypoint: ["edge"] + command: ["-dn2n0", "-cmynetwork", "-kmypassword", "-mAA:BB:CC:DD:EE:FF", "-a192.168.100.1", "-p50001", "-lsupernode:7654", "-r", "-f"] + extra_hosts: + - supernode:1.2.3.4 + devices: + - /dev/net/tun + cap_add: + - NET_ADMIN + net: host + restart: unless-stopped diff --git a/n2n/docker-compose.yml b/n2n/docker-compose.yml new file mode 100644 index 0000000..6e9e38a --- /dev/null +++ b/n2n/docker-compose.yml @@ -0,0 +1,20 @@ +version: '3.5' + +services: + + supernode: + image: vimagick/n2n + ports: + - "5645:5645/udp" + - "7654:7654/udp" + restart: unless-stopped + + edge: + image: vimagick/n2n + entrypoint: ["edge"] + command: ["-dn2n0", "-cmynetwork", "-kmypassword", "-mAA:BB:CC:DD:EE:FF", "-a192.168.100.1", "-p50001", "-lsupernode:7654", "-r", "-f"] + devices: + - /dev/net/tun + cap_add: + - NET_ADMIN + restart: unless-stopped diff --git a/netdata/arm/docker-compose.yml b/netdata/arm/docker-compose.yml index d8b837d..628679a 100644 --- a/netdata/arm/docker-compose.yml +++ b/netdata/arm/docker-compose.yml 
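Review bot: `wget -qO- http://packages.ntop.org/apt/ntop.key | apt-key add -` trusts a signing key fetched over plain HTTP; whoever can tamper with that download controls every package installed from `apt.ntop.org` afterwards, including `n2n`. Pin the key's fingerprint and compare it before trusting it, fetch over `https://` if served, and prefer writing the key to `/etc/apt/trusted.gpg.d/ntop.gpg` with `[signed-by=…]` in the sources list rather than the deprecated `apt-key add`, so the key cannot sign packages for other repositories.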
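Review bot: The edge's community key is passed as `-kmypassword` inside `command:`, so it is committed in the recipe and visible in `docker inspect` and in `ps` for every process in the container; n2n's edge can also take the key from the `N2N_KEY` environment variable (inferred from the n2n edge documentation — verify for the packaged version), which with an untracked `.env` keeps it out of both. `-mAA:BB:CC:DD:EE:FF` hard-codes a MAC that collides the moment two edges copy this file unchanged; let edge choose a random MAC or comment it as a per-node value. `-lsupernode:7654` with `supernode` resolved by compose is fine, but since the supernode is an unauthenticated relay, the comment belongs here too: only `-k` protects the traffic.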
@@ -1,7 +1,14 @@ netdata: - image: easypi/netdata-arm + image: netdata/netdata:latest-armhf + hostname: easypi.pro + ports: + - 19999:19999 + cap_add: + - SYS_PTRACE + security_opt: + - apparmor:unconfined volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock:ro - net: host - pid: host restart: always diff --git a/netdata/docker-compose.yml b/netdata/docker-compose.yml index d4d10e3..941f05e 100644 --- a/netdata/docker-compose.yml +++ b/netdata/docker-compose.yml @@ -1,7 +1,14 @@ netdata: - image: vimagick/netdata + image: netdata/netdata + hostname: easypi.pro + ports: + - 19999:19999 + cap_add: + - SYS_PTRACE + security_opt: + - apparmor:unconfined volumes: + - /proc:/host/proc:ro + - /sys:/host/sys:ro - /var/run/docker.sock:/var/run/docker.sock:ro - net: host - pid: host restart: always diff --git a/nexus3/README.md b/nexus3/README.md new file mode 100644 index 0000000..f570d24 --- /dev/null +++ b/nexus3/README.md @@ -0,0 +1,10 @@ +nexus3 +====== + +## up and running + +```bash +$ mkdir data +$ chown -R 200 data +$ docker-compose up -d +``` diff --git a/nexus3/docker-compose.yml b/nexus3/docker-compose.yml new file mode 100644 index 0000000..4fb3d02 --- /dev/null +++ b/nexus3/docker-compose.yml @@ -0,0 +1,23 @@ +version: "3.7" + +services: + + nexus3: + image: sonatype/nexus3 + ports: + - "8081:8081" + volumes: + - ./data:/nexus-data + depends_on: + - minio + restart: unless-stopped + + minio: + image: minio/minio + command: gateway oss https://oss-cn-beijing.aliyuncs.com + expose: + - "9000" + environment: + - MINIO_ACCESS_KEY=xxxxxxxxxxxxxxxx + - MINIO_SECRET_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + restart: unless-stopped diff --git a/nexus3/nginx.conf b/nexus3/nginx.conf new file mode 100644 index 0000000..afe7aa3 --- /dev/null +++ b/nexus3/nginx.conf 
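Review bot: `/var/run/docker.sock:/var/run/docker.sock:ro` does not limit what the container can do — `:ro` only makes the bind mount read-only at the filesystem level, while the Docker API behind the socket still accepts every request, including starting a privileged container on the host; together with `SYS_PTRACE` and `apparmor:unconfined` this makes the netdata container root-equivalent on the host, and its dashboard is published on `19999:19999` on every interface with no authentication (netdata has none built in — inferred, confirm for the image version). If container names are all that is wanted, put a docker-socket-proxy in front that exposes only `GET /containers/json`, and bind the dashboard to `127.0.0.1:19999:19999` behind an authenticating reverse proxy. `hostname: easypi.pro` is a deployment-specific value that belongs in a `.env`.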
@@ -0,0 +1,22 @@ +server { + listen 80; + server_name nexus3.easypi.pro; + return 301 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name nexus3.easypi.pro; + ssl_certificate ssl/easypi.crt; + ssl_certificate_key ssl/easypi.key; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!MD5; + client_max_body_size 1G; + location / { + proxy_pass http://127.0.0.1:8081; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto "https"; + } +} diff --git a/nfs/README.md b/nfs/README.md new file mode 100644 index 0000000..6c750d1 --- /dev/null +++ b/nfs/README.md @@ -0,0 +1,4 @@ +nfs +=== + +See: https://github.com/ehough/docker-nfs-server diff --git a/nfs/docker-compose.yml b/nfs/docker-compose.yml new file mode 100644 index 0000000..49b7a97 --- /dev/null +++ b/nfs/docker-compose.yml @@ -0,0 +1,22 @@ +nfs: + image: erichough/nfs-server + ports: + - "111:111/tcp" + - "111:111/udp" + - "2049:2049/tcp" + - "2049:2049/udp" + - "32765:32765/tcp" + - "32765:32765/udp" + - "32767:32767/tcp" + - "32767:32767/udp" + volumes: + - ./data/splash:/export/splash:ro + - /lib/modules:/lib/modules:ro + environment: + - NFS_LOG_LEVEL=DEBUG + - NFS_EXPORT_0=/export/splash/filters *(ro,no_subtree_check) + - NFS_EXPORT_1=/export/splash/js-profiles *(ro,no_subtree_check) + - NFS_EXPORT_2=/export/splash/lua_modules *(ro,no_subtree_check) + - NFS_EXPORT_3=/export/splash/proxy-profiles *(ro,no_subtree_check) + privileged: true + restart: always diff --git a/nifi/README.md b/nifi/README.md index b3f4449..e6a0b73 100644 --- a/nifi/README.md +++ b/nifi/README.md @@ -6,5 +6,14 @@ and distribute data. ![](https://nifi.apache.org/assets/images/flow-th.png) + +## up and running + +``` +$ docker-compose up -d +$ chown -R 1000:1000 data +$ docker-compose restart +``` + [1]: https://nifi.apache.org 
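Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2` still offers TLS 1.0 and 1.1, both deprecated and exposed to downgrade/BEAST-class attacks, and `ssl_ciphers HIGH:!aNULL:!MD5` admits static-RSA and CBC suites without forward secrecy; use `ssl_protocols TLSv1.2 TLSv1.3;` with an ECDHE/AEAD-only list such as `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;` and `ssl_prefer_server_ciphers on;` (TLS 1.3 needs nginx ≥ 1.13 with OpenSSL 1.1.1). Since this fronts a repository manager that clients authenticate to, `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 server block keeps browsers from ever speaking plain HTTP to it. `proxy_pass http://127.0.0.1:8081` assumes nginx runs on the host network with the compose `8081:8081` mapping, which is worth a one-line comment.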
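Review bot: Every export is granted to `*` (`NFS_EXPORT_0=/export/splash/filters *(ro,no_subtree_check)` and the three below it) and 111/2049/32765/32767 are published on all host interfaces, so any host that can reach this machine can mount the splash filters, JS and Lua profiles — read-only, but still a disclosure of whatever sits under `./data/splash`. Replace `*` with the client subnet, e.g. `10.0.0.0/24(ro,no_subtree_check)`, or bind the ports to the internal interface (`- "10.0.0.1:2049:2049/tcp"`). `privileged: true` appears to be what this image needs for the in-kernel NFS server (inferred from the `/lib/modules` mount), but it hands the container the host's devices and capabilities, so a dedicated host or VM is the right place for it, and `NFS_LOG_LEVEL=DEBUG` belongs off in normal operation.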
diff --git a/nifi/arm/Dockerfile b/nifi/arm/Dockerfile index c8d42a8..6a8a784 100644 --- a/nifi/arm/Dockerfile +++ b/nifi/arm/Dockerfile @@ -8,12 +8,18 @@ LABEL site="https://nifi.apache.org" ARG UID=1000 ARG GID=1000 -ARG NIFI_VERSION=1.5.0 -ARG MIRROR=https://archive.apache.org/dist +ARG NIFI_VERSION=1.9.0 +ARG BASE_URL=https://archive.apache.org/dist +ARG MIRROR_BASE_URL=${MIRROR_BASE_URL:-${BASE_URL}} +ARG NIFI_BINARY_PATH=${NIFI_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.zip} +ARG NIFI_TOOLKIT_BINARY_PATH=${NIFI_TOOLKIT_BINARY_PATH:-/nifi/${NIFI_VERSION}/nifi-toolkit-${NIFI_VERSION}-bin.zip} -ENV NIFI_BASE_DIR /opt/nifi -ENV NIFI_HOME=${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} \ - NIFI_BINARY_URL=/nifi/${NIFI_VERSION}/nifi-${NIFI_VERSION}-bin.tar.gz +ENV NIFI_BASE_DIR=/opt/nifi +ENV NIFI_HOME ${NIFI_BASE_DIR}/nifi-current +ENV NIFI_TOOLKIT_HOME ${NIFI_BASE_DIR}/nifi-toolkit-current + +ENV NIFI_PID_DIR=${NIFI_HOME}/run +ENV NIFI_LOG_DIR=${NIFI_HOME}/logs # Download scripts RUN mkdir -p /opt/nifi/scripts/ \ 
@@ -24,24 +30,42 @@ RUN mkdir -p /opt/nifi/scripts/ \
 # Setup NiFi user
 RUN groupadd -g ${GID} nifi || groupmod -n nifi `getent group ${GID} | cut -d: -f1` \
 && useradd --shell /bin/bash -u ${UID} -g ${GID} -m nifi \
- && mkdir -p ${NIFI_HOME}/conf/templates \
+ && mkdir -p ${NIFI_BASE_DIR} \
 && chown -R nifi:nifi ${NIFI_BASE_DIR} \
 && apt-get update \
- && apt-get install -y jq xmlstarlet
+ && apt-get install -y jq xmlstarlet procps
 USER nifi
 # Download, validate, and expand Apache NiFi binary.
-RUN curl -fSL ${MIRROR}/${NIFI_BINARY_URL} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
- && echo "$(curl https://archive.apache.org/dist/${NIFI_BINARY_URL}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz" | sha256sum -c - \
- && tar -xvzf ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz -C ${NIFI_BASE_DIR} \
- && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.tar.gz \
- && chown -R nifi:nifi ${NIFI_HOME}
+RUN curl -fSL ${MIRROR_BASE_URL}/${NIFI_BINARY_PATH} -o ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
+ && echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c - \
+ && unzip ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip -d ${NIFI_BASE_DIR} \
+ && rm ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip \
+ && mv ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION} ${NIFI_HOME} \
+ && mkdir -p ${NIFI_HOME}/conf \
+ && mkdir -p ${NIFI_HOME}/database_repository \
+ && mkdir -p ${NIFI_HOME}/flowfile_repository \
+ && mkdir -p ${NIFI_HOME}/content_repository \
+ && mkdir -p ${NIFI_HOME}/provenance_repository \
+ && mkdir -p ${NIFI_HOME}/state \
+ && mkdir -p ${NIFI_LOG_DIR} \
+ && ln -s ${NIFI_HOME} ${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}
+
+VOLUME ${NIFI_LOG_DIR} \
+ ${NIFI_HOME}/conf \
+ ${NIFI_HOME}/database_repository \
+ ${NIFI_HOME}/flowfile_repository \
+ ${NIFI_HOME}/content_repository \
+ ${NIFI_HOME}/provenance_repository \
+ ${NIFI_HOME}/state
+
+# Clear nifi-env.sh in favour of configuring all environment
variables in the Dockerfile
+RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh
 # Web HTTP(s) & Socket Site-to-Site Ports
 EXPOSE 8080 8443 10000
 WORKDIR ${NIFI_HOME}
-# Apply configuration and start NiFi
-CMD ${NIFI_BASE_DIR}/scripts/start.sh
+ENTRYPOINT ["../scripts/start.sh"]
diff --git a/nifi/arm/docker-compose.yml b/nifi/arm/docker-compose.yml
index 9dea323..e8657c3 100644
--- a/nifi/arm/docker-compose.yml
+++ b/nifi/arm/docker-compose.yml
@@ -2,5 +2,24 @@ nifi:
 image: easypi/nifi-arm
 ports:
 - "8080:8080"
+ - "8082:8082"
 - "10000:10000"
+ environment:
+ - NIFI_WEB_HTTP_PORT=8080
+ - NIFI_CLUSTER_IS_NODE=true
+ - NIFI_CLUSTER_NODE_PROTOCOL_PORT=8082
+ - NIFI_REMOTE_INPUT_SOCKET_PORT=10000
+ - NIFI_ZK_CONNECT_STRING=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181
+ - NIFI_ELECTION_MAX_WAIT=1 min
+ - NIFI_ELECTION_MAX_CANDIDATES=2
+ - NIFI_JVM_HEAP_INIT=512m
+ - NIFI_JVM_HEAP_MAX=1g
+ extra_hosts:
+ - zookeeper1:10.0.0.21
+ - zookeeper2:10.0.0.22
+ - zookeeper3:10.0.0.23
+ # nifi1:10.0.0.11
+ - nifi2:10.0.0.12
+ - nifi3:10.0.0.13
+ hostname: nifi1
 restart: always
diff --git a/nifi/docker-compose.yml b/nifi/docker-compose.yml
index 6350163..e691647 100644
--- a/nifi/docker-compose.yml
+++ b/nifi/docker-compose.yml
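Review bot: The digest fetch `echo "$(curl ${BASE_URL}/${NIFI_BINARY_PATH}.sha256) *${NIFI_BASE_DIR}/nifi-${NIFI_VERSION}-bin.zip" | sha256sum -c -` uses a bare `curl`, unlike the archive download on the line above which uses `-fSL`; on a 404 or an error page the response body lands in the expected-hash slot and the build fails inside sha256sum with an unhelpful message rather than at the fetch. Use `curl -fsSL ${BASE_URL}/${NIFI_BINARY_PATH}.sha256` so a failed fetch aborts with its own error (the check stays fail-closed either way, and taking the digest from `BASE_URL` rather than the mirror is the right split). `RUN echo "#!/bin/sh\n" > $NIFI_HOME/bin/nifi-env.sh` relies on the shell's `echo` expanding `\n`, which dash does and bash does not; `printf '#!/bin/sh\n\n' > $NIFI_HOME/bin/nifi-env.sh` behaves the same under either.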
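Review bot: `NIFI_WEB_HTTP_PORT=8080` puts the node in plain-HTTP mode, in which NiFi 1.x performs no authentication, and the file publishes the cluster protocol port (`"8082:8082"`) and the site-to-site port (`"10000:10000"`) on every host interface, so the cluster coordination and data-transfer paths, not just the UI, are reachable by anything that can reach the host. Since the peers are addressed by fixed 10.0.0.x entries under `extra_hosts`, bind the published ports to that interface (constructed from the commented `# nifi1:10.0.0.11` entry: `- "10.0.0.11:8082:8082"`) or keep them on an internal network and publish only the UI, and plan the HTTPS settings before this leaves a lab. nifi/docker-compose.yml on this page adds the identical block and should change with it.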
@@ -1,11 +1,25 @@
 nifi:
- image: vimagick/nifi
+ image: apache/nifi
 ports:
 - "8080:8080"
- - "8081:8081"
- volumes:
- - ./data/content_repository:/opt/nifi/content_repository
- - ./data/database_repository:/opt/nifi/database_repository
- - ./data/flowfile_repository:/opt/nifi/flowfile_repository
- - ./data/provenance_repository:/opt/nifi/provenance_repository
+ - "8082:8082"
+ - "10000:10000"
+ environment:
+ - NIFI_WEB_HTTP_PORT=8080
+ - NIFI_CLUSTER_IS_NODE=true
+ - NIFI_CLUSTER_NODE_PROTOCOL_PORT=8082
+ - NIFI_REMOTE_INPUT_SOCKET_PORT=10000
+ - NIFI_ZK_CONNECT_STRING=zookeeper1:2181,zookeeper2:2181,zookeeper3:2181
+ - NIFI_ELECTION_MAX_WAIT=1 min
+ - NIFI_ELECTION_MAX_CANDIDATES=2
+ - NIFI_JVM_HEAP_INIT=512m
+ - NIFI_JVM_HEAP_MAX=1g
+ extra_hosts:
+ - zookeeper1:10.0.0.21
+ - zookeeper2:10.0.0.22
+ - zookeeper3:10.0.0.23
+ # nifi1:10.0.0.11
+ - nifi2:10.0.0.12
+ - nifi3:10.0.0.13
+ hostname: nifi1
 restart: always
diff --git a/nifi/nginx.conf b/nifi/nginx.conf
new file mode 100644
index 0000000..1516bc4
--- /dev/null
+++ b/nifi/nginx.conf
@@ -0,0 +1,21 @@
+server {
+ listen 80;
+ server_name nifi.example.com;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl;
+ server_name nifi.example.com;
+ ssl_certificate ssl/example/example.com.crt;
+ ssl_certificate_key ssl/example/example.com.key;
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ location / {
+ proxy_set_header X-ProxyScheme https;
+ proxy_set_header X-ProxyHost $host;
+ proxy_set_header X-ProxyPort 443;
+ proxy_set_header X-ProxyContextPath /;
+ proxy_pass http://127.0.0.1:8080;
+ }
+}
diff --git a/node-red/Dockerfile b/node-red/Dockerfile
index bc2d59a..c51472f 100644
--- a/node-red/Dockerfile
+++ b/node-red/Dockerfile
@@ -6,30 +6,35 @@ FROM alpine
 MAINTAINER EasyPi Software Foundation
 RUN set -xe \
- && apk add --no-cache build-base \
- ca-certificates \
- curl \
- nodejs \
- nodejs-npm \
- python3 \
- python3-dev \
+ && apk add --no-cache \
+ bash \
+ build-base \
+ ca-certificates \
+ curl \
+ nodejs \
+ nodejs-npm \
+ python3 \
+ python3-dev \
 && ln -sf /usr/bin/python3 /usr/bin/python \
 && pip3 install --no-cache-dir rpi.gpio \
- six \
- && npm install -g --unsafe-perm node-red \
- node-red-admin \
- node-red-dashboard \
- && cd /usr/lib/node_modules/node-red/nodes/core/hardware \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/nrgpio > nrgpio \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/nrgpio.py > nrgpio.py \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/36-rpi-gpio.js > 36-rpi-gpio.js \
- && apk del build-base \
- python3-dev \
+ && npm install -g --unsafe-perm \
+ node-red \
+ node-red-admin \
+ node-red-dashboard \
+ node-red-node-email \
+ node-red-node-feedparser \
+ node-red-node-pi-gpio \
+ node-red-node-sentiment \
+ node-red-node-twitter \
+ && mkdir -p /usr/share/doc/python-rpi.gpio \
+ && apk del \
+ build-base \
+ python3-dev \
 && rm -rf /tmp/npm-*
-WORKDIR /root/.node-red
-VOLUME /root/.node-red
+WORKDIR /data
+VOLUME /data
 EXPOSE 1880
-CMD ["node-red"]
+CMD ["node-red", "--userDir", "/data", "--flowFile", "flows.json"]
diff --git a/node-red/README.md b/node-red/README.md
index d8724df..2dbff52 100644
--- a/node-red/README.md
+++ b/node-red/README.md
@@ -13,7 +13,7 @@ services in new and interesting ways.
 ```
 ~/fig/node-red/
 ├── docker-compose.yml
-└── node-red/
+└── data/
 ├── flows_cred.json
 ├── flows.json
 ├── lib/
@@ -31,7 +31,7 @@ node-red:
 ports:
 - "1880:1880"
 volumes:
- - ./data:/root/.node-red
+ - ./data:/data
 restart: always
 ```
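Review bot: `curl` stays in the permanent `apk add --no-cache` list although its only users — the three patch downloads — are removed in this same hunk, so the runtime image now ships a network client that nothing in the build needs; drop it or move it next to `build-base` into the set that `apk del` removes. The `npm install -g --unsafe-perm` list of eight packages and `FROM alpine` carry no versions, so each rebuild silently picks up whatever is latest on npm and in the Alpine index; pinning at least `node-red@<version>` (placeholder) keeps the image reproducible and makes each bump visible in a diff. node-red/arm/Dockerfile further down this page has the same two points.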
@@ -40,12 +40,6 @@ node-red: ```javascript module.exports = { - //... - - flowFile: 'flows.json', - - //... - adminAuth: { type: "credentials", users: [{ @@ -58,26 +52,30 @@ module.exports = { } }, - //... - } ``` -> Password hash can be generated by running `node-red-admin hash-pw`. +> Password hash can be generated by running `node-red-admin hash-pw` +> ## up and running -``` -$ cd ~/fig/node-red/ +```bash $ docker-compose up -d + $ docker-compose exec node-red node-red-admin hash-pw +>>> Password: ****** +... $2a$08$zZWtXTja0fB1pzD4sHCMyOCMYz2Z6dNbM6tl8sJogENOMcxWV9DN. + $ vi data/settings.js + $ docker-compose exec node-red bash ->>> cd /root/.node-red +>>> cd /data >>> apk add -U build-base >>> npm install node-red-node-irc >>> npm install node-red-node-daemon >>> exit + $ docker-compose restart ``` diff --git a/node-red/arm/Dockerfile b/node-red/arm/Dockerfile index 8d58e8b..b34a9c0 100644 --- a/node-red/arm/Dockerfile +++ b/node-red/arm/Dockerfile 
@@ -2,34 +2,39 @@
 # Dockerfile for node-red-arm
 #
-FROM easypi/alpine-arm
+FROM arm32v7/alpine:3
 MAINTAINER EasyPi Software Foundation
 RUN set -xe \
- && apk add --no-cache build-base \
- ca-certificates \
- curl \
- nodejs \
- nodejs-npm \
- python3 \
- python3-dev \
+ && apk add --no-cache \
+ bash \
+ build-base \
+ ca-certificates \
+ curl \
+ nodejs \
+ nodejs-npm \
+ python3 \
+ python3-dev \
 && ln -sf /usr/bin/python3 /usr/bin/python \
 && pip3 install --no-cache-dir rpi.gpio \
- six \
- && npm install -g --unsafe-perm node-red \
- node-red-admin \
- node-red-dashboard \
- && cd /usr/lib/node_modules/node-red/nodes/core/hardware \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/nrgpio > nrgpio \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/nrgpio.py > nrgpio.py \
- && curl -sSL https://github.com/vimagick/dockerfiles/raw/master/node-red/patch/36-rpi-gpio.js > 36-rpi-gpio.js \
- && apk del build-base \
- python3-dev \
+ && npm install -g --unsafe-perm \
+ node-red \
+ node-red-admin \
+ node-red-dashboard \
+ node-red-node-email \
+ node-red-node-feedparser \
+ node-red-node-pi-gpio \
+ node-red-node-sentiment \
+ node-red-node-twitter \
+ && mkdir -p /usr/share/doc/python-rpi.gpio \
+ && apk del \
+ build-base \
+ python3-dev \
 && rm -rf /tmp/npm-*
-WORKDIR /root/.node-red
-VOLUME /root/.node-red
+WORKDIR /data
+VOLUME /data
 EXPOSE 1880
-CMD ["node-red"]
+CMD ["node-red", "--userDir", "/data", "--flowFile", "flows.json"]
diff --git a/node-red/arm/docker-compose.yml b/node-red/arm/docker-compose.yml
index e787c1d..da94bd8 100644
--- a/node-red/arm/docker-compose.yml
+++ b/node-red/arm/docker-compose.yml
@@ -3,7 +3,7 @@ node-red:
 ports:
 - "1880:1880"
 volumes:
- - ./data:/root/.node-red
+ - ./data:/data
 - /dev/input:/dev/input
 privileged: yes
 restart: always
diff --git a/node-red/docker-compose.yml b/node-red/docker-compose.yml
index 2ba655f..a29ffc4 100644
--- a/node-red/docker-compose.yml
+++ b/node-red/docker-compose.yml
@@ -3,7 +3,7 @@ node-red:
 ports:
 - "1880:1880"
 volumes:
- - ./data:/root/.node-red
+ - ./data:/data
 - /dev/input:/dev/input
 privileged: yes
 restart: always
diff --git a/node-red/patch/36-rpi-gpio.js b/node-red/patch/36-rpi-gpio.js
deleted file mode 100644
index 4f7ded0..0000000
--- a/node-red/patch/36-rpi-gpio.js
+++ /dev/null
@@ -1,332 +0,0 @@ - -module.exports = function(RED) { - "use strict"; - var exec = require('child_process').exec; - var spawn = require('child_process').spawn; - var fs = require('fs'); - - var gpioCommand = __dirname+'/nrgpio'; - - try { - var cpuinfo = fs.readFileSync("/proc/cpuinfo").toString(); - if (cpuinfo.indexOf(": BCM") === -1) { throw "Info : "+RED._("rpi-gpio.errors.ignorenode"); } - } catch(err) { - throw "Info : "+RED._("rpi-gpio.errors.ignorenode"); - } - - try { - fs.statSync("/usr/share/doc/python-rpi.gpio"); // test on Raspbian - // /usr/lib/python3.6/dist-packages/RPi/GPIO - } catch(err) { - try { - fs.statSync("/usr/lib/python3.6/site-packages/RPi/GPIO"); // test on Arch - } - catch(err) { - try { - fs.statSync("/usr/lib/python3.6/dist-packages/RPi/GPIO"); // test on Hypriot - } - catch(err) { - RED.log.warn(RED._("rpi-gpio.errors.libnotfound")); - throw "Warning : "+RED._("rpi-gpio.errors.libnotfound"); - } - } - } - - if ( !(1 & parseInt((fs.statSync(gpioCommand).mode & parseInt("777", 8)).toString(8)[0]) )) { - RED.log.error(RED._("rpi-gpio.errors.needtobeexecutable",{command:gpioCommand})); - throw "Error : "+RED._("rpi-gpio.errors.mustbeexecutable"); - } - - // the magic to make python print stuff immediately - process.env.PYTHONUNBUFFERED = 1; - - var pinsInUse = {}; - var pinTypes = {"out":RED._("rpi-gpio.types.digout"), "tri":RED._("rpi-gpio.types.input"), "up":RED._("rpi-gpio.types.pullup"), "down":RED._("rpi-gpio.types.pulldown"), "pwm":RED._("rpi-gpio.types.pwmout")}; - - function GPIOInNode(n) { - RED.nodes.createNode(this,n); - this.buttonState = -1; - this.pin = n.pin; - this.intype = n.intype; - this.read = n.read || false; - this.debounce = Number(n.debounce || 25); - if (this.read) { this.buttonState = -2; } - var node = this; - if (!pinsInUse.hasOwnProperty(this.pin)) { - pinsInUse[this.pin] = this.intype; - } - else { - if ((pinsInUse[this.pin] !== this.intype)||(pinsInUse[this.pin] === "pwm")) { - 
node.warn(RED._("rpi-gpio.errors.alreadyset",{pin:this.pin,type:pinTypes[pinsInUse[this.pin]]})); - } - } - - if (node.pin !== undefined) { - node.child = spawn(gpioCommand, ["in",node.pin,node.intype,node.debounce]); - node.running = true; - node.status({fill:"green",shape:"dot",text:"common.status.ok"}); - - node.child.stdout.on('data', function (data) { - var d = data.toString().trim().split("\n"); - for (var i = 0; i < d.length; i++) { - if (d[i] === '') { return; } - if (node.running && node.buttonState !== -1 && !isNaN(Number(d[i])) && node.buttonState !== d[i]) { - node.send({ topic:"pi/"+node.pin, payload:Number(d[i]) }); - } - node.buttonState = d[i]; - node.status({fill:"green",shape:"dot",text:d[i]}); - if (RED.settings.verbose) { node.log("out: "+d[i]+" :"); } - } - }); - - node.child.stderr.on('data', function (data) { - if (RED.settings.verbose) { node.log("err: "+data+" :"); } - }); - - node.child.on('close', function (code) { - node.running = false; - node.child = null; - if (RED.settings.verbose) { node.log(RED._("rpi-gpio.status.closed")); } - if (node.done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - node.done(); - } - else { node.status({fill:"red",shape:"ring",text:"rpi-gpio.status.stopped"}); } - }); - - node.child.on('error', function (err) { - if (err.errno === "ENOENT") { node.error(RED._("rpi-gpio.errors.commandnotfound")); } - else if (err.errno === "EACCES") { node.error(RED._("rpi-gpio.errors.commandnotexecutable")); } - else { node.error(RED._("rpi-gpio.errors.error",{error:err.errno})) } - }); - - } - else { - node.warn(RED._("rpi-gpio.errors.invalidpin")+": "+node.pin); - } - - node.on("close", function(done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - delete pinsInUse[node.pin]; - if (node.child != null) { - node.done = done; - node.child.stdin.write("close "+node.pin); - node.child.kill('SIGKILL'); - } - else { done(); } - }); - } - RED.nodes.registerType("rpi-gpio 
in",GPIOInNode); - - function GPIOOutNode(n) { - RED.nodes.createNode(this,n); - this.pin = n.pin; - this.set = n.set || false; - this.level = n.level || 0; - this.freq = n.freq || 100; - this.out = n.out || "out"; - var node = this; - if (!pinsInUse.hasOwnProperty(this.pin)) { - pinsInUse[this.pin] = this.out; - } - else { - if ((pinsInUse[this.pin] !== this.out)||(pinsInUse[this.pin] === "pwm")) { - node.warn(RED._("rpi-gpio.errors.alreadyset",{pin:this.pin,type:pinTypes[pinsInUse[this.pin]]})); - } - } - - function inputlistener(msg) { - if (msg.payload === "true") { msg.payload = true; } - if (msg.payload === "false") { msg.payload = false; } - var out = Number(msg.payload); - var limit = 1; - if (node.out === "pwm") { limit = 100; } - if ((out >= 0) && (out <= limit)) { - if (RED.settings.verbose) { node.log("out: "+out); } - if (node.child !== null) { - node.child.stdin.write(out+"\n"); - node.status({fill:"green",shape:"dot",text:msg.payload.toString()}); - } - else { - node.error(RED._("rpi-gpio.errors.pythoncommandnotfound"),msg); - node.status({fill:"red",shape:"ring",text:"rpi-gpio.status.not-running"}); - } - } - else { node.warn(RED._("rpi-gpio.errors.invalidinput")+": "+out); } - } - - if (node.pin !== undefined) { - if (node.set && (node.out === "out")) { - node.child = spawn(gpioCommand, [node.out,node.pin,node.level]); - node.status({fill:"green",shape:"dot",text:node.level}); - } else { - node.child = spawn(gpioCommand, [node.out,node.pin,node.freq]); - node.status({fill:"green",shape:"dot",text:"common.status.ok"}); - } - node.running = true; - - node.on("input", inputlistener); - - node.child.stdout.on('data', function (data) { - if (RED.settings.verbose) { node.log("out: "+data+" :"); } - }); - - node.child.stderr.on('data', function (data) { - if (RED.settings.verbose) { node.log("err: "+data+" :"); } - }); - - node.child.on('close', function (code) { - node.child = null; - node.running = false; - if (RED.settings.verbose) { 
node.log(RED._("rpi-gpio.status.closed")); } - if (node.done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - node.done(); - } - else { node.status({fill:"red",shape:"ring",text:"rpi-gpio.status.stopped"}); } - }); - - node.child.on('error', function (err) { - if (err.errno === "ENOENT") { node.error(RED._("rpi-gpio.errors.commandnotfound")); } - else if (err.errno === "EACCES") { node.error(RED._("rpi-gpio.errors.commandnotexecutable")); } - else { node.error(RED._("rpi-gpio.errors.error")+': ' + err.errno); } - }); - - } - else { - node.warn(RED._("rpi-gpio.errors.invalidpin")+": "+node.pin); - } - - node.on("close", function(done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - delete pinsInUse[node.pin]; - if (node.child != null) { - node.done = done; - node.child.stdin.write("close "+node.pin); - node.child.kill('SIGKILL'); - } - else { done(); } - }); - - } - RED.nodes.registerType("rpi-gpio out",GPIOOutNode); - - function PiMouseNode(n) { - RED.nodes.createNode(this,n); - this.butt = n.butt || 7; - var node = this; - - node.child = spawn(gpioCommand+".py", ["mouse",node.butt]); - node.status({fill:"green",shape:"dot",text:"common.status.ok"}); - - node.child.stdout.on('data', function (data) { - data = Number(data); - if (data === 1) { node.send({ topic:"pi/mouse", button:data, payload:1 }); } - else { node.send({ topic:"pi/mouse", button:data, payload:0 }); } - }); - - node.child.stderr.on('data', function (data) { - if (RED.settings.verbose) { node.log("err: "+data+" :"); } - }); - - node.child.on('close', function (code) { - node.child = null; - node.running = false; - if (RED.settings.verbose) { node.log(RED._("rpi-gpio.status.closed")); } - if (node.done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - node.done(); - } - else { node.status({fill:"red",shape:"ring",text:"rpi-gpio.status.stopped"}); } - }); - - node.child.on('error', function (err) { - if (err.errno === 
"ENOENT") { node.error(RED._("rpi-gpio.errors.commandnotfound")); } - else if (err.errno === "EACCES") { node.error(RED._("rpi-gpio.errors.commandnotexecutable")); } - else { node.error(RED._("rpi-gpio.errors.error")+': ' + err.errno); } - }); - - node.on("close", function(done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - if (node.child != null) { - node.done = done; - node.child.kill('SIGINT'); - node.child = null; - } - else { done(); } - }); - } - RED.nodes.registerType("rpi-mouse",PiMouseNode); - - function PiKeyboardNode(n) { - RED.nodes.createNode(this,n); - var node = this; - - node.child = spawn(gpioCommand+".py", ["kbd","0"]); - node.status({fill:"green",shape:"dot",text:"common.status.ok"}); - - node.child.stdout.on('data', function (data) { - var b = data.toString().trim().split(","); - var act = "up"; - if (b[1] === "1") { act = "down"; } - if (b[1] === "2") { act = "repeat"; } - node.send({ topic:"pi/key", payload:Number(b[0]), action:act }); - }); - - node.child.stderr.on('data', function (data) { - if (RED.settings.verbose) { node.log("err: "+data+" :"); } - }); - - node.child.on('close', function (code) { - node.running = false; - node.child = null; - if (RED.settings.verbose) { node.log(RED._("rpi-gpio.status.closed")); } - if (node.done) { - node.status({fill:"grey",shape:"ring",text:"rpi-gpio.status.closed"}); - node.done(); - } - else { node.status({fill:"red",shape:"ring",text:"rpi-gpio.status.stopped"}); } - }); - - node.child.on('error', function (err) { - if (err.errno === "ENOENT") { node.error(RED._("rpi-gpio.errors.commandnotfound")); } - else if (err.errno === "EACCES") { node.error(RED._("rpi-gpio.errors.commandnotexecutable")); } - else { node.error(RED._("rpi-gpio.errors.error")+': ' + err.errno); } - }); - - node.on("close", function(done) { - node.status({}); - if (node.child != null) { - node.done = done; - node.child.kill('SIGINT'); - node.child = null; - } - else { done(); } - }); - } - 
RED.nodes.registerType("rpi-keyboard",PiKeyboardNode); - - var pitype = { type:"" }; - exec(gpioCommand+" info", function(err,stdout,stderr) { - if (err) { - RED.log.info(RED._("rpi-gpio.errors.version")); - } - else { - try { - var info = JSON.parse( stdout.trim().replace(/\'/g,"\"") ); - pitype.type = info["TYPE"]; - } - catch(e) { - RED.log.info(RED._("rpi-gpio.errors.sawpitype"),stdout.trim()); - } - } - }); - - RED.httpAdmin.get('/rpi-gpio/:id', RED.auth.needsPermission('rpi-gpio.read'), function(req,res) { - res.json(pitype); - }); - - RED.httpAdmin.get('/rpi-pins/:id', RED.auth.needsPermission('rpi-gpio.read'), function(req,res) { - res.json(pinsInUse); - }); -} diff --git a/node-red/patch/README.md b/node-red/patch/README.md deleted file mode 100644 index 2bc6d0f..0000000 --- a/node-red/patch/README.md +++ /dev/null @@ -1,4 +0,0 @@ -Node-RED PATCH -============== - -python2 (on alpine linux) cannot read usb keyboard input device diff --git a/node-red/patch/nrgpio b/node-red/patch/nrgpio deleted file mode 100755 index 3488030..0000000 --- a/node-red/patch/nrgpio +++ /dev/null @@ -1,17 +0,0 @@ -#!/bin/sh -# -# Copyright JS Foundation and other contributors, http://js.foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -BASEDIR=$(dirname $0) -python -u $BASEDIR/nrgpio.py $@ diff --git a/node-red/patch/nrgpio.py b/node-red/patch/nrgpio.py deleted file mode 100755 index 9fa5b8a..0000000 --- a/node-red/patch/nrgpio.py +++ /dev/null 
@@ -1,245 +0,0 @@ -#!/usr/bin/python -# -# Copyright JS Foundation and other contributors, http://js.foundation -# -# Licensed under the Apache License, Version 2.0 (the "License"); -# you may not use this file except in compliance with the License. -# You may obtain a copy of the License at -# http://www.apache.org/licenses/LICENSE-2.0 -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, -# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. -# - -# Import library functions we need -import six - -try: - import RPi.GPIO as GPIO -except: - class GPIO: - BOARD = None - @staticmethod - def setmode(*args): pass - @staticmethod - def setwarnings(*args): pass - -import struct -import sys -import os -import subprocess -from time import sleep - -bounce = 25; - -if len(sys.argv) > 2: - cmd = sys.argv[1].lower() - pin = int(sys.argv[2]) - GPIO.setmode(GPIO.BOARD) - GPIO.setwarnings(False) - - if cmd == "pwm": - #print "Initialised pin "+str(pin)+" to PWM" - try: - freq = int(sys.argv[3]) - except: - freq = 100 - - GPIO.setup(pin,GPIO.OUT) - p = GPIO.PWM(pin, freq) - p.start(0) - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - p.ChangeDutyCycle(float(data)) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - GPIO.cleanup(pin) - sys.exit(0) - except Exception as ex: - six.print_("bad data: "+data) - - elif cmd == "buzz": - #print "Initialised pin "+str(pin)+" to Buzz" - GPIO.setup(pin,GPIO.OUT) - p = GPIO.PWM(pin, 100) - p.stop() - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - elif float(data) == 0: - p.stop() - else: - p.start(50) - p.ChangeFrequency(float(data)) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - 
GPIO.cleanup(pin) - sys.exit(0) - except Exception as ex: - six.print_("bad data: "+data) - - elif cmd == "out": - #print "Initialised pin "+str(pin)+" to OUT" - GPIO.setup(pin,GPIO.OUT) - if len(sys.argv) == 4: - GPIO.output(pin,int(sys.argv[3])) - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - data = int(data) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - GPIO.cleanup(pin) - sys.exit(0) - except: - if len(sys.argv) == 4: - data = int(sys.argv[3]) - else: - data = 0 - if data != 0: - data = 1 - GPIO.output(pin,data) - - elif cmd == "in": - #print "Initialised pin "+str(pin)+" to IN" - bounce = float(sys.argv[4]) - def handle_callback(chan): - sleep(bounce/1000.0) - six.print_(GPIO.input(chan)) - - if sys.argv[3].lower() == "up": - GPIO.setup(pin,GPIO.IN,GPIO.PUD_UP) - elif sys.argv[3].lower() == "down": - GPIO.setup(pin,GPIO.IN,GPIO.PUD_DOWN) - else: - GPIO.setup(pin,GPIO.IN) - - six.print_(GPIO.input(pin)) - GPIO.add_event_detect(pin, GPIO.BOTH, callback=handle_callback, bouncetime=int(bounce)) - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - GPIO.cleanup(pin) - sys.exit(0) - - elif cmd == "byte": - #print "Initialised BYTE mode - "+str(pin)+ - list = [7,11,13,12,15,16,18,22] - GPIO.setup(list,GPIO.OUT) - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - data = int(data) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - GPIO.cleanup() - sys.exit(0) - except: - data = 0 - for bit in range(8): - if pin == 1: - mask = 1 << (7 - bit) - else: - mask = 1 << bit - GPIO.output(list[bit], data & mask) - - elif cmd == "borg": - #print "Initialised BORG mode - "+str(pin)+ - GPIO.setup(11,GPIO.OUT) - GPIO.setup(13,GPIO.OUT) - GPIO.setup(15,GPIO.OUT) - r = GPIO.PWM(11, 100) - g = GPIO.PWM(13, 
100) - b = GPIO.PWM(15, 100) - r.start(0) - g.start(0) - b.start(0) - - while True: - try: - data = six.moves.input() - if 'close' in data: - sys.exit(0) - c = data.split(",") - r.ChangeDutyCycle(float(c[0])) - g.ChangeDutyCycle(float(c[1])) - b.ChangeDutyCycle(float(c[2])) - except (EOFError, SystemExit): # hopefully always caused by us sigint'ing the program - GPIO.cleanup() - sys.exit(0) - except: - data = 0 - - elif cmd == "mouse": # catch mice button events - file = open( "/dev/input/mice", "rb" ) - oldbutt = 0 - - def getMouseEvent(): - global oldbutt - global pin - buf = file.read(3) - pin = pin & 0x07 - button = six.byte2int(buf) & pin # mask out just the required button(s) - if button != oldbutt: # only send if changed - oldbutt = button - six.print_(button) - - while True: - try: - getMouseEvent() - except: - file.close() - sys.exit(0) - - elif cmd == "kbd": # catch keyboard button events - try: - while not os.path.isdir("/dev/input/by-path"): - time.sleep(10) - infile = subprocess.check_output("ls /dev/input/by-path/ | grep -m 1 'kbd'", shell=True).strip() - infile_path = "/dev/input/by-path/" + infile.decode('utf-8') - EVENT_SIZE = struct.calcsize('llHHI') - file = open(infile_path, "rb") - event = file.read(EVENT_SIZE) - while event: - (tv_sec, tv_usec, type, code, value) = struct.unpack('llHHI', event) - #if type != 0 or code != 0 or value != 0: - if type == 1: - # type,code,value - six.print_("%u,%u" % (code, value)) - event = file.read(EVENT_SIZE) - six.print_("0,0") - file.close() - sys.exit(0) - except: - file.close() - sys.exit(0) - -elif len(sys.argv) > 1: - cmd = sys.argv[1].lower() - if cmd == "rev": - six.print_(GPIO.RPI_REVISION) - elif cmd == "ver": - six.print_(GPIO.VERSION) - elif cmd == "info": - six.print_(GPIO.RPI_INFO) - else: - six.print_("Bad parameters - in|out|pwm|buzz|byte|borg|mouse|kbd|ver|info {pin} {value|up|down}") - six.print_(" only ver (gpio version) and info (board information) accept no pin parameter.") - -else: - 
six.print_("Bad parameters - in|out|pwm|buzz|byte|borg|mouse|kbd|ver|info {pin} {value|up|down}")
diff --git a/node-red/patch/screenshot.png b/node-red/patch/screenshot.png
deleted file mode 100644
index 04a19b7..0000000
Binary files a/node-red/patch/screenshot.png and /dev/null differ
diff --git a/nodebb/Dockerfile b/nodebb/Dockerfile
index ec3f25b..79af512 100644
--- a/nodebb/Dockerfile
+++ b/nodebb/Dockerfile
@@ -5,31 +5,30 @@ FROM alpine
 MAINTAINER kev
-ENV BB_VER 1.10.1
-ENV BB_URL https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
-ENV BB_SOURCE /usr/src/nodebb
-ENV BB_CONTENT /var/lib/nodebb
+ENV BB_VER=1.12.2
+ENV BB_URL=https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
+ENV BB_SOURCE=/usr/src/nodebb
+ENV BB_CONTENT=/var/lib/nodebb
 WORKDIR $BB_SOURCE
 VOLUME $BB_CONTENT
 RUN set -ex \
 && apk add -U bash \
+ icu \
 imagemagick \
- krb5-libs \
 nodejs \
 nodejs-npm \
 openssl \
 && apk add -t TMP build-base \
 curl \
 git \
- krb5-dev \
+ icu-dev \
 openssl-dev \
 python \
 tar \
 && curl -sSL $BB_URL | tar xz --strip 1 \
- && npm install --production \
- && npm cache clean \
+ && ./nodebb setup \
 && apk del TMP \
 && rm -rf /tmp/npm* \
 /var/cache/apk/*
@@ -38,4 +37,4 @@ COPY docker-entrypoint.sh /entrypoint.sh
 ENTRYPOINT ["/entrypoint.sh"]
 EXPOSE 4567
-CMD ["npm", "start"]
+CMD ["./nodebb", "start"]
diff --git a/nodebb/Dockerfile.debian b/nodebb/Dockerfile.debian
index 2df6330..9055d1c 100644
--- a/nodebb/Dockerfile.debian
+++ b/nodebb/Dockerfile.debian
@@ -5,10 +5,10 @@ FROM debian
 MAINTAINER kev
-ENV BB_VER 1.6.1
-ENV BB_URL https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
-ENV BB_SOURCE /usr/src/nodebb
-ENV BB_CONTENT /var/lib/nodebb
+ENV BB_VER=1.12.2
+ENV BB_URL=https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
+ENV BB_SOURCE=/usr/src/nodebb
+ENV BB_CONTENT=/var/lib/nodebb
 WORKDIR $BB_SOURCE
 VOLUME $BB_CONTENT
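Review bot: `&& ./nodebb setup \` replaces `npm install --production` with NodeBB's setup wizard, run at image build time where, as far as this Dockerfile shows, no redis or database is reachable; if that step writes `config.json` into `$BB_SOURCE` — the entrypoint hunk on this page (`cp "$BB_SOURCE/config.json" "$BB_CONTENT/config.json"`) exists precisely to copy such a file into the volume on first start — then any values it generates, a session secret in particular, are baked into the published image layer and shared by every deployment. Please confirm what `setup` produces in a non-interactive build; if the intent is only to install dependencies and build assets, `npm install --production` followed by `./nodebb build` (both already used on this page) does that without leaving runtime configuration in the image. nodebb/arm/Dockerfile further down carries the same change.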
@@ -22,7 +22,7 @@ RUN set -ex \
 libssl1.0.0 \
 libssl-dev \
 python \
- && curl -sSL https://deb.nodesource.com/setup_6.x | bash - \
+ && curl -sSL https://deb.nodesource.com/setup_10.x | bash - \
 && apt-get install -y nodejs \
 && curl -sSL $BB_URL | tar xz --strip 1 \
 && npm install --production \
diff --git a/nodebb/README.md b/nodebb/README.md
index 9aac00a..ee6a507 100644
--- a/nodebb/README.md
+++ b/nodebb/README.md
@@ -19,6 +19,8 @@ nodebb:
 volumes:
 - ./data:/var/lib/nodebb
 - /usr/src/nodebb/build
+ - /usr/src/nodebb/node_modules
+ - /usr/src/nodebb/public/uploads
 restart: always
 redis:
@@ -46,9 +48,9 @@ $ firefox http://localhost:4567
 ```bash
 $ docker-compose pull nodebb
 $ docker-compose exec nodebb sh
->>> ./nodebb build
+>>> ./nodebb upgrade
 >>> exit
 ```
 [1]: https://nodebb.org/
-[2]: https://docs.nodebb.org/en/latest/
+[2]: https://docs.nodebb.org/
diff --git a/nodebb/arm/Dockerfile b/nodebb/arm/Dockerfile
index 5a5c1d4..d87e957 100644
--- a/nodebb/arm/Dockerfile
+++ b/nodebb/arm/Dockerfile
@@ -2,34 +2,33 @@
 # Dockerfile for nodebb-arm
 #
-FROM easypi/alpine-arm
+FROM arm32v7/alpine:3
 MAINTAINER EasyPi Software Foundation
-ENV BB_VER 1.10.1
-ENV BB_URL https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
-ENV BB_SOURCE /usr/src/nodebb
-ENV BB_CONTENT /var/lib/nodebb
+ENV BB_VER=1.12.2
+ENV BB_URL=https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz
+ENV BB_SOURCE=/usr/src/nodebb
+ENV BB_CONTENT=/var/lib/nodebb
 WORKDIR $BB_SOURCE
 VOLUME $BB_CONTENT
 RUN set -ex \
 && apk add -U bash \
+ icu \
 imagemagick \
- krb5-libs \
 nodejs \
 nodejs-npm \
 openssl \
 && apk add -t TMP build-base \
 curl \
 git \
- krb5-dev \
+ icu-dev \
 openssl-dev \
 python \
 tar \
 && curl -sSL $BB_URL | tar xz --strip 1 \
- && npm install --production \
- && npm cache clean \
+ && ./nodebb setup \
 && apk del TMP \
 && rm -rf /tmp/npm* \
 /var/cache/apk/*
@@ -38,4 +37,4 @@ COPY docker-entrypoint.sh /entrypoint.sh ENTRYPOINT ["/entrypoint.sh"] EXPOSE 4567 -CMD ["npm", "start"] +CMD ["./nodebb", "start"] diff --git a/nodebb/arm/Dockerfile.debian b/nodebb/arm/Dockerfile.debian index d7ef42b..907cce2 100644 --- a/nodebb/arm/Dockerfile.debian +++ b/nodebb/arm/Dockerfile.debian @@ -5,10 +5,10 @@ FROM resin/rpi-raspbian MAINTAINER EasyPi Software Foundation -ENV BB_VER 1.6.1 -ENV BB_URL https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz -ENV BB_SOURCE /usr/src/nodebb -ENV BB_CONTENT /var/lib/nodebb +ENV BB_VER=1.12.2 +ENV BB_URL=https://github.com/NodeBB/NodeBB/archive/v$BB_VER.tar.gz +ENV BB_SOURCE=/usr/src/nodebb +ENV BB_CONTENT=/var/lib/nodebb WORKDIR $BB_SOURCE VOLUME $BB_CONTENT @@ -22,7 +22,7 @@ RUN set -ex \ libssl1.0.0 \ libssl-dev \ python \ - && curl -sSL https://deb.nodesource.com/setup_6.x | bash - \ + && curl -sSL https://deb.nodesource.com/setup_10.x | bash - \ && apt-get install -y nodejs \ && curl -sSL $BB_URL | tar xz --strip 1 \ && npm install --production \ diff --git a/nodebb/arm/docker-compose.yml b/nodebb/arm/docker-compose.yml index ddaa34d..5a7359f 100644 --- a/nodebb/arm/docker-compose.yml +++ b/nodebb/arm/docker-compose.yml @@ -7,6 +7,8 @@ nodebb: volumes: - ./data:/var/lib/nodebb - /usr/src/nodebb/build + - /usr/src/nodebb/node_modules + - /usr/src/nodebb/public/uploads restart: always redis: diff --git a/nodebb/arm/docker-entrypoint.sh b/nodebb/arm/docker-entrypoint.sh index 98553fd..cd52095 100755 --- a/nodebb/arm/docker-entrypoint.sh +++ b/nodebb/arm/docker-entrypoint.sh @@ -5,7 +5,7 @@ export NODE_ENV=production export silent=false export daemon=false -if [[ "$*" == npm*start* ]]; then +if [[ "$*" == ./nodebb*start* ]]; then if [ ! -e "$BB_CONTENT/config.json" ]; then if [ -e "$BB_SOURCE/config.json" ]; then cp "$BB_SOURCE/config.json" "$BB_CONTENT/config.json" diff --git a/nodebb/docker-compose.yml b/nodebb/docker-compose.yml index 7d4af16..84a2304 100644 
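Review bot: `/usr/src/nodebb/node_modules` and `/usr/src/nodebb/public/uploads` are added as anonymous volumes, and Compose re-attaches anonymous volumes when it recreates a container, so after `docker-compose pull` the old node_modules keeps shadowing the ones in the new image — including any dependency security fixes — unless the stack is restarted with `docker-compose up -d -V`; uploads, which are user data, likewise land in an unnamed volume that is easy to orphan with `down -v`. Give uploads an explicit mount such as `- ./uploads:/usr/src/nodebb/public/uploads`, and either drop the node_modules volume or document the `-V` requirement next to the README's upgrade steps. The same hunk appears in nodebb/docker-compose.yml.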
--- a/nodebb/docker-compose.yml +++ b/nodebb/docker-compose.yml @@ -7,6 +7,8 @@ nodebb: volumes: - ./data:/var/lib/nodebb - /usr/src/nodebb/build + - /usr/src/nodebb/node_modules + - /usr/src/nodebb/public/uploads restart: always redis: diff --git a/nodebb/docker-entrypoint.sh b/nodebb/docker-entrypoint.sh index 98553fd..cd52095 100755 --- a/nodebb/docker-entrypoint.sh +++ b/nodebb/docker-entrypoint.sh @@ -5,7 +5,7 @@ export NODE_ENV=production export silent=false export daemon=false -if [[ "$*" == npm*start* ]]; then +if [[ "$*" == ./nodebb*start* ]]; then if [ ! -e "$BB_CONTENT/config.json" ]; then if [ -e "$BB_SOURCE/config.json" ]; then cp "$BB_SOURCE/config.json" "$BB_CONTENT/config.json" diff --git a/ntopng/Dockerfile b/ntopng/Dockerfile new file mode 100644 index 0000000..eb388be --- /dev/null +++ b/ntopng/Dockerfile @@ -0,0 +1,31 @@ +# +# Dockerfile for ntopng +# + +FROM ubuntu:18.04 +MAINTAINER EasyPi Software Foundation + +RUN set -xe \ + && apt update \ + && apt install -y curl gnupg libjson-c3 \ + && curl -sSL http://packages.ntop.org/apt-stable/ntop.key | apt-key add - \ + && { \ + echo "deb http://packages.ntop.org/apt/18.04/ x64/"; \ + echo "deb http://packages.ntop.org/apt/18.04/ all/"; \ + } > /etc/apt/sources.list.d/ntop.list \ + && apt update \ + && apt install -y ntopng \ + && rm -rf /var/lib/apt/lists/* + +VOLUME /var/lib/ntopng + +EXPOSE 3000 5556 + +ENTRYPOINT ["ntopng"] +CMD [ \ + "--community", \ + "--data-dir", "/var/lib/ntopng", \ + "--http-port", "0.0.0.0:3000", \ + "--interface", "tcp://0.0.0.0:5556c", \ + "--redis", "redis" \ + ] diff --git a/ntopng/README.md b/ntopng/README.md new file mode 100644 index 0000000..1d03fe4 --- /dev/null +++ b/ntopng/README.md 
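Review bot: The ntop signing key and both apt sources are fetched over plain HTTP (`curl -sSL http://packages.ntop.org/apt-stable/ntop.key | apt-key add -`, `deb http://packages.ntop.org/apt/18.04/ ...`), so the trust anchor for every following `apt install` is itself unauthenticated and an on-path attacker can substitute key and packages at build time; fetch the key over `https://`, use `https://` for the repository if it is served that way, and check the imported key against a recorded fingerprint (`<NTOP_KEY_FINGERPRINT>`). owntracks/ot-recorder/Dockerfile in this commit has the same `http://repo.owntracks.org/...` pattern for its key and repo. Separately, the default CMD binds the web UI (`--http-port 0.0.0.0:3000`) and the ZMQ flow collector (`--interface tcp://0.0.0.0:5556c`) on all interfaces, and nothing in this CMD configures authentication or encryption for the collector, so the README should state that both ports must be restricted at the host or compose level.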
@@ -0,0 +1,66 @@ +ntopng +====== + +[ntopng][1] is the next generation version of the original ntop, a network traffic +probe that monitors network usage. ntopng is based on libpcap and it has been +written in a portable way in order to virtually run on every Unix platform, +MacOSX and on Windows as well. + +[nProbe][2] is a software NetFlow v5/v9/IPFIX probe able to collect, analyze and +export network traffic reports using the standard Cisco NetFlow v5/v9/IPFIX +format. It is available for most of the OSs on the market (Windows, BSD, Linux, +MacOSX). When installed on a PC, nProbe turn it into a Network-aware monitoring +appliance. + +> :warning: [nProbe][3] is not free + +## docker-compose.yml + +```yaml +version: '3' + +services: + + ntopng: + image: vimagick/ntopng + command: --community -d /var/lib/ntopng -i eth0 -r 127.0.0.1:6379@0 -w 0.0.0.0:3000 + volumes: + - ./data/ntopng:/var/lib/ntopng + network_mode: host + restart: unless-stopped + + redis: + image: redis:alpine + command: --save 900 1 + ports: + - "6379:6379" + volumes: + - ./data/redis:/data + restart: unless-stopped +``` + +## Standalone mode + +``` +$ mkdir -m 777 -p data/{ntopng,redis} +$ docker-compose up -d +$ curl http://127.0.0.1:3000 +``` + +## Collector mode + +``` +$ mkdir -m 777 -p data/{ntopng,redis} +$ docker-compose up -d -f docker-compose-collector.yml +$ curl http://127.0.0.1:3000 +``` + +``` +$ nprobe -i eth0 -n none --zmq-probe-mode --zmq tcp://ntopng-server:5556 -f 'tcp port 80' +``` + + + +[1]: https://www.ntop.org/guides/ntopng/cli_options.html +[2]: https://www.ntop.org/guides/nProbe/cli_options.html +[3]: https://www.ntop.org/products/netflow/nprobe/ diff --git a/ntopng/docker-compose-collector.yml b/ntopng/docker-compose-collector.yml new file mode 100644 index 0000000..d07e13a --- /dev/null +++ b/ntopng/docker-compose-collector.yml 
@@ -0,0 +1,19 @@ +version: '3' + +services: + + ntopng: + image: vimagick/ntopng + ports: + - "3000:3000" + - "5556:5556" + volumes: + - ./data/ntopng:/var/lib/ntopng + restart: unless-stopped + + redis: + image: redis:alpine + command: --save 900 1 + volumes: + - ./data/redis:/data + restart: unless-stopped diff --git a/ntopng/docker-compose.yml b/ntopng/docker-compose.yml new file mode 100644 index 0000000..6102220 --- /dev/null +++ b/ntopng/docker-compose.yml @@ -0,0 +1,20 @@ +version: '3' + +services: + + ntopng: + image: vimagick/ntopng + command: --community -d /var/lib/ntopng -i eth0 -r 127.0.0.1:6379@0 -w 127.0.0.1:3000 + volumes: + - ./data/ntopng:/var/lib/ntopng + network_mode: host + restart: unless-stopped + + redis: + image: redis:alpine + command: --save 900 1 + ports: + - "127.0.0.1:6379:6379" + volumes: + - ./data/redis:/data + restart: unless-stopped diff --git a/odoo/README.md b/odoo/README.md index 8d8f0b6..0b144c1 100644 --- a/odoo/README.md +++ b/odoo/README.md @@ -7,21 +7,23 @@ odoo ```yaml odoo: - image: odoo:11.0 + image: odoo:12 ports: - - "8069:8069" + - "127.0.0.1:8069:8069" volumes: - - ./data/odoo:/var/lib/odoo + - ./data/config:/etc/odoo + - ./data/web:/var/lib/odoo - ./data/addons:/mnt/extra-addons links: - postgres:db restart: always postgres: - image: postgres:9-alpine + image: postgres:11-alpine volumes: - ./data/postgres:/var/lib/postgresql/data environment: + - POSTGRES_DB=postgres - POSTGRES_USER=odoo - POSTGRES_PASSWORD=odoo restart: always @@ -30,13 +32,11 @@ postgres: ## up and running ```bash -$ mkdir -m 777 -p data/odoo +$ mkdir -m 777 -p data/web $ docker-compose up -d -$ docker-compose exec postgres psql -U postgres -postgres=# \l -postgres=# drop database odoo; -postgres=# \q $ curl http://localhost:8069 ``` +> Create a database: odoo + [1]: https://www.odoo.com diff --git a/odoo/data/addons/.gitkeep b/odoo/data/addons/.gitkeep new file mode 100644 index 0000000..e69de29 
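Review bot: docker-compose-collector.yml publishes `3000:3000` and `5556:5556` without a host address, so the ntopng web UI (which ships with default admin credentials until changed) and the unauthenticated ZMQ flow collector are reachable from every interface, whereas docker-compose.yml in the same commit deliberately binds the UI and redis to 127.0.0.1. Use `- "127.0.0.1:3000:3000"` and bind 5556 to the address the nProbe host actually reaches (`- "<COLLECTOR_IP>:5556:5556"`), or document a host firewall rule for it. The README's `docker-compose up -d -f docker-compose-collector.yml` also puts `-f` after the subcommand, where it is not accepted; it belongs before `up`.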
diff --git a/odoo/data/config/odoo.conf b/odoo/data/config/odoo.conf new file mode 100644 index 0000000..22e2093 --- /dev/null +++ b/odoo/data/config/odoo.conf @@ -0,0 +1,37 @@ +[options] +addons_path = /mnt/extra-addons +data_dir = /var/lib/odoo +; admin_passwd = admin +; csv_internal_sep = , +; db_maxconn = 64 +; db_name = False +; db_template = template1 +; dbfilter = .* +; debug_mode = False +; email_from = False +; limit_memory_hard = 2684354560 +; limit_memory_soft = 2147483648 +; limit_request = 8192 +; limit_time_cpu = 60 +; limit_time_real = 120 +; list_db = True +; log_db = False +; log_handler = [':INFO'] +; log_level = info +; logfile = None +; longpolling_port = 8072 +; max_cron_threads = 2 +; osv_memory_age_limit = 1.0 +; osv_memory_count_limit = False +; smtp_password = False +; smtp_port = 25 +; smtp_server = localhost +; smtp_ssl = False +; smtp_user = False +; workers = 0 +; xmlrpc = True +; xmlrpc_interface = +; xmlrpc_port = 8069 +; xmlrpcs = True +; xmlrpcs_interface = +; xmlrpcs_port = 8071 diff --git a/odoo/data/web/.gitkeep b/odoo/data/web/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/odoo/docker-compose.yml b/odoo/docker-compose.yml index 6565e21..ef38231 100644 --- a/odoo/docker-compose.yml +++ b/odoo/docker-compose.yml @@ -1,19 +1,21 @@ odoo: - image: odoo:11.0 + image: odoo:12 ports: - - "8069:8069" + - "127.0.0.1:8069:8069" volumes: - - ./data/odoo:/var/lib/odoo + - ./data/config:/etc/odoo + - ./data/web:/var/lib/odoo - ./data/addons:/mnt/extra-addons links: - postgres:db restart: always postgres: - image: postgres:9-alpine + image: postgres:11-alpine volumes: - ./data/postgres:/var/lib/postgresql/data environment: + - POSTGRES_DB=postgres - POSTGRES_USER=odoo - POSTGRES_PASSWORD=odoo restart: always diff --git a/openldap/README.md b/openldap/README.md new file mode 100644 index 0000000..5c885aa --- /dev/null +++ b/openldap/README.md 
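Review bot: odoo.conf leaves the master password commented out (`; admin_passwd = admin`) with `; list_db = True` and `; dbfilter = .*` at their defaults, and the directory is bind-mounted to /etc/odoo, so the database manager the README tells the user to drive ("Create a database: odoo") is guarded only by whatever Odoo does with an unset master password, and every database is listed on the login page. Set a real `admin_passwd = <STRONG_MASTER_PASSWORD>` before first start and, once the database exists, add `list_db = False` and a `dbfilter` that matches only it. In odoo/docker-compose.yml (same commit) the Postgres credentials stay `odoo`/`odoo` in a committed file; binding 8069 to 127.0.0.1 is a good change, but the README should mark those values as placeholders to replace.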
@@ -0,0 +1,125 @@ +OpenLDAP +======== + +[![](https://www.openldap.org/images/headers/LDAPworm.gif)](https://www.openldap.org/) + +OpenLDAP Software is an open source implementation of the Lightweight Directory Access Protocol. + +## Directory Tree + +``` +├── data +│   ├── certs +│   │   ├── ca.crt +│   │   ├── ca.key +│   │   ├── ca.srl +│   │   ├── ldap.crt +│   │   ├── ldap.csr +│   │   └── ldap.key +│   ├── conf (auto generated) +│   │   ├── cn=config +│   │   ├── cn=config.ldif +│   │   └── docker-openldap-was-started-with-tls +│   └── data (auto generated) +│   ├── data.mdb +│   └── lock.mdb +└── docker-compose.yml +``` + +## docker-compose.yml + +```yaml +version: "3.7" + +services: + + openldap: + image: osixia/openldap + command: "--loglevel debug" + hostname: ldap.easypi.pro + ports: + - "389:389" + - "636:636" + volumes: + - ./data/certs:/container/service/slapd/assets/certs + - ./data/etc:/etc/ldap/slapd.d + - ./data/var:/var/lib/ldap + - ./data/run:/container/run + environment: + - LDAP_ORGANISATION=EasyPi + - LDAP_DOMAIN=ldap.easypi.pro + - LDAP_ADMIN_PASSWORD=admin + - LDAP_CONFIG_PASSWORD=config + - LDAP_TLS=true + - LDAP_TLS_CA_CRT_FILENAME=ca.crt + - LDAP_TLS_CRT_FILENAME=ldap.crt + - LDAP_TLS_KEY_FILENAME=ldap.key + - LDAP_TLS_VERIFY_CLIENT=try + - LDAP_TLS_ENFORCE=true + restart: always + + phpldapadmin: + image: osixia/phpldapadmin + command: "--loglevel debug" + ports: + - "8080:80" + environment: + # PHPLDAPADMIN_LDAP_HOSTS=#PYTHON2BASH:[{'ldap.easypi.pro':[{'server':[{'tls':True}]}]}] + - PHPLDAPADMIN_LDAP_HOSTS=ldaps://ldap.easypi.pro/ + - PHPLDAPADMIN_HTTPS=false + - PHPLDAPADMIN_TRUST_PROXY_SSL=true + extra_hosts: + - ldap.easypi.pro:x.x.x.x + depends_on: + - openldap + restart: always +``` + +> :warnning: I haven't figured out how to connect [phpldapadmin][1] to openladp via STARTTLS: +>> openldap_1 | 5d8a7abe conn=1023 fd=12 ACCEPT from IP=172.29.0.1:59342 (IP=0.0.0.0:389) +>> openldap_1 | 5d8a7abe conn=1023 op=0 EXT 
oid=1.3.6.1.4.1.1466.20037 +>> openldap_1 | 5d8a7abe conn=1023 op=0 STARTTLS +>> openldap_1 | 5d8a7abe conn=1023 op=0 RESULT oid= err=0 text= +>> openldap_1 | 5d8a7abe conn=1023 fd=12 TLS established tls_ssf=256 ssf=256 +>> openldap_1 | 5d8a7abe conn=1023 fd=12 closed (connection lost) + +## Create Keys and Certificates + +```bash +openssl req \ + -x509 -nodes -days 3650 -sha256 \ + -subj '/C=US/ST=Oregon/L=Portland/CN=easypi.pro' \ + -newkey rsa:2048 -keyout ca.key -out ca.crt + +openssl req \ + -new -sha256 -newkey rsa:2048 -nodes \ + -subj '/CN=ldap.easypi.pro/O=EasyPi/C=US/ST=Oregon/L=Portland' \ + -keyout ldap.key -out ldap.csr + +openssl x509 \ + -req -days 3650 -sha256 \ + -in ldap.csr -CA ca.crt -CAkey ca.key -CAcreateserial \ + -out ldap.crt +``` + +## Test the STARTTLS & SSL connections + +```bash +$ docker-compose exec openldap bash +>>> ldapwhoami -H ldap://ldap.easypi.pro -x -ZZ +anonymous +>>> ldapwhoami -H ldaps://ldap.easypi.pro -x -D cn=admin,dc=ldap,dc=easypi,dc=pro -w admin +dn:cn=admin,dc=ldap,dc=easypi,dc=pro +>>> ldapsearch -H ldaps://ldap.easypi.pro -b dc=ldap,dc=easypi,dc=pro -D cn=admin,dc=ldap,dc=easypi,dc=pro -w admin +... +``` + +## GUI Client + +- https://directory.apache.org/ + +## References + +- https://www.digitalocean.com/community/tutorials/how-to-encrypt-openldap-connections-using-starttls + +[1]: https://github.com/commandprompt/phpldapadmin/blob/master/config/config.php.example diff --git a/openldap/docker-compose.yml b/openldap/docker-compose.yml new file mode 100644 index 0000000..56f09af --- /dev/null +++ b/openldap/docker-compose.yml 
@@ -0,0 +1,44 @@ +version: "3.7" + +services: + + openldap: + image: osixia/openldap + command: "--loglevel debug" + hostname: ldap.easypi.pro + ports: + - "389:389" + - "636:636" + volumes: + - ./data/certs:/container/service/slapd/assets/certs + - ./data/etc:/etc/ldap/slapd.d + - ./data/var:/var/lib/ldap + - ./data/run:/container/run + environment: + - LDAP_ORGANISATION=EasyPi + - LDAP_DOMAIN=ldap.easypi.pro + - LDAP_ADMIN_PASSWORD=admin + - LDAP_CONFIG_PASSWORD=config + - LDAP_TLS=true + - LDAP_TLS_CA_CRT_FILENAME=ca.crt + - LDAP_TLS_CRT_FILENAME=ldap.crt + - LDAP_TLS_KEY_FILENAME=ldap.key + - LDAP_TLS_VERIFY_CLIENT=try + - LDAP_TLS_ENFORCE=true + restart: always + + phpldapadmin: + image: osixia/phpldapadmin + command: "--loglevel debug" + ports: + - "8080:80" + environment: + # PHPLDAPADMIN_LDAP_HOSTS=#PYTHON2BASH:[{'ldap.easypi.pro':[{'server':[{'tls':True}]}]}] + - PHPLDAPADMIN_LDAP_HOSTS=ldaps://ldap.easypi.pro/ + - PHPLDAPADMIN_HTTPS=false + - PHPLDAPADMIN_TRUST_PROXY_SSL=true + extra_hosts: + - ldap.easypi.pro:x.x.x.x + depends_on: + - openldap + restart: always diff --git a/openldap/nginx.conf b/openldap/nginx.conf new file mode 100644 index 0000000..873548c --- /dev/null +++ b/openldap/nginx.conf @@ -0,0 +1,23 @@ +server { + listen 80; + server_name ldap.easypi.pro; + return 302 https://$host$request_uri; +} + +server { + listen 443 ssl; + server_name ldap.easypi.pro; + ssl_certificate ssl/easypi.pro/fullchain.pem; + ssl_certificate_key ssl/easypi.pro/privkey.pem; + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers HIGH:!aNULL:!MD5; + location / { + proxy_pass http://127.0.0.1:8080; + proxy_set_header Host $host; + proxy_http_version 1.1; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + } +} diff --git a/openmeetings/README.md b/openmeetings/README.md new file mode 100644 index 0000000..56176f6 --- /dev/null 
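Review bot: phpldapadmin is published as `- "8080:80"` with `PHPLDAPADMIN_HTTPS=false`, so the admin UI — which carries the directory admin password on every login — is reachable over plain HTTP from all interfaces, although openldap/nginx.conf in this commit only needs it on `127.0.0.1:8080`; bind it with `- "127.0.0.1:8080:80"`. `LDAP_ADMIN_PASSWORD=admin` and `LDAP_CONFIG_PASSWORD=config` are committed defaults and 389/636 are published on all interfaces too; `LDAP_TLS_ENFORCE=true` at least forces STARTTLS on 389, but the passwords should come from an `.env` file or secrets and the README should say so. `ldap.easypi.pro:x.x.x.x` is a placeholder that will fail to resolve until replaced.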
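Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated and rejected by current browsers; change it to `ssl_protocols TLSv1.2 TLSv1.3;` (drop TLSv1.3 if the nginx build in use predates it) and, since port 80 already redirects, consider `add_header Strict-Transport-Security "max-age=31536000" always;`. `proxy_set_header Connection "upgrade";` is sent on every request, which only makes sense for WebSocket upgrades; phpldapadmin is a plain PHP application, so the Upgrade/Connection pair can be removed.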
+++ b/openmeetings/README.md @@ -0,0 +1,8 @@ +openmeetings +============ + +[Openmeetings][1] provides video conferencing, instant messaging, white board, +collaborative document editing and other groupware tools. It uses API functions +of Media Server for Remoting and Streaming (Red5 or Kurento). + +[1]: https://openmeetings.apache.org/ diff --git a/openmeetings/docker-compose.yml b/openmeetings/docker-compose.yml new file mode 100644 index 0000000..b12f841 --- /dev/null +++ b/openmeetings/docker-compose.yml @@ -0,0 +1,34 @@ +version: '3.1' + +services: + + openmeetings: + image: vimagick/openmeetings + ports: + - "5443:5443" + volumes: + - ./data/omdata:/opt/omdata + environment: + - OM_KURENTO_WS_URL=ws://kurento:8888/kurento + - OM_DB_HOST=mysql + - OM_DB_USER=root + - OM_DB_PASS=root + - OM_DB_NAME=openmeetings + - OM_USER=admin + - OM_PASS=admin + restart: always + + kurento: + image: kurento/kurento-media-server + ports: + - "8888:8888" + restart: always + + mysql: + image: mysql + volumes: + - ./data/mysql:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=root + - MYSQL_DATABASE=openmeetings + restart: always diff --git a/openrefine/Dockerfile b/openrefine/Dockerfile index 040cf01..2486b9d 100644 --- a/openrefine/Dockerfile +++ b/openrefine/Dockerfile @@ -2,17 +2,17 @@ # Dockerfile for openrefine # -FROM java:8-jre-alpine +FROM openjdk:8-jre-alpine MAINTAINER kev -ENV OPENREFINE_VERSION 3.0-rc.1 +ENV OPENREFINE_VERSION 3.2 ENV OPENREFINE_FILE openrefine-linux-${OPENREFINE_VERSION}.tar.gz ENV OPENREFINE_URL https://github.com/OpenRefine/OpenRefine/releases/download/${OPENREFINE_VERSION}/${OPENREFINE_FILE} WORKDIR /app RUN set -xe \ - && apk add --no-cache bash curl jq tar \ + && apk add --no-cache bash curl tar \ && curl -sSL ${OPENREFINE_URL} | tar xz --strip 1 VOLUME /data diff --git a/osticket/docker-compose.yml b/osticket/docker-compose.yml new file mode 100644 index 0000000..f9cd98a --- /dev/null +++ b/osticket/docker-compose.yml 
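Review bot: `kurento` publishes `- "8888:8888"` on all host interfaces, but its only consumer is the openmeetings service, which reaches it over the compose network as `ws://kurento:8888/kurento`; the Kurento control WebSocket has no authentication in its default configuration, so publishing it lets anyone on the network create pipelines and attach media endpoints. Remove the `ports:` block from `kurento` (or bind it to 127.0.0.1). The MySQL root password and the `OM_USER`/`OM_PASS=admin` pair are committed defaults as well; mark them as placeholders in the README and give the application a non-root `MYSQL_USER` rather than `OM_DB_USER=root`.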
@@ -0,0 +1,23 @@ +osticket: + image: campbellsoftwaresolutions/osticket + ports: + - "8080:80" + links: + - mysql + environment: + - MYSQL_ROOT_PASSWORD=root + - MYSQL_USER=osticket + - MYSQL_PASSWORD=secret + - MYSQL_DATABASE=osticket + restart: always + +mysql: + image: mysql:5.7 + volumes: + - ./data:/var/lib/mysql + environment: + - MYSQL_ROOT_PASSWORD=root + - MYSQL_USER=osticket + - MYSQL_PASSWORD=secret + - MYSQL_DATABASE=osticket + restart: always diff --git a/ot-recorder/README.md b/ot-recorder/README.md deleted file mode 100644 index efc6f97..0000000 --- a/ot-recorder/README.md +++ /dev/null @@ -1,33 +0,0 @@ -ot-recorder -=========== - -The [OwnTracks Recorder][1] is a lightweight program for storing and accessing -location data published via MQTT (or HTTP) by the OwnTracks apps. - -## docker-compose.yml - -```yaml -ot-recorder: - image: vimagick/ot-recorder - ports: - - "8083:8083" - volumes: - - ./data:/var/spool/owntracks/recorder/store - environment: - - OTR_HOST=iot.eclipse.org - - OTR_PORT=8883 - - OTR_USER=username - - OTR_PASS=password - - OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem - - OTR_TOPICS=owntracks/# - - OTR_BROWSERAPIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - - OTR_OPTIONS=--qos 0 - restart: always -``` - -You can pass any options to process via `OTR_OPTIONS` environment variable. - -Click [this][2] to generate a google map api key. - -[1]: https://github.com/owntracks/recorder -[2]: https://developers.google.com/maps/documentation/javascript/?authuser=1 diff --git a/ot-recorder/arm/docker-compose.yml b/ot-recorder/arm/docker-compose.yml deleted file mode 100644 index be4d01f..0000000 --- a/ot-recorder/arm/docker-compose.yml +++ /dev/null 
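Review bot: Both services carry `MYSQL_ROOT_PASSWORD=root` and `MYSQL_PASSWORD=secret` in a committed compose file, and the osticket service is handed the MySQL root password although it only needs the `osticket` user's credentials; drop `MYSQL_ROOT_PASSWORD` from the `osticket` environment if the image does not require it, and move the remaining values into an `.env` file referenced as `${MYSQL_PASSWORD}`. The web port is published as `- "8080:80"` on all interfaces; bind it to `127.0.0.1` when it is meant to sit behind a reverse proxy, as other compose files in this commit do.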
@@ -1,16 +0,0 @@ -ot-recorder: - image: easypi/ot-recorder-arm - ports: - - "8083:8083" - volumes: - - ./data:/var/spool/owntracks/recorder/store - environment: - - OTR_HOST=iot.eclipse.org - - OTR_PORT=8883 - - OTR_USER=username - - OTR_PASS=password - - OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem - - OTR_TOPICS=owntracks/# - - OTR_BROWSERAPIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - - OTR_OPTIONS=--qos 0 - restart: always diff --git a/ot-recorder/docker-compose.yml b/ot-recorder/docker-compose.yml deleted file mode 100644 index 0a6a6ad..0000000 --- a/ot-recorder/docker-compose.yml +++ /dev/null @@ -1,16 +0,0 @@ -ot-recorder: - image: vimagick/ot-recorder - ports: - - "8083:8083" - volumes: - - ./data:/var/spool/owntracks/recorder/store - environment: - - OTR_HOST=iot.eclipse.org - - OTR_PORT=8883 - - OTR_USER=username - - OTR_PASS=password - - OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem - - OTR_TOPICS=owntracks/# - - OTR_BROWSERAPIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX - - OTR_OPTIONS=--qos 0 - restart: always diff --git a/owntracks/ot-frontend/arm/Dockerfile b/owntracks/ot-frontend/arm/Dockerfile new file mode 100644 index 0000000..bdb3610 --- /dev/null +++ b/owntracks/ot-frontend/arm/Dockerfile 
@@ -0,0 +1,39 @@ +# +# Dockerfile for ot-frontend-arm +# + +FROM arm32v7/alpine:3 +MAINTAINER EasyPi Software Foundation + +RUN set -xe \ + && apk add --no-cache gettext \ + && mv /usr/bin/envsubst /tmp/ \ + && runDeps="$( \ + scanelf --needed --nobanner /tmp/envsubst \ + | awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \ + | sort -u \ + | xargs -r apk info --installed \ + | sort -u \ + )" \ + && apk add --no-cache $runDeps \ + && apk del gettext + +RUN set -xe \ + && apk add --no-cache curl nginx \ + && mv /tmp/envsubst /usr/local/bin/ \ + && curl -sSLO https://github.com/owntracks/frontend/archive/master.tar.gz \ + && mkdir -p /usr/share/nginx/html/ \ + && tar xzf master.tar.gz --strip-components=1 -C /usr/share/nginx/html/ frontend-master/index.html frontend-master/static \ + && tar xzf master.tar.gz --strip-components=1 -C /etc/nginx/ frontend-master/nginx.tmpl \ + && rm master.tar.gz + +ENV LISTEN_PORT=80 +ENV SERVER_HOST=otrecorder +ENV SERVER_PORT=8083 + +EXPOSE 80 + +CMD set -xe \ + && envsubst '${SERVER_HOST}:${SERVER_PORT}' < /etc/nginx/nginx.tmpl > /etc/nginx/nginx.conf \ + && mkdir -p /run/nginx/ \ + && nginx -g 'daemon off;' diff --git a/ot-recorder/arm/Dockerfile b/owntracks/ot-recorder/Dockerfile similarity index 79% rename from ot-recorder/arm/Dockerfile rename to owntracks/ot-recorder/Dockerfile index 5ed176d..b648b01 100644 --- a/ot-recorder/arm/Dockerfile +++ b/owntracks/ot-recorder/Dockerfile 
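Review bot: The frontend is fetched from `https://github.com/owntracks/frontend/archive/master.tar.gz`, i.e. whatever the `master` branch holds at build time, with no checksum; the build is not reproducible and any upstream change or compromise lands directly in the published image. Pin to a release tag or commit (`ENV FRONTEND_VERSION=<PINNED_TAG>` and `.../archive/${FRONTEND_VERSION}.tar.gz`) and verify the download against a recorded SHA-256 before extracting, the way the phpbb Dockerfile in this repository records a `PHPBB_SHA` for its download. The extracted `index.html` and `static` are served straight to users' browsers by nginx, so this pin is the only supply-chain control on that content.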
@@ -1,25 +1,25 @@ # -# Dockerfile for ot-recorder-arm +# Dockerfile for ot-recorder # -FROM arm32v7/debian:jessie +FROM debian:buster MAINTAINER EasyPi Software Foundation RUN set -xe \ && apt-get update \ - && apt-get install -y curl \ + && apt-get install -y curl gnupg \ && curl -sSL http://repo.owntracks.org/repo.owntracks.org.gpg.key | apt-key add - \ - && echo 'deb http://repo.owntracks.org/debian jessie main' > /etc/apt/sources.list.d/owntracks.list \ + && echo 'deb http://repo.owntracks.org/debian buster main' > /etc/apt/sources.list.d/owntracks.list \ && apt-get update \ && apt-get install -y ot-recorder \ && rm -rf /var/lib/apt/lists/* -ENV OTR_STORAGEDIR /var/spool/owntracks/recorder/store ENV OTR_HOST iot.eclipse.org ENV OTR_PORT 1883 ENV OTR_HTTPHOST 0.0.0.0 ENV OTR_HTTPPORT 8083 ENV OTR_TOPICS owntracks/# +ENV OTR_STORAGEDIR /var/spool/owntracks/recorder/store VOLUME $OTR_STORAGEDIR diff --git a/owntracks/ot-recorder/README.md b/owntracks/ot-recorder/README.md new file mode 100644 index 0000000..9f8c028 --- /dev/null +++ b/owntracks/ot-recorder/README.md 
@@ -0,0 +1,59 @@ +ot-recorder +=========== + +The [OwnTracks Recorder][1] is a lightweight program for storing and accessing +location data published via MQTT (or HTTP) by the OwnTracks apps. + +## docker-compose.yml + +```yaml +version: "3.7" + +services: + + recorder: + image: vimagick/ot-recorder + ports: + - "8083:8083" + volumes: + - ./data:/var/spool/owntracks/recorder/store + environment: + - OTR_HOST=iot.eclipse.org + - OTR_PORT=1883 + - OTR_USER=username + - OTR_PASS=password + - OTR_TOPICS=owntracks/# + # OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem + # OTR_BROWSERAPIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + # OTR_OPTIONS=--debug + restart: unless-stopped + + frontend: + image: owntracks/frontend + ports: + - 8080:80 + environment: + - SERVER_HOST=recorder + - SERVER_PORT=8083 + restart: unless-stopped +``` + +:warning: Some variables don't work (`OTR_QOS`, `OTR_CAFILE`) as [document][3] said. +You can pass any options to process via `OTR_OPTIONS` environment variable. + +Click [this][2] to generate a google map api key. + +## up and running + +```bash +$ docker-compse up -d +$ tree data +$ docker-compose exec recorder bash +>>> ocat --list +{"results":["foo"]} +>>> ocat --user foo --device bar +``` + +[1]: https://github.com/owntracks/recorder +[2]: https://developers.google.com/maps/documentation/javascript/?authuser=1 +[3]: https://github.com/owntracks/recorder#configuration-file diff --git a/ot-recorder/Dockerfile b/owntracks/ot-recorder/arm/Dockerfile similarity index 92% rename from ot-recorder/Dockerfile rename to owntracks/ot-recorder/arm/Dockerfile index f92d723..69a3b6c 100644 --- a/ot-recorder/Dockerfile +++ b/owntracks/ot-recorder/arm/Dockerfile @@ -1,8 +1,8 @@ # -# Dockerfile for ot-recorder +# Dockerfile for ot-recorder-arm # -FROM debian:stretch +FROM arm32v7/debian:stretch MAINTAINER EasyPi Software Foundation RUN set -xe \ 
@@ -14,12 +14,12 @@ RUN set -xe \ && apt-get install -y ot-recorder \ && rm -rf /var/lib/apt/lists/* -ENV OTR_STORAGEDIR /var/spool/owntracks/recorder/store ENV OTR_HOST iot.eclipse.org ENV OTR_PORT 1883 ENV OTR_HTTPHOST 0.0.0.0 ENV OTR_HTTPPORT 8083 ENV OTR_TOPICS owntracks/# +ENV OTR_STORAGEDIR /var/spool/owntracks/recorder/store VOLUME $OTR_STORAGEDIR diff --git a/owntracks/ot-recorder/arm/docker-compose.yml b/owntracks/ot-recorder/arm/docker-compose.yml new file mode 100644 index 0000000..5f0f8ea --- /dev/null +++ b/owntracks/ot-recorder/arm/docker-compose.yml @@ -0,0 +1,28 @@ +version: "3.7" + +services: + + recorder: + image: easypi/ot-recorder-arm + ports: + - "8083:8083" + volumes: + - ./data:/var/spool/owntracks/recorder/store + environment: + - OTR_HOST=iot.eclipse.org + - OTR_PORT=8883 + - OTR_USER=username + - OTR_PASS=password + - OTR_TOPICS=owntracks/# + # OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem + # OTR_OPTIONS=--debug + restart: unless-stopped + + frontend: + image: easypi/ot-frontend-arm + ports: + - 8080:80 + environment: + - SERVER_HOST=recorder + - SERVER_PORT=8083 + restart: unless-stopped diff --git a/ot-recorder/arm/docker-entrypoint.sh b/owntracks/ot-recorder/arm/docker-entrypoint.sh similarity index 85% rename from ot-recorder/arm/docker-entrypoint.sh rename to owntracks/ot-recorder/arm/docker-entrypoint.sh index f1e6b70..e75ff3b 100755 --- a/ot-recorder/arm/docker-entrypoint.sh +++ b/owntracks/ot-recorder/arm/docker-entrypoint.sh @@ -10,4 +10,4 @@ then ot-recorder --initialize fi -exec ot-recorder --http-host $OTR_HTTPHOST --http-port $OTR_HTTPPORT $OTR_OPTIONS +exec ot-recorder --http-host $OTR_HTTPHOST --http-port $OTR_HTTPPORT $OTR_OPTIONS ${OTR_TOPICS:-owntracks/#} diff --git a/owntracks/ot-recorder/docker-compose.yml b/owntracks/ot-recorder/docker-compose.yml new file mode 100644 index 0000000..698b2ad --- /dev/null +++ b/owntracks/ot-recorder/docker-compose.yml 
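Review bot: The recorder publishes `- "8083:8083"` on all interfaces, yet the only consumer is the frontend, which reaches it over the compose network as `SERVER_HOST=recorder`; the recorder's HTTP endpoint serves the whole stored location history and nothing in this file puts authentication in front of it, so drop the recorder `ports:` block (or bind it to 127.0.0.1) and expose only the frontend, ideally behind an authenticating proxy. This file also sets `OTR_PORT=8883` (the MQTT-over-TLS port) while `OTR_CAFILE` is commented out and the README in this commit says that variable does not work, and the non-arm owntracks/ot-recorder/docker-compose.yml uses 1883; unless the recorder enables TLS on its own for that port, the two files should agree and the TLS variant needs a working CA setting. The same port exposure applies to owntracks/ot-recorder/docker-compose.yml.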
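Review bot: `${OTR_TOPICS:-owntracks/#}` is appended unquoted, so a value containing spaces or shell glob characters is word-split and glob-expanded before it reaches ot-recorder; if one topic is intended, quote it as `"${OTR_TOPICS:-owntracks/#}"` (keep `$OTR_OPTIONS` unquoted, since that one is meant to carry several options), and if a space-separated list is intended, say so in the README. Note also that the Dockerfile already sets `ENV OTR_TOPICS owntracks/#`, so the `:-` default never applies inside the image. The same line is changed in owntracks/ot-recorder/docker-entrypoint.sh.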
@@ -0,0 +1,29 @@ +version: "3.7" + +services: + + recorder: + image: vimagick/ot-recorder + ports: + - "8083:8083" + volumes: + - ./data:/var/spool/owntracks/recorder/store + environment: + - OTR_HOST=iot.eclipse.org + - OTR_PORT=1883 + - OTR_USER=username + - OTR_PASS=password + - OTR_TOPICS=owntracks/# + # OTR_CAFILE=/etc/ssl/certs/DST_Root_CA_X3.pem + # OTR_BROWSERAPIKEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX + # OTR_OPTIONS=--debug + restart: unless-stopped + + frontend: + image: owntracks/frontend + ports: + - 8080:80 + environment: + - SERVER_HOST=recorder + - SERVER_PORT=8083 + restart: unless-stopped diff --git a/ot-recorder/docker-entrypoint.sh b/owntracks/ot-recorder/docker-entrypoint.sh similarity index 85% rename from ot-recorder/docker-entrypoint.sh rename to owntracks/ot-recorder/docker-entrypoint.sh index f1e6b70..e75ff3b 100755 --- a/ot-recorder/docker-entrypoint.sh +++ b/owntracks/ot-recorder/docker-entrypoint.sh @@ -10,4 +10,4 @@ then ot-recorder --initialize fi -exec ot-recorder --http-host $OTR_HTTPHOST --http-port $OTR_HTTPPORT $OTR_OPTIONS +exec ot-recorder --http-host $OTR_HTTPHOST --http-port $OTR_HTTPPORT $OTR_OPTIONS ${OTR_TOPICS:-owntracks/#} diff --git a/phpbb/Dockerfile b/phpbb/Dockerfile index 7cba005..69736ef 100644 --- a/phpbb/Dockerfile +++ b/phpbb/Dockerfile 
@@ -9,16 +9,16 @@ RUN a2enmod rewrite RUN set -xe \ && apt-get update \ - && apt-get install -y curl unzip bzip2 libpq-dev libpng12-dev libjpeg-dev \ + && apt-get install -y curl unzip bzip2 libpq-dev libpng-dev libjpeg-dev \ && rm -rf /var/lib/apt/lists/* \ && docker-php-ext-configure gd --with-png-dir=/usr --with-jpeg-dir=/usr \ && docker-php-ext-install gd mysqli pgsql WORKDIR /var/www/html -ENV PHPBB_VERSION 3.2.0 +ENV PHPBB_VERSION 3.2.3 ENV PHPBB_URL https://www.phpbb.com/files/release/phpBB-${PHPBB_VERSION}.tar.bz2 -ENV PHPBB_SHA 610d960b6e050b205b7248dea366c63bf1feee0551170c75fa4ecbacd5213a0d +ENV PHPBB_SHA a04e2f5972180d7e3cee37ae3d72552fd12e846d0e62e7b7993a6a0d317464e7 ENV PHPBB_FILE phpBB.tar.bz2 RUN set -xe \ diff --git a/phpvirtualbox/Dockerfile b/phpvirtualbox/Dockerfile index e84ea54..bc3e60c 100644 --- a/phpvirtualbox/Dockerfile +++ b/phpvirtualbox/Dockerfile 
@@ -3,28 +3,23 @@ # FROM alpine -MAINTAINER kev +MAINTAINER EasyPi Software Foundation + +ENV PHPVBOX_VERSION=5.2-1 +ENV PHPVBOX_URL=https://github.com/phpvirtualbox/phpvirtualbox/archive/${PHPVBOX_VERSION}.tar.gz + +WORKDIR /var/www RUN set -xe \ && apk add --no-cache bash nginx php5-fpm php5-cli php5-json php5-soap \ - && apk add --no-cache --virtual build-dependencies wget unzip \ + && apk add --no-cache --virtual build-dependencies curl tar \ && touch /etc/php5/fpm.d/empty.conf \ - && wget --no-check-certificate https://sourceforge.net/projects/phpvirtualbox/files/latest/download -O phpvirtualbox.zip \ - && unzip phpvirtualbox.zip -d phpvirtualbox \ - && mkdir -p /var/www \ - && mv -v phpvirtualbox/*/* /var/www/ \ - && rm phpvirtualbox.zip \ - && rm phpvirtualbox/ -R \ + && curl -sSL ${PHPVBOX_URL} | tar xz --strip 1 \ && apk del build-dependencies \ - && rm -rf /var/cache/apk/* \ - && echo "" > /var/www/config-servers.php \ - && echo "" > /var/www/config-override.php \ && chown nobody:nobody -R /var/www -COPY config.php /var/www/config.php COPY nginx.conf /etc/nginx/nginx.conf -COPY servers-from-env.php /servers-from-env.php EXPOSE 80 -CMD php /servers-from-env.php && php-fpm && nginx +CMD php-fpm && nginx diff --git a/phpvirtualbox/arm/Dockerfile b/phpvirtualbox/arm/Dockerfile index 593b1da..3c13996 100644 --- a/phpvirtualbox/arm/Dockerfile +++ b/phpvirtualbox/arm/Dockerfile 
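Review bot: The image still installs `php5-fpm php5-cli php5-json php5-soap` on an unpinned `FROM alpine`, so it tracks Alpine's latest release while depending on PHP 5 packages that are end-of-life and, as far as I can tell, no longer shipped by current Alpine releases — the build is likely to break on the next base update, and when it does build it serves an unsupported PHP. Pin the base (the arm variant in this commit moves to `arm32v7/alpine:3`) and move to the `php7-*` packages Alpine currently provides, or whichever PHP the pinned phpvirtualbox release supports. Replacing `wget --no-check-certificate` with `curl -sSL` against a pinned `PHPVBOX_VERSION` is a good change; a recorded SHA-256 for the tarball would complete it. phpvirtualbox/arm/Dockerfile has the same hunk.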
@@ -2,29 +2,24 @@ # Dockerfile for phpvirtualbox-arm # -FROM easypi/alpine-arm -MAINTAINER kev +FROM arm32v7/alpine:3 +MAINTAINER EasyPi Software Foundation + +ENV PHPVBOX_VERSION=5.2-1 +ENV PHPVBOX_URL=https://github.com/phpvirtualbox/phpvirtualbox/archive/${PHPVBOX_VERSION}.tar.gz + +WORKDIR /var/www RUN set -xe \ && apk add --no-cache bash nginx php5-fpm php5-cli php5-json php5-soap \ - && apk add --no-cache --virtual build-dependencies wget unzip \ + && apk add --no-cache --virtual build-dependencies curl tar \ && touch /etc/php5/fpm.d/empty.conf \ - && wget --no-check-certificate https://sourceforge.net/projects/phpvirtualbox/files/latest/download -O phpvirtualbox.zip \ - && unzip phpvirtualbox.zip -d phpvirtualbox \ - && mkdir -p /var/www \ - && mv -v phpvirtualbox/*/* /var/www/ \ - && rm phpvirtualbox.zip \ - && rm phpvirtualbox/ -R \ + && curl -sSL ${PHPVBOX_URL} | tar xz --strip 1 \ && apk del build-dependencies \ - && rm -rf /var/cache/apk/* \ - && echo "" > /var/www/config-servers.php \ - && echo "" > /var/www/config-override.php \ && chown nobody:nobody -R /var/www -COPY config.php /var/www/config.php COPY nginx.conf /etc/nginx/nginx.conf -COPY servers-from-env.php /servers-from-env.php EXPOSE 80 -CMD php /servers-from-env.php && php-fpm && nginx +CMD php-fpm && nginx diff --git a/phpvirtualbox/arm/config.php b/phpvirtualbox/arm/data/config.php similarity index 69% rename from phpvirtualbox/arm/config.php rename to phpvirtualbox/arm/data/config.php index fa19014..57e94b9 100644 --- a/phpvirtualbox/arm/config.php +++ b/phpvirtualbox/arm/data/config.php 
@@ -1,29 +1,19 @@ servers = require __DIR__ . '/config-servers.php'; - // getting override settings - $overrides = require __DIR__.'/config-override.php'; - foreach ($overrides as $key => $value) { - $this->$key = $value; - } - } - /* Username / Password for system user that runs VirtualBox */ - var $username = ''; - var $password = ''; + var $username = 'vbox'; + var $password = 'pass'; /* SOAP URL of vboxwebsrv (not phpVirtualBox's URL) */ - var $location = 'http://127.0.0.1:18083/'; + var $location = 'http://vboxwebsrv:18083/'; /* Default language. See languages folder for more language options. * Can also be changed in File -> Preferences -> Language in @@ -33,6 +23,8 @@ class phpVBoxConfig { /* Set the standard VRDE Port Number / Range, e.g. 1010-1020 or 1027 */ var $vrdeports = '9000-9100'; + /* Set the default VRDE address, e.g. 192.168.1.1 */ + #var $vrdeaddress = '192.168.1.1'; /* * 
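Review bot: `var $username = 'vbox'; var $password = 'pass';` puts the credentials of the system account that runs VirtualBox into a committed file, replacing the removed `config-servers.php`/`config-override.php` include that let them come from outside the image; anyone with the repository (or the image, if the file is copied in) learns them, and `$location = 'http://vboxwebsrv:18083/'` sends them to vboxwebsrv in the clear. Keep them as placeholders (`'<VBOX_USER>'` / `'<VBOX_PASSWORD>'`) or restore the override include, document the bind mount of `data/config.php`, and add the populated file to .gitignore. Commenting out `$noAuth` is the right call: with authentication disabled the web UI would hand control of the VirtualBox host to anyone who can reach port 80.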
@@ -43,27 +35,26 @@ class phpVBoxConfig { // Multiple servers example config. Uncomment (remove /* and */) to use. // Add ALL the servers you want to use. Even if you have the server set // above. The default server will be the first one in the list. - /* - var $servers = array( - array( - 'name' => 'London', - 'username' => 'user', - 'password' => 'pass', - 'location' => 'http://192.168.1.1:18083/', - 'authMaster' => true // Use this server for authentication - ), - array( - 'name' => '', - 'username' => 'user2', - 'password' => 'pass2', - 'location' => 'http://192.168.1.2:18083/' - ), - ); - */ + var $servers = array( + array( + 'name' => 'London', + 'username' => 'user', + 'password' => 'pass', + 'location' => 'http://192.168.1.1:18083/', + 'authMaster' => true // Use this server for authentication + ), + array( + 'name' => 'New York', + 'username' => 'user2', + 'password' => 'pass2', + 'location' => 'http://192.168.1.2:18083/' + ), + ); + */ // Disable authentication - var $noAuth = true; + #var $noAuth = true; // Host / ip to use for console connections #var $consoleHost = '192.168.1.40'; @@ -80,7 +71,7 @@ class phpVBoxConfig { // Max number of progress operations to keep in list var $maxProgressList = 5; - // Change default preview aspect ratio to 1. + // Change default preview aspect ratio to 1. // http://www.wikipedia.org/wiki/Aspect_ratio_%28image%29#Previous_and_presently_used_aspect_ratios #var $previewAspectRatio = 1.6; 
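Review bot: The multi-server example block appears to lose its opening `/*` in the new version: the removed side has 17 lines bracketed by `/*` and `*/`, the added side has 16 and ends with `*/` without ever reopening the comment, and the `-43,27 +35,26` counts agree with that reading. If the rendering is faithful, `var $servers = array(...)` is now live — overriding the single-server settings above with the example 'user'/'pass' credentials and 192.168.1.x locations — and the dangling `*/` is a PHP parse error, so the mounted config.php would fail outright. Restore the `/*` line immediately before `var $servers = array(` (or drop the example block entirely). The duplicate of this hunk for the non-arm phpvirtualbox config.php later in the diff has the same problem.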
@@ -88,24 +79,24 @@ class phpVBoxConfig { #var $enableCustomIcons = true; /* - Exclusively use phpVirtualBox's groups configuration rather than VirtualBox groups. - This has the following effects: + Exclusively use phpVirtualBox's groups configuration rather than VirtualBox groups. + This has the following effects: - *) Group changes made in phpVirtualBox will not be reflected in VirtualBox programs such as - VirtualBox and VBoxManage - *) Group changes will not affect which folder a VM is placed in - *) You can rename groups that contain running VMs and move / copy running VMs to groups - */ - #var $phpVboxGroups = true; + *) Group changes made in phpVirtualBox will not be reflected in VirtualBox programs such as + VirtualBox and VBoxManage + *) Group changes will not affect which folder a VM is placed in + *) You can rename groups that contain running VMs and move / copy running VMs to groups + */ + #var $phpVboxGroups = true; /* - Allow to prompt deletion hard disk files on removal from Virtual Media Manager. - If this is not set, files are always kept. If this is set, you will be PROMPTED - to decide whether or not you would like to delete the hard disk file(s) when you - remove a hard disk from virtual media manager. You may still choose not to delete - the file when prompted. - */ + Allow to prompt deletion hard disk files on removal from Virtual Media Manager. + If this is not set, files are always kept. If this is set, you will be PROMPTED + to decide whether or not you would like to delete the hard disk file(s) when you + remove a hard disk from virtual media manager. You may still choose not to delete + the file when prompted. + */ var $deleteOnRemove = true; /* 
@@ -116,7 +107,7 @@ class phpVBoxConfig { var $browserRestrictFiles = array('.iso','.vdi','.vmdk','.img','.bin','.vhd','.hdd','.ovf','.ova','.xml','.vbox','.cdr','.dmg','.ima','.dsk','.vfd'); // Restrict locations / folders - var $browserRestrictFolders = array('/'); // Or something like array('/home/vbox','/var/ISOs') + #var $browserRestrictFolders = array('D:\\','C:\\Users\\Ian'); // Or something like array('/home/vbox','/var/ISOs') // Force use of local, web server based file browser instead of going through vboxwebsrv #var $browserLocal = true; @@ -146,7 +137,7 @@ class phpVBoxConfig { /* * VM Memory warnings. - * + * * If $vmMemoryStartLimitWarn is enabled, each time a VM is started through * phpVirtualBox, it will check that the available host memory is greater than * the base and video memory of the VM + 50MB (a little bit of overhead). If it @@ -158,8 +149,8 @@ class phpVBoxConfig { * performed by $vmMemoryStartLimitWarn logic. For instance it may be a good * idea to always have VM memory requirements + 100MB free. 100 is the default. */ - #var $vmMemoryStartLimitWarn = true; - #var $vmMemoryOffset = 100; + #var $vmMemoryStartLimitWarn = true; + #var $vmMemoryOffset = 100; /* @@ -181,7 +172,7 @@ class phpVBoxConfig { var $nicMax = 4; /* Enable advanced configuration items (normally hidden in the VirtualBox GUI) - * Note that some of these items may not be translated to languages other than English. + * Note that some of these items may not be translated to languages other than English. */ #var $enableAdvancedConfig = true; @@ -192,7 +183,7 @@ class phpVBoxConfig { #var $startStopConfig = true; // Authentication library. - var $authLib = 'Builtin'; + // var $authLib = 'Builtin'; // VM ownership #var $enforceVMOwnership = true; 
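Review bot: Commenting out `$browserRestrictFolders` removes the folder restriction on the file browser entirely; the old `array('/')` was already no real restriction, but the replacement is the upstream Windows example (`'D:\\','C:\\Users\\Ian'`), which has no meaning on this image. Set it to the directories that actually hold ISO and disk images, in the form the inline comment already suggests, e.g. `var $browserRestrictFolders = array('/var/ISOs');`. The non-arm config.php hunk later in this diff makes the identical change.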
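Review bot: `var $authLib = 'Builtin';` becomes `// var $authLib = 'Builtin';` in the same commit that re-enables authentication by commenting out `$noAuth`, so the effective login backend is now whatever phpVirtualBox's internal default happens to be rather than something the config states. If the built-in user database is the intent, keep the line active so the choice is explicit and survives an upstream default change: `var $authLib = 'Builtin';`. It is worth confirming after deployment that the login page still demands credentials. The non-arm config.php hunk later in this diff repeats the change.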
@@ -204,26 +195,29 @@ class phpVBoxConfig { // Allow VDE network configuration. This must be supported by the underlying VirtualBox installation! // If you do not know what VDE networking is - you do not need it, it is probably not supported by your // VirtualBox installation and will cause errors if enabled. - #var $enableVDE = true; + #var $enableVDE = true; // Disable setting SATA controllers port count to the max port number found when saving VMs. #var $disableSataPortCount = true; /* Enable Parallel Port configuration - EXPERIMENTAL - LPT support may or may not work for you. - !!! VirtualBox LPT support only works in Linux. !!! - */ + LPT support may or may not work for you. + !!! VirtualBox LPT support only works in Linux. !!! + */ #var $enableLPTConfig = true; /* Enable HardDisk IgnoreFlush configuration. This controls the "ExtraData" setting * in "VBoxInternal/Devices/[controller type]/0/LUN#[x]/Config/IgnoreFlush". See * Responding to guest IDE/SATA flush requests at: * http://www.virtualbox.org/manual/ch12.html#idp12757424 - */ + */ #var $enableHDFlushConfig = true; + /* + * Event listener timeout in seconds. This is an advanced option that most people will + * probably not need to change. + */ + #var $eventListenerTimeout = 20; /* END SETTINGS */ - - } diff --git a/phpvirtualbox/arm/docker-compose.yml b/phpvirtualbox/arm/docker-compose.yml index 5ad45c7..9b33a2d 100644 --- a/phpvirtualbox/arm/docker-compose.yml +++ b/phpvirtualbox/arm/docker-compose.yml @@ -2,10 +2,8 @@ phpvirtualbox: image: easypi/phpvirtualbox-arm ports: - "8888:80" - environment: - - ID_PORT_18083_TCP=remote-server:18083 - - ID_NAME=Vbox - - ID_USER=username - - ID_PW=password - - CONF_browserRestrictFolders=/data, + volumes: + - ./data/config.php:/var/www/config.php:ro + extra_hosts: + - vboxwebsrv:x.x.x.x restart: always diff --git a/phpvirtualbox/arm/servers-from-env.php b/phpvirtualbox/arm/servers-from-env.php deleted file mode 100644 index 8089a45..0000000 
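Review bot: `./data/config.php:/var/www/config.php:ro` mounts a file that, as committed in this diff, holds the VirtualBox host account password in plaintext with default values ('vbox'/'pass'); the read-only mount is right, but the file should be treated as a secret rather than a tracked example. Committing it as `./data/config.php.example`, ignoring `data/config.php`, and telling users to copy and edit it means a `git pull` never overwrites a real credential and a real one is never pushed. `vboxwebsrv:x.x.x.x` is a placeholder that I expect the engine to reject as an invalid address until edited, so `# replace x.x.x.x with the IP of the host running vboxwebsrv` next to it would turn a confusing failure into an obvious step. The phpvirtualbox/docker-compose.yml hunk later in this diff is identical and gets the same note.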
--- a/phpvirtualbox/arm/servers-from-env.php +++ /dev/null 
@@ -1,65 +0,0 @@ - $value) { - preg_match('/(.*?)(?:_ENV_|_)?CONF_(.+)/', $key, $matches); - if ($matches) { - $value= (strpos($value, ',')) ? split(',',$value) : $value; - $config_overrides[$matches[1]] = array($matches[2] => $value); - } -} - -echo 'Exposing the following linked server instances:' . PHP_EOL; - -// getting servers from linked vboxwebsrv containers or environment variables -foreach ($_SERVER as $key => $value) { - if (substr($key, -15) === '_PORT_18083_TCP') { - $prefix = substr($key, 0, -15); - - $name = getenv($prefix . '_NAME'); - $pos = strrpos($name, '/'); - if ($pos !== false) { - $name = substr($name, $pos + 1); - } - - if (!$name) { - $name = strtolower($prefix); - } - $name = ucfirst($name); - - $location = 'http://' . str_replace('tcp://', '', $value) . '/'; - - echo '- ' . $name . ' (' . $location .')' . PHP_EOL; - - $username = getenv($prefix.'_USER'); - $password = getenv($prefix.'_PW'); - - if ($username == "") $username = 'username'; - if ($password == "") $password = 'username'; - - $servers []= array_merge(array( - 'name' => $name, - 'username' => $username, - 'password' => $password, - 'authMaster' => true, - 'location' => $location), - (array_key_exists($prefix, $config_overrides)) ? $config_overrides[$prefix] : array()); - } -} -// check if there are any servers -if (!$servers) { - echo 'Error: No vboxwebsrv instance linked? Use "--link containername:myname"' . PHP_EOL; - echo 'Use environment variables if no vboxwebsrv containers are used!'; - exit(1); -} - -// put servers array to file -file_put_contents('/var/www/config-servers.php', 'servers = require __DIR__ . 
'/config-servers.php'; - // getting override settings - $overrides = require __DIR__.'/config-override.php'; - foreach ($overrides as $key => $value) { - $this->$key = $value; - } - } - /* Username / Password for system user that runs VirtualBox */ - var $username = ''; - var $password = ''; + var $username = 'vbox'; + var $password = 'pass'; /* SOAP URL of vboxwebsrv (not phpVirtualBox's URL) */ - var $location = 'http://127.0.0.1:18083/'; + var $location = 'http://vboxwebsrv:18083/'; /* Default language. See languages folder for more language options. * Can also be changed in File -> Preferences -> Language in @@ -33,6 +23,8 @@ class phpVBoxConfig { /* Set the standard VRDE Port Number / Range, e.g. 1010-1020 or 1027 */ var $vrdeports = '9000-9100'; + /* Set the default VRDE address, e.g. 192.168.1.1 */ + #var $vrdeaddress = '192.168.1.1'; /* * @@ -43,27 +35,26 @@ class phpVBoxConfig { // Multiple servers example config. Uncomment (remove /* and */) to use. // Add ALL the servers you want to use. Even if you have the server set // above. The default server will be the first one in the list. - /* - var $servers = array( - array( - 'name' => 'London', - 'username' => 'user', - 'password' => 'pass', - 'location' => 'http://192.168.1.1:18083/', - 'authMaster' => true // Use this server for authentication - ), - array( - 'name' => '', - 'username' => 'user2', - 'password' => 'pass2', - 'location' => 'http://192.168.1.2:18083/' - ), - ); - */ + var $servers = array( + array( + 'name' => 'London', + 'username' => 'user', + 'password' => 'pass', + 'location' => 'http://192.168.1.1:18083/', + 'authMaster' => true // Use this server for authentication + ), + array( + 'name' => 'New York', + 'username' => 'user2', + 'password' => 'pass2', + 'location' => 'http://192.168.1.2:18083/' + ), + ); + */ // Disable authentication - var $noAuth = true; + #var $noAuth = true; // Host / ip to use for console connections #var $consoleHost = '192.168.1.40'; 
@@ -80,7 +71,7 @@ class phpVBoxConfig { // Max number of progress operations to keep in list var $maxProgressList = 5; - // Change default preview aspect ratio to 1. + // Change default preview aspect ratio to 1. // http://www.wikipedia.org/wiki/Aspect_ratio_%28image%29#Previous_and_presently_used_aspect_ratios #var $previewAspectRatio = 1.6; 
@@ -88,24 +79,24 @@ class phpVBoxConfig { #var $enableCustomIcons = true; /* - Exclusively use phpVirtualBox's groups configuration rather than VirtualBox groups. - This has the following effects: + Exclusively use phpVirtualBox's groups configuration rather than VirtualBox groups. + This has the following effects: - *) Group changes made in phpVirtualBox will not be reflected in VirtualBox programs such as - VirtualBox and VBoxManage - *) Group changes will not affect which folder a VM is placed in - *) You can rename groups that contain running VMs and move / copy running VMs to groups - */ - #var $phpVboxGroups = true; + *) Group changes made in phpVirtualBox will not be reflected in VirtualBox programs such as + VirtualBox and VBoxManage + *) Group changes will not affect which folder a VM is placed in + *) You can rename groups that contain running VMs and move / copy running VMs to groups + */ + #var $phpVboxGroups = true; /* - Allow to prompt deletion hard disk files on removal from Virtual Media Manager. - If this is not set, files are always kept. If this is set, you will be PROMPTED - to decide whether or not you would like to delete the hard disk file(s) when you - remove a hard disk from virtual media manager. You may still choose not to delete - the file when prompted. - */ + Allow to prompt deletion hard disk files on removal from Virtual Media Manager. + If this is not set, files are always kept. If this is set, you will be PROMPTED + to decide whether or not you would like to delete the hard disk file(s) when you + remove a hard disk from virtual media manager. You may still choose not to delete + the file when prompted. + */ var $deleteOnRemove = true; /* 
@@ -116,7 +107,7 @@ class phpVBoxConfig { var $browserRestrictFiles = array('.iso','.vdi','.vmdk','.img','.bin','.vhd','.hdd','.ovf','.ova','.xml','.vbox','.cdr','.dmg','.ima','.dsk','.vfd'); // Restrict locations / folders - var $browserRestrictFolders = array('/'); // Or something like array('/home/vbox','/var/ISOs') + #var $browserRestrictFolders = array('D:\\','C:\\Users\\Ian'); // Or something like array('/home/vbox','/var/ISOs') // Force use of local, web server based file browser instead of going through vboxwebsrv #var $browserLocal = true; @@ -146,7 +137,7 @@ class phpVBoxConfig { /* * VM Memory warnings. - * + * * If $vmMemoryStartLimitWarn is enabled, each time a VM is started through * phpVirtualBox, it will check that the available host memory is greater than * the base and video memory of the VM + 50MB (a little bit of overhead). If it @@ -158,8 +149,8 @@ class phpVBoxConfig { * performed by $vmMemoryStartLimitWarn logic. For instance it may be a good * idea to always have VM memory requirements + 100MB free. 100 is the default. */ - #var $vmMemoryStartLimitWarn = true; - #var $vmMemoryOffset = 100; + #var $vmMemoryStartLimitWarn = true; + #var $vmMemoryOffset = 100; /* @@ -181,7 +172,7 @@ class phpVBoxConfig { var $nicMax = 4; /* Enable advanced configuration items (normally hidden in the VirtualBox GUI) - * Note that some of these items may not be translated to languages other than English. + * Note that some of these items may not be translated to languages other than English. */ #var $enableAdvancedConfig = true; @@ -192,7 +183,7 @@ class phpVBoxConfig { #var $startStopConfig = true; // Authentication library. - var $authLib = 'Builtin'; + // var $authLib = 'Builtin'; // VM ownership #var $enforceVMOwnership = true; 
@@ -204,26 +195,29 @@ class phpVBoxConfig { // Allow VDE network configuration. This must be supported by the underlying VirtualBox installation! // If you do not know what VDE networking is - you do not need it, it is probably not supported by your // VirtualBox installation and will cause errors if enabled. - #var $enableVDE = true; + #var $enableVDE = true; // Disable setting SATA controllers port count to the max port number found when saving VMs. #var $disableSataPortCount = true; /* Enable Parallel Port configuration - EXPERIMENTAL - LPT support may or may not work for you. - !!! VirtualBox LPT support only works in Linux. !!! - */ + LPT support may or may not work for you. + !!! VirtualBox LPT support only works in Linux. !!! + */ #var $enableLPTConfig = true; /* Enable HardDisk IgnoreFlush configuration. This controls the "ExtraData" setting * in "VBoxInternal/Devices/[controller type]/0/LUN#[x]/Config/IgnoreFlush". See * Responding to guest IDE/SATA flush requests at: * http://www.virtualbox.org/manual/ch12.html#idp12757424 - */ + */ #var $enableHDFlushConfig = true; + /* + * Event listener timeout in seconds. This is an advanced option that most people will + * probably not need to change. + */ + #var $eventListenerTimeout = 20; /* END SETTINGS */ - - } diff --git a/phpvirtualbox/docker-compose.yml b/phpvirtualbox/docker-compose.yml index 5870709..17b868d 100644 --- a/phpvirtualbox/docker-compose.yml +++ b/phpvirtualbox/docker-compose.yml @@ -2,10 +2,8 @@ phpvirtualbox: image: vimagick/phpvirtualbox ports: - "8888:80" - environment: - - ID_PORT_18083_TCP=remote-server:18083 - - ID_NAME=Vbox - - ID_USER=username - - ID_PW=password - - CONF_browserRestrictFolders=/data, + volumes: + - ./data/config.php:/var/www/config.php:ro + extra_hosts: + - vboxwebsrv:x.x.x.x restart: always diff --git a/phpvirtualbox/servers-from-env.php b/phpvirtualbox/servers-from-env.php deleted file mode 100644 index 8089a45..0000000 
--- a/phpvirtualbox/servers-from-env.php +++ /dev/null @@ -1,65 +0,0 @@ - $value) { - preg_match('/(.*?)(?:_ENV_|_)?CONF_(.+)/', $key, $matches); - if ($matches) { - $value= (strpos($value, ',')) ? split(',',$value) : $value; - $config_overrides[$matches[1]] = array($matches[2] => $value); - } -} - -echo 'Exposing the following linked server instances:' . PHP_EOL; - -// getting servers from linked vboxwebsrv containers or environment variables -foreach ($_SERVER as $key => $value) { - if (substr($key, -15) === '_PORT_18083_TCP') { - $prefix = substr($key, 0, -15); - - $name = getenv($prefix . '_NAME'); - $pos = strrpos($name, '/'); - if ($pos !== false) { - $name = substr($name, $pos + 1); - } - - if (!$name) { - $name = strtolower($prefix); - } - $name = ucfirst($name); - - $location = 'http://' . str_replace('tcp://', '', $value) . '/'; - - echo '- ' . $name . ' (' . $location .')' . PHP_EOL; - - $username = getenv($prefix.'_USER'); - $password = getenv($prefix.'_PW'); - - if ($username == "") $username = 'username'; - if ($password == "") $password = 'username'; - - $servers []= array_merge(array( - 'name' => $name, - 'username' => $username, - 'password' => $password, - 'authMaster' => true, - 'location' => $location), - (array_key_exists($prefix, $config_overrides)) ? $config_overrides[$prefix] : array()); - } -} -// check if there are any servers -if (!$servers) { - echo 'Error: No vboxwebsrv instance linked? Use "--link containername:myname"' . PHP_EOL; - echo 'Use environment variables if no vboxwebsrv containers are used!'; - exit(1); -} - -// put servers array to file -file_put_contents('/var/www/config-servers.php', ' RUN a2enmod rewrite @@ -17,8 +17,8 @@ RUN set -xe \ WORKDIR /var/www/html -ENV PS_VER 1.7.2.4 -ENV PS_MD5 19c374fd4e65e2a0d978c619781686bc +ENV PS_VER 1.7.5.1 +ENV PS_MD5 7ec5bf2ce9c5d0d369c76ae5d0a716a3 ENV PS_URL https://download.prestashop.com/download/releases/prestashop_${PS_VER}.zip ENV PS_FILE prestashop_${PS_VER}.zip 
diff --git a/prestashop/README.md b/prestashop/README.md index 2362dd1..ac822ac 100644 --- a/prestashop/README.md +++ b/prestashop/README.md @@ -9,21 +9,22 @@ free. ```yaml prestashop: - image: vimagick/prestashop + image: prestashop/prestashop:1.7-7.2-apache ports: - - "8000:80" + - "8080:80" links: - mysql volumes: - - /var/www - restart: always + - ./data:/var/www/html + restart: unless-stopped mysql: - image: mysql + image: mysql:8 + command: --default-authentication-plugin=mysql_native_password environment: - MYSQL_ROOT_PASSWORD=root - MYSQL_DATABASE=prestashop - restart: always + restart: unless-stopped ``` ## Nginx Config @@ -44,7 +45,7 @@ server { ssl_ciphers HIGH:!aNULL:!MD5; client_max_body_size 20M; location / { - proxy_pass http://127.0.0.1:8000; + proxy_pass http://127.0.0.1:8080; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; } @@ -53,18 +54,26 @@ server { ## Enable SSL -1. Activate SSL directtly on the database, (because the broken images avoid to +0. Open http://localhost:8080 (`ssh -L 8080:localhost:8080`) + +1. Configure > Shop Parameters > Traffic & SEO > SEO & URLs > Set shop URL + + - Shop domain: shop.easypi.pro + - SSL domain: shop.easypi.pro + - Base URI: / + +2. Activate SSL directtly on the database, (because the broken images avoid to use the activate SSL option on the admin panel, click on the url simply does not pass the test). To ativate SSL on the database i use the next query on: UPDATE ps_configuration SET value = 1 WHERE name = 'PS_SSL_ENABLED'; -2. Add the next line to the `.htacces` file to avoid teh loop redirect issue with +3. Add the next line to the `.htacces` file to avoid the loop redirect issue with SSL enabled: SetEnv HTTPS On -3. Configure > Shop Parameters > General > Enable SSL on all pages +4. Configure > Shop Parameters > General > Enable SSL on all pages ## Reset Admin Password 
diff --git a/prestashop/docker-compose.yml b/prestashop/docker-compose.yml index 5f0ec86..17a2328 100644 --- a/prestashop/docker-compose.yml +++ b/prestashop/docker-compose.yml @@ -1,16 +1,17 @@ prestashop: - image: vimagick/prestashop + image: prestashop/prestashop:1.7-7.2-apache ports: - - "8000:80" + - "8080:80" links: - mysql volumes: - - /var/www - restart: always + - ./data:/var/www/html + restart: unless-stopped mysql: - image: mysql + image: mysql:8 + command: --default-authentication-plugin=mysql_native_password environment: - MYSQL_ROOT_PASSWORD=root - MYSQL_DATABASE=prestashop - restart: always + restart: unless-stopped diff --git a/prestodb/Dockerfile.alpine b/prestodb/Dockerfile.alpine new file mode 100644 index 0000000..f95f70e --- /dev/null +++ b/prestodb/Dockerfile.alpine @@ -0,0 +1,28 @@ +# +# Dockerfile for prestodb +# + +FROM openjdk:8-jre-alpine +MAINTAINER kev + +ENV PRESTO_VERSION=0.227 +ENV PRESTO_SERVER_URL=https://repo1.maven.org/maven2/com/facebook/presto/presto-server/${PRESTO_VERSION}/presto-server-${PRESTO_VERSION}.tar.gz +ENV PRESTO_CLI_URL=https://repo1.maven.org/maven2/com/facebook/presto/presto-cli/${PRESTO_VERSION}/presto-cli-${PRESTO_VERSION}-executable.jar +ENV PRESTO_HOME=/opt/presto +ENV PATH=${PRESTO_HOME}/bin:${PATH} + +WORKDIR $PRESTO_HOME + +RUN set -xe \ + && apk add --no-cache curl less python tar \ + && curl -sSL $PRESTO_SERVER_URL | tar xz --strip 1 \ + && curl -sSL $PRESTO_CLI_URL > ./bin/presto \ + && chmod +x ./bin/presto \ + && apk del curl tar + +VOLUME /data + +EXPOSE 8080 + +ENTRYPOINT ["launcher"] +CMD ["run"] diff --git a/prestodb/Dockerfile.debian b/prestodb/Dockerfile.debian new file mode 100644 index 0000000..b6c30d9 --- /dev/null +++ b/prestodb/Dockerfile.debian 
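Review bot: `command: --default-authentication-plugin=mysql_native_password` switches MySQL 8 away from its default `caching_sha2_password` for every account, presumably because the PHP client in the PrestaShop image cannot negotiate the newer plugin; if that is the reason, record it (`# PHP client in this image cannot use caching_sha2_password; remove once it can`) so the downgrade is revisited rather than inherited. The mysql service still has no volume, so the shop database lives in the container's writable layer and is lost when the container is recreated; a `./db:/var/lib/mysql` mount alongside the new `./data:/var/www/html` would match the intent of persisting the shop. `links:` and the version-less format are legacy compose; the `unless-stopped` policy is fine.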
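Review bot: `curl -sSL $PRESTO_SERVER_URL | tar xz --strip 1` and `curl -sSL $PRESTO_CLI_URL > ./bin/presto` install the server and a CLI that is then made executable without verifying either download, so a corrupted or substituted artifact is silently accepted. The version is already pinned by `PRESTO_VERSION`; pinning a digest beside it and checking before extraction closes the gap, as sketched below. `apk add python` on this base is likely Python 2, which the Presto `launcher` still accepts but which is end-of-life, so a comment stating that intent would help the next maintainer. Dockerfile.debian in the same directory and both prestosql Dockerfiles later in this diff have the same unverified-download pattern; `MAINTAINER` is deprecated in favour of `LABEL`.
```dockerfile
# pinned together with PRESTO_VERSION; update both when bumping
ENV PRESTO_SERVER_SHA256=<sha256-of-presto-server-tarball>
RUN set -xe \
    && apk add --no-cache curl less python tar \
    && curl -sSL $PRESTO_SERVER_URL -o /tmp/presto-server.tar.gz \
    && echo "${PRESTO_SERVER_SHA256}  /tmp/presto-server.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/presto-server.tar.gz --strip 1 \
    && rm /tmp/presto-server.tar.gz \
    # ... unchanged: CLI download (verify the same way), chmod +x, apk del ...
```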
@@ -0,0 +1,30 @@ +# +# Dockerfile for prestodb +# + +FROM openjdk:8-jre-slim-buster +MAINTAINER kev + +ENV PRESTO_VERSION=0.227 +ENV PRESTO_SERVER_URL=https://repo1.maven.org/maven2/com/facebook/presto/presto-server/${PRESTO_VERSION}/presto-server-${PRESTO_VERSION}.tar.gz +ENV PRESTO_CLI_URL=https://repo1.maven.org/maven2/com/facebook/presto/presto-cli/${PRESTO_VERSION}/presto-cli-${PRESTO_VERSION}-executable.jar +ENV PRESTO_HOME=/opt/presto +ENV PATH=${PRESTO_HOME}/bin:${PATH} + +WORKDIR $PRESTO_HOME + +RUN set -xe \ + && apt-get update \ + && apt-get install -y curl less python \ + && curl -sSL $PRESTO_SERVER_URL | tar xz --strip 1 \ + && curl -sSL $PRESTO_CLI_URL > ./bin/presto \ + && chmod +x ./bin/presto \ + && apt-get remove -y curl \ + && rm -rf /var/lib/apt/lists/* + +VOLUME /data + +EXPOSE 8080 + +ENTRYPOINT ["launcher"] +CMD ["run"] diff --git a/prestodb/README.md b/prestodb/README.md new file mode 100644 index 0000000..406b58c --- /dev/null +++ b/prestodb/README.md 
@@ -0,0 +1,48 @@ +prestodb +======== + +[Presto][1] is an open source distributed SQL query engine for running +interactive analytic queries against data sources of all sizes ranging from +gigabytes to petabytes. + +## standalone mode + +```yaml +prestodb: + image: vimagick/prestodb + ports: + - "8080:8080" + volumes: + - ./conf/standalone:/opt/presto/etc:ro + - /data:/data + restart: unless-stopped +``` + +## cluster mode + +```bash +$ ansible all -a 'mkdir -p /data' + +$ docker stack deploy -c docker-stack.yml prestodb + +$ docker service update --replicas-max-per-node=1 prestodb_worker + +$ docker service update --replicas=10 prestodb_worker + +$ docker ps | grep prestodb_coordinator | awk '{print $1}' +4cc5c6c420d7 + +$ docker exec -it 4cc5c6c420d7 presto --server localhost:8080 --catalog tpch +>>> show schemas; +>>> show tables from tiny; +>>> select * from tiny.customer limit 10; +>>> quit + +$ curl http://localhost:8080/ui/ + +$ curl http://localhost:8080/v1/service/presto/general +``` + +> :warning: If volume settings are changed, you need to remove them manually on all nodes. + +[1]: https://prestodb.github.io/ diff --git a/prestodb/conf/coordinator/catalog/jmx.properties b/prestodb/conf/coordinator/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestodb/conf/coordinator/catalog/jmx.properties @@ -0,0 +1 @@ +connector.name=jmx diff --git a/prestodb/conf/coordinator/catalog/memory.properties b/prestodb/conf/coordinator/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestodb/conf/coordinator/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestodb/conf/coordinator/catalog/tpcds.properties b/prestodb/conf/coordinator/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestodb/conf/coordinator/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds 
diff --git a/prestodb/conf/coordinator/catalog/tpch.properties b/prestodb/conf/coordinator/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestodb/conf/coordinator/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestodb/conf/coordinator/config.properties b/prestodb/conf/coordinator/config.properties new file mode 100644 index 0000000..bb11096 --- /dev/null +++ b/prestodb/conf/coordinator/config.properties @@ -0,0 +1,9 @@ +coordinator=true +node-scheduler.include-coordinator=false +http-server.http.port=8080 +query.max-memory=50GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery-server.enabled=true +discovery.uri=http://127.0.0.1:8080 +node.internal-address=coordinator diff --git a/prestodb/conf/coordinator/jvm.config b/prestodb/conf/coordinator/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestodb/conf/coordinator/jvm.config @@ -0,0 +1,9 @@ +-server +-Xmx16G +-XX:+UseG1GC +-XX:G1HeapRegionSize=32M +-XX:+UseGCOverheadLimit +-XX:+ExplicitGCInvokesConcurrent +-XX:+HeapDumpOnOutOfMemoryError +-XX:+ExitOnOutOfMemoryError +-XX:OnOutOfMemoryError=kill -9 %p diff --git a/prestodb/conf/coordinator/log.properties b/prestodb/conf/coordinator/log.properties new file mode 100644 index 0000000..1c52627 --- /dev/null +++ b/prestodb/conf/coordinator/log.properties @@ -0,0 +1 @@ +com.facebook.presto=INFO diff --git a/prestodb/conf/coordinator/node.properties b/prestodb/conf/coordinator/node.properties new file mode 100644 index 0000000..24ee579 --- /dev/null +++ b/prestodb/conf/coordinator/node.properties @@ -0,0 +1,3 @@ +node.environment=production +node.data-dir=/data +node.id=coordinator diff --git a/prestodb/conf/standalone/catalog/jmx.properties b/prestodb/conf/standalone/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestodb/conf/standalone/catalog/jmx.properties @@ -0,0 +1 @@ +connector.name=jmx 
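Review bot: `http-server.http.port=8080` with no `http-server.authentication.type` and a plain `http://` discovery URI configures the coordinator for unauthenticated HTTP, and docker-stack.yml later in this diff publishes that port on every swarm node; in that mode Presto trusts whatever user name the client sends, so anyone who can reach 8080 can query every catalog and read the web UI. If the service must be reachable beyond the overlay network, put TLS and an authentication type in front of it, or at least bind the published port to a trusted interface. A one-line comment in the file, `# no authentication configured: expose port 8080 only on a trusted network`, would make the assumption visible to whoever copies this config. The standalone and worker config.properties in this diff have the same shape, the worker also discovering over plain `http://coordinator:8080`.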
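Review bot: `-XX:+ExitOnOutOfMemoryError` and `-XX:OnOutOfMemoryError=kill -9 %p` both appear; the first already terminates the JVM on the first OOM, so on the JDK 8 build the base image provides the second is redundant and only invites the question of which runs first. Keep one of them, with a comment noting which JVM versions it targets. `-Xmx16G` is a fixed heap inside containers that get no memory limit in the stack file, so a comment on the expected node size (`# assumes >= 20 GB RAM per node; lower for smaller hosts`) would prevent OOM-kills on undersized workers. The same jvm.config is repeated verbatim for standalone and worker.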
diff --git a/prestodb/conf/standalone/catalog/memory.properties b/prestodb/conf/standalone/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestodb/conf/standalone/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestodb/conf/standalone/catalog/tpcds.properties b/prestodb/conf/standalone/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestodb/conf/standalone/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds diff --git a/prestodb/conf/standalone/catalog/tpch.properties b/prestodb/conf/standalone/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestodb/conf/standalone/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestodb/conf/standalone/config.properties b/prestodb/conf/standalone/config.properties new file mode 100644 index 0000000..d54e2a1 --- /dev/null +++ b/prestodb/conf/standalone/config.properties @@ -0,0 +1,8 @@ +coordinator=true +node-scheduler.include-coordinator=true +http-server.http.port=8080 +query.max-memory=5GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery-server.enabled=true +discovery.uri=http://127.0.0.1:8080 diff --git a/prestodb/conf/standalone/jvm.config b/prestodb/conf/standalone/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestodb/conf/standalone/jvm.config @@ -0,0 +1,9 @@ +-server +-Xmx16G +-XX:+UseG1GC +-XX:G1HeapRegionSize=32M +-XX:+UseGCOverheadLimit +-XX:+ExplicitGCInvokesConcurrent +-XX:+HeapDumpOnOutOfMemoryError +-XX:+ExitOnOutOfMemoryError +-XX:OnOutOfMemoryError=kill -9 %p diff --git a/prestodb/conf/standalone/log.properties b/prestodb/conf/standalone/log.properties new file mode 100644 index 0000000..1c52627 --- /dev/null +++ b/prestodb/conf/standalone/log.properties @@ -0,0 +1 @@ +com.facebook.presto=INFO 
diff --git a/prestodb/conf/standalone/node.properties b/prestodb/conf/standalone/node.properties new file mode 100644 index 0000000..f2cf0e0 --- /dev/null +++ b/prestodb/conf/standalone/node.properties @@ -0,0 +1,3 @@ +node.environment=production +node.data-dir=/data +node.id=standalone diff --git a/prestodb/conf/worker/catalog/jmx.properties b/prestodb/conf/worker/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestodb/conf/worker/catalog/jmx.properties @@ -0,0 +1 @@ +connector.name=jmx diff --git a/prestodb/conf/worker/catalog/memory.properties b/prestodb/conf/worker/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestodb/conf/worker/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestodb/conf/worker/catalog/tpcds.properties b/prestodb/conf/worker/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestodb/conf/worker/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds diff --git a/prestodb/conf/worker/catalog/tpch.properties b/prestodb/conf/worker/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestodb/conf/worker/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestodb/conf/worker/config.properties b/prestodb/conf/worker/config.properties new file mode 100644 index 0000000..2be3f48 --- /dev/null +++ b/prestodb/conf/worker/config.properties @@ -0,0 +1,7 @@ +coordinator=false +http-server.http.port=8080 +query.max-memory=50GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery.uri=http://coordinator:8080 +#node.internal-address=worker1 diff --git a/prestodb/conf/worker/jvm.config b/prestodb/conf/worker/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestodb/conf/worker/jvm.config 
@@ -0,0 +1,9 @@ +-server +-Xmx16G +-XX:+UseG1GC +-XX:G1HeapRegionSize=32M +-XX:+UseGCOverheadLimit +-XX:+ExplicitGCInvokesConcurrent +-XX:+HeapDumpOnOutOfMemoryError +-XX:+ExitOnOutOfMemoryError +-XX:OnOutOfMemoryError=kill -9 %p diff --git a/prestodb/conf/worker/log.properties b/prestodb/conf/worker/log.properties new file mode 100644 index 0000000..1c52627 --- /dev/null +++ b/prestodb/conf/worker/log.properties @@ -0,0 +1 @@ +com.facebook.presto=INFO diff --git a/prestodb/conf/worker/node.properties b/prestodb/conf/worker/node.properties new file mode 100644 index 0000000..2a9d1e8 --- /dev/null +++ b/prestodb/conf/worker/node.properties @@ -0,0 +1,3 @@ +node.environment=production +node.data-dir=/data +#node.id=worker1 diff --git a/prestodb/docker-compose.yml b/prestodb/docker-compose.yml new file mode 100644 index 0000000..c55bf65 --- /dev/null +++ b/prestodb/docker-compose.yml @@ -0,0 +1,20 @@ +nfs: + image: erichough/nfs-server + ports: + - "111:111/tcp" + - "111:111/udp" + - "2049:2049/tcp" + - "2049:2049/udp" + - "32765:32765/tcp" + - "32765:32765/udp" + - "32767:32767/tcp" + - "32767:32767/udp" + volumes: + - ./conf:/export/presto:ro + - /lib/modules:/lib/modules:ro + environment: + - NFS_LOG_LEVEL=DEBUG + - NFS_EXPORT_0=/export/prestodb/coordinator *(ro,no_subtree_check) + - NFS_EXPORT_1=/export/prestodb/worker1 *(ro,no_subtree_check) + privileged: true + restart: unless-stopped diff --git a/prestodb/docker-stack.yml b/prestodb/docker-stack.yml new file mode 100644 index 0000000..87030f2 --- /dev/null +++ b/prestodb/docker-stack.yml 
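Review bot: The export paths do not match the mount: the volume is `./conf:/export/presto:ro` but `NFS_EXPORT_0`/`NFS_EXPORT_1` export `/export/prestodb/coordinator` and `/export/prestodb/worker1`, which will not exist inside the container, and docker-stack.yml later in this diff mounts `:/export/prestodb/worker` rather than `worker1` while the repository directory is `conf/worker`. Changing the volume to `./conf:/export/prestodb:ro` and the second export to `NFS_EXPORT_1=/export/prestodb/worker *(ro,no_subtree_check)` makes all three agree. The `*` client spec lets any host that can reach the published 111/2049 ports mount the configs, and `privileged: true` gives the NFS container full host access, so restrict the client to the swarm subnet (for example `10.0.0.0/24(ro,no_subtree_check)`, constructed to match the `addr=10.0.0.1` the stack uses) and drop `NFS_LOG_LEVEL=DEBUG` once bring-up is done. The worker jvm.config, log.properties and node.properties hunks on this line are straight copies of the coordinator's.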
@@ -0,0 +1,50 @@ +version: "3.7" + +services: + + coordinator: + image: vimagick/prestodb:alpine + ports: + - "8080:8080" + volumes: + - /data:/data + - prestodb_coordinator_conf:/opt/presto/etc + deploy: + replicas: 1 + placement: + constraints: + - node.role == manager + restart_policy: + condition: on-failure + + worker: + image: vimagick/prestodb:alpine + entrypoint: sh -c 'launcher run -Dnode.id=$$HOSTNAME' + volumes: + - /data:/data + - prestodb_worker_conf:/opt/presto/etc + deploy: + replicas: 0 + placement: + constraints: + - node.role == worker + restart_policy: + condition: on-failure + depends_on: + - coordinator + +volumes: + + prestodb_coordinator_conf: + driver: local + driver_opts: + type: nfs + o: "addr=10.0.0.1,nolock,soft,ro" + device: ":/export/prestodb/coordinator" + + prestodb_worker_conf: + driver: local + driver_opts: + type: nfs + o: "addr=10.0.0.1,nolock,soft,ro" + device: ":/export/prestodb/worker" diff --git a/prestosql/Dockerfile.alpine b/prestosql/Dockerfile.alpine new file mode 100644 index 0000000..d119dde --- /dev/null +++ b/prestosql/Dockerfile.alpine @@ -0,0 +1,28 @@ +# +# Dockerfile for prestosql +# + +FROM openjdk:8-jre-alpine +MAINTAINER kev + +ENV PRESTO_VERSION=322 +ENV PRESTO_SERVER_URL=https://repo1.maven.org/maven2/io/prestosql/presto-server/${PRESTO_VERSION}/presto-server-${PRESTO_VERSION}.tar.gz +ENV PRESTO_CLI_URL=https://repo1.maven.org/maven2/io/prestosql/presto-cli/${PRESTO_VERSION}/presto-cli-${PRESTO_VERSION}-executable.jar +ENV PRESTO_HOME=/opt/presto +ENV PATH=${PRESTO_HOME}/bin:${PATH} + +WORKDIR $PRESTO_HOME + +RUN set -xe \ + && apk add --no-cache curl less python tar \ + && curl -sSL $PRESTO_SERVER_URL | tar xz --strip 1 \ + && curl -sSL $PRESTO_CLI_URL > ./bin/presto \ + && chmod +x ./bin/presto \ + && apk del curl tar + +VOLUME /data + +EXPOSE 8080 + +ENTRYPOINT ["launcher"] +CMD ["run"] diff --git a/prestosql/Dockerfile.debian b/prestosql/Dockerfile.debian new file mode 100644 index 0000000..b192aed 
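Review bot: `depends_on` under `worker` has no effect when this file is deployed with `docker stack deploy` — swarm ignores it for version 3 files — so workers can come up before the coordinator and only `restart_policy: on-failure` papers over it; either remove the key or add a comment saying ordering is not guaranteed. The NFS volumes hard-code `addr=10.0.0.1`, which ties the file to one manager; a substitution such as `addr=${NFS_ADDR}` (variable name is a placeholder) keeps the address out of the committed file. The coordinator's `8080:8080` goes onto the ingress network of every node while `config.properties` configures no authentication, so the published port is reachable cluster-wide. The same layout is added in `prestosql/docker-stack.yml`.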
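Review bot: The server tarball and CLI jar are fetched with `curl -sSL ... | tar xz` and no integrity check; because the pipeline's exit status is tar's, a truncated or tampered download passes `set -e` and a half-extracted `/opt/presto` is baked into the image. Download to a file, verify it against a checksum pinned in the Dockerfile (take it from the checksum files Maven Central publishes beside the artifact, on a download you have verified), then extract — and do the same for the CLI jar; `prestosql/Dockerfile.debian` has the identical pattern. `launcher` also runs as root, so a compromised connector owns the container; a dedicated user is cheap here. `MAINTAINER` is deprecated in favour of `LABEL maintainer=`.
```dockerfile
ENV PRESTO_SERVER_SHA256=<PLACEHOLDER: sha256 of presto-server-322.tar.gz from a verified download>
# … unchanged: PRESTO_CLI_URL, PRESTO_HOME, PATH, WORKDIR …
RUN set -xe \
    && apk add --no-cache curl less python tar \
    && curl -sSL -o /tmp/presto-server.tar.gz "$PRESTO_SERVER_URL" \
    && echo "${PRESTO_SERVER_SHA256}  /tmp/presto-server.tar.gz" | sha256sum -c - \
    && tar xzf /tmp/presto-server.tar.gz --strip 1 \
    && rm /tmp/presto-server.tar.gz \
    && curl -sSL "$PRESTO_CLI_URL" > ./bin/presto \
    && chmod +x ./bin/presto \
    && apk del curl tar \
    && adduser -D -h "$PRESTO_HOME" presto \
    && mkdir -p /data \
    && chown -R presto "$PRESTO_HOME" /data
# … unchanged: VOLUME, EXPOSE …
USER presto
```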
--- /dev/null +++ b/prestosql/Dockerfile.debian @@ -0,0 +1,30 @@ +# +# Dockerfile for prestosql +# + +FROM openjdk:8-jre-slim-buster +MAINTAINER kev + +ENV PRESTO_VERSION=322 +ENV PRESTO_SERVER_URL=https://repo1.maven.org/maven2/io/prestosql/presto-server/${PRESTO_VERSION}/presto-server-${PRESTO_VERSION}.tar.gz +ENV PRESTO_CLI_URL=https://repo1.maven.org/maven2/io/prestosql/presto-cli/${PRESTO_VERSION}/presto-cli-${PRESTO_VERSION}-executable.jar +ENV PRESTO_HOME=/opt/presto +ENV PATH=${PRESTO_HOME}/bin:${PATH} + +WORKDIR $PRESTO_HOME + +RUN set -xe \ + && apt-get update \ + && apt-get install -y curl less python \ + && curl -sSL $PRESTO_SERVER_URL | tar xz --strip 1 \ + && curl -sSL $PRESTO_CLI_URL > ./bin/presto \ + && chmod +x ./bin/presto \ + && apt-get remove -y curl \ + && rm -rf /var/lib/apt/lists/* + +VOLUME /data + +EXPOSE 8080 + +ENTRYPOINT ["launcher"] +CMD ["run"] diff --git a/prestosql/README.md b/prestosql/README.md new file mode 100644 index 0000000..a3a562d --- /dev/null +++ b/prestosql/README.md 
@@ -0,0 +1,46 @@ +prestosql +======== + +[Presto][1] is a high performance, distributed SQL query engine for big data. + +## standalone mode + +```yaml +prestosql: + image: vimagick/prestosql:alpine + ports: + - "8080:8080" + volumes: + - ./conf/standalone:/opt/presto/etc:ro + - /data:/data + restart: unless-stopped +``` + +## cluster mode + +```bash +$ ansible all -a 'mkdir -p /data' + +$ docker stack deploy -c docker-stack.yml prestosql + +$ docker service update --replicas-max-per-node=1 prestosql_worker + +$ docker service update --replicas=10 prestosql_worker + +$ docker ps | grep prestosql_coordinator | awk '{print $1}' +4cc5c6c420d7 + +$ docker exec -it 4cc5c6c420d7 presto --server localhost:8080 --catalog tpch +>>> show schemas; +>>> show tables from tiny; +>>> select * from tiny.customer limit 10; +>>> quit + +$ curl http://localhost:8080/ui/ + +$ curl http://localhost:8080/v1/service/presto/general +``` + +> :warning: If volume settings are changed, you need to remove them manually on all nodes. + +[1]: https://prestosql.io/ diff --git a/prestosql/conf/coordinator/catalog/jmx.properties b/prestosql/conf/coordinator/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestosql/conf/coordinator/catalog/jmx.properties @@ -0,0 +1 @@ +connector.name=jmx diff --git a/prestosql/conf/coordinator/catalog/memory.properties b/prestosql/conf/coordinator/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestosql/conf/coordinator/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestosql/conf/coordinator/catalog/tpcds.properties b/prestosql/conf/coordinator/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestosql/conf/coordinator/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds 
diff --git a/prestosql/conf/coordinator/catalog/tpch.properties b/prestosql/conf/coordinator/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestosql/conf/coordinator/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestosql/conf/coordinator/config.properties b/prestosql/conf/coordinator/config.properties new file mode 100644 index 0000000..bb11096 --- /dev/null +++ b/prestosql/conf/coordinator/config.properties @@ -0,0 +1,9 @@ +coordinator=true +node-scheduler.include-coordinator=false +http-server.http.port=8080 +query.max-memory=50GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery-server.enabled=true +discovery.uri=http://127.0.0.1:8080 +node.internal-address=coordinator diff --git a/prestosql/conf/coordinator/jvm.config b/prestosql/conf/coordinator/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestosql/conf/coordinator/jvm.config @@ -0,0 +1,9 @@ +-server +-Xmx16G +-XX:+UseG1GC +-XX:G1HeapRegionSize=32M +-XX:+UseGCOverheadLimit +-XX:+ExplicitGCInvokesConcurrent +-XX:+HeapDumpOnOutOfMemoryError +-XX:+ExitOnOutOfMemoryError +-XX:OnOutOfMemoryError=kill -9 %p diff --git a/prestosql/conf/coordinator/log.properties b/prestosql/conf/coordinator/log.properties new file mode 100644 index 0000000..1c52627 --- /dev/null +++ b/prestosql/conf/coordinator/log.properties @@ -0,0 +1 @@ +com.facebook.presto=INFO diff --git a/prestosql/conf/coordinator/node.properties b/prestosql/conf/coordinator/node.properties new file mode 100644 index 0000000..24ee579 --- /dev/null +++ b/prestosql/conf/coordinator/node.properties @@ -0,0 +1,3 @@ +node.environment=production +node.data-dir=/data +node.id=coordinator diff --git a/prestosql/conf/standalone/catalog/jmx.properties b/prestosql/conf/standalone/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestosql/conf/standalone/catalog/jmx.properties 
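Review bot: `com.facebook.presto=INFO` in `prestosql/conf/coordinator/log.properties` is the prestodb logger name; the prestosql build this commit installs comes from `io/prestosql/presto-server` and its classes live under `io.prestosql`, so this line most likely matches no logger and leaves the level at the default. `io.prestosql=INFO` is the name that should take effect here — worth confirming against the server's own `etc/log.properties` template. The same copy is added as `prestosql/conf/standalone/log.properties` and `prestosql/conf/worker/log.properties`.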
@@ -0,0 +1 @@ +connector.name=jmx diff --git a/prestosql/conf/standalone/catalog/memory.properties b/prestosql/conf/standalone/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestosql/conf/standalone/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestosql/conf/standalone/catalog/tpcds.properties b/prestosql/conf/standalone/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestosql/conf/standalone/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds diff --git a/prestosql/conf/standalone/catalog/tpch.properties b/prestosql/conf/standalone/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestosql/conf/standalone/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestosql/conf/standalone/config.properties b/prestosql/conf/standalone/config.properties new file mode 100644 index 0000000..d54e2a1 --- /dev/null +++ b/prestosql/conf/standalone/config.properties @@ -0,0 +1,8 @@ +coordinator=true +node-scheduler.include-coordinator=true +http-server.http.port=8080 +query.max-memory=5GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery-server.enabled=true +discovery.uri=http://127.0.0.1:8080 diff --git a/prestosql/conf/standalone/jvm.config b/prestosql/conf/standalone/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestosql/conf/standalone/jvm.config @@ -0,0 +1,9 @@ +-server +-Xmx16G +-XX:+UseG1GC +-XX:G1HeapRegionSize=32M +-XX:+UseGCOverheadLimit +-XX:+ExplicitGCInvokesConcurrent +-XX:+HeapDumpOnOutOfMemoryError +-XX:+ExitOnOutOfMemoryError +-XX:OnOutOfMemoryError=kill -9 %p diff --git a/prestosql/conf/standalone/log.properties b/prestosql/conf/standalone/log.properties new file mode 100644 index 0000000..1c52627 --- /dev/null +++ b/prestosql/conf/standalone/log.properties @@ -0,0 +1 @@ +com.facebook.presto=INFO 
diff --git a/prestosql/conf/standalone/node.properties b/prestosql/conf/standalone/node.properties new file mode 100644 index 0000000..f2cf0e0 --- /dev/null +++ b/prestosql/conf/standalone/node.properties @@ -0,0 +1,3 @@ +node.environment=production +node.data-dir=/data +node.id=standalone diff --git a/prestosql/conf/worker/catalog/jmx.properties b/prestosql/conf/worker/catalog/jmx.properties new file mode 100644 index 0000000..b6e0372 --- /dev/null +++ b/prestosql/conf/worker/catalog/jmx.properties @@ -0,0 +1 @@ +connector.name=jmx diff --git a/prestosql/conf/worker/catalog/memory.properties b/prestosql/conf/worker/catalog/memory.properties new file mode 100644 index 0000000..833abd3 --- /dev/null +++ b/prestosql/conf/worker/catalog/memory.properties @@ -0,0 +1 @@ +connector.name=memory diff --git a/prestosql/conf/worker/catalog/tpcds.properties b/prestosql/conf/worker/catalog/tpcds.properties new file mode 100644 index 0000000..ba8147d --- /dev/null +++ b/prestosql/conf/worker/catalog/tpcds.properties @@ -0,0 +1 @@ +connector.name=tpcds diff --git a/prestosql/conf/worker/catalog/tpch.properties b/prestosql/conf/worker/catalog/tpch.properties new file mode 100644 index 0000000..75110c5 --- /dev/null +++ b/prestosql/conf/worker/catalog/tpch.properties @@ -0,0 +1 @@ +connector.name=tpch diff --git a/prestosql/conf/worker/config.properties b/prestosql/conf/worker/config.properties new file mode 100644 index 0000000..2be3f48 --- /dev/null +++ b/prestosql/conf/worker/config.properties @@ -0,0 +1,7 @@ +coordinator=false +http-server.http.port=8080 +query.max-memory=50GB +query.max-memory-per-node=1GB +query.max-total-memory-per-node=2GB +discovery.uri=http://coordinator:8080 +#node.internal-address=worker1 diff --git a/prestosql/conf/worker/jvm.config b/prestosql/conf/worker/jvm.config new file mode 100644 index 0000000..afd8e8a --- /dev/null +++ b/prestosql/conf/worker/jvm.config 
@@ -0,0 +1,9 @@
+-server
+-Xmx16G
+-XX:+UseG1GC
+-XX:G1HeapRegionSize=32M
+-XX:+UseGCOverheadLimit
+-XX:+ExplicitGCInvokesConcurrent
+-XX:+HeapDumpOnOutOfMemoryError
+-XX:+ExitOnOutOfMemoryError
+-XX:OnOutOfMemoryError=kill -9 %p
diff --git a/prestosql/conf/worker/log.properties b/prestosql/conf/worker/log.properties
new file mode 100644
index 0000000..1c52627
--- /dev/null
+++ b/prestosql/conf/worker/log.properties
@@ -0,0 +1 @@
+com.facebook.presto=INFO
diff --git a/prestosql/conf/worker/node.properties b/prestosql/conf/worker/node.properties
new file mode 100644
index 0000000..2a9d1e8
--- /dev/null
+++ b/prestosql/conf/worker/node.properties
@@ -0,0 +1,3 @@
+node.environment=production
+node.data-dir=/data
+#node.id=worker1
diff --git a/prestosql/docker-stack.yml b/prestosql/docker-stack.yml
new file mode 100644
index 0000000..cdd1540
--- /dev/null
+++ b/prestosql/docker-stack.yml
@@ -0,0 +1,50 @@
+version: "3.7"
+
+services:
+
+ coordinator:
+ image: vimagick/prestosql:alpine
+ ports:
+ - "8080:8080"
+ volumes:
+ - /data:/data
+ - prestosql_coordinator_conf:/opt/presto/etc
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+
+ worker:
+ image: vimagick/prestosql:alpine
+ entrypoint: sh -c 'launcher run -Dnode.id=$$HOSTNAME'
+ volumes:
+ - /data:/data
+ - prestosql_worker_conf:/opt/presto/etc
+ deploy:
+ replicas: 0
+ placement:
+ constraints:
+ - node.role == worker
+ restart_policy:
+ condition: on-failure
+ depends_on:
+ - coordinator
+
+volumes:
+
+ prestosql_coordinator_conf:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: "addr=10.0.0.1,nolock,soft,ro"
+ device: ":/export/prestosql/coordinator"
+
+ prestosql_worker_conf:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: "addr=10.0.0.1,nolock,soft,ro"
+ device: ":/export/prestosql/worker"
diff --git a/pure-ftpd/Dockerfile b/pure-ftpd/Dockerfile
index 2660844..c88e8b6 100644
--- a/pure-ftpd/Dockerfile
+++ b/pure-ftpd/Dockerfile
@@ -2,7 +2,7 @@ # Dockerfile for pure-ftpd # -FROM debian:jessie +FROM debian:buster MAINTAINER kev RUN set -xe \ @@ -15,4 +15,5 @@ RUN set -xe \ EXPOSE 21 VOLUME /home/ftpuser /etc/pure-ftpd -CMD ["pure-ftpd", "--login", "puredb:/etc/pure-ftpd/pureftpd.pdb", "--createhomedir"] +ENTRYPOINT ["pure-ftpd"] +CMD ["/etc/pure-ftpd/pureftpd.conf"] diff --git a/pure-ftpd/README.md b/pure-ftpd/README.md index 0050129..ecc4f33 100644 --- a/pure-ftpd/README.md +++ b/pure-ftpd/README.md @@ -9,13 +9,12 @@ efficiency and ease of use. It provides simple answers to common needs, plus unique useful features for personal users as well as hosting providers. -## ~/fig/pureftpd/docker-compose.yml +## docker-compose.yml ```yaml -pureftpd: +pure-ftpd: image: vimagick/pure-ftpd - ports: - - "21:21" + net: host volumes: - ./data/ftpuser:/home/ftpuser - ./data/pure-ftpd:/etc/pure-ftpd @@ -23,16 +22,14 @@ pureftpd: restart: always ``` -> We only need to expose port `21` to accept client ftp connection. -> Pure-FTPd will open random port to accept client ftp-data connection. -> At this time, host machine is a router for DNAT. +> Please config firewall according to `PassivePortRange`. ## server ```bash -$ cd ~/fig/pureftpd/ +$ cd ~/fig/pure-ftpd/ $ docker-compose up -d -$ docker-compose exec pureftpd bash +$ docker-compose exec pure-ftpd bash >>> pure-pw useradd kev -u ftpuser -d /home/ftpuser/kev -t 1024 -T 1024 -y 1 -m >>> pure-pw list >>> pure-pw show kev @@ -48,6 +45,7 @@ $ tree -F │   └── kev/ │   └── file.txt └── pure-ftpd/ + ├── pure-ftpd.conf ├── pureftpd.passwd └── pureftpd.pdb ``` diff --git a/pure-ftpd/data/ftpuser/.gitkeep b/pure-ftpd/data/ftpuser/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/pure-ftpd/data/pure-ftpd/pure-ftpd.conf b/pure-ftpd/data/pure-ftpd/pure-ftpd.conf new file mode 100644 index 0000000..ba8dab7 --- /dev/null +++ b/pure-ftpd/data/pure-ftpd/pure-ftpd.conf 
@@ -0,0 +1,8 @@
+ChrootEveryone yes
+CreateHomeDir yes
+DontResolve yes
+MaxClientsNumber 100
+MaxClientsPerIP 10
+NoAnonymous yes
+PassivePortRange 50000 50099
+PureDB /etc/pure-ftpd/pureftpd.pdb
diff --git a/pure-ftpd/docker-compose.yml b/pure-ftpd/docker-compose.yml
index c17beb9..71de884 100644
--- a/pure-ftpd/docker-compose.yml
+++ b/pure-ftpd/docker-compose.yml
@@ -1,7 +1,6 @@
 pure-ftpd:
 image: vimagick/pure-ftpd
- ports:
- - "21:21"
+ net: host
 volumes:
 - ./data/ftpuser:/home/ftpuser
 - ./data/pure-ftpd:/etc/pure-ftpd
diff --git a/rabbitmq/README.md b/rabbitmq/README.md
new file mode 100644
index 0000000..f662688
--- /dev/null
+++ b/rabbitmq/README.md
@@ -0,0 +1,26 @@
+Rabbit MQ
+=======
+localhost 15672
+user guest
+pw guest
+
+
+```bash
+# Config
+[
+ {rabbit,
+ [
+ %% The default "guest" user is only permitted to access the server
+ %% via a loopback interface (e.g. localhost).
+ %% {loopback_users, [<<"guest">>]},
+ %%
+ %% Uncomment the following line if you want to allow access to the
+ %% guest user from anywhere on the network.
+ {loopback_users, []},
+ {default_vhost, "/"},
+ {default_user, "guest"},
+ {default_pass, "guest"},
+ {default_permissions, [".*", ".*", ".*"]}
+ ]}
+].
+```
diff --git a/rabbitmq/docker-compose.yml b/rabbitmq/docker-compose.yml
new file mode 100644
index 0000000..97234c9
--- /dev/null
+++ b/rabbitmq/docker-compose.yml
@@ -0,0 +1,14 @@
+version: '3'
+
+services:
+
+ rabbitmq:
+ image: "rabbitmq:3-management"
+ hostname: "rabbit"
+ ports:
+ - "15672:15672"
+ - "5672:5672"
+ labels:
+ NAME: "rabbitmq"
+ volumes:
+ - ./rabbitmq-isolated.conf:/etc/rabbitmq/rabbitmq.config
\ No newline at end of file
diff --git a/registry/README.md b/registry/README.md
index b01e0d3..e41cf31 100644
--- a/registry/README.md
+++ b/registry/README.md
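Review bot: The new `pure-ftpd.conf` enables chroot and disables anonymous logins but never turns on TLS, so every login against `pureftpd.pdb` travels in cleartext — and with `pure-ftpd/docker-compose.yml` in this commit switching from `ports: 21:21` to `net: host`, port 21 and the passive range 50000–50099 are now bound on every host interface rather than one published port. Add `TLS 1` (or `TLS 2` to refuse plaintext logins outright) together with `CertFile /etc/pure-ftpd/pure-ftpd.pem`, which lands in the already-mounted `./data/pure-ftpd` directory. Behind NAT, `ForcePassiveIP` also needs setting or the advertised passive addresses will be the container's, not the host's.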
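Review bot: `rabbitmq/docker-compose.yml` publishes 5672 and 15672 on all interfaces while the config the README in this commit documents sets `{loopback_users, []}` and keeps `guest`/`guest`, which removes the only restriction the default account has; set `RABBITMQ_DEFAULT_USER`/`RABBITMQ_DEFAULT_PASS` via an `env_file` (not inline here) or at least bind the management port as `"127.0.0.1:15672:15672"`. The mounted `./rabbitmq-isolated.conf` does not appear anywhere in this diff, so the service will start with a missing or host-created bind mount unless the file is added; its contents should be the Erlang-term config the README shows, since it is mounted under the classic `rabbitmq.config` name.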
@@ -60,33 +60,45 @@ proxy: $ docker-compose restart ``` +> :warning: You cannot use it as registry+mirror at the same time. + ## Client Setup ```bash -$ scp registry.easypi.info:fig/registry/certs/domain.crt \ - /etc/docker/certs.d/registry.easypi.info:5000/ca.crt +$ scp registry.easypi.pro:fig/registry/certs/domain.crt \ + /etc/docker/certs.d/registry.easypi.pro:5000/ca.crt -$ systemctl edit docker -# /etc/systemd/system/docker.service.d/override.conf -[Service] -ExecStart= -ExecStart=/usr/bin/dockerd -H fd:// --registry-mirror https://registry.easypi.info:5000 +$ vim /etc/docker/daemon.json +{ + "registry-mirrors": [ + "https://registry.easypi.pro:5000" + ], + "insecure-registries": [ + "registry.easypi.pro" + ], + "log-driver": "json-file", + "log-opts": { + "max-size": "10m", + "max-file": "3" + } +} -$ systemctl daemon-reload -$ systemctl restart docker +$ systemctl reload docker +$ docker info $ docker pull alpine -$ docker tag alpine registry.easypi.info:5000/alpine +$ docker tag alpine registry.easypi.pro:5000/alpine -$ docker login -u username -p password easypi.info:5000 -$ docker push registry.easypi.info:5000/alpine -$ docker rmi registry.easypi.info:5000/alpine -$ docker pull registry.easypi.info:5000/alpine +$ docker login -u username -p password easypi.pro:5000 +$ docker push registry.easypi.pro:5000/alpine +$ docker rmi registry.easypi.pro:5000/alpine +$ docker pull registry.easypi.pro:5000/alpine -$ firefox http://registry.easypi.info:8080 +$ curl -k -u username:password https://registry.easypi.pro:5000/v2/_catalog +$ curl -k -u username:password https://registry.easypi.pro:5000/v2/alpine/tags/list ``` -> Append `--insecure-registry registry.easypi.info:5000` option to disable TLS. +> :warning: Docker will connect [insecure-registries][2] via HTTPS first (ignore TLS error), then try HTTP. ## Read More 
@@ -94,5 +106,7 @@ $ firefox http://registry.easypi.info:8080 - https://github.com/docker/distribution/blob/master/docs/insecure.md - https://serversforhackers.com/tcp-load-balancing-with-nginx-ssl-pass-thru - https://github.com/docker/distribution/blob/master/docs/recipes/mirror.md +- https://docs.docker.com/registry/spec/api/ [1]: https://github.com/docker/distribution +[2]: https://docs.docker.com/registry/insecure/#deploy-a-plain-http-registry diff --git a/registry/docker-compose.oss.yml b/registry/docker-compose.oss.yml new file mode 100644 index 0000000..084637b --- /dev/null +++ b/registry/docker-compose.oss.yml @@ -0,0 +1,18 @@ +# +# See: https://docs.docker.com/registry/storage-drivers/oss/ +# + +registry: + image: registry:2 + ports: + - 5000:5000 + environment: + - REGISTRY_STORAGE=oss + - REGISTRY_STORAGE_OSS_ACCESSKEYID=xxxxxxxxxxxxxxxx + - REGISTRY_STORAGE_OSS_ACCESSKEYSECRET=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx + - REGISTRY_STORAGE_OSS_REGION=oss-us-west-1 + - REGISTRY_STORAGE_OSS_INTERNAL=true + - REGISTRY_STORAGE_OSS_BUCKET=easypi + - REGISTRY_STORAGE_OSS_SECURE=false + - REGISTRY_STORAGE_OSS_ROOTDIRECTORY=/registry/ + restart: always diff --git a/registry/docker-compose.yml b/registry/docker-compose.yml index 7ac2d9a..e20f4b6 100644 --- a/registry/docker-compose.yml +++ b/registry/docker-compose.yml @@ -1,3 +1,7 @@ +# +# See: https://docs.docker.com/registry/deploying/ +# + registry: image: registry:2 ports: diff --git a/rundeck/README.md b/rundeck/README.md new file mode 100644 index 0000000..30d54b0 --- /dev/null +++ b/rundeck/README.md 
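Review bot: `registry/docker-compose.oss.yml` puts `REGISTRY_STORAGE_OSS_ACCESSKEYID` and `REGISTRY_STORAGE_OSS_ACCESSKEYSECRET` inline in a committed file; the `xxxx` placeholders are harmless, but the pattern is exactly how a real key ends up in git history. Move both into an `env_file:` entry or `${REGISTRY_STORAGE_OSS_ACCESSKEYSECRET}` interpolation so the compose file stays secret-free. `REGISTRY_STORAGE_OSS_SECURE=false` sends blobs to OSS over plain HTTP; with `REGISTRY_STORAGE_OSS_INTERNAL=true` that is the provider's internal network, but `true` costs nothing and is the safer default. Nothing here configures TLS or `REGISTRY_AUTH` for port 5000 either, so this variant should sit behind the same TLS/auth front as the main `registry/docker-compose.yml`.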
@@ -0,0 +1,36 @@ +rundeck +======= + +[Rundeck Community][1] Turn your operations procedures into self-service jobs. +Safely give others the control and visibility they need. + +## docker-compose.yml + +```yaml +rundeck: + image: rundeck/rundeck:3.0.22 + ports: + - "4440:4440" + volumes: + - ./data/ssh:/home/rundeck/.ssh + - ./data/rundeck:/home/rundeck/server/data + environment: + - RUNDECK_SECURITY_HTTPHEADERS_ENABLED=false + mem_limit: 1024m + restart: always +``` + +Read [this][2] to use more environment variables. + +## up and running + +```bash +$ mkdir -p data/{rundeck,ssh,postgres} +$ chown -R 1000:1000 data +$ chmod 700 data/ssh +$ docker-compose up -d +$ curl http://127.0.0.1:4440 +``` + +[1]: https://www.rundeck.com/open-source +[2]: https://github.com/rundeck/rundeck/tree/master/docker/official diff --git a/rundeck/docker-compose.yml b/rundeck/docker-compose.yml new file mode 100644 index 0000000..e95a0d4 --- /dev/null +++ b/rundeck/docker-compose.yml @@ -0,0 +1,29 @@ +version: '3.5' + +services: + + rundeck: + image: rundeck/rundeck:3.0.23 + ports: + - "4440:4440" + volumes: + - ./data/ssh:/home/rundeck/.ssh + - ./data/rundeck:/home/rundeck/server/data + environment: + - RUNDECK_GRAILS_URL=https://rundeck.easypi.pro + - RUNDECK_SECURITY_HTTPHEADERS_ENABLED=true + - RUNDECK_DATABASE_DRIVER=org.postgresql.Driver + - RUNDECK_DATABASE_URL=jdbc:postgresql://postgres/rundeck + - RUNDECK_DATABASE_USERNAME=rundeck + - RUNDECK_DATABASE_PASSWORD=rundeck + restart: always + + postgres: + image: postgres:alpine + volumes: + - ./data/postgres:/var/lib/postgresql/data + environment: + - POSTGRES_USER=rundeck + - POSTGRES_PASSWORD=rundeck + - POSTGRES_DB=rundeck + restart: always diff --git a/samba/Dockerfile b/samba/Dockerfile index 6b9df96..88dddca 100644 --- a/samba/Dockerfile +++ b/samba/Dockerfile @@ -17,4 +17,4 @@ EXPOSE 137/udp \ 139/tcp \ 445/tcp -CMD nmbd -D && smbd -FS +CMD nmbd -D && smbd -FS --no-process-group 
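Review bot: `RUNDECK_DATABASE_PASSWORD=rundeck` and `POSTGRES_PASSWORD=rundeck` hard-code a guessable database password in the committed `rundeck/docker-compose.yml`; move both into an `env_file` kept out of git (or Docker secrets) and source them from one variable so the two cannot drift apart. The README added in the same commit still shows `rundeck/rundeck:3.0.22` and `RUNDECK_SECURITY_HTTPHEADERS_ENABLED=false` while this file uses `3.0.23` and `true`; pick one so the two documents agree. `./data/ssh:/home/rundeck/.ssh` mounts the private keys Rundeck uses to reach managed nodes — the README's `chmod 700 data/ssh` is the right step, and a comment on the volume line, `# private keys: keep 700/600, see README`, makes the requirement visible where the mount is defined.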
diff --git a/scrapyd/py3/Dockerfile b/scrapyd/py3/Dockerfile index 56ad375..4d4fc1a 100644 --- a/scrapyd/py3/Dockerfile +++ b/scrapyd/py3/Dockerfile @@ -61,4 +61,4 @@ COPY ./scrapyd.conf /etc/scrapyd/ VOLUME /etc/scrapyd/ /var/lib/scrapyd/ EXPOSE 6800 -CMD ["scrapyd"] +CMD ["scrapyd", "--pidfile="] diff --git a/sdc/README.md b/sdc/README.md new file mode 100644 index 0000000..34ed7e7 --- /dev/null +++ b/sdc/README.md @@ -0,0 +1,17 @@ +datacollector +============= + +[StreamSets Data Collector][1] - Continuous big data and cloud platform ingest infrastructure. + + +```bash +$ chmod 777 data +$ docker-compose up -d +$ docker-compose exec sdc id +uid=20159(sdc) gid=20159(sdc) groups=20159(sdc) +$ chown 20159:20159 data/*.properties +$ chmod 600 data/form-realm.properties +$ docker-compose restart +``` + +[1]: https://streamsets.com diff --git a/sdc/data/form-realm.properties b/sdc/data/form-realm.properties new file mode 100644 index 0000000..e1996a1 --- /dev/null +++ b/sdc/data/form-realm.properties 
@@ -0,0 +1,46 @@ +# +# Copyright 2017 StreamSets Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +#The format is +# : MD5:[,user,,,...,,,....] +# +# Supported roles are: admin, manager, creator, guest +# +# 'user' must always be present +# +# Prefix with 'group:' for group information for the user. +# + +# FORM authentication, password is same as user name +admin: MD5:21232f297a57a5a743894a0e4a801fc3,user,admin +guest: MD5:084e0343a0486ff05530df6c705c8bb4,user,guest +creator: MD5:ee2433259b0fe399b40e81d2c98a38b6,user,creator +manager: MD5:1d0258c2440a8d19e716292b231e3190,user,manager +user1: MD5:24c9e15e52afc47c225b757e7bee1f9d,user,manager,creator,group:dev +user2: MD5:7e58d63b60197ceb55a1c487989a3720,user,manager,creator,group:dev +user3: MD5:92877af70a45fd6a2ed7fe81e1236b78,user,manager,creator,group:test +user4: MD5:3f02ebe3d7929b091e3d8ccfde2f3bc6,user,manager,creator,group:test + + +# +# To compute the MD5 run the following command: +# +# OSX: +# $ echo -n "" | md5 +# +# Linux: +# $ echo -n "" | md5sum +# diff --git a/sdc/data/sdc.properties b/sdc/data/sdc.properties new file mode 100644 index 0000000..a07ff2d --- /dev/null +++ b/sdc/data/sdc.properties 
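Review bot: `sdc/data/form-realm.properties` ships eight accounts (`admin`, `guest`, `creator`, `manager`, `user1`–`user4`) whose hashes are, as the file's own comment states, of passwords equal to the user names, and they are unsalted MD5 — so the moment 18630 is reachable, `admin`/`admin` is a working login. Replace the hashes before first start (the file documents `echo -n "<password>" | md5sum`), delete the `guest` and `user1`–`user4` sample accounts, and keep the README's `chmod 600` so `http.realm.file.permission.check=true` in `sdc.properties` can actually reject a world-readable realm. Longer term, `http.authentication.login.module=ldap` avoids keeping password hashes on disk at all.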
@@ -0,0 +1,455 @@ +# +# Copyright 2017 StreamSets Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# + +# HTTP configuration + +# The base URL of the datacollector, used to create email alert messages. +# If not set http://: is used +# is either taken from http.bindHost or resolved using +# 'hostname -f' if not configured. +#sdc.base.http.url=http://: + +# Hostname or IP address that data collector will bind to. +# Default is 0.0.0.0 that will bind to all interfaces. +#http.bindHost=0.0.0.0 + +# Maximum number of HTTP servicing threads. +#http.maxThreads=200 + +# The port the data collector runs the SDC HTTP endpoint. +# If different that -1, the SDC will run on this port +# If 0, the SDC will pick up a random port +# If the https.port is different that -1 or 0 and http.port is different than -1 or 0, the HTTP endpoint +# will redirect to the HTTPS endpoint. +http.port=18630 + +# HTTPS configuration + +# The port the data collector runs the SDC HTTPS endpoint. +# If different that -1, the SDC will run over SSL on this port +# If 0, the SDC will pick up a random port +https.port=-1 + +# Enables HTTP/2 support for the SDC UI/REST API. If you are using any clients +# that do not support ALPN for protocol negotiation, leave this option disabled. +http2.enable=false + +# Reverse Proxy / Load Balancer configuration + +# SDC will handle X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Port +# headers issued by a reverse proxy such as HAProxy, ELB, nginx when set to true. 
+# Set to true when hosting SDC behind a reverse proxy / load balancer. +http.enable.forwarded.requests=false + +# Java keystore file, in the SDC 'etc/' configuration directory +https.keystore.path=keystore.jks + +# Password for the keystore file, +# By default, the password is loaded from the 'keystore-password.txt' +# from the SDC 'etc/' configuration directory +https.keystore.password=${file("keystore-password.txt")} + +# Path to keystore file on worker node. This should always be an absolute location +https.cluster.keystore.path=/opt/security/jks/sdc-keystore.jks + +# Password for keystore file on worker +https.cluster.keystore.password=${file("/opt/security/jks/keystore-password.txt")} + +# Truststore configs +# By default, if below configs are commented then cacerts from JRE lib directory will be used as truststore + +# Java truststore file on gateway sdc which stores certificates to trust identity of workers +#https.truststore.path= + +# Password for truststore file +#https.truststore.password= + +# Path to truststore file on worker node. This should always be an absolute location +#https.cluster.truststore.path=/opt/security/jks/sdc-truststore.jks + +# Password for truststore file on worker +#https.cluster.truststore.password=${file("/opt/security/jks/truststore-password.txt")} + +# HTTP Session Timeout +# Max period of inactivity, after which the HTTP session is invalidated, in seconds. +# Default value is 86400 seconds (24 hours) +# value -1 means no timeout +http.session.max.inactive.interval=86400 + +# The authentication for the HTTP endpoint of the data collector +# Valid values are: 'none', 'basic', 'digest', or 'form' +# +http.authentication=form + +# Authentication Login Module +# Valid values are: 'file' and 'ldap' +# For 'file', the authentication and role information is read from a property file (etc/basic-realm.properties, +# etc/digest-realm.properties or etc/form-realm.properties based on the 'http.authentication' value). 
+# For 'ldap', the authentication and role information is read from a LDAP Server +# and LDAP connection information is read from etc/ldap-login.conf. +http.authentication.login.module=file + +# The realm used for authentication +# A file with the realm name and '.properties' extension must exist in the data collector configuration directory +# If this property is not set, the realm name is '-realm' +#http.digest.realm=local-realm + +# Check the permissions of the realm file should be owner only +http.realm.file.permission.check=true + +# LDAP group to Data Collector role mapping +# the mapping is specified as the following pattern: +# :(,)*(;:(,)*)* +# e.g. +# Administrator:admin;Manager:manager;DevOP:creator;Tester:guest; +http.authentication.ldap.role.mapping= + +# LDAP login module name as present in the JAAS config file. +# If no value is specified, the login module name is assumed to be "ldap" +ldap.login.module.name=ldap + +# HTTP access control (CORS) +http.access.control.allow.origin=* +http.access.control.allow.headers=origin, content-type, cache-control, pragma, accept, authorization, x-requested-by, x-ss-user-auth-token, x-ss-rest-call +http.access.control.allow.methods=GET, POST, PUT, DELETE, OPTIONS, HEAD + +# Runs the data collector within a Kerberos session which is propagated to all stages. +# This is useful for stages that require Kerberos authentication with the services they interact with +kerberos.client.enabled=false + +# The kerberos principal to use for the Kerberos session. +# It should be a service principal. If the hostname part of the service principal is '_HOST' or '0.0.0.0', +# the hostname will be replaced with the actual complete hostname of the data collector as advertised by the +# unix command 'hostname -f' +kerberos.client.principal=sdc/_HOST@EXAMPLE.COM + +# The location of the keytab file for the specified principal. 
If the path is relative, the keytab file will be +# looked under the data collector configuration directory +kerberos.client.keytab=sdc.keytab + +preview.maxBatchSize=10 +preview.maxBatches=10 + +production.maxBatchSize=1000 + +#Specifies the buffer size for Overrun parsers - including JSON, XML and CSV. +#This parameter is specified in bytes, and must be greater than +#1048576 bytes (which is the default size). +#parser.limit=5335040 + +#This option determines the number of error records, per stage, that will be retained in memory when the pipeline is +#running. If set to zero, error records will not be retained in memory. +#If the specified limit is reached the oldest records will be discarded to make room for the newest one. +production.maxErrorRecordsPerStage=100 + +#This option determines the number of pipeline errors that will be retained in memory when the pipeline is +#running. If set to zero, pipeline errors will not be retained in memory. +#If the specified limit is reached the oldest error will be discarded to make room for the newest one. +production.maxPipelineErrors=100 + +# Max number of concurrent REST calls allowed for the /rest/v1/admin/log endpoint +max.logtail.concurrent.requests=5 + +# Max number of concurrent WebSocket calls allowed +max.webSockets.concurrent.requests=15 + +# Pipeline Sharing / ACLs +pipeline.access.control.enabled=false + +# Customize header title for SDC UI +# You can pass any HTML tags here +# Example: +# For Text - New Brand Name +# For Image - +ui.header.title= + +ui.local.help.base.url=/docs +ui.hosted.help.base.url=https://www.streamsets.com/documentation/datacollector/3.8.0-SNAPSHOT/userguide/help + +ui.refresh.interval.ms=2000 +ui.jvmMetrics.refresh.interval.ms=4000 + +# If true SDC UI will use WebSocket to fetch pipeline status/metrics/alerts otherwise UI will poll every few seconds +# to get the Pipeline status/metrics/alerts. +ui.enable.webSocket=true + +# Number of changes supported by undo/redo functionality. 
+# UI archives Pipeline Configuration/Rules in browser memory to support undo/redo functionality.
+ui.undo.limit=10
+
+# SMTP configuration to send alert emails
+# All properties starting with 'mail.' are used to create the JavaMail session, supported protocols are 'smtp' & 'smtps'
+mail.transport.protocol=smtp
+mail.smtp.host=localhost
+mail.smtp.port=25
+mail.smtp.auth=false
+mail.smtp.starttls.enable=false
+mail.smtps.host=localhost
+mail.smtps.port=465
+mail.smtps.auth=false
+# If 'mail.smtp.auth' or 'mail.smtps.auth' are to true, these properties are used for the user/password credentials,
+# ${file("email-password.txt")} will load the value from the 'email-password.txt' file in the config directory (where this file is)
+xmail.username=foo
+xmail.password=${file("email-password.txt")}
+# FROM email address to use for the messages
+xmail.from.address=sdc@localhost
+
+#Indicates the location where runtime configuration properties can be found.
+#Value 'embedded' implies that the runtime configuration properties are present in this file and are prefixed with
+#'runtime.conf_'.
+#A value other than 'embedded' is treated as the name of a properties file from which the runtime configuration
+#properties must be picked up. Note that the properties should not be prefixed with 'runtime.conf_' in this case.
+runtime.conf.location=embedded
+
+# Java Security properties
+#
+# Any configuration prefixed with 'java.security.' will be set on the static instance java.security.Security
+# as part of SDC bootstrap process. This will change JVM configuration and should not be used when embedding and running
+# multiple SDC instances inside the same JVM.
+#
+# We're explicitly overriding this to zero as JVM will default to -1 if security manager is active.
+java.security.networkaddress.cache.ttl=0
+
+# Security Manager
+#
+# By default when Security Manager is enabled, SDC will use Java one that only follows the specified policy.
+
+# Enable SDC Security Manager that will always prevent access to SDC's internal directories to all stages (e.g. data dir,
+# ...). Please note that there are certain JVM bugs that this manager might hit, especially on some older JVM versions.
+#security_manager.sdc_manager.enable=true
+
+# When Security manager is enabled SDC will by default prohibits access to it's internal directories regardless of what
+# the security policy specifies. The following properties allow specific access to given files inside protected directories.
+security_manager.sdc_dirs.exceptions=$SDC_CONF/ldap-login.conf
+
+# General exceptions - use with caution, all stage libraries will be able to access those files.
+# * Access to ldap-login.conf is sadly required by Hadoop's UserGroupInfo class
+security_manager.sdc_dirs.exceptions=$SDC_CONF/ldap-login.conf
+
+# Exceptions for specific stage libraries
+# * Our documentation recommends default name for credential store inside ETC directory
+security_manager.sdc_dirs.exceptions.lib.streamsets-datacollector-jks-credentialstore-lib=$SDC_CONF/jks-credentialStore.pkcs12
+
+
+# Stage specific configuration(s)
+#
+# The following config properties are for particular stages, please refer to their documentation for further details.
+#
+# Hadoop components
+# Uncomment to enforce Hadoop components in SDC to always impersonate current user rather then use the impersonation
+# configuration option. Current user is a user who either started the pipeline or run preview.
+#stage.conf_hadoop.always.impersonate.current.user=true
+# Uncomment to enforce impersonated user name to be lower cased.
+#stage.conf_hadoop.always.lowercase.user=true
+#
+# Shell executor
+# Controls impersonation mode
+#stage.conf_com.streamsets.pipeline.stage.executor.shell.impersonation_mode=CURRENT_USER
+# Relative or absolute path to shell that should be used to execute the shell script
+#stage.conf_com.streamsets.pipeline.stage.executor.shell.shell=sh
+# Relative or absolute path to sudo command
+#stage.conf_com.streamsets.pipeline.stage.executor.shell.sudo=sudo
+
+#Observer related
+
+#The size of the queueName where the pipeline queues up data rule evaluation requests.
+#Each request is for a stream and contains sampled records for all rules that apply to that lane.
+observer.queue.size=100
+
+#Sampled records which pass evaluation are cached for user to view. This determines the size of the cache and there is
+#once cache per data rule
+observer.sampled.records.cache.size=100
+
+#The time to wait before dropping a data rule evaluation request if the observer queueName is full.
+observer.queue.offer.max.wait.time.ms=1000
+
+
+#Maximum number of private classloaders to allow in the data collector.
+#Stage that have configuration singletons (i.e. Hadoop FS & Hbase) require private classloaders
+max.stage.private.classloaders=50
+
+# Pipeline runner pool
+# Default value is sufficient to run 22 pipelines. One pipeline requires 5 Threads and pipelines share
+# threads using thread pool. Approximate runner thread pool size = (Number of Running Pipelines) * 2.2.
+# Increasing this value will not increase parallelisation of individual pipelines.
+runner.thread.pool.size=50
+
+# Uncomment to disable starting all previously running pipelines on SDC start up
+#runner.boot.pipeline.restart=false
+
+# Maximal number of runners (multithreaded pipelines)
+#
+# Maximal number of source-less pipeline instances (=runners) that are allowed for a single multi-threaded
+# pipeline. The default is 50.
+pipeline.max.runners.count=50
+
+# Uncomment to specify a custom location for the package manager repositories.
+# Enter a url or comma-separated list of urls.
+# Official Data Collector releases use the following repositories by default:
+# http://archives.streamsets.com/datacollector//tarball/,http://archives.streamsets.com/datacollector//tarball/enterprise/
+# Data Collector source code builds (master branch) use the following repositories by default:
+# http://nightly.streamsets.com/datacollector/latest/tarball/,http://nightly.streamsets.com/datacollector/latest/tarball/enterprise/
+#package.manager.repository.links=
+
+# Support bundles
+#
+# Uncomment if you need to disable the facility for automatic support bundle upload.
+#bundle.upload.enabled=false
+#
+# Uncomment to automatically generate and upload bundle on various errors. Enable with caution, uploading bundle
+# can be time consuming task (depending on size and internet speed) and pipelines can appear "frozen" during
+# the upload especially when many pipelines are failing at the same time.
+#bundle.upload.on_error=true
+
+# Library aliases mapping to keep backward compatibility on pipelines when library names change
+# The current aliasing mapping is to handle 1.0.0beta2 to 1.0.0 library names changes
+#
+# IMPORTANT: Under normal circumstances all these properties should not be changed
+#
+library.alias.streamsets-datacollector-apache-kafka_0_8_1_1-lib=streamsets-datacollector-apache-kafka_0_8_1-lib
+library.alias.streamsets-datacollector-apache-kafka_0_8_2_0-lib=streamsets-datacollector-apache-kafka_0_8_2-lib
+library.alias.streamsets-datacollector-apache-kafka_0_8_2_1-lib=streamsets-datacollector-apache-kafka_0_8_2-lib
+library.alias.streamsets-datacollector-cassandra_2_1_5-lib=streamsets-datacollector-cassandra_2-lib
+library.alias.streamsets-datacollector-cdh5_2_1-lib=streamsets-datacollector-cdh_5_2-lib
+library.alias.streamsets-datacollector-cdh5_2_3-lib=streamsets-datacollector-cdh_5_2-lib
+library.alias.streamsets-datacollector-cdh5_2_4-lib=streamsets-datacollector-cdh_5_2-lib
+library.alias.streamsets-datacollector-cdh5_3_0-lib=streamsets-datacollector-cdh_5_3-lib
+library.alias.streamsets-datacollector-cdh5_3_1-lib=streamsets-datacollector-cdh_5_3-lib
+library.alias.streamsets-datacollector-cdh5_3_2-lib=streamsets-datacollector-cdh_5_3-lib
+library.alias.streamsets-datacollector-cdh5_4_0-cluster-cdh_kafka_1_2_0-lib=streamsets-datacollector-cdh_5_4-cluster-cdh_kafka_1_2-lib
+library.alias.streamsets-datacollector-cdh5_4_0-lib=streamsets-datacollector-cdh_5_4-lib
+library.alias.streamsets-datacollector-cdh5_4_1-cluster-cdh_kafka_1_2_0-lib=streamsets-datacollector-cdh_5_4-cluster-cdh_kafka_1_2-lib
+library.alias.streamsets-datacollector-cdh5_4_1-lib=streamsets-datacollector-cdh_5_4-lib
+library.alias.streamsets-datacollector-cdh_5_4-cluster-cdh_kafka_1_2_0-lib=streamsets-datacollector-cdh_5_4-cluster-cdh_kafka_1_2-lib
+library.alias.streamsets-datacollector-cdh_kafka_1_2_0-lib=streamsets-datacollector-cdh_kafka_1_2-lib
+library.alias.streamsets-datacollector-elasticsearch_1_4_4-lib=streamsets-datacollector-elasticsearch_1_4-lib
+library.alias.streamsets-datacollector-elasticsearch_1_5_0-lib=streamsets-datacollector-elasticsearch_1_5-lib
+library.alias.streamsets-datacollector-hdp_2_2_0-lib=streamsets-datacollector-hdp_2_2-lib
+library.alias.streamsets-datacollector-jython_2_7_0-lib=streamsets-datacollector-jython_2_7-lib
+library.alias.streamsets-datacollector-mongodb_3_0_2-lib=streamsets-datacollector-mongodb_3-lib
+library.alias.streamsets-datacollector-cassandra_2-lib=streamsets-datacollector-cassandra_3-lib
+library.alias.streamsets-datacollector-cdh_5_9-cluster-cdh_kafka_2_0-lib=streamsets-datacollector-cdh-spark_2_1-lib
+library.alias.streamsets-datacollector-cdh_5_10-cluster-cdh_kafka_2_1-lib=streamsets-datacollector-cdh-spark_2_1-lib
+library.alias.streamsets-datacollector-cdh_5_11-cluster-cdh_kafka_2_1-lib=streamsets-datacollector-cdh-spark_2_1-lib
+library.alias.streamsets-datacollector-cdh_5_12-cluster-cdh_kafka_2_1-lib=streamsets-datacollector-cdh-spark_2_1-lib
+library.alias.streamsets-datacollector-cdh_5_13-cluster-cdh_kafka_2_1-lib=streamsets-datacollector-cdh-spark_2_1-lib
+library.alias.streamsets-datacollector-cdh_5_14-cluster-cdh_kafka_2_1-lib=streamsets-datacollector-cdh-spark_2_1-lib
+
+
+# Stage aliases for mapping to keep backward compatibility on pipelines when stages move libraries
+# The current alias mapping is to handle moving the jdbc stages to their own library
+#
+# IMPORTANT: Under normal circumstances all these properties should not be changed
+#
+stage.alias.streamsets-datacollector-basic-lib,com_streamsets_pipeline_stage_destination_jdbc_JdbcDTarget=streamsets-datacollector-jdbc-lib,com_streamsets_pipeline_stage_destination_jdbc_JdbcDTarget
+stage.alias.streamsets-datacollector-basic-lib,com_streamsets_pipeline_stage_origin_jdbc_JdbcDSource=streamsets-datacollector-jdbc-lib,com_streamsets_pipeline_stage_origin_jdbc_JdbcDSource
+stage.alias.streamsets-datacollector-basic-lib,com_streamsets_pipeline_stage_origin_omniture_OmnitureDSource=streamsets-datacollector-omniture-lib,com_streamsets_pipeline_stage_origin_omniture_OmnitureDSource
+stage.alias.streamsets-datacollector-cdh_5_7-cluster-cdh_kafka_2_0-lib,com_streamsets_pipeline_stage_destination_kafka_KafkaDTarget=streamsets-datacollector-cdh_kafka_2_0-lib,com_streamsets_pipeline_stage_destination_kafka_KafkaDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_4-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_6-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_7-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_0-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_1-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_2-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_3-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_4-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_5_0-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_4-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_6-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_1_7-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_0-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_1-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_2-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_3-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_2_4-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-elasticsearch_5_0-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget=streamsets-datacollector-elasticsearch_5-lib,com_streamsets_pipeline_stage_destination_elasticsearch_ToErrorElasticSearchDTarget
+stage.alias.streamsets-datacollector-cdh_5_4-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-cdh_5_5-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-cdh_5_7-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-cdh_5_8-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-cdh_5_9-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-cdh_5_10-lib,com_streamsets_pipeline_stage_processor_spark_StandaloneSparkDProcessor=streamsets-datacollector-cdh_spark_2_1_r1-lib,com_streamsets_pipeline_stage_processor_spark_SparkDProcessor
+stage.alias.streamsets-datacollector-aws-lib,com_streamsets_pipeline_stage_destination_kinesis_FirehoseDTarget=streamsets-datacollector-kinesis-lib,com_streamsets_pipeline_stage_destination_kinesis_FirehoseDTarget
+stage.alias.streamsets-datacollector-aws-lib,com_streamsets_pipeline_stage_destination_kinesis_StatsKinesisDTarget=streamsets-datacollector-kinesis-lib,com_streamsets_pipeline_stage_destination_kinesis_StatsKinesisDTarget
+stage.alias.streamsets-datacollector-aws-lib,com_streamsets_pipeline_stage_destination_kinesis_KinesisDTarget=streamsets-datacollector-kinesis-lib,com_streamsets_pipeline_stage_destination_kinesis_KinesisDTarget
+stage.alias.streamsets-datacollector-aws-lib,com_streamsets_pipeline_stage_destination_kinesis_ToErrorKinesisDTarget=streamsets-datacollector-kinesis-lib,com_streamsets_pipeline_stage_destination_kinesis_ToErrorKinesisDTarget
+stage.alias.streamsets-datacollector-aws-lib,com_streamsets_pipeline_stage_origin_kinesis_KinesisDSource=streamsets-datacollector-kinesis-lib,com_streamsets_pipeline_stage_origin_kinesis_KinesisDSource
+stage.alias.streamsets-datacollector-hdp_2_3-lib,com_streamsets_pipeline_stage_processor_hive_HiveMetadataDProcessor=streamsets-datacollector-hdp_2_3-hive1-lib,com_streamsets_pipeline_stage_processor_hive_HiveMetadataDProcessor
+stage.alias.streamsets-datacollector-hdp_2_3-lib,com_streamsets_pipeline_stage_destination_hive_HiveMetastoreDTarget=streamsets-datacollector-hdp_2_3-hive1-lib,com_streamsets_pipeline_stage_destination_hive_HiveMetastoreDTarget
+stage.alias.streamsets-datacollector-hdp_2_3-lib,com_streamsets_pipeline_stage_destination_hive_HiveDTarget=streamsets-datacollector-hdp_2_3-hive1-lib,com_streamsets_pipeline_stage_destination_hive_HiveDTarget
+stage.alias.streamsets-datacollector-hdp_2_4-lib,com_streamsets_pipeline_stage_processor_hive_HiveMetadataDProcessor=streamsets-datacollector-hdp_2_4-hive1-lib,com_streamsets_pipeline_stage_processor_hive_HiveMetadataDProcessor
+stage.alias.streamsets-datacollector-hdp_2_4-lib,com_streamsets_pipeline_stage_destination_hive_HiveMetastoreDTarget=streamsets-datacollector-hdp_2_4-hive1-lib,com_streamsets_pipeline_stage_destination_hive_HiveMetastoreDTarget
+stage.alias.streamsets-datacollector-hdp_2_4-lib,com_streamsets_pipeline_stage_destination_hive_HiveDTarget=streamsets-datacollector-hdp_2_4-hive1-lib,com_streamsets_pipeline_stage_destination_hive_HiveDTarget
+
+
+# System and user stage libraries whitelists and blacklists
+#
+# If commented out all stagelibraries directories are used.
+#
+# Given 'system' or 'user', only whitelist or blacklist can be set, if both are set the Data Collector will fail to start
+#
+# Specify stage library directories separated by commas
+#
+# The MapR stage libraries are disabled as they require manual installation step. Use setup-mapr script to enable
+# the desired MapR stage library.
+#
+# It's important to keep the blacklist and whitelist properties on a single line, otherwise CSD's control.sh script and
+# setup-mapr script will not work properly.
+#
+#system.stagelibs.whitelist=
+system.stagelibs.blacklist=streamsets-datacollector-mapr_5_0-lib,streamsets-datacollector-mapr_5_1-lib,streamsets-datacollector-mapr_5_2-lib,streamsets-datacollector-mapr_6_0-lib,streamsets-datacollector-mapr_6_0-mep4-lib,streamsets-datacollector-mapr_6_0-mep5-lib,streamsets-datacollector-mapr_6_1-lib,streamsets-datacollector-mapr_6_1-mep6-lib,streamsets-datacollector-mapr_spark_2_1_mep_3_0-lib
+#
+#user.stagelibs.whitelist=
+#user.stagelibs.blacklist=
+
+# Stage Classpath Validation
+#
+# Uncomment to disable best effort validation of each stage library classpath to detect known issues with
+# colliding dependencies (such as conflicting versions of the same dependency, ...). Result of the validation
+# is by default only printed to log.
+#stagelibs.classpath.validation.enable=false
+#
+# By default the validation result is only logged. Uncomment to prevent SDC to start if classpath of any
+# stage library is not considered valid.
+#stagelibs.classpath.validation.terminate=true
+
+#
+# Additional Configuration files to include in to the configuration.
+# Value of this property is the name of the configuration file separated by commas.
+#
+config.includes=dpm.properties,vault.properties,credential-stores.properties
+
+
+#
+# Record Sampling configurations indicate the size of the subset (sample set) that must be chosen from a population (of records).
+# Default configuration values indicate the sampler to select 1 out of 10000 records
+#
+# For better performance simplify the fraction ( sdc.record.sampling.sample.size / sdc.record.sampling.population.size )
+# i.e., specify ( 1 / 40 ) instead of ( 250 / 10000 ).
+sdc.record.sampling.sample.size=1
+sdc.record.sampling.population.size=10000
+
+#
+# Pipeline State are cached for faster access.
+# Specifies the maximum number of pipeline state entries the cache may contain.
+store.pipeline.state.cache.maximum.size=100
+
+# Specifies that each pipeline state entry should be automatically removed from the cache once a fixed duration
+# has elapsed after the entry's creation, the most recent replacement of its value, or its last access.
+# In minutes
+store.pipeline.state.cache.expire.after.access=10
diff --git a/sdc/docker-compose.yml b/sdc/docker-compose.yml
new file mode 100644
index 0000000..43f2c00
--- /dev/null
+++ b/sdc/docker-compose.yml
@@ -0,0 +1,9 @@
+sdc:
+ image: streamsets/datacollector
+ ports:
+ - "18630:18630"
+ volumes:
+ - ./data:/data
+ - ./data/sdc.properties:/etc/sdc/sdc.properties
+ - ./data/form-realm.properties:/etc/sdc/form-realm.properties
+ restart: always
diff --git a/searx/README.md b/searx/README.md
new file mode 100644
index 0000000..baef6cf
--- /dev/null
+++ b/searx/README.md
@@ -0,0 +1,9 @@
+searx
+=====
+
+[Searx][1] is a free internet metasearch engine which aggregates results from more
+than 70 search services. Users are neither tracked nor profiled. Additionally,
+searx can be used over Tor for online anonymity.
+
+
+[1]: https://asciimoo.github.io/searx/
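Review bot: `./data/form-realm.properties` is bind-mounted into `/etc/sdc/` on the `volumes:` lines of sdc/docker-compose.yml, but nothing here controls the host-side ownership or mode of that file. The accompanying sdc.properties selects `http.authentication.login.module=file` and keeps `http.realm.file.permission.check=true`, which makes SDC require an owner-only realm file, and a bind mount inherits whatever mode the checkout has, so a fresh clone will presumably either fail that check or leave the login entries readable by every local user. I would document `chmod 600 data/form-realm.properties` (owned by the uid the container runs as) next to this file, and publish the UI as `"127.0.0.1:18630:18630"` unless it is meant to be reachable from other hosts.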
diff --git a/searx/docker-compose.yml b/searx/docker-compose.yml
new file mode 100644
index 0000000..556fad9
--- /dev/null
+++ b/searx/docker-compose.yml
@@ -0,0 +1,5 @@
+searx:
+ image: wonderfall/searx
+ ports:
+ - "8888:8888"
+ restart: unless-stopped
diff --git a/selenium/README.md b/selenium/README.md
index 6ac2c38..13d2678 100644
--- a/selenium/README.md
+++ b/selenium/README.md
@@ -32,7 +32,7 @@ hub: environment: - GRID_TIMEOUT=60 - GRID_BROWSER_TIMEOUT=30 - retart: always + restart: always chrome: image: selenium/node-chrome
@@ -41,7 +41,7 @@ chrome: - "5555" links: - hub - retart: always + restart: always firefox: image: selenium/node-firefox
@@ -50,7 +50,7 @@ firefox: - "5555" links: - hub - retart: always + restart: always ``` > Access grid console at
@@ -92,15 +92,33 @@ baidu-search.py
```python
from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
+from selenium.webdriver.common.proxy import Proxy, ProxyType
+from selenium.webdriver.common.by import By
+from selenium.webdriver.support.ui import WebDriverWait
+from selenium.webdriver.support import expected_conditions as EC
+
+proxy = Proxy({
+ 'proxyType': 'MANUAL',
+ 'httpProxy': '1.2.3.4:8080',
+ 'sslProxy': '1.2.3.4:8080',
+})
+
+capabilities = DesiredCapabilities.CHROME
+proxy.add_to_capabilities(capabilities)
driver = webdriver.Remote(
command_executor='http://127.0.0.1:4444/wd/hub',
- desired_capabilities=DesiredCapabilities.FIREFOX
+ desired_capabilities=capabilities
)
driver.get('http://www.baidu.com/')
-driver.find_element_by_id('kw').send_keys('webdriver')
+driver.find_element_by_id('kw').send_keys('ip')
driver.find_element_by_id('su').click()
+
+WebDriverWait(driver, 10).until(
+ EC.presence_of_element_located((By.CLASS_NAME, 'nums_text'))
+)
+
driver.save_screenshot('baidu.png')
driver.close()
```
diff --git a/selenium/docker-stack.yml b/selenium/docker-stack.yml
new file mode 100644
index 0000000..391456b
--- /dev/null
+++ b/selenium/docker-stack.yml
@@ -0,0 +1,66 @@
+version: '3.5'
+services:
+ hub:
+ image: selenium/hub:3.141.59-selenium
+ ports:
+ - "4444:4444"
+ volumes:
+ - /dev/shm:/dev/shm
+ environment:
+ - JAVA_OPTS=-Xmx2g
+ - GRID_TIMEOUT=200
+ - GRID_BROWSER_TIMEOUT=180
+ - GRID_CLEAN_UP_CYCLE=5000
+ - GRID_MAX_SESSION=9999
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+ firefox:
+ image: selenium/node-firefox:3.141.59-selenium
+ entrypoint: bash -c 'REMOTE_HOST=http://$$HOSTNAME:5555 /opt/bin/entry_point.sh'
+ volumes:
+ - /dev/shm:/dev/shm
+ environment:
+ - HUB_HOST=hub
+ - HUB_PORT=4444
+ - NODE_MAX_INSTANCES=4
+ - NODE_MAX_SESSION=4
+ - NODE_UNREGISTER_IF_STILL_DOWN_AFTER=30000
+ depends_on:
+ - hub
+ deploy:
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == manager
+ restart_policy:
+ condition: on-failure
+ chrome:
+ image: selenium/node-chrome:3.141.59-selenium
+ entrypoint: bash -c 'REMOTE_HOST=http://$$HOSTNAME:5555 /opt/bin/entry_point.sh'
+ volumes:
+ - /dev/shm:/dev/shm
+ environment:
+ - HUB_HOST=hub
+ - HUB_PORT=4444
+ - NODE_MAX_INSTANCES=8
+ - NODE_MAX_SESSION=8
+ - NODE_UNREGISTER_IF_STILL_DOWN_AFTER=30000
+ depends_on:
+ - hub
+ deploy:
+ replicas: 8
+ placement:
+ constraints:
+ - node.role == worker
+ restart_policy:
+ condition: on-failure
+networks:
+ default:
+ ipam:
+ config:
+ - subnet: 192.168.100.0/24
diff --git a/selenium/grid/docker-compose-hub.yml b/selenium/grid/docker-compose-hub.yml
new file mode 100644
index 0000000..57fa764
--- /dev/null
+++ b/selenium/grid/docker-compose-hub.yml
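Review bot: The hub's `- "4444:4444"` under `ports:` publishes the Grid API on the swarm ingress of every node, and a Selenium 3 hub has no authentication of its own, so anyone who can reach that port can drive browser sessions that run inside the `192.168.100.0/24` overlay. The firefox and chrome services already reach the hub as `hub:4444` over the stack network, so the port only needs publishing for external test runners; if it must stay open, put a network-level allow-list in front of it and say so in the README. The same point applies to `4444:4444` in selenium/grid/docker-compose-hub.yml and `5555:5555` in selenium/grid/docker-compose-node.yml in the following hunks. Mounting the host's `/dev/shm` into all three services (likely because `shm_size` is not honoured by `docker stack deploy`) also shares one host shared-memory area between the host and every browser container, which deserves a comment such as `# host /dev/shm shared with every browser container; shm_size is ignored by stack deploy`.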
@@ -0,0 +1,20 @@
+version: '3'
+
+services:
+
+ selenium-hub:
+ image: selenium/hub:3.141.59-neon
+ ports:
+ - "4444:4444"
+ volumes:
+ - /dev/shm:/dev/shm
+ environment:
+ - JAVA_OPTS=-Xmx512m
+ - GRID_TIMEOUT=60
+ - GRID_BROWSER_TIMEOUT=30
+ healthcheck:
+ test: ["CMD", "/opt/bin/check-grid.sh", "--host", "127.0.0.1", "--port", "4444"]
+ interval: 15s
+ timeout: 30s
+ retries: 5
+ restart: unless-stopped
diff --git a/selenium/grid/docker-compose-node.yml b/selenium/grid/docker-compose-node.yml
new file mode 100644
index 0000000..b5941ef
--- /dev/null
+++ b/selenium/grid/docker-compose-node.yml
@@ -0,0 +1,13 @@
+chrome:
+ image: selenium/node-chrome:3.141.59-neon
+ ports:
+ - "5555:5555"
+ volumes:
+ - /dev/shm:/dev/shm
+ environment:
+ - HUB_HOST=10.0.0.21
+ - HUB_PORT=4444
+ - REMOTE_HOST=http://10.0.0.22:5555
+ - NODE_MAX_INSTANCES=2
+ - NODE_MAX_SESSION=2
+ restart: unless-stopped
diff --git a/sentry/README.md b/sentry/README.md
new file mode 100644
index 0000000..7435559
--- /dev/null
+++ b/sentry/README.md
@@ -0,0 +1,17 @@
+sentry
+======
+
+[Sentry][1] is cross-platform application monitoring, with a focus on error reporting.
+
+```bash
+$ docker-compose up -d
+$ docker-compose exec sentry sentry upgrade
+Would you like to create a user account now? [Y/n]: y
+Email: root@easypi.pro
+Password: ******
+Repeat for confirmation: ******
+Should this user be a superuser? [y/N]: y
+User created: root@easypi.pro
+```
+
+[1]: https://github.com/getsentry/sentry
diff --git a/sentry/docker-compose.yml b/sentry/docker-compose.yml
new file mode 100644
index 0000000..63d17f0
--- /dev/null
+++ b/sentry/docker-compose.yml
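Review bot: `HUB_HOST=10.0.0.21` and `REMOTE_HOST=http://10.0.0.22:5555` in selenium/grid/docker-compose-node.yml are hard-coded site addresses, so the file cannot be reused on another host without editing and the two values can silently drift from the real hub and node IPs. Compose substitutes `${VAR}` from a `.env` file next to the compose file, so `- HUB_HOST=${HUB_HOST}` and `- REMOTE_HOST=http://${NODE_HOST}:5555` with a documented `.env` would keep the deployment-specific values out of the committed file. Either way, a comment above `environment:` such as `# HUB_HOST: address of the hub; REMOTE_HOST: this node's address as the hub must reach it` would save the next reader a lookup.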
@@ -0,0 +1,69 @@
+version: '3'
+
+services:
+
+ sentry:
+ image: 'sentry:latest'
+ ports:
+ - '9000:9000'
+ environment:
+ SENTRY_SECRET_KEY: 'theSentrySecretKey'
+ SENTRY_POSTGRES_HOST: 'postgres'
+ SENTRY_POSTGRES_PORT: '5432'
+ SENTRY_DB_NAME: 'sentry'
+ SENTRY_DB_USER: 'sentry'
+ SENTRY_DB_PASSWORD: 'sentry'
+ SENTRY_REDIS_HOST: 'redis'
+ depends_on:
+ - 'redis'
+ - 'postgres'
+ restart: always
+
+ sentry_worker:
+ image: 'sentry:latest'
+ command: "sentry run worker"
+ environment:
+ SENTRY_SECRET_KEY: 'theSentrySecretKey'
+ SENTRY_POSTGRES_HOST: 'postgres'
+ SENTRY_POSTGRES_PORT: '5432'
+ SENTRY_DB_NAME: 'sentry'
+ SENTRY_DB_USER: 'sentry'
+ SENTRY_DB_PASSWORD: 'sentry'
+ SENTRY_REDIS_HOST: 'redis'
+ depends_on:
+ - 'redis'
+ - 'postgres'
+ restart: always
+
+ sentry_cron:
+ image: 'sentry:latest'
+ command: "sentry run cron"
+ environment:
+ SENTRY_SECRET_KEY: 'theSentrySecretKey'
+ SENTRY_POSTGRES_HOST: 'postgres'
+ SENTRY_POSTGRES_PORT: '5432'
+ SENTRY_DB_NAME: 'sentry'
+ SENTRY_DB_USER: 'sentry'
+ SENTRY_DB_PASSWORD: 'sentry'
+ SENTRY_REDIS_HOST: 'redis'
+ depends_on:
+ - 'redis'
+ - 'postgres'
+ restart: always
+
+ redis:
+ image: 'redis:alpine'
+ command: --save 900 1
+ volumes:
+ - ./data/redis:/data
+ restart: always
+
+ postgres:
+ image: 'postgres:alpine'
+ volumes:
+ - ./data/postgres:/var/lib/postgresql/data
+ environment:
+ POSTGRES_USER: 'sentry'
+ POSTGRES_PASSWORD: 'sentry'
+ POSTGRES_DB: 'sentry'
+ restart: always
diff --git a/snipeit/data/snipeit/snipeit.env b/snipeit/data/snipeit/snipeit.env
new file mode 100644
index 0000000..dbfc9e8
--- /dev/null
+++ b/snipeit/data/snipeit/snipeit.env
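Review bot: `SENTRY_SECRET_KEY: 'theSentrySecretKey'` is a literal placeholder repeated in the `sentry`, `sentry_worker` and `sentry_cron` services; this is the value Sentry uses for cryptographic signing, so a committed, guessable key means every deployment built from this file shares it. Generate a real one with `sentry config generate-secret-key` and reference it as `SENTRY_SECRET_KEY: ${SENTRY_SECRET_KEY}` from a git-ignored `.env`; the same substitution would keep `SENTRY_DB_PASSWORD: 'sentry'` and `POSTGRES_PASSWORD: 'sentry'` out of the repository, even though postgres publishes no port here. Pinning `image: 'sentry:latest'` to a specific tag would also stop the three Sentry services from drifting apart when one of them is re-pulled.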
@@ -0,0 +1,27 @@
+# Mysql Parameters
+MYSQL_ROOT_PASSWORD=root
+MYSQL_DATABASE=snipeit
+MYSQL_USER=snipeit
+MYSQL_PASSWORD=snipeit
+
+# Email Parameters
+# - the hostname/IP address of your mailserver
+MAIL_PORT_587_TCP_ADDR=smtp.gmail.com
+#the port for the mailserver (probably 587, could be another)
+MAIL_PORT_587_TCP_PORT=587
+# the default from address, and from name for emails
+MAIL_ENV_FROM_ADDR=easypi@gmail.com
+MAIL_ENV_FROM_NAME=EasyPi Software Foundation
+# - pick 'tls' for SMTP-over-SSL, 'tcp' for unencrypted
+MAIL_ENV_ENCRYPTION=tls
+# SMTP username and password
+MAIL_ENV_USERNAME=easypi
+MAIL_ENV_PASSWORD=******
+
+# Snipe-IT Settings
+APP_ENV=production
+APP_DEBUG=false
+APP_KEY=base64:D5oGA+zhFSVA3VwuoZoQ21RAcwBtJv/RGiqOcZ7BUvI=
+APP_URL=http://snipeit.easypi.pro:8080
+APP_TIMEZONE=UTC
+APP_LOCALE=en
diff --git a/snipeit/docker-compose.yml b/snipeit/docker-compose.yml
new file mode 100644
index 0000000..729add5
--- /dev/null
+++ b/snipeit/docker-compose.yml
@@ -0,0 +1,22 @@
+snipeit:
+ image: snipe/snipe-it
+ ports:
+ - "8080:80"
+ links:
+ - mysql
+ volumes:
+ - ./data/snipeit:/var/lib/snipeit
+ env_file:
+ - ./data/snipeit/snipeit.env
+ restart: always
+
+mysql:
+ image: mysql
+ volumes:
+ - ./data/mysql:/var/lib/mysql
+ environment:
+ - MYSQL_ROOT_PASSWORD=root
+ - MYSQL_USER=snipeit
+ - MYSQL_PASSWORD=snipeit
+ - MYSQL_DATABASE=snipeit
+ restart: always
diff --git a/snort/Dockerfile b/snort/Dockerfile
index 5acabf7..d6d437d 100644
--- a/snort/Docker­file
+++ b/snort/Dockerfile
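Review bot: `APP_KEY=base64:…` under "Snipe-IT Settings" is a real-looking application key committed to the repository, next to `MYSQL_ROOT_PASSWORD=root` and the database credentials; the app key is what Laravel-based applications such as Snipe-IT use to encrypt and sign data, so once it is public anything protected with it has to be treated as exposed. `MAIL_ENV_PASSWORD=******` shows the intent to redact secrets, which makes the key look like an oversight: generate a fresh one per deployment (for example with Laravel's `php artisan key:generate`), keep this env file out of version control, and commit a `snipeit.env.example` with placeholders and a comment such as `# APP_KEY: generate per deployment; never reuse the example value`. `APP_URL=http://…:8080` also means logins travel in clear text unless a TLS proxy is placed in front of the container.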
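Review bot: In snipeit/docker-compose.yml the MySQL credentials are declared twice, once through `env_file:` for `snipeit` and again inline under `mysql: environment:`, so changing one copy breaks the other without an obvious error. Pointing the `mysql` service at the same file (`env_file: - ./data/snipeit/snipeit.env`; its MYSQL_* keys are the ones the official image reads, and the extra MAIL_*/APP_* variables should simply be ignored by it) leaves a single source of truth. `image: mysql` with no tag will also float to whatever major version is current on the next pull; pinning a tag the Snipe-IT image is known to work with avoids a surprise authentication-plugin or schema change.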
@@ -2,59 +2,30 @@
 # Dockerfile for snort
 #
-FROM debian:jessie
+FROM centos:7
 MAINTAINER kev
 ENV DAQ_VERSION 2.0.6
-ENV SNORT_VERSION 2.9.8.3
-ENV LIBDNET_VERSION 1.12
+ENV SNORT_VERSION 2.9.13
+ENV BASE_URL https://www.snort.org/downloads
 RUN set -xe \
- && apt-get update \
- && apt-get install -y build-essential \
- bison \
- curl \
- flex \
- libdnet \
- libdnet-dev \
- libpcap0.8 \
- libpcap-dev \
- libpcre3 \
- libpcre3-dev \
- zlib1g \
- zlib1g-dev \
- && mkdir daq \
- && curl -sSL https://snort.org/downloads/snort/daq-${DAQ_VERSION}.tar.gz | tar xz --strip 1 -C daq \
- && cd daq \
- && ./configure \
- && make install \
- && cd .. \
- && rm -rf daq \
- && mkdir libdnet \
- && curl -sSL https://github.com/dugsong/libdnet/archive/libdnet-${LIBDNET_VERSION}.tar.gz | tar xz --strip 1 -C libdnet \
- && cd libdnet \
- && ./configure \
- && make install \
- && (cd /usr/local/lib && ln -s libdnet.1 libdnet.so.1) \
- && cd .. \
- && rm -rf libdnet \
- && mkdir snort \
- && curl -sSL https://snort.org/downloads/snort/snort-${SNORT_VERSION}.tar.gz | tar xz --strip 1 -C snort \
- && cd snort \
- && ./configure --enable-sourcefire \
- && make install \
- && cd .. \
- && rm -rf snort \
+ && yum -y install epel-release libdnet \
+ && yum -y install ${BASE_URL}/snort/daq-${DAQ_VERSION}-1.centos7.x86_64.rpm \
+ ${BASE_URL}/snort/snort-${SNORT_VERSION}-1.centos7.x86_64.rpm \
 && mkdir -p /etc/snort/rules \
- && curl -sSL https://snort.org/rules/community | tar xz -C /etc/snort/rules \
- && apt-get purge -y --auto-remove build-essential \
- bison \
- flex \
- libdnet-dev \
- libpcap-dev \
- libpcre3-dev \
- zlib1g-dev \
- && rm -rf /var/lib/apt/lists/*
+ && curl -sSL ${BASE_URL}/community/community-rules.tar.gz | \
+ tar xz --strip 1 -C /etc/snort/rules/ community-rules/community.rules \
+ && touch /etc/snort/rules/local.rules \
+ /etc/snort/rules/black_list.rules \
+ /etc/snort/rules/white_list.rules \
+ && mkdir -p /etc/snort/so_rules \
+ /etc/snort/preproc_rules \
+ /usr/local/lib/snort_dynamicrules \
+ && ln -s /usr/lib64/libdnet.so.1 /usr/local/lib/libdnet.1 \
+ && yum clean all
+
+COPY data/snort.conf /etc/snort/snort.conf
 ENTRYPOINT ["snort"]
 CMD ["--help"]
diff --git a/snort/README.md b/snort/README.md
index 82c4e30..4aef4ae 100644
--- a/snort/README.md
+++ b/snort/README.md
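Review bot: The two `yum -y install ${BASE_URL}/snort/...rpm` lines install packages fetched by URL, and yum does not GPG-check a package given as a URL or path unless `localpkg_gpgcheck=1` is set, so nothing in the build verifies that the DAQ and Snort RPMs are the ones the versions in `ENV` were chosen for; the `curl -sSL ... | tar xz` that follows pulls the community rules with no integrity check either. Since `DAQ_VERSION` and `SNORT_VERSION` are fixed, the RPMs can be pinned by SHA-256 and installed from a local file, which also lets `curl -f` fail the build on an HTTP error instead of handing an error page to the installer. The rules tarball is a moving target, so a digest there would break every rebuild; it is enough to add `-f` and keep the `tar` member selection, which already fails if `community-rules/community.rules` is absent.

```dockerfile
# Digests recorded when DAQ_VERSION/SNORT_VERSION were chosen (placeholders, fill in).
ENV DAQ_RPM_SHA256=<sha256 of daq rpm> \
    SNORT_RPM_SHA256=<sha256 of snort rpm>

RUN set -xe \
    && yum -y install epel-release libdnet \
    && curl -fsSLo /tmp/daq.rpm ${BASE_URL}/snort/daq-${DAQ_VERSION}-1.centos7.x86_64.rpm \
    && curl -fsSLo /tmp/snort.rpm ${BASE_URL}/snort/snort-${SNORT_VERSION}-1.centos7.x86_64.rpm \
    && echo "${DAQ_RPM_SHA256}  /tmp/daq.rpm" | sha256sum -c - \
    && echo "${SNORT_RPM_SHA256}  /tmp/snort.rpm" | sha256sum -c - \
    && yum -y install /tmp/daq.rpm /tmp/snort.rpm \
    && rm -f /tmp/daq.rpm /tmp/snort.rpm \
    && mkdir -p /etc/snort/rules \
    && curl -fsSL ${BASE_URL}/community/community-rules.tar.gz | \
       tar xz --strip 1 -C /etc/snort/rules/ community-rules/community.rules \
# … unchanged: touch, mkdir -p, ln -s, yum clean all …
```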
@@ -6,11 +6,38 @@ snort
 [`Snort`][1] is an open source intrusion prevention system capable of real-time traffic analysis and packet logging.
-## Quick Start
-
+```yaml
+snort:
+ image: vimagick/snort
+ command: -q -c /etc/snort/snort.conf -A fast -y -i eth0
+ volumes:
+ - ./data/snort.conf:/etc/snort/snort.conf
+ - ./data/rules:/etc/snort/rules
+ - ./data/log:/var/log/snort
+ cap_add:
+ - NET_ADMIN
+ net: host
+ restart: unless-stopped
 ```
-$ alias snort='docker run --rm --net host -v `pwd`:/work -w /work vimagick/snort'
-$ snort -vde
+
+```bash
+# /etc/snort/rules/local.rules
+alert icmp any any -> any any (msg:"ICMP Echo Request"; itype:8; sid:10000;)
+alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype:0; sid:10001;)
+```
+
+```bash
+$ docker-compose up -d
+
+$ tail -f data/log/alert
+snort_1 | 08/26/18-06:47:35.460754 [**] [1:10000:0] ICMP Echo Request [**] [Priority: 0] {ICMP} x.x.x.x -> y.y.y.y
+snort_1 | 08/26/18-06:47:35.460835 [**] [1:10001:0] ICMP Echo Reply [**] [Priority: 0] {ICMP} y.y.y.y -> x.x.x.x
+
+$ tcpdump -n -r data/log/snort.log.xxx
+06:47:35.460754 IP x.x.x.x > y.y.y.y: ICMP echo request, id 17767, seq 933, length 12
+06:47:35.460835 IP y.y.y.y > x.x.x.x: ICMP echo reply, id 17767, seq 933, length 12
+
+$ while :; do inotifywait -q -e modify data/log/alert && play -q alert.wav; done
 ```
 [1]: https://snort.org/
diff --git a/snort/alert.wav b/snort/alert.wav
new file mode 100644
index 0000000..59f5665
Binary files /dev/null and b/snort/alert.wav differ
diff --git a/snort/arm/Dockerfile b/snort/arm/Dockerfile
new file mode 100644
index 0000000..2ace048
--- /dev/null
+++ b/snort/arm/Dockerfile
@@ -0,0 +1,15 @@
+#
+# Dockerfile for snort-arm
+#
+
+FROM easypi/alpine-arm
+MAINTAINER EasyPi Software Foundation
+
+RUN set -xe \
+ && apk add --no-cache snort \
+ && mkdir -p /usr/local/lib/snort_dynamicrules
+
+COPY data /etc/snort
+
+ENTRYPOINT ["snort"]
+CMD ["--help"]
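Review bot: In the new `snort/arm/Dockerfile`, `FROM easypi/alpine-arm` and `apk add --no-cache snort` are both unpinned, so every rebuild may produce a different base image and a different Snort than the one the x86 Dockerfile in this commit pins with `SNORT_VERSION`; the apk form `apk add --no-cache snort=<version-r<rev>>` pins the package, and the base should carry a tag. The x86 image creates `/etc/snort/rules` and empty `local.rules`/`black_list.rules`/`white_list.rules`, which a stock `snort.conf` references, whereas here only `COPY data /etc/snort` runs; unless `data/` carries those files (not visible in this hunk) a config that references them will fail at startup, so a `mkdir -p /etc/snort/rules && touch ...` matching the x86 recipe is worth adding. `MAINTAINER` is deprecated in favour of `LABEL maintainer="EasyPi Software Foundation"`.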
diff --git a/snort/arm/data/classification.config b/snort/arm/data/classification.config
new file mode 100644
index 0000000..848c07e
--- /dev/null
+++ b/snort/arm/data/classification.config
@@ -0,0 +1,70 @@ +# $Id$ +# The following includes information for prioritizing rules +# +# Each classification includes a shortname, a description, and a default +# priority for that classification. +# +# This allows alerts to be classified and prioritized. You can specify +# what priority each classification has. Any rule can override the default +# priority for that rule. +# +# Here are a few example rules: +# +# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow"; +# dsize: > 128; classtype:attempted-admin; priority:10; +# +# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \ +# content:"expn root"; nocase; classtype:attempted-recon;) +# +# The first rule will set its type to "attempted-admin" and override +# the default priority for that type to 10. +# +# The second rule set its type to "attempted-recon" and set its +# priority to the default for that type. +# + +# +# config classification:shortname,short description,priority +# + +config classification: not-suspicious,Not Suspicious Traffic,3 +config classification: unknown,Unknown Traffic,3 +config classification: bad-unknown,Potentially Bad Traffic, 2 +config classification: attempted-recon,Attempted Information Leak,2 +config classification: successful-recon-limited,Information Leak,2 +config classification: successful-recon-largescale,Large Scale Information Leak,2 +config classification: attempted-dos,Attempted Denial of Service,2 +config classification: successful-dos,Denial of Service,2 +config classification: attempted-user,Attempted User Privilege Gain,1 +config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1 +config classification: successful-user,Successful User Privilege Gain,1 +config classification: attempted-admin,Attempted Administrator Privilege Gain,1 +config classification: successful-admin,Successful Administrator Privilege Gain,1 + + +# NEW CLASSIFICATIONS +config classification: rpc-portmap-decode,Decode of an RPC Query,2 +config classification: 
shellcode-detect,Executable code was detected,1 +config classification: string-detect,A suspicious string was detected,3 +config classification: suspicious-filename-detect,A suspicious filename was detected,2 +config classification: suspicious-login,An attempted login using a suspicious username was detected,2 +config classification: system-call-detect,A system call was detected,2 +config classification: tcp-connection,A TCP connection was detected,4 +config classification: trojan-activity,A Network Trojan was detected, 1 +config classification: unusual-client-port-connection,A client was using an unusual port,2 +config classification: network-scan,Detection of a Network Scan,3 +config classification: denial-of-service,Detection of a Denial of Service Attack,2 +config classification: non-standard-protocol,Detection of a non-standard protocol or event,2 +config classification: protocol-command-decode,Generic Protocol Command Decode,3 +config classification: web-application-activity,access to a potentially vulnerable web application,2 +config classification: web-application-attack,Web Application Attack,1 +config classification: misc-activity,Misc activity,3 +config classification: misc-attack,Misc Attack,2 +config classification: icmp-event,Generic ICMP event,3 +config classification: inappropriate-content,Inappropriate Content was Detected,1 +config classification: policy-violation,Potential Corporate Privacy Violation,1 +config classification: default-login-attempt,Attempt to login by a default username and password,2 +config classification: sdf,Senstive Data,2 +config classification: file-format,Known malicious file or file based exploit,1 +config classification: malware-cnc,Known malware command and control traffic,1 +config classification: client-side-exploit,Known client side exploit attempt,1 diff --git a/snort/arm/data/gen-msg.map b/snort/arm/data/gen-msg.map new file mode 100644 index 0000000..8e34aad --- /dev/null +++ b/snort/arm/data/gen-msg.map 
@@ -0,0 +1,520 @@ +# $Id$ +# GENERATORS -> msg map +# Format: generatorid || alertid || MSG + +1 || 1 || snort general alert +2 || 1 || tag: Tagged Packet +3 || 1 || snort dynamic alert +100 || 1 || spp_portscan: Portscan Detected +100 || 2 || spp_portscan: Portscan Status +100 || 3 || spp_portscan: Portscan Ended +101 || 1 || spp_minfrag: minfrag alert +102 || 1 || http_decode: Unicode Attack +102 || 2 || http_decode: CGI NULL Byte Attack +102 || 3 || http_decode: large method attempted +102 || 4 || http_decode: missing uri +102 || 5 || http_decode: double encoding detected +102 || 6 || http_decode: illegal hex values detected +102 || 7 || http_decode: overlong character detected +103 || 1 || spp_defrag: Fragmentation Overflow Detected +103 || 2 || spp_defrag: Stale Fragments Discarded +104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded +104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted +105 || 1 || spp_bo: Back Orifice Traffic Detected +105 || 2 || spp_bo: Back Orifice Client Traffic Detected +105 || 3 || spp_bo: Back Orifice Server Traffic Detected +105 || 4 || spp_bo: Back Orifice Snort Buffer Attack +106 || 1 || spp_rpc_decode: Fragmented RPC Records +106 || 2 || spp_rpc_decode: Multiple Records in one packet +106 || 3 || spp_rpc_decode: Large RPC Record Fragment +106 || 4 || spp_rpc_decode: Incomplete RPC segment +106 || 5 || spp_rpc_decode: Zero-length RPC Fragment +110 || 1 || spp_unidecode: CGI NULL Attack +110 || 2 || spp_unidecode: Directory Traversal +110 || 3 || spp_unidecode: Unknown Mapping +110 || 4 || spp_unidecode: Invalid Mapping +111 || 1 || spp_stream4: Stealth Activity Detected +111 || 2 || spp_stream4: Evasive Reset Packet +111 || 3 || spp_stream4: Retransmission +111 || 4 || spp_stream4: Window Violation +111 || 5 || spp_stream4: Data on SYN Packet +111 || 6 || spp_stream4: Full XMAS Stealth Scan +111 || 7 || spp_stream4: SAPU Stealth Scan +111 || 8 || spp_stream4: FIN Stealth Scan +111 || 9 || spp_stream4: NULL Stealth 
Scan +111 || 10 || spp_stream4: NMAP XMAS Stealth Scan +111 || 11 || spp_stream4: VECNA Stealth Scan +111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection +111 || 13 || spp_stream4: SYN FIN Stealth Scan +111 || 14 || spp_stream4: TCP forward overlap detected +111 || 15 || spp_stream4: TTL Evasion attempt +111 || 16 || spp_stream4: Evasive retransmitted data attempt +111 || 17 || spp_stream4: Evasive retransmitted data with the data split attempt +111 || 18 || spp_stream4: Multiple acked +111 || 19 || spp_stream4: Shifting to Emergency Session Mode +111 || 20 || spp_stream4: Shifting to Suspend Mode +111 || 21 || spp_stream4: TCP Timestamp option has value of zero +111 || 22 || spp_stream4: Too many overlapping TCP packets +111 || 23 || spp_stream4: Packet in established TCP stream missing ACK +111 || 24 || spp_stream4: Evasive FIN Packet +111 || 25 || spp_stream4: SYN on established +112 || 1 || spp_arpspoof: Directed ARP Request +112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC +112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST +112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack +113 || 1 || spp_frag2: Oversized Frag +113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack +113 || 3 || spp_frag2: TTL evasion detected +113 || 4 || spp_frag2: overlap detected +113 || 5 || spp_frag2: Duplicate first fragments +113 || 6 || spp_frag2: memcap exceeded +113 || 7 || spp_frag2: Out of order fragments +113 || 8 || spp_frag2: IP Options on Fragmented Packet +113 || 9 || spp_frag2: Shifting to Emegency Session Mode +113 || 10 || spp_frag2: Shifting to Suspend Mode +114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected +114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected +114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected +114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected +115 || 1 || spp_asn1: Indefinite ASN.1 length encoding +115 || 2 || spp_asn1: Invalid ASN.1 length encoding +115 || 3 || spp_asn1: 
ASN.1 oversized item, possible overflow +115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow +115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length +116 || 1 || snort_decoder: WARNING: Not IPv4 datagram +116 || 2 || snort_decoder: WARNING: hlen < IP_HEADER_LEN +116 || 3 || snort_decoder: WARNING: IP dgm len < IP Hdr len +116 || 4 || snort_decoder: WARNING: Bad IPv4 Options +116 || 5 || snort_decoder: WARNING: Truncated IPv4 Options +116 || 6 || snort_decoder: WARNING: IP dgm len > captured len +116 || 45 || snort_decoder: WARNING: TCP packet len is smaller than 20 bytes +116 || 46 || snort_decoder: WARNING: TCP Data Offset is less than 5 +116 || 47 || snort_decoder: WARNING: TCP Data Offset is longer than payload +116 || 54 || snort_decoder: WARNING: Tcp Options found with bad lengths +116 || 55 || snort_decoder: WARNING: Truncated Tcp Options +116 || 56 || snort_decoder: WARNING: T/TCP Detected +116 || 57 || snort_decoder: WARNING: Obsolete TCP options +116 || 58 || snort_decoder: WARNING: Experimental TCP options +116 || 59 || snort_decoder: WARNING: TCP Window Scale Option Scale Invalid (> 14) +116 || 95 || snort_decoder: WARNING: Truncated UDP Header +116 || 96 || snort_decoder: WARNING: Invalid UDP header, length field < 8 +116 || 97 || snort_decoder: WARNING: Short UDP packet, length field > payload length +116 || 98 || snort_decoder: WARNING: Long UDP packet, length field < payload length +116 || 105 || snort_decoder: WARNING: ICMP Header Truncated +116 || 106 || snort_decoder: WARNING: ICMP Timestamp Header Truncated +116 || 107 || snort_decoder: WARNING: ICMP Address Header Truncated +116 || 108 || snort_decoder: WARNING: Unknown Datagram decoding problem +116 || 109 || snort_decoder: WARNING: Truncated ARP Packet +116 || 110 || snort_decoder: WARNING: Truncated EAP Header +116 || 111 || snort_decoder: WARNING: EAP Key Truncated +116 || 112 || snort_decoder: WARNING: EAP Header Truncated +116 || 120 || snort_decoder: WARNING: Bad PPPOE 
frame detected +116 || 130 || snort_decoder: WARNING: Bad VLAN Frame +116 || 131 || snort_decoder: WARNING: Bad LLC header +116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info +116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header +116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info +116 || 140 || snort_decoder: WARNING: Bad Token Ring Header +116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header +116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header +116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header +116 || 150 || snort_decoder: WARNING: Bad Traffic Loopback IP +116 || 151 || snort_decoder: WARNING: Bad Traffic Same Src/Dst IP +116 || 160 || snort_decoder: WARNING: GRE header length > payload length +116 || 161 || snort_decoder: WARNING: Multiple encapsulations in packet +116 || 162 || snort_decoder: WARNING: Invalid GRE version +116 || 163 || snort_decoder: WARNING: Invalid GRE v.0 header +116 || 164 || snort_decoder: WARNING: Invalid GRE v.1 PPTP header +116 || 165 || snort_decoder: WARNING: GRE Trans header length > payload length +116 || 170 || snort_decoder: WARNING: Bad MPLS Frame +116 || 171 || snort_decoder: WARNING: MPLS Label 0 Appears in Nonbottom Header +116 || 172 || snort_decoder: WARNING: MPLS Label 1 Appears in Bottom Header +116 || 173 || snort_decoder: WARNING: MPLS Label 2 Appears in Nonbottom Header +116 || 174 || snort_decoder: WARNING: Bad use of label 3 +116 || 175 || snort_decoder: WARNING: MPLS Label 4, 5,.. 
or 15 Appears in Header +116 || 176 || snort_decoder: WARNING: Too Many MPLS headers +116 || 250 || snort_decoder: WARNING: ICMP Original IP Header Truncated +116 || 251 || snort_decoder: WARNING: ICMP Original IP Header Not IPv4 +116 || 252 || snort_decoder: WARNING: ICMP Original Datagram Length < Original IP Header Length +116 || 253 || snort_decoder: WARNING: ICMP Original IP Payload < 64 bits +116 || 254 || snort_decoder: WARNING: ICMP Original IP Payload > 576 bytes +116 || 255 || snort_decoder: WARNING: ICMP Original IP Fragmented and Offset Not 0 +116 || 270 || snort_decoder: WARNING: IPV6 packet exceeded TTL limit +116 || 271 || snort_decoder: WARNING: IPv6 header claims to not be IPv6 +116 || 272 || snort_decoder: WARNING: IPV6 truncated extension header +116 || 273 || snort_decoder: WARNING: IPV6 truncated header +116 || 274 || snort_decoder: WARNING: IPV6 dgm len < IPV6 Hdr len +116 || 275 || snort_decoder: WARNING: IPV6 dgm len > captured len +116 || 276 || snort_decoder: WARNING: IPv6 packet with destination address ::0 +116 || 277 || snort_decoder: WARNING: IPv6 packet with multicast source address +116 || 278 || snort_decoder: WARNING: IPv6 packet with reserved multicast destination address +116 || 279 || snort_decoder: WARNING: IPv6 header includes an undefined option type +116 || 280 || snort_decoder: WARNING: IPv6 address includes an unassigned multicast scope value +116 || 281 || snort_decoder: WARNING: IPv6 header includes an invalid value for the "next header" field +116 || 282 || snort_decoder: WARNING: IPv6 header includes a routing extension header followed by a hop-by-hop header +116 || 283 || snort_decoder: WARNING: IPv6 header includes two routing extension headers +116 || 285 || snort_decoder: WARNING: ICMPv6 packet of type 2 (message too big) with MTU field < 1280 +116 || 286 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 2463 code +116 || 287 || snort_decoder: WARNING: ICMPv6 router 
solicitation packet with a code not equal to 0 +116 || 288 || snort_decoder: WARNING: ICMPv6 router advertisement packet with a code not equal to 0 +116 || 289 || snort_decoder: WARNING: ICMPv6 router solicitation packet with the reserved field not equal to 0 +116 || 290 || snort_decoder: WARNING: ICMPv6 router advertisement packet with the reachable time field set > 1 hour +116 || 291 || snort_decoder: WARNING: IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux Kernel attack +116 || 292 || snort_decoder: WARNING: IPv6 header has destination options followed by a routing header +116 || 293 || snort_decoder: WARNING: Two or more IP (v4 and/or v6) encapsulation layers present +116 || 294 || snort_decoder: WARNING: truncated Encapsulated Security Payload (ESP) header +116 || 295 || snort_decoder: WARNING: IPv6 header includes an option which is too big for the containing header. +116 || 296 || snort_decoder: WARNING: IPv6 packet includes out-of-order extension headers +116 || 297 || snort_decoder: WARNING: Two or more GTP encapsulation layers are present +116 || 298 || snort_decoder: WARNING: GTP header length is invalid +116 || 400 || snort_decoder: WARNING: XMAS Attack Detected +116 || 401 || snort_decoder: WARNING: Nmap XMAS Attack Detected +116 || 402 || snort_decoder: WARNING: DOS NAPTHA Vulnerability Detected +116 || 403 || snort_decoder: WARNING: Bad Traffic SYN to multicast address +116 || 404 || snort_decoder: WARNING: IPV4 packet with zero TTL +116 || 405 || snort_decoder: WARNING: IPV4 packet with bad frag bits (Both MF and DF set) +116 || 406 || snort_decoder: WARNING: Invalid IPv6 UDP packet, checksum zero +116 || 407 || snort_decoder: WARNING: IPV4 packet frag offset + length exceed maximum +116 || 408 || snort_decoder: WARNING: IPV4 packet from 'current net' source address +116 || 409 || snort_decoder: WARNING: IPV4 packet to 'current net' dest address +116 || 410 || snort_decoder: WARNING: IPV4 packet from multicast source address +116 || 
411 || snort_decoder: WARNING: IPV4 packet from reserved source address +116 || 412 || snort_decoder: WARNING: IPV4 packet to reserved dest address +116 || 413 || snort_decoder: WARNING: IPV4 packet from broadcast source address +116 || 414 || snort_decoder: WARNING: IPV4 packet to broadcast dest address +116 || 415 || snort_decoder: WARNING: ICMP4 packet to multicast dest address +116 || 416 || snort_decoder: WARNING: ICMP4 packet to broadcast dest address +116 || 417 || snort_decoder: WARNING: ICMP4 source quence +116 || 418 || snort_decoder: WARNING: ICMP4 type other +116 || 419 || snort_decoder: WARNING: TCP urgent pointer exceeds payload length or no payload +116 || 420 || snort_decoder: WARNING: TCP SYN with FIN +116 || 421 || snort_decoder: WARNING: TCP SYN with RST +116 || 422 || snort_decoder: WARNING: TCP PDU missing ack for established session +116 || 423 || snort_decoder: WARNING: TCP has no SYN, ACK, or RST +116 || 424 || snort_decoder: WARNING: truncated eth header +116 || 425 || snort_decoder: WARNING: truncated IP4 header +116 || 426 || snort_decoder: WARNING: truncated ICMP4 header +116 || 427 || snort_decoder: WARNING: truncated ICMP6 header +116 || 428 || snort_decoder: WARNING: IPV4 packet below TTL limit +116 || 429 || snort_decoder: WARNING: IPV6 packet has zero hop limit +116 || 430 || snort_decoder: WARNING: IPV4 packet both DF and offset set +116 || 431 || snort_decoder: WARNING: ICMP6 type not decoded +116 || 432 || snort_decoder: WARNING: ICMP6 packet to multicast address +116 || 433 || snort_decoder: WARNING: DDOS shaft synflood +116 || 434 || snort_decoder: WARNING: ICMP PING NMAP +116 || 435 || snort_decoder: WARNING: ICMP icmpenum v1.1.1 +116 || 436 || snort_decoder: WARNING: ICMP redirect host +116 || 437 || snort_decoder: WARNING: ICMP redirect net +116 || 438 || snort_decoder: WARNING: ICMP traceroute ipopts +116 || 439 || snort_decoder: WARNING: ICMP Source Quench +116 || 440 || snort_decoder: WARNING: Broadscan Smurf Scanner +116 
|| 441 || snort_decoder: WARNING: ICMP Destination Unreachable Communication Administratively Prohibited +116 || 442 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited +116 || 443 || snort_decoder: WARNING: ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited +116 || 444 || snort_decoder: WARNING: MISC IP option set +116 || 445 || snort_decoder: WARNING: MISC Large UDP Packet +116 || 446 || snort_decoder: WARNING: BAD-TRAFFIC TCP port 0 traffic +116 || 447 || snort_decoder: WARNING: BAD-TRAFFIC UDP port 0 traffic +116 || 448 || snort_decoder: WARNING: BAD-TRAFFIC IP reserved bit set +116 || 449 || snort_decoder: WARNING: BAD-TRAFFIC Unassigned/Reserved IP protocol +116 || 450 || snort_decoder: WARNING: BAD-TRAFFIC Bad IP protocol +116 || 451 || snort_decoder: WARNING: ICMP PATH MTU denial of service attempt +116 || 452 || snort_decoder: WARNING: BAD-TRAFFIC linux ICMP header dos attempt +116 || 453 || snort_decoder: WARNING: IPV6 ISATAP spoof +116 || 454 || snort_decoder: WARNING: PGM NAK overflow +116 || 455 || snort_decoder: WARNING: IGMP options dos +116 || 456 || snort_decoder: WARNING: too many IPV6 extension headers +116 || 457 || snort_decoder: WARNING: ICMPv6 packet of type 1 (destination unreachable) with non-RFC 4443 code +116 || 458 || snort_decoder: WARNING: bogus fragmentation packet. 
Possible BSD attack +116 || 459 || snort_decoder: WARNING: zero length fragment +116 || 460 || snort_decoder: WARNING: ICMPv6 node info query/response packet with a code greater than 2 +116 || 461 || snort_decoder: WARNING: Deprecated IPv6 Type 0 Routing Header +116 || 462 || snort_decoder: WARNING: ERSpan Header version mismatch +116 || 463 || snort_decoder: WARNING: captured < ERSpan Type2 Header Length +116 || 464 || snort_decoder: WARNING: captured < ERSpan Type3 Header Length +116 || 467 || snort_decoder: WARNING: truncated FabricPath header +117 || 1 || spp_portscan2: Portscan detected +118 || 1 || spp_conversation: Bad IP protocol +119 || 1 || http_inspect: ASCII ENCODING +119 || 2 || http_inspect: DOUBLE DECODING ATTACK +119 || 3 || http_inspect: U ENCODING +119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING +119 || 5 || http_inspect: BASE36 ENCODING +119 || 6 || http_inspect: UTF-8 ENCODING +119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING +119 || 8 || http_inspect: MULTI_SLASH ENCODING +119 || 9 || http_inspect: IIS BACKSLASH EVASION +119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL +119 || 11 || http_inspect: DIRECTORY TRAVERSAL +119 || 12 || http_inspect: APACHE WHITESPACE (TAB) +119 || 13 || http_inspect: NON-RFC HTTP DELIMITER +119 || 14 || http_inspect: NON-RFC DEFINED CHAR +119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY +119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING +119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED +119 || 18 || http_inspect: WEBROOT DIRECTORY TRAVERSAL +119 || 19 || http_inspect: LONG HEADER +119 || 20 || http_inspect: MAX HEADERS +119 || 21 || http_inspect: MULTIPLE CONTENT LENGTH HEADER FIELDS +119 || 22 || http_inspect: CHUNK SIZE MISMATCH DETECTED +119 || 23 || http_inspect: INVALID IP IN TRUE-CLIENT-IP/XFF HEADER +119 || 24 || http_inspect: MULTIPLE HOST HEADERS DETECTED +119 || 25 || http_inspect: HOSTNAME EXCEEDS 255 CHARACTERS +119 || 26 || http_inspect: HEADER PARSING SPACE SATURATION 
+119 || 27 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS +119 || 28 || http_inspect: POST W/O CONTENT-LENGTH OR CHUNKS +119 || 29 || http_inspect: MULTIPLE TRUE IPS IN A SESSION +119 || 30 || http_inspect: BOTH TRUE_CLIENT_IP AND XFF HDRS PRESENT +119 || 31 || http_inspect: UNKNOWN METHOD +119 || 32 || http_inspect: SIMPLE REQUEST +119 || 33 || http_inspect: UNESCAPED SPACE IN HTTP URI +119 || 34 || http_inspect: TOO MANY PIPELINED REQUESTS +120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT +120 || 2 || http_inspect: INVALID STATUS CODE IN HTTP RESPONSE +120 || 3 || http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE +120 || 4 || http_inspect: HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE +120 || 5 || http_inspect: HTTP RESPONSE HAS UTF-7 CHARSET +120 || 6 || http_inspect: HTTP RESPONSE GZIP DECOMPRESSION FAILED +120 || 7 || http_inspect: CHUNKED ENCODING - EXCESSIVE CONSECUTIVE SMALL CHUNKS +120 || 8 || http_inspect: MESSAGE WITH INVALID CONTENT-LENGTH OR CHUNK SIZE +120 || 9 || http_inspect: JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1 +120 || 10 || http_inspect: JAVASCRIPT WHITESPACES EXCEEDS MAX ALLOWED +120 || 11 || http_inspect: MULTIPLE ENCODINGS WITHIN JAVASCRIPT OBFUSCATED DATA +120 || 12 || http_inspect: SWF FILE ZLIB DECOMPRESSION FAILURE +120 || 13 || http_inspect: SWF FILE LZMA DECOMPRESSION FAILURE +120 || 14 || http_inspect: PDF FILE DEFLATE DECOMPRESSION FAILURE +120 || 15 || http_inspect: PDF FILE UNSUPPORTED COMPRESSION TYPES +120 || 16 || http_inspect: PDF FILE CASCADED COMPRESSION +120 || 17 || http_inspect: PDF FILE PARSE FAILURE +120 || 18 || http_inspect: PROTOCOL-OTHER HTTP server response before client request +121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded +121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded +121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded +121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded +122 || 1 || 
portscan: TCP Portscan +122 || 2 || portscan: TCP Decoy Portscan +122 || 3 || portscan: TCP Portsweep +122 || 4 || portscan: TCP Distributed Portscan +122 || 5 || portscan: TCP Filtered Portscan +122 || 6 || portscan: TCP Filtered Decoy Portscan +122 || 7 || portscan: TCP Filtered Portsweep +122 || 8 || portscan: TCP Filtered Distributed Portscan +122 || 9 || portscan: IP Protocol Scan +122 || 10 || portscan: IP Decoy Protocol Scan +122 || 11 || portscan: IP Protocol Sweep +122 || 12 || portscan: IP Distributed Protocol Scan +122 || 13 || portscan: IP Filtered Protocol Scan +122 || 14 || portscan: IP Filtered Decoy Protocol Scan +122 || 15 || portscan: IP Filtered Protocol Sweep +122 || 16 || portscan: IP Filtered Distributed Protocol Scan +122 || 17 || portscan: UDP Portscan +122 || 18 || portscan: UDP Decoy Portscan +122 || 19 || portscan: UDP Portsweep +122 || 20 || portscan: UDP Distributed Portscan +122 || 21 || portscan: UDP Filtered Portscan +122 || 22 || portscan: UDP Filtered Decoy Portscan +122 || 23 || portscan: UDP Filtered Portsweep +122 || 24 || portscan: UDP Filtered Distributed Portscan +122 || 25 || portscan: ICMP Sweep +122 || 26 || portscan: ICMP Filtered Sweep +122 || 27 || portscan: Open Port +123 || 1 || frag3: IP Options on fragmented packet +123 || 2 || frag3: Teardrop attack +123 || 3 || frag3: Short fragment, possible DoS attempt +123 || 4 || frag3: Fragment packet ends after defragmented packet +123 || 5 || frag3: Zero-byte fragment +123 || 6 || frag3: Bad fragment size, packet size is negative +123 || 7 || frag3: Bad fragment size, packet size is greater than 65536 +123 || 8 || frag3: Fragmentation overlap +123 || 9 || frag3: IPv6 BSD mbufs remote kernel buffer overflow +123 || 10 || frag3: Bogus fragmentation packet. 
Possible BSD attack +123 || 11 || frag3: TTL value less than configured minimum, not using for reassembly +123 || 12 || frag3: Number of overlapping fragments exceed configured limit +123 || 13 || frag3: Fragments smaller than configured min_fragment_length +124 || 1 || smtp: Attempted command buffer overflow +124 || 2 || smtp: Attempted data header buffer overflow +124 || 3 || smtp: Attempted response buffer overflow +124 || 4 || smtp: Attempted specific command buffer overflow +124 || 5 || smtp: Unknown command +124 || 6 || smtp: Illegal command +124 || 7 || smtp: Attempted header name buffer overflow +124 || 8 || smtp: Attempted X-Link2State command buffer overflow +124 || 9 || smtp: No memory available for decoding. Max Mime Mem exceeded. +124 || 10 || smtp: Base64 Decoding failed +124 || 11 || smtp: Quoted-Printable Decoding failed +124 || 12 || smtp: Non-Encoded MIME attachment Extraction failed +124 || 13 || smtp: Unix-to-Unix Decoding failed +124 || 14 || smtp: Cyrus SASL authentication attack +125 || 1 || ftp_pp: Telnet command on FTP command channel +125 || 2 || ftp_pp: Invalid FTP command +125 || 3 || ftp_pp: FTP parameter length overflow +125 || 4 || ftp_pp: FTP malformed parameter +125 || 5 || ftp_pp: Possible string format attempt in FTP command/parameter +125 || 6 || ftp_pp: FTP response length overflow +125 || 7 || ftp_pp: FTP command channel encrypted +125 || 8 || ftp_pp: FTP bounce attack +125 || 9 || ftp_pp: Evasive Telnet command on FTP command channel +126 || 1 || telnet_pp: Telnet consecutive AYT overflow +126 || 2 || telnet_pp: Telnet data encrypted +126 || 3 || telnet_pp: Subnegotiation Begin without matching Subnegotiation End +128 || 1 || ssh: Gobbles exploit +128 || 2 || ssh: SSH1 CRC32 exploit +128 || 3 || ssh: Server version string overflow +128 || 4 || ssh: Protocol mismatch +128 || 5 || ssh: Bad message direction +128 || 6 || ssh: Payload size incorrect for the given payload +128 || 7 || ssh: Failed to detect SSH version string +129 
|| 1 || stream5: SYN on established session +129 || 2 || stream5: Data on SYN packet +129 || 3 || stream5: Data sent on stream not accepting data +129 || 4 || stream5: TCP Timestamp is outside of PAWS window +129 || 5 || stream5: Bad segment, overlap adjusted size less than/equal 0 +129 || 6 || stream5: Window size (after scaling) larger than policy allows +129 || 7 || stream5: Limit on number of overlapping TCP packets reached +129 || 8 || stream5: Data sent on stream after TCP Reset +129 || 9 || stream5: TCP Client possibly hijacked, different Ethernet Address +129 || 10 || stream5: TCP Server possibly hijacked, different Ethernet Address +129 || 11 || stream5: TCP Data with no TCP Flags set +129 || 12 || stream5: TCP Small Segment Threshold Exceeded +129 || 13 || stream5: TCP 4-way handshake detected +129 || 14 || stream5: TCP Timestamp is missing +129 || 15 || stream5: Reset outside window +129 || 16 || stream5: FIN number is greater than prior FIN +129 || 17 || stream5: ACK number is greater than prior FIN +129 || 18 || stream5: Data sent on stream after TCP Reset received +129 || 19 || stream5: TCP window closed before receiving data +129 || 20 || stream5: TCP session without 3-way handshake +130 || 1 || dcerpc: Maximum memory usage reached +131 || 1 || dns: Obsolete DNS RData Type +131 || 2 || dns: Experimental DNS RData Type +131 || 3 || dns: Client RData TXT Overflow +133 || 1 || dcerpc2: Memory cap exceeded +133 || 2 || dcerpc2: SMB - Bad NetBIOS Session Service session type +133 || 3 || dcerpc2: SMB - Bad SMB message type +133 || 4 || dcerpc2: SMB - Bad SMB Id (not "\xffSMB" for SMB1 or not "\xfeSMB" for SMB2) +133 || 5 || dcerpc2: SMB - Bad word count or structure size for command +133 || 6 || dcerpc2: SMB - Bad byte count for command +133 || 7 || dcerpc2: SMB - Bad format type for command +133 || 8 || dcerpc2: SMB - Bad AndX or data offset in command +133 || 9 || dcerpc2: SMB - Zero total data count in command +133 || 10 || dcerpc2: SMB - NetBIOS data 
length less than SMB header length +133 || 11 || dcerpc2: SMB - Remaining NetBIOS data length less than command length +133 || 12 || dcerpc2: SMB - Remaining NetBIOS data length less than command byte count +133 || 13 || dcerpc2: SMB - Remaining NetBIOS data length less than command data size +133 || 14 || dcerpc2: SMB - Remaining total data count less than this command data size +133 || 15 || dcerpc2: SMB - Total data sent greater than command total data expected +133 || 16 || dcerpc2: SMB - Byte count less than command data size +133 || 17 || dcerpc2: SMB - Invalid command data size for byte count +133 || 18 || dcerpc2: SMB - Excessive Tree Connect requests with pending Tree Connect responses +133 || 19 || dcerpc2: SMB - Excessive Read requests with pending Read responses +133 || 20 || dcerpc2: SMB - Excessive command chaining +133 || 21 || dcerpc2: SMB - Multiple chained login requests +133 || 22 || dcerpc2: SMB - Multiple chained tree connect requests +133 || 23 || dcerpc2: SMB - Chained/Compounded login followed by logoff +133 || 24 || dcerpc2: SMB - Chained/Compounded tree connect followed by tree disconnect +133 || 25 || dcerpc2: SMB - Chained/Compounded open pipe followed by close pipe +133 || 26 || dcerpc2: SMB - Invalid share access +133 || 27 || dcerpc2: Connection-oriented DCE/RPC - Invalid major version +133 || 28 || dcerpc2: Connection-oriented DCE/RPC - Invalid minor version +133 || 29 || dcerpc2: Connection-oriented DCE/RPC - Invalid pdu type +133 || 30 || dcerpc2: Connection-oriented DCE/RPC - Fragment length less than header size +133 || 31 || dcerpc2: Connection-oriented DCE/RPC - Remaining fragment length less than size needed +133 || 32 || dcerpc2: Connection-oriented DCE/RPC - No context items specified +133 || 33 || dcerpc2: Connection-oriented DCE/RPC - No transfer syntaxes specified +133 || 34 || dcerpc2: Connection-oriented DCE/RPC - Fragment length on non-last fragment less than maximum negotiated fragment transmit size for client +133 || 
35 || dcerpc2: Connection-oriented DCE/RPC - Fragment length greater than maximum negotiated fragment transmit size +133 || 36 || dcerpc2: Connection-oriented DCE/RPC - Alter Context byte order different from Bind +133 || 37 || dcerpc2: Connection-oriented DCE/RPC - Call id of non first/last fragment different from call id established for fragmented request +133 || 38 || dcerpc2: Connection-oriented DCE/RPC - Opnum of non first/last fragment different from opnum established for fragmented request +133 || 39 || dcerpc2: Connection-oriented DCE/RPC - Context id of non first/last fragment different from context id established for fragmented request +133 || 40 || dcerpc2: Connectionless DCE/RPC - Invalid major version +133 || 41 || dcerpc2: Connectionless DCE/RPC - Invalid pdu type +133 || 42 || dcerpc2: Connectionless DCE/RPC - Data length less than header size +133 || 43 || dcerpc2: Connectionless DCE/RPC - Bad sequence number +#133 || 44 || dcerpc2: SMB - Invalid SMB version 1 seen +#133 || 45 || dcerpc2: SMB - Invalid SMB version 2 seen +#133 || 46 || dcerpc2: SMB - Invalid user, tree connect, file binding +#133 || 47 || dcerpc2: SMB - Excessive command compounding +133 || 48 || dcerpc2: SMB - Zero data count +133 || 49 || dcerpc2: SMB - Data count mismatch +133 || 50 || dcerpc2: SMB - Maximum number of outstanding requests exceeded +133 || 51 || dcerpc2: SMB - Outstanding requests with the same MID +133 || 52 || dcerpc2: SMB - Deprecated dialect negotiated +133 || 53 || dcerpc2: SMB - Deprecated command used +133 || 54 || dcerpc2: SMB - Unusual command used +133 || 55 || dcerpc2: SMB - Invalid setup count +133 || 56 || dcerpc2: SMB - Client attempted multiple dialect negotiations on session +133 || 57 || dcerpc2: SMB - Client attempted to create or set a file's attributes to readonly/hidden/system +133 || 58 || dcerpc2: SMB - File offset provided is greater than file size specified +133 || 59 || dcerpc2: SMB - Nextcommand specified in SMB2 header is beyond payload 
boundary +134 || 1 || ppm: rule tree disabled +134 || 2 || ppm: rule tree enabled +134 || 3 || ppm: packet aborted +135 || 1 || internal: syn received +135 || 2 || internal: session established +135 || 3 || internal: session cleared +136 || 1 || reputation: Packet is blacklisted +136 || 2 || reputation: Packet is whitelisted +137 || 1 || spp_ssl: Invalid Client HELLO after Server HELLO Detected +137 || 2 || spp_ssl: Invalid Server HELLO without Client HELLO Detected +137 || 3 || spp_ssl: Heartbeat Read Overrun Attempt Detected +137 || 4 || spp_ssl: Large Heartbeat Response Detected +138 || 2 || sensitive_data: sensitive data - Credit card numbers +138 || 3 || sensitive_data: sensitive data - U.S. social security numbers with dashes +138 || 4 || sensitive_data: sensitive data - U.S. social security numbers without dashes +138 || 5 || sensitive_data: sensitive data - eMail addresses +138 || 6 || sensitive_data: sensitive data - U.S. phone numbers +139 || 1 || sensitive_data: sensitive data global threshold exceeded +140 || 1 || sip: Maximum sessions reached +140 || 2 || sip: Empty request URI +140 || 3 || sip: URI is too long +140 || 4 || sip: Empty call-Id +140 || 5 || sip: Call-Id is too long +140 || 6 || sip: CSeq number is too large or negative +140 || 7 || sip: Request name in CSeq is too long +140 || 8 || sip: Empty From header +140 || 9 || sip: From header is too long +140 || 10 || sip: Empty To header +140 || 11 || sip: To header is too long +140 || 12 || sip: Empty Via header +140 || 13 || sip: Via header is too long +140 || 14 || sip: Empty Contact +140 || 15 || sip: Contact is too long +140 || 16 || sip: Content length is too large or negative +140 || 17 || sip: Multiple SIP messages in a packet +140 || 18 || sip: Content length mismatch +140 || 19 || sip: Request name is invalid +140 || 20 || sip: Invite replay attack +140 || 21 || sip: Illegal session information modification +140 || 22 || sip: Response status code is not a 3 digit number +140 || 23 || 
sip: Empty Content type
+140 || 24 || sip: SIP version other than 2.0, 1.0, and 1.1 are invalid
+140 || 25 || sip: Mismatch in Method of request and the CSEQ header
+140 || 26 || sip: The method is unknown
+140 || 27 || sip: Maximum dialogs in a session reached
+141 || 1 || imap: Unknown IMAP4 command
+141 || 2 || imap: Unknown IMAP4 response
+141 || 3 || imap: No memory available for decoding. Memcap exceeded.
+141 || 4 || imap: Base64 Decoding failed
+141 || 5 || imap: Quoted-Printable Decoding failed
+141 || 6 || imap: Non-Encoded MIME attachment Extraction failed
+141 || 7 || imap: Unix-to-Unix Decoding failed
+142 || 1 || pop: Unknown POP3 command
+142 || 2 || pop: Unknown POP3 response
+142 || 3 || pop: No memory available for decoding. Memcap exceeded.
+142 || 4 || pop: Base64 Decoding failed
+142 || 5 || pop: Quoted-Printable Decoding failed
+142 || 6 || pop: Non-Encoded MIME attachment Extraction failed
+142 || 7 || pop: Unix-to-Unix Decoding failed
+143 || 1 || gtp: Message length is invalid
+143 || 2 || gtp: Information element length is invalid
+143 || 3 || gtp: Information elements are out of order
+144 || 1 || modbus: Length in Modbus MBAP header does not match the length needed for the given Modbus function.
+144 || 2 || modbus: Modbus protocol ID is non-zero.
+144 || 3 || modbus: Reserved Modbus function code in use.
+145 || 1 || dnp3: DNP3 Link-Layer Frame contains bad CRC.
+145 || 2 || dnp3: DNP3 Link-Layer Frame was dropped.
+145 || 3 || dnp3: DNP3 Transport-Layer Segment was dropped during reassembly.
+145 || 4 || dnp3: DNP3 Reassembly Buffer was cleared without reassembling a complete message.
+145 || 5 || dnp3: DNP3 Link-Layer Frame uses a reserved address.
+145 || 6 || dnp3: DNP3 Application-Layer Fragment uses a reserved function code.
diff --git a/snort/arm/data/reference.config b/snort/arm/data/reference.config
new file mode 100644
index 0000000..a499bb3
--- /dev/null
+++ b/snort/arm/data/reference.config
@@ -0,0 +1,16 @@
+# $Id$
+# The following defines URLs for the references found in the rules
+#
+# config reference: system URL
+
+config reference: bugtraq http://www.securityfocus.com/bid/
+config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+config reference: osvdb http://osvdb.org/show/osvdb/
+
+# Note, this one needs a suffix as well.... lets add that in a bit.
+config reference: McAfee http://vil.nai.com/vil/content/v_
+config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url http://
+config reference: msb http://technet.microsoft.com/en-us/security/bulletin/
+
diff --git a/snort/arm/data/rules/black_list.rules b/snort/arm/data/rules/black_list.rules
new file mode 100644
index 0000000..e69de29
diff --git a/snort/arm/data/rules/community.rules b/snort/arm/data/rules/community.rules
new file mode 100644
index 0000000..ed11893
--- /dev/null
+++ b/snort/arm/data/rules/community.rules
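Review bot: Every reference base in this new reference.config is plain `http://`, including the generic `url` system, so each `reference:url,...` and `reference:cve,...` an analyst clicks from an alert is rewritten to an unencrypted link; the `cve`, `bugtraq` and `msb` bases should at least be `https://` where the site serves it, e.g. `config reference: cve https://cve.mitre.org/cgi-bin/cvename.cgi?name=`. This looks like the stock Snort 2.x reference.config copied verbatim (the `$Id$` keyword and the "needs a suffix as well.... lets add that in a bit" note are upstream leftovers); as far as I know the `arachNIDS` (whitehats.com) and `osvdb` hosts no longer resolve, so those two entries yield dead links and could be dropped or annotated with a comment such as `# osvdb/arachNIDS: historical references, hosts are offline`. The file is otherwise complete within this hunk.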
@@ -0,0 +1,3766 @@ +# Copyright 2001-2018 Sourcefire, Inc. All Rights Reserved. +# +# This file contains rules that were created by Sourcefire, Inc. and other third parties +# (the "GPL Rules") that are distributed under the GNU General Public License (GPL), +# v2. The GPL Rules created by Sourcefire are owned by Sourcefire, Inc., and the GPL +# Rules not created by Sourcefire are owned by their respective owners. Please see +# the AUTHORS file included in the community package for a list of third party owners and their +# respective copyrights. +# +# This file does not contain any Sourcefire VRT Certified Rules; the VRT Certified +# Rules are distributed by Sourcefire separately under the VRT Certified Rules License +# Agreement (v 2.0) +# +#----------------- +# COMMUNITY RULES +#----------------- + +# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;) +# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; depth:9; 
metadata:impact_flag red, ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17;) +# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;) +# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;) +# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;) +# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;) +# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;) +# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; 
content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:11;) +# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;) +# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;) +# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10;) +# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10;) +# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;) +# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; 
reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;) +# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:12;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; classtype:attempted-admin; sid:213; rev:8;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; classtype:attempted-admin; sid:214; rev:8;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; 
classtype:attempted-admin; sid:215; rev:8;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; classtype:attempted-admin; sid:216; rev:11;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13;) +# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP 
Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;) +# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 
(msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:233; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:234; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:235; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:237; rev:10;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; 
sid:239; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;) +# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;) +# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; 
pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;) +# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:bad-unknown; sid:253; rev:14;) +# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:ruleset community, service dns; classtype:bad-unknown; sid:254; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:23;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:17;) +# alert tcp $EXTERNAL_NET 
any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:262; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:264; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow 
attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:265; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;) +# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:11;) +# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; 
metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:12;) +# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:287; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; 
flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:288; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; 
reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12;) +# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;) 
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:16;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:9;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:22;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; 
content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:10;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 
(msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . 
query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:suspicious-filename-detect; sid:335; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:353; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:354; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; 
sid:355; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:356; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; metadata:ruleset community, service ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:358; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:359; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20."; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; 
classtype:bad-unknown; sid:362; rev:20;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; 
metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; 
classtype:misc-activity; sid:381; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error 
undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination 
unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset 
community; classtype:misc-activity; sid:411; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any 
(msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP undefined 
code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9;) +# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12;) +# alert icmp $EXTERNAL_NET 
any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9;) +# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 
00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10;)
+# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9;)
+# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10;)
+# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)
+# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10;)
+# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:unknown; sid:489; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community, service smtp; classtype:policy-violation; sid:490; rev:12;)
+# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown; sid:491; rev:15;)
+# alert tcp 
$TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,osvdb.org/show/osvdb/436; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:19;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename"; nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495; rev:14;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:20;)
+# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; 
flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; metadata:ruleset community, service http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
+# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:12;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; 
flow:to_server; content:"|00 02|"; depth:2; metadata:ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 
(msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; dsize:<140; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:546; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD "; depth:5; nocase; metadata:ruleset community, service ftp; 
classtype:misc-activity; sid:547; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:548; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community, service ftp; classtype:misc-activity; sid:553; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:554; rev:10;)
+# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10;)
+# alert tcp 
$SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SMTP relaying denied"; flow:established,to_client; content:"550 5.7.1"; depth:70; metadata:ruleset community, service smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; 
content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:22;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; 
byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:20;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 
00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:19;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request UDP attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:585; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 
(msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:26;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; 
reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; 
flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:601; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:602; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:603; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,458; reference:cve,1999-0113; reference:url,osvdb.org/show/osvdb/1007; classtype:attempted-admin; sid:604; rev:12;)
+# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:605; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:606; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 
(msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:610; rev:15;)
+# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:ruleset community; classtype:unsuccessful-user; sid:611; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:11;)
+# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; classtype:attempted-recon; sid:613; rev:10;)
+# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:616; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; metadata:ruleset community; classtype:attempted-recon; sid:619; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; 
flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; classtype:attempted-recon; sid:622; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:626; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; classtype:attempted-recon; sid:627; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; classtype:attempted-recon; sid:630; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:631; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:632; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:634; rev:8;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:635; rev:9;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:636; 
rev:7;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:ruleset community; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET 
any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:649; rev:14;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:ruleset community; classtype:system-call-detect; sid:650; rev:14;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; 
reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28;) +# alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset community, service smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi"; metadata:ruleset community, service smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; 
fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; fast_pattern:only; metadata:ruleset community, service smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; fast_pattern:only; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; 
fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9;) +# alert tcp 
$EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; 
sid:685; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;) +alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:16;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; 
classtype:shellcode-detect; sid:692; rev:10;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14;) +# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; 
sid:710; rev:17;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;) +# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-admin; sid:715; rev:14;) +# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:717; rev:15;) +# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; 
classtype:bad-unknown; sid:718; rev:16;) +# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; http_raw_uri; content:"%00"; distance:1; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; content:"/s.cgi"; fast_pattern; nocase; http_uri; content:"tmpl="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri; content:"WSMadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; 
content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; content:"/webdriver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:web-application-attack; sid:809; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; content:"/whois_raw.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; content:"/webplus?about"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 
webplus directory traversal"; flow:to_server,established; content:"/webplus?script"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; content:"/websendmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; content:"command=register"; content:"%7cadmin"; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; content:"/mmstdod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; content:"/apexec.pl"; http_uri; content:"template=../"; fast_pattern:only; metadata:ruleset community, service http; 
reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; content:"/imagemap.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; content:"/cvsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; content:"/php.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; content:"/glimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; content:"/htmlscript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:828; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; content:"/rguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; 
flow:to_server,established; content:"/test-cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; content:"/textcounter.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; content:"/uploader.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; content:"/webgais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP finger access"; flow:to_server,established; content:"/finger"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; content:"/perlshop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; content:"/aglimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; content:"/AnForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; content:"/args.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; content:"/AT-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; content:"/bnbform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas access"; flow:to_server,established; content:"/campas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; 
content:"/view-source"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; content:"/view-source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; content:"/wais.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:850; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; content:"/files.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; content:"/wguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; content:"/wrap"; http_uri; metadata:ruleset community, service http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; content:"/classifieds.cgi"; fast_pattern:only; http_uri; metadata:ruleset 
community, service http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; content:"/environ.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:856; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; content:"/faxsurvey"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; 
reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; content:"/day5datacopier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; 
classtype:attempted-recon; sid:867; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:870; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:878; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:881; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; 
fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; content:"/sendform.cgi"; fast_pattern:only; 
http_uri; metadata:ruleset community, service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; content:"/upload.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:891; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; content:"/AnyForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; content:"/bb-hist.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; content:"/redirect"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; content:"/way-board"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, 
service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;) +# 
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; 
content:"/cfide/administrator/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:17;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; 
reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; 
nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; 
content:"/cfdocs/cfmlsyntaxcheck.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:21;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:28;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:941; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:942; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:943; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; 
http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:944; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:945; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:946; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:947; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:949; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:950; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft 
Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:952; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:956; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage 
registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:957; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:960; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; 
classtype:web-application-activity; sid:962; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:964; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... 
request"; flow:to_server,established; content:"..../"; http_uri; metadata:ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:968; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; 
reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; 
reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:31;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS achg.htr access"; flow:to_server,established; content:"/iisadmpwd/achg.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:992; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22;)
+# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:994; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll access"; flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS anot.htr access"; flow:to_server,established; content:"/iisadmpwd/anot"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; content:".asp."; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; content:"|23|filename=*.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:998; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; 
reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:ruleset community, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1002; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1003; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1008; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1011; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2252; 
reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1015; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; 
reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; content:".idc|3A 3A 24|data"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; pcre:"/\s{230,}\.htr/U"; metadata:ruleset community, service http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS jet vba access"; flow:to_server,established; content:"/advworks/equipment/catalog_type.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; content:"/scripts/tools/newdsn.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; 
classtype:web-application-activity; sid:1024; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl access"; flow:to_server,established; content:"/scripts/perl"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1025; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; content:"|0A|.pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; content:" .pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS query.asp access"; flow:to_server,established; content:"/issamples/query.asp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ "; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS search97.vts access"; flow:to_server,established; content:"/search97.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; 
flow:to_server,established; content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; 
flow:to_server,established; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; content:"/showcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site server config access"; flow:to_server,established; content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srch.htm access"; flow:to_server,established; content:"/samples/isapi/srch.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1039; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm access"; flow:to_server,established; content:"/srchadm"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; content:"/scripts/uploadn.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:25;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; content:"/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits access"; flow:to_server,established; content:".htw"; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17;)
+# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1045; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; metadata:ruleset community, service http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; 
content:"INDEX "; depth:6; metadata:ruleset community, service http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename="; nocase; content:"../../"; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board="; nocase; content:"../../"; http_raw_uri; content:"%00"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; content:"/ads.cgi"; fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../"; http_raw_uri; content:"|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; 
flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:ruleset community, service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1057; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1058; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1059; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1060; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe"; 
fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1062; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1064; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1065; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1066; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1067; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1068; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1069; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; metadata:ruleset community, service http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
+# alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1071; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/"; http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS repost.asp access"; flow:to_server,established; content:"/scripts/repost.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL queryhit.htm access"; flow:to_server,established; content:"/samples/search/queryhit.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL counter.exe 
access"; flow:to_server,established; content:"/counter.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/ $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; content:"/dsgw/bin/search?context="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; content:"/servlet/ServletExec"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; 
flow:to_server,established; content:"servlet/......."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community, service http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1090; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; 
flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"script=test.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"about"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; 
sid:1096; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1100; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; classtype:web-application-activity; sid:1101; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin 
passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; content:"/ftp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; content:"/%00"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; 
classtype:attempted-recon; sid:1109; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; content:".html/......"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; content:"?DeleteDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1116; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; content:"?EditDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:12;) +# alert tcp $EXTERNAL_NET any 
-> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1122; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; 
flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1129; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1130; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1131; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;) +# alert 
tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; classtype:attempted-recon; sid:1133; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset 
community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1145; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; content:"/count.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino catalog.nsf access"; 
flow:to_server,established; content:"/catalog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; content:"/domcfg.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; content:"/domlog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; content:"/log.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; content:"/names.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; content:"/orders/checks.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////"; fast_pattern:only; content:"////////"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2503; reference:cve,2001-0925; 
classtype:attempted-dos; sid:1156; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset 
community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; 
content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; 
reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; 
classtype:attempted-recon; sid:1184; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise 
Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?"; nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00"; nocase; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; 
reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:17;) +# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;) +# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;) +# alert tcp $EXTERNAL_NET any -> 
$HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; content:"/search.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; content:"/ax-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1204; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; content:"/axs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1205; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; reference:url,osvdb.org/show/osvdb/5709; 
classtype:attempted-recon; sid:1209; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1211; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1212; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1213; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; content:"/intranet/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; content:"/ministats/admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1215; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; content:"/plusmail"; fast_pattern:only; http_uri; metadata:ruleset 
community, service http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; content:"/adminlogin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; content:"/dfire.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; content:"/ultraboard"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; content:"/empower?DB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; content:"documentName="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; 
sid:1222; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase; metadata:ruleset community, service http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:11;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unknown; sid:1226; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; 
content:"/catinfo"; nocase; metadata:ruleset community; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:ruleset community, service http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; 
flow:to_server,established; content:".ida"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:25;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:28;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:30;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; 
reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:24;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:21;) +# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;) +# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;) +# alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; 
flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; content:"/SWEditServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; 
reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; 
reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17;) +# alert tcp $EXTERNAL_NET any -> 
$HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; 
reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:17;) +# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community, service http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:16;) +# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:10;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset 
community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; content:"file_name="; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; 
classtype:attempted-recon; sid:1302; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1304; rev:19;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1305; rev:15;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:20;) +# 
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; 
classtype:web-application-activity; sid:1374; rev:14;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; content:"/?.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;) +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS 
Form_VBScript.asp access"; flow:to_server,established; content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
+# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,no_stream; content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; content:"/admin_/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3726; 
reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:22;)
+# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
+# alert ip $EXTERNAL_NET any 
-> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; content:"/zml.cgi"; http_uri; content:"file=../"; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; content:"/zml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; http_uri; content:"../.."; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,3889; 
reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; content:"/smssend.php"; http_uri; metadata:ruleset community, service http; 
reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:20;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; 
metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:18;)
+# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:17;)
+# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:17;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; 
reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:18;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; 
rev:22;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:13;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:12;)
+# alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; classtype:web-application-attack; sid:1434; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:ruleset community, service dns; 
reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:15;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;)
+# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:1437; rev:27;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1441; rev:10;)
+# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1442; rev:10;)
+# alert udp any any -> any 69 
(msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:ruleset community; classtype:successful-admin; sid:1443; rev:10;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:ruleset community; classtype:bad-unknown; sid:1444; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:14;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; 
reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:ruleset community, service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; content:"/AT-generated.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; content:"calendar"; nocase; http_uri; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:ruleset community, service http; reference:bugtraq,1215; 
reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; content:"/calender_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; content:"/user_update_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; content:"/user_update_passwd.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; 
reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17;)
+# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; dsize:<140; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:15;)
+# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; content:"/directorypro.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 
$HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; content:"newpage=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2172; 
reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr="; distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service http; reference:bugtraq,6581; reference:nessus,10493; reference:url,osvdb.org/show/osvdb/392; classtype:attempted-user; sid:1478; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established; content:"/upload.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; content:"/view_source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; content:"/ustorekeeper.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; reference:url,osvdb.org/show/osvdb/274; classtype:web-application-activity; sid:1485; rev:20;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; content:"/ctss.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; 
flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; metadata:ruleset community, service http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:ruleset community, service http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; content:"/support/common.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt"; flow:to_server,established; content:"/newuser?Image=../.."; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; 
classtype:web-application-attack; sid:1492; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established; content:"/newuser"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; content:"/generate.cgi"; http_uri; content:"content=../"; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; content:"/generate.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; content:"/spin_client.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:10;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; content:"/exair/search/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; 
reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; content:"/a1disp3.cgi?"; fast_pattern:only; http_uri; content:"/../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; content:"/a1disp3.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15;)
+# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; 
classtype:web-application-activity; sid:1505; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; content:"/alibaba.pl|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established; content:"/alibaba.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; content:"/query?mss=.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt"; flow:to_server,established; content:"/test.bat|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS 
(msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; content:"/test.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established; content:"/input.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input2.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; content:"/input2.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; content:"/envout.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; 
reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; content:"/envout.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:12;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; content:"/server-status"; http_uri; metadata:ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:13;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?"; nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; 
reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established; content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established; content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:16;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established; content:"/class/mysql.class"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BBoard 
access"; flow:to_server,established; content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase; http_uri; content:"HISTFILE=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?"; fast_pattern:only; http_uri; content:"HOSTSVC"; nocase; http_uri; content:"../.."; distance:0; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:21;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:19;)
+# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established; content:"/store/agora.cgi?"; nocase; http_uri; 
content:"cart_id= $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23481; rev:4;)
+# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:bad-unknown; sid:23482; rev:4;)
+alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:5;)
+# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:7;)
+# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; 
flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23655; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file 
magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23656; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:14;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23678; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; 
flowbits:set,file.ole; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:13;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23708; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:11;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:""; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23758; rev:7;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:" $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; 
flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23766; rev:12;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:23773; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; content:".asp?"; content:"mac="; within:4; content:"&ver="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; 
classtype:bad-unknown; sid:24225; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:4;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24253; rev:6;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:ruleset community, service http; classtype:bad-unknown; sid:24254; rev:6;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; flowbits:isnotset,smb.null_session; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 
00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:5;)
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:9;)
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:9;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:8;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:8;)
+# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:ruleset community, service smtp; 
reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:established,to_server; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,128,0,relative; content:"|01 00|"; within:2; distance:52; content:"|04 01|"; within:2; distance:11; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:3;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11<>20; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; 
http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:!"Content-Disposition"; http_client_body; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:8;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 
20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; content:"/file.aspx?file="; fast_pattern:only; http_uri; content:"ksp/WS"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; 
content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:4;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:2;)
+# alert tcp $EXTERNAL_NET any -> 
$HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:3;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; 
flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; 
rev:5;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; 
within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC 
Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; 
reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; 
sid:26968; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; 
pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; 
http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, service http; classtype:bad-unknown; sid:27047; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; 
flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop 
variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, 
ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:""; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound data connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B| filename="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/979c14f993a1cd91f1b890f93a59ab5b14e059e056b9cf069222f529e50a4d5f/; reference:url,www.virustotal.com/#/file/ac9aea57da03206b1df12b5c012537c899bf5d67a5eb8113b4a4d99e0a0eb893/; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; urilen:7; content:"/in.php"; http_uri; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; 
fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2;)
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26057; rev:10;)
+alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:ruleset community, service smtp; classtype:misc-activity; sid:26058; rev:9;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; content:"a=select CAMPO from PAGINA where CODIGO = "; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0; http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26106; rev:4;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; content:"cstype="; depth:7; http_client_body; content:"&authname="; within:48; distance:1; http_client_body; content:"&authpass="; within:48; distance:1; http_client_body; content:"&hostname="; within:48; distance:1; http_client_body; content:"&ostype="; within:256; distance:1; http_client_body; content:"&macaddr="; within:64; distance:16; http_client_body; content:"&owner="; within:48; distance:17; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; 
flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"|0A|Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:26212; rev:2;)
+alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26251; rev:9;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy 
balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_client_body; content:"%0"; distance:0; http_client_body; pcre:"/(^|&)submit_button=[^&]+%0[^&]/Pim"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26276; rev:4;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_raw_uri; content:"%0"; distance:0; http_raw_uri; pcre:"/[?&]submit_button=[^&]+%0[^&]/i"; metadata:ruleset community, service http; classtype:attempted-admin; sid:26277; rev:4;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:3;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; 
content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:4;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:4;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; 
sid:26288; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; content:"User-Agent|3A 20|C:|5C|"; fast_pattern:only; http_header; pcre:"/\.exe$/iU"; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; content:"|3B 20|sv|3A|"; http_header; content:"|3B 20|id|3A|"; 
within:5; distance:1; http_header; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26327; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only; http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26335; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; content:"Host|3A 20|checkip.dyndns.org"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26353; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; urilen:8; content:"/ksa.txt"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; content:"op="; depth:3; http_client_body; content:"&nmpc="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; 
reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;) +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service smtp; classtype:trojan-activity; sid:26380; rev:3;) +# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service ftp-data, service imap, service pop3; classtype:trojan-activity; sid:26381; rev:4;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26382; rev:3;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; sid:26395; rev:4;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; 
reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; content:"/app/geoip.js"; http_uri; content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:misc-activity; sid:26410; rev:4;) +# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26411; rev:2;) +# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26412; rev:2;) +# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0; metadata:ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:2;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Magic variant inbound connection"; flow:to_client,established; file_data; content:"some_magic_code1"; depth:36; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:26467; rev:2;) +# alert tcp 
$EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Location"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:4;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Refresh"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header; pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header; 
metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26480; rev:3;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:1;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| |00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; 
metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26814; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 
(compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:trojan-activity; sid:26838; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 
$HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, 
ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;) +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:" $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; 
classtype:trojan-activity; sid:26965; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; dsize:142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:3;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; 
content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:2;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; 
reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; 
flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;) +# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;) +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:ruleset community, service http; classtype:bad-unknown; sid:27047; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; 
flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"|0A||0A||0A 0A|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; 
content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;)
+alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; 
content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;)
+# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:3;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"
