The Snort Team
Revision History
-Revision 3.1.12.0 2021-09-08 07:41:47 EDT TST
+Revision 3.1.13.0 2021-09-22 09:11:00 EDT TST
---------------------------------------------------------------------
* bool output.wide_hex_dump = false: output 20 bytes per lines
instead of 16 when dumping buffers
+Rules:
+
+ * 2:1 (output) tagged packet
+
2.20. packet_tracer
* string snort.--daq-var: <name=value> specify extra DAQ
configuration variable
* implied snort.--dirty-pig: don’t flush packets on shutdown
+ * string snort.--dump-builtin-options: additional options to
+ include with --dump-builtin-rules stubs
* string snort.--dump-builtin-rules: [<module prefix>] output stub
rules for selected modules { (optional) }
* select snort.--dump-config: dump config in json format { all |
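Review bot: the new snort.--dump-builtin-options entry gives no value placeholder, unlike its neighbours in this hunk (--daq-var: <name=value> and --dump-builtin-rules: [<module prefix>]). Since the string is added to generated rule stubs, document the syntax it expects and show one sample value, so users do not have to guess how the options are delimited.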
Rules:
- * 148:1 (cip) CIP data is malformed.
- * 148:2 (cip) CIP data is non-conforming to ODVA standard.
+ * 148:1 (cip) CIP data is malformed
+ * 148:2 (cip) CIP data is non-conforming to ODVA standard
* 148:3 (cip) CIP connection limit exceeded. Least recently used
- connection removed.
+ connection removed
* 148:4 (cip) CIP unconnected request limit exceeded. Oldest
- request removed.
+ request removed
Peg counts:
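Review bot: 148:3 and 148:4 lose only their final period, so each message still has a full stop in the middle ("... limit exceeded. Least recently used connection removed"). That is inconsistent with the single-phrase form 148:1 and 148:2 now have. Join the two clauses with a semicolon or comma so every CIP message is one unterminated phrase.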
Rules:
- * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does
- not match the length needed for the given IEC104 ASDU type id.
- * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match
- 0x68.
- * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use.
- * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field
- contains a non-default value.
- * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set
- to an invalid value.
- * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field
- contains a non-default value.
- * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set
- to zero.
- * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU
- that does not support the feature.
- * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set
- to greater than one on an ASDU that does not support the feature.
- * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of
- Initialization set to a reserved value.
- * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Interrogation Command set to a reserved value.
- * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter
- Interrogation Command request parameter set to a reserved value.
- * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values kind of parameter set to a reserved
- value.
- * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values local parameter change set to a
- technically valid but unused value.
- * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values parameter option set to a
- technically valid but unused value.
- * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter Activation set to a reserved value.
- * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command
- set to a reserved value.
- * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset
- Process set to a reserved value.
- * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier
- set to a reserved value.
- * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready
- Qualifier set to a reserved value.
- * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call
- Qualifier set to a reserved value.
- * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or
- Segment Qualifier set to a reserved value.
- * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or
- Section Qualifier set to a reserved value.
- * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier
- set on a message where it should have no effect.
- * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point
- Information Reserved field contains a non-default value.
- * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point
- Information Reserved field contains a non-default value.
- * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
- set to a reserved value.
- * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
- set to a value not allowed for the ASDU.
- * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet
- common address value detected.
- * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
- Structure Reserved field contains a non-default value.
- * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
- for Events of Protection Equipment Structure Reserved field
- contains a non-default value.
- * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
- results in NaN.
- * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
- results in infinity.
- * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of
- Protection Equipment Structure Reserved field contains a
- non-default value.
- * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of
+ * 151:1 (iec104) Length in IEC104 APCI header does not match the
+ length needed for the given IEC104 ASDU type id
+ * 151:2 (iec104) IEC104 Start byte does not match 0x68
+ * 151:3 (iec104) Reserved IEC104 ASDU type id in use
+ * 151:4 (iec104) IEC104 APCI U Reserved field contains a
+ non-default value
+ * 151:5 (iec104) IEC104 APCI U message type was set to an invalid
+ value
+ * 151:6 (iec104) IEC104 APCI S Reserved field contains a
+ non-default value
+ * 151:7 (iec104) IEC104 APCI I number of elements set to zero
+ * 151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not
+ support the feature
+ * 151:9 (iec104) IEC104 APCI I number of elements set to greater
+ than one on an ASDU that does not support the feature
+ * 151:10 (iec104) IEC104 APCI I Cause of Initialization set to a
+ reserved value
+ * 151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command
+ set to a reserved value
+ * 151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation
+ Command request parameter set to a reserved value
+ * 151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+ Values kind of parameter set to a reserved value
+ * 151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+ Values local parameter change set to a technically valid but
+ unused value
+ * 151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+ Values parameter option set to a technically valid but unused
+ value
+ * 151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation
+ set to a reserved value
+ * 151:17 (iec104) IEC104 APCI I Qualifier of Command set to a
+ reserved value
+ * 151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a
+ reserved value
+ * 151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a
+ reserved value
+ * 151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a
+ reserved value
+ * 151:21 (iec104) IEC104 APCI I Select and Call Qualifier set to a
+ reserved value
+ * 151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier
+ set to a reserved value
+ * 151:23 (iec104) IEC104 APCI I Acknowledge File or Section
+ Qualifier set to a reserved value
+ * 151:24 (iec104) IEC104 APCI I Structure Qualifier set on a
+ message where it should have no effect
+ * 151:25 (iec104) IEC104 APCI I Single Point Information Reserved
+ field contains a non-default value
+ * 151:26 (iec104) IEC104 APCI I Double Point Information Reserved
+ field contains a non-default value
+ * 151:27 (iec104) IEC104 APCI I Cause of Transmission set to a
+ reserved value
+ * 151:28 (iec104) IEC104 APCI I Cause of Transmission set to a
+ value not allowed for the ASDU
+ * 151:29 (iec104) IEC104 APCI I invalid two octet common address
+ value detected
+ * 151:30 (iec104) IEC104 APCI I Quality Descriptor Structure
+ Reserved field contains a non-default value
+ * 151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of
Protection Equipment Structure Reserved field contains a
- non-default value.
- * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit
- Information Structure Reserved field contains a non-default
- value.
- * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test
- Bit Pattern detected.
- * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command
- Structure Reserved field contains a non-default value.
- * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command
- Structure contains an invalid value.
- * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step
- Command Structure Reserved field contains a non-default value.
- * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond
- set outside of the allowable range.
- * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set
- outside of the allowable range.
- * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute
- Reserved field contains a non-default value.
- * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set
- outside of the allowable range.
- * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved
- field contains a non-default value.
- * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month
- set outside of the allowable range.
- * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set
- outside of the allowable range.
- * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved
- field contains a non-default value.
- * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set
- outside of the allowable range.
- * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved
- field contains a non-default value.
- * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of
- Segment value has been detected.
- * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of
- Segment value has been detected.
- * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to
- a reserved value.
- * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set
- Point Command ql field set to a reserved value.
+ non-default value
+ * 151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN
+ * 151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in
+ infinity
+ * 151:34 (iec104) IEC104 APCI I Single Event of Protection
+ Equipment Structure Reserved field contains a non-default value
+ * 151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment
+ Structure Reserved field contains a non-default value
+ * 151:36 (iec104) IEC104 APCI I Output Circuit Information
+ Structure Reserved field contains a non-default value
+ * 151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern
+ detected
+ * 151:38 (iec104) IEC104 APCI I Single Command Structure Reserved
+ field contains a non-default value
+ * 151:39 (iec104) IEC104 APCI I Double Command Structure contains
+ an invalid value
+ * 151:40 (iec104) IEC104 APCI I Regulating Step Command Structure
+ Reserved field contains a non-default value
+ * 151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of
+ the allowable range
+ * 151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the
+ allowable range
+ * 151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field
+ contains a non-default value
+ * 151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the
+ allowable range
+ * 151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field
+ contains a non-default value
+ * 151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of
+ the allowable range
+ * 151:47 (iec104) IEC104 APCI I Time2a Month set outside of the
+ allowable range
+ * 151:48 (iec104) IEC104 APCI I Time2a Month Reserved field
+ contains a non-default value
+ * 151:49 (iec104) IEC104 APCI I Time2a Year set outside of the
+ allowable range
+ * 151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains
+ a non-default value
+ * 151:51 (iec104) IEC104 APCI I a null Length of Segment value has
+ been detected
+ * 151:52 (iec104) IEC104 APCI I an invalid Length of Segment value
+ has been detected
+ * 151:53 (iec104) IEC104 APCI I Status of File set to a reserved
+ value
+ * 151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql
+ field set to a reserved value
Peg counts:
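Review bot: all 54 of the 151:x messages change text in this hunk (the "(spp_iec104): " prefix and the trailing period are dropped) while the gid:sid pairs stay the same, and nothing here tells operators that the strings changed. Add a release-note line saying the IEC104 builtin messages were reworded and that log filters and SIEM rules should key on gid:sid rather than on message text. Separately, 151:51 and 151:52 still read "APCI I a null Length of Segment ..." and "APCI I an invalid Length of Segment ...", which is awkward next to the other messages; consider "null Length of Segment value detected".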
Configuration:
- * int stream_icmp.session_timeout = 30: session tracking timeout {
+ * int stream_icmp.session_timeout = 60: session tracking timeout {
1:max31 }
Peg counts:
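Review bot: the default for stream_icmp.session_timeout doubles from 30 to 60, but the description "session tracking timeout { 1:max31 }" still gives no unit. State the unit in the help text, as stream_tcp.require_3whs does with "given seconds", so a reader can tell what the new default means for how long a session is tracked. The same applies to the ip, tcp and user session_timeout entries changed in this revision.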
minimum { 1:255 }
* enum stream_ip.policy = linux: fragment reassembly policy { first
| linux | bsd | bsd_right | last | windows | solaris }
- * int stream_ip.session_timeout = 30: session tracking timeout {
+ * int stream_ip.session_timeout = 60: session tracking timeout {
1:max31 }
Rules:
TCP small segments considered to be excessive (129:12) { 0:2048 }
* int stream_tcp.small_segments.maximum_size = 0: minimum bytes for
a TCP segment not to be considered small (129:12) { 0:2048 }
- * int stream_tcp.session_timeout = 30: session tracking timeout {
+ * int stream_tcp.session_timeout = 180: session tracking timeout {
1:max31 }
* bool stream_tcp.track_only = false: disable reassembly if true
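Review bot: stream_tcp.session_timeout goes from 30 to 180, six times the old default, while the icmp, ip and user equivalents in this revision only go to 60, and the entry gives no reason for the difference. Sensors that rely on defaults will pick up the new value on upgrade, so add a sentence on the rationale and note that setting session_timeout = 30 explicitly keeps the previous behaviour.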
Configuration:
- * int stream_user.session_timeout = 30: session tracking timeout {
+ * int stream_user.session_timeout = 60: session tracking timeout {
1:max31 }
--------------
-Help: rule option to overwrite payload data; use with rewrite action
+Help: rule option to overwrite payload data; use with "rewrite"
+action; works for raw packets only
Type: ips_option
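Review bot: "works for raw packets only" in the new help text does not say what happens when a rule using this option matches on something other than a raw packet. A rule author cannot tell from this whether the overwrite is silently skipped or the rule is rejected. Spell out the behaviour in the option's description, because a rewrite that silently does nothing on an inline sensor is easy to miss.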
automatic selection) (passive | inline | read-file)
* --daq-var <name=value> specify extra DAQ configuration variable
* --dirty-pig don’t flush packets on shutdown
+ * --dump-builtin-options additional options to include with
+ --dump-builtin-rules stubs
* --dump-builtin-rules [<module prefix>] output stub rules for
selected modules (optional)
* --dump-config dump config in json format (all | top)
* implied snort.-d: dump the Application Layer
* implied snort.--dirty-pig: don’t flush packets on shutdown
* implied snort.-D: run Snort in background (daemon) mode
+ * string snort.--dump-builtin-options: additional options to
+ include with --dump-builtin-rules stubs
* string snort.--dump-builtin-rules: [<module prefix>] output stub
rules for selected modules { (optional) }
* select snort.--dump-config: dump config in json format { all |
per flow for better estimation against cap { 0:65535 }
* int stream.icmp_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream_icmp.session_timeout = 30: session tracking timeout {
+ * int stream_icmp.session_timeout = 60: session tracking timeout {
1:max31 }
* int stream.ip_cache.cap_weight = 0: additional bytes to track per
flow for better estimation against cap { 0:65535 }
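Review bot: after this change stream_icmp.session_timeout (60) is listed directly under stream.icmp_cache.idle_timeout (180, "maximum inactive time before retiring session tracker"), and the reference does not say how the two interact or which one expires a session first. Add a cross-reference or a sentence distinguishing them, so it is clear which setting an operator should tune to bound session lifetime.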
minimum { 1:255 }
* enum stream_ip.policy = linux: fragment reassembly policy { first
| linux | bsd | bsd_right | last | windows | solaris }
- * int stream_ip.session_timeout = 30: session tracking timeout {
+ * int stream_ip.session_timeout = 60: session tracking timeout {
1:max31 }
* int stream.max_flows = 476288: maximum simultaneous flows tracked
before pruning { 2:max32 }
reassembly before traffic is seen in both directions
* int stream_tcp.require_3whs = -1: don’t track midstream sessions
after given seconds from start up; -1 tracks all { -1:max31 }
- * int stream_tcp.session_timeout = 30: session tracking timeout {
+ * int stream_tcp.session_timeout = 180: session tracking timeout {
1:max31 }
* bool stream_tcp.show_rebuilt_packets = false: enable cmg like
output of reassembled packets
per flow for better estimation against cap { 0:65535 }
* int stream.user_cache.idle_timeout = 180: maximum inactive time
before retiring session tracker { 1:max32 }
- * int stream_user.session_timeout = 30: session tracking timeout {
+ * int stream_user.session_timeout = 60: session tracking timeout {
1:max31 }
* int suppress[].gid = 0: rule generator ID { 0:max32 }
* string suppress[].ip: restrict suppression to these addresses
--------------
+ * 2: output
* 105: back_orifice
* 106: rpc_decode
* 112: arp_spoof
--------------
- * 105:1 (back_orifice) BO traffic detected
- * 105:2 (back_orifice) BO client traffic detected
- * 105:3 (back_orifice) BO server traffic detected
- * 105:4 (back_orifice) BO Snort buffer attack
- * 106:1 (rpc_decode) fragmented RPC records
- * 106:2 (rpc_decode) multiple RPC records
- * 106:3 (rpc_decode) large RPC record fragment
- * 106:4 (rpc_decode) incomplete RPC segment
- * 106:5 (rpc_decode) zero-length RPC fragment
- * 112:1 (arp_spoof) unicast ARP request
- * 112:2 (arp_spoof) ethernet/ARP mismatch request for source
- * 112:3 (arp_spoof) ethernet/ARP mismatch request for destination
- * 112:4 (arp_spoof) attempted ARP cache overwrite attack
- * 116:1 (ipv4) not IPv4 datagram
- * 116:2 (ipv4) IPv4 header length < minimum
- * 116:3 (ipv4) IPv4 datagram length < header field
- * 116:4 (ipv4) IPv4 options found with bad lengths
- * 116:5 (ipv4) truncated IPv4 options
- * 116:6 (ipv4) IPv4 datagram length > captured length
- * 116:45 (tcp) TCP packet length is smaller than 20 bytes
- * 116:46 (tcp) TCP data offset is less than 5
- * 116:47 (tcp) TCP header length exceeds packet length
- * 116:54 (tcp) TCP options found with bad lengths
- * 116:55 (tcp) truncated TCP options
- * 116:56 (tcp) T/TCP detected
- * 116:57 (tcp) obsolete TCP options found
- * 116:58 (tcp) experimental TCP options found
- * 116:59 (tcp) TCP window scale option found with length > 14
- * 116:95 (udp) truncated UDP header
- * 116:96 (udp) invalid UDP header, length field < 8
- * 116:97 (udp) short UDP packet, length field > payload length
- * 116:98 (udp) long UDP packet, length field < payload length
- * 116:105 (icmp4) ICMP header truncated
- * 116:106 (icmp4) ICMP timestamp header truncated
- * 116:107 (icmp4) ICMP address header truncated
- * 116:109 (arp) truncated ARP
- * 116:110 (eapol) truncated EAP header
- * 116:111 (eapol) EAP key truncated
- * 116:112 (eapol) EAP header truncated
- * 116:120 (pppoe) bad PPPOE frame detected
- * 116:130 (vlan) bad VLAN frame
- * 116:131 (llc) bad LLC header
- * 116:132 (llc) bad extra LLC info
- * 116:133 (wlan) bad 802.11 LLC header
- * 116:134 (wlan) bad 802.11 extra LLC info
- * 116:140 (token_ring) bad Token Ring header
- * 116:141 (token_ring) bad Token Ring ETHLLC header
- * 116:142 (token_ring) bad Token Ring MRLEN header
- * 116:143 (token_ring) bad Token Ring MR header
- * 116:150 (decode) loopback IP
- * 116:151 (decode) same src/dst IP
- * 116:160 (gre) GRE header length > payload length
- * 116:161 (gre) multiple encapsulations in packet
- * 116:162 (gre) invalid GRE version
- * 116:163 (gre) invalid GRE header
- * 116:164 (gre) invalid GRE v.1 PPTP header
- * 116:165 (gre) GRE trans header length > payload length
- * 116:170 (mpls) bad MPLS frame
- * 116:171 (mpls) MPLS label 0 appears in bottom header when not
- decoding as ip4
- * 116:172 (mpls) MPLS label 1 appears in bottom header
- * 116:173 (mpls) MPLS label 2 appears in bottom header when not
- decoding as ip6
- * 116:174 (mpls) MPLS label 3 appears in header
- * 116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
- * 116:176 (mpls) too many MPLS headers
- * 116:180 (geneve) insufficient room for geneve header
- * 116:181 (geneve) invalid version
- * 116:182 (geneve) invalid header
- * 116:183 (geneve) invalid flags
- * 116:184 (geneve) invalid options
- * 116:250 (icmp4) ICMP original IP header truncated
- * 116:251 (icmp4) ICMP version and original IP header versions
- differ
- * 116:252 (icmp4) ICMP original datagram length < original IP
- header length
- * 116:253 (icmp4) ICMP original IP payload < 64 bits
- * 116:254 (icmp4) ICMP original IP payload > 576 bytes
- * 116:255 (icmp4) ICMP original IP fragmented and offset not 0
- * 116:270 (ipv6) IPv6 packet below TTL limit
- * 116:271 (ipv6) IPv6 header claims to not be IPv6
- * 116:272 (ipv6) IPv6 truncated extension header
- * 116:273 (ipv6) IPv6 truncated header
- * 116:274 (ipv6) IPv6 datagram length < header field
- * 116:275 (ipv6) IPv6 datagram length > captured length
- * 116:276 (ipv6) IPv6 packet with destination address ::0
- * 116:277 (ipv6) IPv6 packet with multicast source address
- * 116:278 (ipv6) IPv6 packet with reserved multicast destination
- address
- * 116:279 (ipv6) IPv6 header includes an undefined option type
- * 116:280 (ipv6) IPv6 address includes an unassigned multicast
- scope value
- * 116:281 (ipv6) IPv6 header includes an invalid value for the next
- header field
- * 116:282 (ipv6) IPv6 header includes a routing extension header
- followed by a hop-by-hop header
- * 116:283 (ipv6) IPv6 header includes two routing extension headers
- * 116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with
- MTU field < 1280
- * 116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
- with non-RFC 2463 code
- * 116:287 (icmp6) ICMPv6 router solicitation packet with a code not
- equal to 0
- * 116:288 (icmp6) ICMPv6 router advertisement packet with a code
- not equal to 0
- * 116:289 (icmp6) ICMPv6 router solicitation packet with the
- reserved field not equal to 0
- * 116:290 (icmp6) ICMPv6 router advertisement packet with the
- reachable time field set > 1 hour
- * 116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated,
- possible Linux kernel attack
- * 116:292 (ipv6) IPv6 header has destination options followed by a
- routing header
- * 116:293 (decode) two or more IP (v4 and/or v6) encapsulation
- layers present
- * 116:294 (esp) truncated encapsulated security payload header
- * 116:295 (ipv6) IPv6 header includes an option which is too big
- for the containing header
- * 116:296 (ipv6) IPv6 packet includes out-of-order extension
- headers
- * 116:297 (gtp) two or more GTP encapsulation layers present
- * 116:298 (gtp) GTP header length is invalid
- * 116:400 (tcp) XMAS attack detected
- * 116:401 (tcp) Nmap XMAS attack detected
- * 116:402 (tcp) DOS NAPTHA vulnerability detected
- * 116:403 (tcp) SYN to multicast address
- * 116:404 (ipv4) IPv4 packet with zero TTL
- * 116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF
- set)
- * 116:406 (udp) invalid IPv6 UDP packet, checksum zero
- * 116:407 (ipv4) IPv4 packet frag offset + length exceed maximum
- * 116:408 (ipv4) IPv4 packet from current net source address
- * 116:409 (ipv4) IPv4 packet to current net dest address
- * 116:410 (ipv4) IPv4 packet from multicast source address
- * 116:411 (ipv4) IPv4 packet from reserved source address
- * 116:412 (ipv4) IPv4 packet to reserved dest address
- * 116:413 (ipv4) IPv4 packet from broadcast source address
- * 116:414 (ipv4) IPv4 packet to broadcast dest address
- * 116:415 (icmp4) ICMP4 packet to multicast dest address
- * 116:416 (icmp4) ICMP4 packet to broadcast dest address
- * 116:418 (icmp4) ICMP4 type other
- * 116:419 (tcp) TCP urgent pointer exceeds payload length or no
- payload
- * 116:420 (tcp) TCP SYN with FIN
- * 116:421 (tcp) TCP SYN with RST
- * 116:422 (tcp) TCP PDU missing ack for established session
- * 116:423 (tcp) TCP has no SYN, ACK, or RST
- * 116:424 (eth) truncated ethernet header
- * 116:424 (pbb) truncated ethernet header
- * 116:425 (ipv4) truncated IPv4 header
- * 116:426 (icmp4) truncated ICMP4 header
- * 116:427 (icmp6) truncated ICMPv6 header
- * 116:428 (ipv4) IPv4 packet below TTL limit
- * 116:429 (ipv6) IPv6 packet has zero hop limit
- * 116:430 (ipv4) IPv4 packet both DF and offset set
- * 116:431 (icmp6) ICMPv6 type not decoded
- * 116:432 (icmp6) ICMPv6 packet to multicast address
- * 116:433 (tcp) DDOS shaft SYN flood
- * 116:434 (icmp4) ICMP ping Nmap
- * 116:435 (icmp4) ICMP icmpenum v1.1.1
- * 116:436 (icmp4) ICMP redirect host
- * 116:437 (icmp4) ICMP redirect net
- * 116:438 (icmp4) ICMP traceroute ipopts
- * 116:439 (icmp4) ICMP source quench
- * 116:440 (icmp4) broadscan smurf scanner
- * 116:441 (icmp4) ICMP destination unreachable communication
- administratively prohibited
- * 116:442 (icmp4) ICMP destination unreachable communication with
- destination host is administratively prohibited
- * 116:443 (icmp4) ICMP destination unreachable communication with
- destination network is administratively prohibited
- * 116:444 (ipv4) IPv4 option set
- * 116:445 (udp) large UDP packet (> 4000 bytes)
- * 116:446 (tcp) TCP port 0 traffic
- * 116:447 (udp) UDP port 0 traffic
- * 116:448 (ipv4) IPv4 reserved bit set
- * 116:449 (decode) unassigned/reserved IP protocol
- * 116:450 (decode) bad IP protocol
- * 116:451 (icmp4) ICMP path MTU denial of service attempt
- * 116:452 (icmp4) Linux ICMP header DOS attempt
- * 116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
- * 116:454 (pgm) PGM nak list overflow attempt
- * 116:455 (igmp) DOS IGMP IP options validation attempt
- * 116:456 (ipv6) too many IPv6 extension headers
- * 116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
- with non-RFC 4443 code
- * 116:458 (ipv6) bogus fragmentation packet, possible BSD attack
- * 116:459 (decode) fragment with zero length
- * 116:460 (icmp6) ICMPv6 node info query/response packet with a
- code greater than 2
- * 116:461 (ipv6) IPv6 routing type 0 extension header
- * 116:462 (erspan2) ERSpan header version mismatch
- * 116:463 (erspan2) captured length < ERSpan type2 header length
- * 116:464 (erspan3) captured < ERSpan type3 header length
- * 116:465 (auth) truncated authentication header
- * 116:466 (auth) bad authentication header length
- * 116:467 (fabricpath) truncated FabricPath header
- * 116:468 (ciscometadata) truncated Cisco Metadata header
- * 116:469 (ciscometadata) invalid Cisco Metadata option length
- * 116:470 (ciscometadata) invalid Cisco Metadata option type
- * 116:471 (ciscometadata) invalid Cisco Metadata security group tag
- * 116:472 (decode) too many protocols present
- * 116:473 (decode) ether type out of range
- * 116:474 (icmp6) ICMPv6 not encapsulated in IPv6
- * 116:475 (ipv6) IPv6 mobility header includes an invalid value for
- the payload protocol field
- * 119:1 (http_inspect) ascii encoding
- * 119:2 (http_inspect) double decoding attack
- * 119:3 (http_inspect) u encoding
- * 119:4 (http_inspect) bare byte unicode encoding
- * 119:6 (http_inspect) UTF-8 encoding
- * 119:7 (http_inspect) unicode map code point encoding in URI
- * 119:8 (http_inspect) multi_slash encoding
- * 119:9 (http_inspect) backslash used in URI path
- * 119:10 (http_inspect) self directory traversal
- * 119:11 (http_inspect) directory traversal
- * 119:12 (http_inspect) apache whitespace (tab)
- * 119:13 (http_inspect) HTTP header line terminated by LF without a
- CR
- * 119:14 (http_inspect) non-RFC defined char
- * 119:15 (http_inspect) oversize request-uri directory
- * 119:16 (http_inspect) oversize chunk encoding
- * 119:18 (http_inspect) webroot directory traversal
- * 119:19 (http_inspect) long header
- * 119:20 (http_inspect) max header fields
- * 119:21 (http_inspect) multiple content length
- * 119:24 (http_inspect) Host header field appears more than once or
- has multiple values
- * 119:25 (http_inspect) Host header value is too long
- * 119:28 (http_inspect) POST or PUT w/o content-length or chunks
- * 119:31 (http_inspect) unknown method
- * 119:32 (http_inspect) simple request
- * 119:33 (http_inspect) unescaped space in HTTP URI
- * 119:34 (http_inspect) too many pipelined requests
- * 119:102 (http_inspect) invalid status code in HTTP response
- * 119:104 (http_inspect) HTTP response has UTF charset that failed
- to normalize
- * 119:105 (http_inspect) HTTP response has UTF-7 charset
- * 119:109 (http_inspect) javascript obfuscation levels exceeds 1
- * 119:110 (http_inspect) javascript whitespaces exceeds max allowed
- * 119:111 (http_inspect) multiple encodings within javascript
- obfuscated data
- * 119:112 (http_inspect) SWF file zlib decompression failure
- * 119:113 (http_inspect) SWF file LZMA decompression failure
- * 119:114 (http_inspect) PDF file deflate decompression failure
- * 119:115 (http_inspect) PDF file unsupported compression type
- * 119:116 (http_inspect) PDF file cascaded compression
- * 119:117 (http_inspect) PDF file parse failure
- * 119:201 (http_inspect) not HTTP traffic
- * 119:202 (http_inspect) chunk length has excessive leading zeros
- * 119:203 (http_inspect) white space before or between messages
- * 119:204 (http_inspect) request message without URI
- * 119:205 (http_inspect) control character in reason phrase
- * 119:206 (http_inspect) illegal extra whitespace in start line
- * 119:207 (http_inspect) corrupted HTTP version
- * 119:208 (http_inspect) unknown HTTP version
- * 119:209 (http_inspect) format error in HTTP header
- * 119:210 (http_inspect) chunk header options present
- * 119:211 (http_inspect) URI badly formatted
- * 119:212 (http_inspect) unrecognized type of percent encoding in
- URI
- * 119:213 (http_inspect) HTTP chunk misformatted
- * 119:214 (http_inspect) white space adjacent to chunk length
- * 119:215 (http_inspect) white space within header name
- * 119:216 (http_inspect) excessive gzip compression
- * 119:217 (http_inspect) gzip decompression failed
- * 119:218 (http_inspect) HTTP 0.9 requested followed by another
- request
- * 119:219 (http_inspect) HTTP 0.9 request following a normal
- request
- * 119:220 (http_inspect) message has both Content-Length and
- Transfer-Encoding
- * 119:221 (http_inspect) status code implying no body combined with
- Transfer-Encoding or nonzero Content-Length
- * 119:222 (http_inspect) Transfer-Encoding not ending with chunked
- * 119:223 (http_inspect) Transfer-Encoding with encodings before
- chunked
- * 119:224 (http_inspect) misformatted HTTP traffic
- * 119:225 (http_inspect) unsupported Content-Encoding used
- * 119:226 (http_inspect) unknown Content-Encoding used
- * 119:227 (http_inspect) multiple Content-Encodings applied
- * 119:228 (http_inspect) server response before client request
- * 119:229 (http_inspect) PDF/SWF/ZIP decompression of server
- response too big
- * 119:230 (http_inspect) nonprinting character in HTTP message
- header name
- * 119:231 (http_inspect) bad Content-Length value in HTTP header
- * 119:232 (http_inspect) HTTP header line wrapped
- * 119:233 (http_inspect) HTTP header line terminated by CR without
- a LF
- * 119:234 (http_inspect) chunk terminated by nonstandard separator
- * 119:235 (http_inspect) chunk length terminated by LF without CR
- * 119:236 (http_inspect) more than one response with 100 status
- code
- * 119:237 (http_inspect) 100 status code not in response to Expect
- header
- * 119:238 (http_inspect) 1XX status code other than 100 or 101
- * 119:239 (http_inspect) Expect header sent without a message body
- * 119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding
- header
- * 119:241 (http_inspect) Content-Transfer-Encoding used as HTTP
- header
- * 119:242 (http_inspect) illegal field in chunked message trailers
- * 119:243 (http_inspect) header field inappropriately appears twice
- or has two values
- * 119:244 (http_inspect) invalid value chunked in Content-Encoding
- header
- * 119:245 (http_inspect) 206 response sent to a request without a
- Range header
- * 119:246 (http_inspect) HTTP in version field not all upper case
- * 119:247 (http_inspect) white space embedded in critical header
- value
- * 119:248 (http_inspect) gzip compressed data followed by
- unexpected non-gzip data
- * 119:249 (http_inspect) excessive HTTP parameter key repeats
- * 119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than
- identity
- * 119:251 (http_inspect) HTTP/2 message body overruns
- Content-Length header value
- * 119:252 (http_inspect) HTTP/2 message body smaller than
- Content-Length header value
- * 119:253 (http_inspect) HTTP CONNECT request with a message body
- * 119:254 (http_inspect) HTTP client-to-server traffic after
- CONNECT request but before CONNECT response
- * 119:255 (http_inspect) HTTP CONNECT 2XX response with
- Content-Length header
- * 119:256 (http_inspect) HTTP CONNECT 2XX response with
- Transfer-Encoding header
- * 119:257 (http_inspect) HTTP CONNECT response with 1XX status code
- * 119:258 (http_inspect) HTTP CONNECT response before request
- message completed
- * 119:259 (http_inspect) malformed HTTP Content-Disposition
- filename parameter
- * 119:260 (http_inspect) HTTP Content-Length message body was
- truncated
- * 119:261 (http_inspect) HTTP chunked message body was truncated
- * 119:262 (http_inspect) HTTP URI scheme longer than 10 characters
- * 119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade
- * 119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade
- * 119:265 (http_inspect) bad token in JavaScript
- * 119:266 (http_inspect) unexpected script opening tag in
- JavaScript
- * 119:267 (http_inspect) unexpected script closing tag in
- JavaScript
- * 119:268 (http_inspect) JavaScript code under the external script
- tags
- * 119:269 (http_inspect) script opening tag in a short form
- * 119:270 (http_inspect) max number of unique JavaScript
- identifiers reached
- * 119:271 (http_inspect) JavaScript template literal nesting is
- over capacity
- * 119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
- header
- * 121:1 (http2_inspect) invalid flag set on HTTP/2 frame
- * 121:2 (http2_inspect) HPACK integer value has leading zeros
- * 121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream
- id
- * 121:4 (http2_inspect) missing HTTP/2 continuation frame
- * 121:5 (http2_inspect) unexpected HTTP/2 continuation frame
- * 121:6 (http2_inspect) misformatted HTTP/2 traffic
- * 121:7 (http2_inspect) HTTP/2 connection preface does not match
- * 121:8 (http2_inspect) HTTP/2 request missing required header
- field
- * 121:9 (http2_inspect) HTTP/2 response has no status code
- * 121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path
- * 121:11 (http2_inspect) error in HTTP/2 settings frame
- * 121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
- * 121:13 (http2_inspect) invalid HTTP/2 frame sequence
- * 121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
- * 121:15 (http2_inspect) HTTP/2 push promise frame with invalid
- promised stream id
- * 121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
- data size
- * 121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
- * 121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
- * 121:19 (http2_inspect) invalid HTTP/2 pseudo-header
- * 121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
- * 121:21 (http2_inspect) HTTP/2 push promise frame sent when
- prohibited by receiver
- * 121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
- length
- * 121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction
- * 121:24 (http2_inspect) invalid HTTP/2 push promise frame
- * 121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid
- time
- * 121:26 (http2_inspect) invalid parameter value sent in HTTP/2
- settings frame
- * 121:27 (http2_inspect) excessive concurrent HTTP/2 streams
- * 121:28 (http2_inspect) invalid HTTP/2 rst stream frame
- * 121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid
- time
- * 121:30 (http2_inspect) uppercase HTTP/2 header field name
- * 121:31 (http2_inspect) invalid HTTP/2 window update frame
- * 121:32 (http2_inspect) HTTP/2 window update frame with zero
- increment
- * 121:33 (http2_inspect) HTTP/2 request without a method
- * 121:34 (http2_inspect) HTTP/2 HPACK table size update not at the
- start of a header block
- * 121:35 (http2_inspect) More than two HTTP/2 HPACK table size
- updates in a single header block
- * 121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
- value set by decoder in SETTINGS frame
- * 122:1 (port_scan) TCP portscan
- * 122:2 (port_scan) TCP decoy portscan
- * 122:3 (port_scan) TCP portsweep
- * 122:4 (port_scan) TCP distributed portscan
- * 122:5 (port_scan) TCP filtered portscan
- * 122:6 (port_scan) TCP filtered decoy portscan
- * 122:7 (port_scan) TCP filtered portsweep
- * 122:8 (port_scan) TCP filtered distributed portscan
- * 122:9 (port_scan) IP protocol scan
- * 122:10 (port_scan) IP decoy protocol scan
- * 122:11 (port_scan) IP protocol sweep
- * 122:12 (port_scan) IP distributed protocol scan
- * 122:13 (port_scan) IP filtered protocol scan
- * 122:14 (port_scan) IP filtered decoy protocol scan
- * 122:15 (port_scan) IP filtered protocol sweep
- * 122:16 (port_scan) IP filtered distributed protocol scan
- * 122:17 (port_scan) UDP portscan
- * 122:18 (port_scan) UDP decoy portscan
- * 122:19 (port_scan) UDP portsweep
- * 122:20 (port_scan) UDP distributed portscan
- * 122:21 (port_scan) UDP filtered portscan
- * 122:22 (port_scan) UDP filtered decoy portscan
- * 122:23 (port_scan) UDP filtered portsweep
- * 122:24 (port_scan) UDP filtered distributed portscan
- * 122:25 (port_scan) ICMP sweep
- * 122:26 (port_scan) ICMP filtered sweep
- * 122:27 (port_scan) open port
- * 123:1 (stream_ip) inconsistent IP options on fragmented packets
- * 123:2 (stream_ip) teardrop attack
- * 123:3 (stream_ip) short fragment, possible DOS attempt
- * 123:4 (stream_ip) fragment packet ends after defragmented packet
- * 123:5 (stream_ip) zero-byte fragment packet
- * 123:6 (stream_ip) bad fragment size, packet size is negative
- * 123:7 (stream_ip) bad fragment size, packet size is greater than
- 65536
- * 123:8 (stream_ip) fragmentation overlap
- * 123:11 (stream_ip) TTL value less than configured minimum, not
- using for reassembly
- * 123:12 (stream_ip) excessive fragment overlap
- * 123:13 (stream_ip) tiny fragment
- * 124:1 (smtp) attempted command buffer overflow
- * 124:2 (smtp) attempted data header buffer overflow
- * 124:3 (smtp) attempted response buffer overflow
- * 124:4 (smtp) attempted specific command buffer overflow
- * 124:5 (smtp) unknown command
- * 124:6 (smtp) illegal command
- * 124:7 (smtp) attempted header name buffer overflow
- * 124:8 (smtp) attempted X-Link2State command buffer overflow
- * 124:10 (smtp) base64 decoding failed
- * 124:11 (smtp) quoted-printable decoding failed
- * 124:13 (smtp) Unix-to-Unix decoding failed
- * 124:14 (smtp) Cyrus SASL authentication attack
- * 124:15 (smtp) attempted authentication command buffer overflow
- * 124:16 (smtp) file decompression failed
- * 125:1 (ftp_server) TELNET cmd on FTP command channel
- * 125:2 (ftp_server) invalid FTP command
- * 125:3 (ftp_server) FTP command parameters were too long
- * 125:4 (ftp_server) FTP command parameters were malformed
- * 125:5 (ftp_server) FTP command parameters contained potential
- string format
- * 125:6 (ftp_server) FTP response message was too long
- * 125:7 (ftp_server) FTP traffic encrypted
- * 125:8 (ftp_server) FTP bounce attempt
- * 125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
- channel
- * 126:1 (telnet) consecutive Telnet AYT commands beyond threshold
- * 126:2 (telnet) Telnet traffic encrypted
- * 126:3 (telnet) Telnet subnegotiation begin command without
- subnegotiation end
- * 128:1 (ssh) challenge-response overflow exploit
- * 128:2 (ssh) SSH1 CRC32 exploit
- * 128:3 (ssh) server version string overflow
- * 128:5 (ssh) bad message direction
- * 128:6 (ssh) payload size incorrect for the given payload
- * 128:7 (ssh) failed to detect SSH version string
- * 129:1 (stream_tcp) SYN on established session
- * 129:2 (stream_tcp) data on SYN packet
- * 129:3 (stream_tcp) data sent on stream not accepting data
- * 129:4 (stream_tcp) TCP timestamp is outside of PAWS window
- * 129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)
- * 129:6 (stream_tcp) window size (after scaling) larger than policy
- allows
- * 129:7 (stream_tcp) limit on number of overlapping TCP packets
- reached
- * 129:8 (stream_tcp) data sent on stream after TCP reset sent
- * 129:9 (stream_tcp) TCP client possibly hijacked, different
- ethernet address
- * 129:10 (stream_tcp) TCP server possibly hijacked, different
- ethernet address
- * 129:11 (stream_tcp) TCP data with no TCP flags set
- * 129:12 (stream_tcp) consecutive TCP small segments exceeding
- threshold
- * 129:13 (stream_tcp) 4-way handshake detected
- * 129:14 (stream_tcp) TCP timestamp is missing
- * 129:15 (stream_tcp) reset outside window
- * 129:16 (stream_tcp) FIN number is greater than prior FIN
- * 129:17 (stream_tcp) ACK number is greater than prior FIN
- * 129:18 (stream_tcp) data sent on stream after TCP reset received
- * 129:19 (stream_tcp) TCP window closed before receiving data
- * 129:20 (stream_tcp) TCP session without 3-way handshake
- * 131:1 (dns) obsolete DNS RR types
- * 131:2 (dns) experimental DNS RR types
- * 131:3 (dns) DNS client rdata txt overflow
- * 133:2 (dce_smb) SMB - bad NetBIOS session service session type
- * 133:3 (dce_smb) SMB - bad SMB message type
- * 133:4 (dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \
- xfeSMB for SMB2)
- * 133:5 (dce_smb) SMB - bad word count or structure size
- * 133:6 (dce_smb) SMB - bad byte count
- * 133:7 (dce_smb) SMB - bad format type
- * 133:8 (dce_smb) SMB - bad offset
- * 133:9 (dce_smb) SMB - zero total data count
- * 133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
- length
- * 133:11 (dce_smb) SMB - remaining NetBIOS data length less than
- command length
- * 133:12 (dce_smb) SMB - remaining NetBIOS data length less than
- command byte count
- * 133:13 (dce_smb) SMB - remaining NetBIOS data length less than
- command data size
- * 133:14 (dce_smb) SMB - remaining total data count less than this
- command data size
- * 133:15 (dce_smb) SMB - total data sent (STDu64) greater than
- command total data expected
- * 133:16 (dce_smb) SMB - byte count less than command data size
- (STDu64)
- * 133:17 (dce_smb) SMB - invalid command data size for byte count
- * 133:18 (dce_smb) SMB - excessive tree connect requests with
- pending tree connect responses
- * 133:19 (dce_smb) SMB - excessive read requests with pending read
- responses
- * 133:20 (dce_smb) SMB - excessive command chaining
- * 133:21 (dce_smb) SMB - Multiple chained login requests
- * 133:22 (dce_smb) SMB - Multiple chained tree connect requests
- * 133:23 (dce_smb) SMB - chained/compounded login followed by
- logoff
- * 133:24 (dce_smb) SMB - chained/compounded tree connect followed
- by tree disconnect
- * 133:25 (dce_smb) SMB - chained/compounded open pipe followed by
- close pipe
- * 133:26 (dce_smb) SMB - invalid share access
- * 133:27 (dce_tcp) connection oriented DCE/RPC - invalid major
- version
- * 133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor
- version
- * 133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
- * 133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length
- less than header size
- * 133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment
- length less than size needed
- * 133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
- specified
- * 133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer
- syntaxes specified
- * 133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
- non-last fragment less than maximum negotiated fragment transmit
- size for client
- * 133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
- greater than maximum negotiated fragment transmit size
- * 133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
- order different from bind
- * 133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non
- first/last fragment different from call id established for
- fragmented request
- * 133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first
- /last fragment different from opnum established for fragmented
- request
- * 133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
- first/last fragment different from context id established for
- fragmented request
- * 133:40 (dce_udp) connection-less DCE/RPC - invalid major version
- * 133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type
- * 133:42 (dce_udp) connection-less DCE/RPC - data length less than
- header size
- * 133:43 (dce_udp) connection-less DCE/RPC - bad sequence number
- * 133:44 (dce_smb) SMB - invalid SMB version 1 seen
- * 133:45 (dce_smb) SMB - invalid SMB version 2 seen
- * 133:46 (dce_smb) SMB - invalid user, tree connect, file binding
- * 133:47 (dce_smb) SMB - excessive command compounding
- * 133:48 (dce_smb) SMB - zero data count
- * 133:50 (dce_smb) SMB - maximum number of outstanding requests
- exceeded
- * 133:51 (dce_smb) SMB - outstanding requests with same MID
- * 133:52 (dce_smb) SMB - deprecated dialect negotiated
- * 133:53 (dce_smb) SMB - deprecated command used
- * 133:54 (dce_smb) SMB - unusual command used
- * 133:55 (dce_smb) SMB - invalid setup count for command
- * 133:56 (dce_smb) SMB - client attempted multiple dialect
- negotiations on session
- * 133:57 (dce_smb) SMB - client attempted to create or set a file’s
- attributes to readonly/hidden/system
- * 133:58 (dce_smb) SMB - file offset provided is greater than file
- size specified
- * 133:59 (dce_smb) SMB - next command specified in SMB2 header is
- beyond payload boundary
- * 134:1 (latency) rule tree suspended due to latency
- * 134:2 (latency) rule tree re-enabled after suspend timeout
- * 134:3 (latency) packet fastpathed due to latency
- * 135:1 (stream) TCP SYN received
- * 135:2 (stream) TCP session established
- * 135:3 (stream) TCP session cleared
- * 136:1 (reputation) packets blocked based on source
- * 136:2 (reputation) packets trusted based on source
- * 136:3 (reputation) packets monitored based on source
- * 136:4 (reputation) packets blocked based on destination
- * 136:5 (reputation) packets trusted based on destination
- * 136:6 (reputation) packets monitored based on destination
- * 137:1 (ssl) invalid client HELLO after server HELLO detected
- * 137:2 (ssl) invalid server HELLO without client HELLO detected
- * 137:3 (ssl) heartbeat read overrun attempt detected
- * 137:4 (ssl) large heartbeat response detected
- * 140:2 (sip) empty request URI
- * 140:3 (sip) URI is too long
- * 140:4 (sip) empty call-Id
- * 140:5 (sip) Call-Id is too long
- * 140:6 (sip) CSeq number is too large or negative
- * 140:7 (sip) request name in CSeq is too long
- * 140:8 (sip) empty From header
- * 140:9 (sip) From header is too long
- * 140:10 (sip) empty To header
- * 140:11 (sip) To header is too long
- * 140:12 (sip) empty Via header
- * 140:13 (sip) Via header is too long
- * 140:14 (sip) empty Contact
- * 140:15 (sip) contact is too long
- * 140:16 (sip) content length is too large or negative
- * 140:17 (sip) multiple SIP messages in a packet
- * 140:18 (sip) content length mismatch
- * 140:19 (sip) request name is invalid
- * 140:20 (sip) Invite replay attack
- * 140:21 (sip) illegal session information modification
- * 140:22 (sip) response status code is not a 3 digit number
- * 140:23 (sip) empty Content-type header
- * 140:24 (sip) SIP version is invalid
- * 140:25 (sip) mismatch in METHOD of request and the CSEQ header
- * 140:26 (sip) method is unknown
- * 140:27 (sip) maximum dialogs within a session reached
- * 141:1 (imap) unknown IMAP3 command
- * 141:2 (imap) unknown IMAP3 response
- * 141:4 (imap) base64 decoding failed
- * 141:5 (imap) quoted-printable decoding failed
- * 141:7 (imap) Unix-to-Unix decoding failed
- * 141:8 (imap) file decompression failed
- * 142:1 (pop) unknown POP3 command
- * 142:2 (pop) unknown POP3 response
- * 142:4 (pop) base64 decoding failed
- * 142:5 (pop) quoted-printable decoding failed
- * 142:7 (pop) Unix-to-Unix decoding failed
- * 142:8 (pop) file decompression failed
- * 143:1 (gtp_inspect) message length is invalid
- * 143:2 (gtp_inspect) information element length is invalid
- * 143:3 (gtp_inspect) information elements are out of order
- * 143:4 (gtp_inspect) TEID is missing
- * 144:1 (modbus) length in Modbus MBAP header does not match the
- length needed for the given function
- * 144:2 (modbus) Modbus protocol ID is non-zero
- * 144:3 (modbus) reserved Modbus function code in use
- * 145:1 (dnp3) DNP3 link-layer frame contains bad CRC
- * 145:2 (dnp3) DNP3 link-layer frame was dropped
- * 145:3 (dnp3) DNP3 transport-layer segment was dropped during
- reassembly
- * 145:4 (dnp3) DNP3 reassembly buffer was cleared without
- reassembling a complete message
- * 145:5 (dnp3) DNP3 link-layer frame uses a reserved address
- * 145:6 (dnp3) DNP3 application-layer fragment uses a reserved
- function code
- * 148:1 (cip) CIP data is malformed.
- * 148:2 (cip) CIP data is non-conforming to ODVA standard.
- * 148:3 (cip) CIP connection limit exceeded. Least recently used
- connection removed.
- * 148:4 (cip) CIP unconnected request limit exceeded. Oldest
- request removed.
- * 149:1 (s7commplus) length in S7commplus MBAP header does not
- match the length needed for the given S7commplus function
- * 149:2 (s7commplus) S7commplus protocol ID is non-zero
- * 149:3 (s7commplus) reserved S7commplus function code in use
- * 150:1 (file_id) file not processed due to per flow limit
- * 151:1 (iec104) (spp_iec104): Length in IEC104 APCI header does
- not match the length needed for the given IEC104 ASDU type id.
- * 151:2 (iec104) (spp_iec104): IEC104 Start byte does not match
- 0x68.
- * 151:3 (iec104) (spp_iec104): Reserved IEC104 ASDU type id in use.
- * 151:4 (iec104) (spp_iec104): IEC104 APCI U Reserved field
- contains a non-default value.
- * 151:5 (iec104) (spp_iec104): IEC104 APCI U message type was set
- to an invalid value.
- * 151:6 (iec104) (spp_iec104): IEC104 APCI S Reserved field
- contains a non-default value.
- * 151:7 (iec104) (spp_iec104): IEC104 APCI I number of elements set
- to zero.
- * 151:8 (iec104) (spp_iec104): IEC104 APCI I SQ bit set on an ASDU
- that does not support the feature.
- * 151:9 (iec104) (spp_iec104): IEC104 APCI I number of elements set
- to greater than one on an ASDU that does not support the feature.
- * 151:10 (iec104) (spp_iec104): IEC104 APCI I Cause of
- Initialization set to a reserved value.
- * 151:11 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Interrogation Command set to a reserved value.
- * 151:12 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Counter
- Interrogation Command request parameter set to a reserved value.
- * 151:13 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values kind of parameter set to a reserved
- value.
- * 151:14 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values local parameter change set to a
- technically valid but unused value.
- * 151:15 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter of Measured Values parameter option set to a
- technically valid but unused value.
- * 151:16 (iec104) (spp_iec104): IEC104 APCI I Qualifier of
- Parameter Activation set to a reserved value.
- * 151:17 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Command
- set to a reserved value.
- * 151:18 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Reset
- Process set to a reserved value.
- * 151:19 (iec104) (spp_iec104): IEC104 APCI I File Ready Qualifier
- set to a reserved value.
- * 151:20 (iec104) (spp_iec104): IEC104 APCI I Section Ready
- Qualifier set to a reserved value.
- * 151:21 (iec104) (spp_iec104): IEC104 APCI I Select and Call
- Qualifier set to a reserved value.
- * 151:22 (iec104) (spp_iec104): IEC104 APCI I Last Section or
- Segment Qualifier set to a reserved value.
- * 151:23 (iec104) (spp_iec104): IEC104 APCI I Acknowledge File or
- Section Qualifier set to a reserved value.
- * 151:24 (iec104) (spp_iec104): IEC104 APCI I Structure Qualifier
- set on a message where it should have no effect.
- * 151:25 (iec104) (spp_iec104): IEC104 APCI I Single Point
- Information Reserved field contains a non-default value.
- * 151:26 (iec104) (spp_iec104): IEC104 APCI I Double Point
- Information Reserved field contains a non-default value.
- * 151:27 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
- set to a reserved value.
- * 151:28 (iec104) (spp_iec104): IEC104 APCI I Cause of Transmission
- set to a value not allowed for the ASDU.
- * 151:29 (iec104) (spp_iec104): IEC104 APCI I invalid two octet
- common address value detected.
- * 151:30 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
- Structure Reserved field contains a non-default value.
- * 151:31 (iec104) (spp_iec104): IEC104 APCI I Quality Descriptor
- for Events of Protection Equipment Structure Reserved field
- contains a non-default value.
- * 151:32 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
- results in NaN.
- * 151:33 (iec104) (spp_iec104): IEC104 APCI I IEEE STD 754 value
- results in infinity.
- * 151:34 (iec104) (spp_iec104): IEC104 APCI I Single Event of
- Protection Equipment Structure Reserved field contains a
- non-default value.
- * 151:35 (iec104) (spp_iec104): IEC104 APCI I Start Event of
- Protection Equipment Structure Reserved field contains a
- non-default value.
- * 151:36 (iec104) (spp_iec104): IEC104 APCI I Output Circuit
- Information Structure Reserved field contains a non-default
- value.
- * 151:37 (iec104) (spp_iec104): IEC104 APCI I Abnormal Fixed Test
- Bit Pattern detected.
- * 151:38 (iec104) (spp_iec104): IEC104 APCI I Single Command
- Structure Reserved field contains a non-default value.
- * 151:39 (iec104) (spp_iec104): IEC104 APCI I Double Command
- Structure contains an invalid value.
- * 151:40 (iec104) (spp_iec104): IEC104 APCI I Regulating Step
- Command Structure Reserved field contains a non-default value.
- * 151:41 (iec104) (spp_iec104): IEC104 APCI I Time2a Millisecond
- set outside of the allowable range.
- * 151:42 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute set
- outside of the allowable range.
- * 151:43 (iec104) (spp_iec104): IEC104 APCI I Time2a Minute
- Reserved field contains a non-default value.
- * 151:44 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours set
- outside of the allowable range.
- * 151:45 (iec104) (spp_iec104): IEC104 APCI I Time2a Hours Reserved
- field contains a non-default value.
- * 151:46 (iec104) (spp_iec104): IEC104 APCI I Time2a Day of Month
- set outside of the allowable range.
- * 151:47 (iec104) (spp_iec104): IEC104 APCI I Time2a Month set
- outside of the allowable range.
- * 151:48 (iec104) (spp_iec104): IEC104 APCI I Time2a Month Reserved
- field contains a non-default value.
- * 151:49 (iec104) (spp_iec104): IEC104 APCI I Time2a Year set
- outside of the allowable range.
- * 151:50 (iec104) (spp_iec104): IEC104 APCI I Time2a Year Reserved
- field contains a non-default value.
- * 151:51 (iec104) (spp_iec104): IEC104 APCI I a null Length of
- Segment value has been detected.
- * 151:52 (iec104) (spp_iec104): IEC104 APCI I an invalid Length of
- Segment value has been detected.
- * 151:53 (iec104) (spp_iec104): IEC104 APCI I Status of File set to
- a reserved value.
- * 151:54 (iec104) (spp_iec104): IEC104 APCI I Qualifier of Set
- Point Command ql field set to a reserved value.
- * 175:1 (domain_filter) configured domain detected
- * 256:1 (dpx) too much data sent to port
+2:1 (output) tagged packet
+
+A tagged packet was logged.
+
+105:1 (back_orifice) BO traffic detected
+
+(back_orifice) BO traffic detected
+
+105:2 (back_orifice) BO client traffic detected
+
+(back_orifice) BO client traffic detected
+
+105:3 (back_orifice) BO server traffic detected
+
+(back_orifice) BO server traffic detected
+
+105:4 (back_orifice) BO Snort buffer attack
+
+(back_orifice) BO Snort buffer attack
+
+106:1 (rpc_decode) fragmented RPC records
+
+(rpc_decode) fragmented RPC records
+
+106:2 (rpc_decode) multiple RPC records
+
+(rpc_decode) multiple RPC records
+
+106:3 (rpc_decode) large RPC record fragment
+
+(rpc_decode) large RPC record fragment
+
+106:4 (rpc_decode) incomplete RPC segment
+
+(rpc_decode) incomplete RPC segment
+
+106:5 (rpc_decode) zero-length RPC fragment
+
+(rpc_decode) zero-length RPC fragment
+
+112:1 (arp_spoof) unicast ARP request
+
+(arp_spoof) unicast ARP request
+
+112:2 (arp_spoof) ethernet/ARP mismatch request for source
+
+(arp_spoof) ethernet/ARP mismatch request for source
+
+112:3 (arp_spoof) ethernet/ARP mismatch request for destination
+
+(arp_spoof) ethernet/ARP mismatch request for destination
+
+112:4 (arp_spoof) attempted ARP cache overwrite attack
+
+(arp_spoof) attempted ARP cache overwrite attack
+
+116:1 (ipv4) not IPv4 datagram
+
+(ipv4) not IPv4 datagram
+
+116:2 (ipv4) IPv4 header length < minimum
+
+(ipv4) IPv4 header length < minimum
+
+116:3 (ipv4) IPv4 datagram length < header field
+
+(ipv4) IPv4 datagram length < header field
+
+116:4 (ipv4) IPv4 options found with bad lengths
+
+(ipv4) IPv4 options found with bad lengths
+
+116:5 (ipv4) truncated IPv4 options
+
+(ipv4) truncated IPv4 options
+
+116:6 (ipv4) IPv4 datagram length > captured length
+
+(ipv4) IPv4 datagram length > captured length
+
+116:45 (tcp) TCP packet length is smaller than 20 bytes
+
+(tcp) TCP packet length is smaller than 20 bytes
+
+116:46 (tcp) TCP data offset is less than 5
+
+(tcp) TCP data offset is less than 5
+
+116:47 (tcp) TCP header length exceeds packet length
+
+(tcp) TCP header length exceeds packet length
+
+116:54 (tcp) TCP options found with bad lengths
+
+(tcp) TCP options found with bad lengths
+
+116:55 (tcp) truncated TCP options
+
+(tcp) truncated TCP options
+
+116:56 (tcp) T/TCP detected
+
+(tcp) T/TCP detected
+
+116:57 (tcp) obsolete TCP options found
+
+(tcp) obsolete TCP options found
+
+116:58 (tcp) experimental TCP options found
+
+(tcp) experimental TCP options found
+
+116:59 (tcp) TCP window scale option found with length > 14
+
+(tcp) TCP window scale option found with length > 14
+
+116:95 (udp) truncated UDP header
+
+(udp) truncated UDP header
+
+116:96 (udp) invalid UDP header, length field < 8
+
+(udp) invalid UDP header, length field < 8
+
+116:97 (udp) short UDP packet, length field > payload length
+
+(udp) short UDP packet, length field > payload length
+
+116:98 (udp) long UDP packet, length field < payload length
+
+(udp) long UDP packet, length field < payload length
+
+116:105 (icmp4) ICMP header truncated
+
+(icmp4) ICMP header truncated
+
+116:106 (icmp4) ICMP timestamp header truncated
+
+(icmp4) ICMP timestamp header truncated
+
+116:107 (icmp4) ICMP address header truncated
+
+(icmp4) ICMP address header truncated
+
+116:109 (arp) truncated ARP
+
+(arp) truncated ARP
+
+116:110 (eapol) truncated EAP header
+
+(eapol) truncated EAP header
+
+116:111 (eapol) EAP key truncated
+
+(eapol) EAP key truncated
+
+116:112 (eapol) EAP header truncated
+
+(eapol) EAP header truncated
+
+116:120 (pppoe) bad PPPOE frame detected
+
+(pppoe) bad PPPOE frame detected
+
+116:130 (vlan) bad VLAN frame
+
+(vlan) bad VLAN frame
+
+116:131 (llc) bad LLC header
+
+(llc) bad LLC header
+
+116:132 (llc) bad extra LLC info
+
+(llc) bad extra LLC info
+
+116:133 (wlan) bad 802.11 LLC header
+
+(wlan) bad 802.11 LLC header
+
+116:134 (wlan) bad 802.11 extra LLC info
+
+(wlan) bad 802.11 extra LLC info
+
+116:140 (token_ring) bad Token Ring header
+
+(token_ring) bad Token Ring header
+
+116:141 (token_ring) bad Token Ring ETHLLC header
+
+(token_ring) bad Token Ring ETHLLC header
+
+116:142 (token_ring) bad Token Ring MRLEN header
+
+(token_ring) bad Token Ring MRLEN header
+
+116:143 (token_ring) bad Token Ring MR header
+
+(token_ring) bad Token Ring MR header
+
+116:150 (decode) loopback IP
+
+(decode) loopback IP
+
+116:151 (decode) same src/dst IP
+
+(decode) same src/dst IP
+
+116:160 (gre) GRE header length > payload length
+
+(gre) GRE header length > payload length
+
+116:161 (gre) multiple encapsulations in packet
+
+(gre) multiple encapsulations in packet
+
+116:162 (gre) invalid GRE version
+
+(gre) invalid GRE version
+
+116:163 (gre) invalid GRE header
+
+(gre) invalid GRE header
+
+116:164 (gre) invalid GRE v.1 PPTP header
+
+(gre) invalid GRE v.1 PPTP header
+
+116:165 (gre) GRE trans header length > payload length
+
+(gre) GRE trans header length > payload length
+
+116:170 (mpls) bad MPLS frame
+
+(mpls) bad MPLS frame
+
+116:171 (mpls) MPLS label 0 appears in bottom header when not
+decoding as ip4
+
+(mpls) MPLS label 0 appears in bottom header when not decoding as ip4
+
+116:172 (mpls) MPLS label 1 appears in bottom header
+
+(mpls) MPLS label 1 appears in bottom header
+
+116:173 (mpls) MPLS label 2 appears in bottom header when not
+decoding as ip6
+
+(mpls) MPLS label 2 appears in bottom header when not decoding as ip6
+
+116:174 (mpls) MPLS label 3 appears in header
+
+(mpls) MPLS label 3 appears in header
+
+116:175 (mpls) MPLS label 4, 5,.. or 15 appears in header
+
+(mpls) MPLS label 4, 5,.. or 15 appears in header
+
+116:176 (mpls) too many MPLS headers
+
+(mpls) too many MPLS headers
+
+116:180 (geneve) insufficient room for geneve header
+
+(geneve) insufficient room for geneve header
+
+116:181 (geneve) invalid version
+
+(geneve) invalid version
+
+116:182 (geneve) invalid header
+
+(geneve) invalid header
+
+116:183 (geneve) invalid flags
+
+(geneve) invalid flags
+
+116:184 (geneve) invalid options
+
+(geneve) invalid options
+
+116:250 (icmp4) ICMP original IP header truncated
+
+(icmp4) ICMP original IP header truncated
+
+116:251 (icmp4) ICMP version and original IP header versions differ
+
+(icmp4) ICMP version and original IP header versions differ
+
+116:252 (icmp4) ICMP original datagram length < original IP header
+length
+
+(icmp4) ICMP original datagram length < original IP header length
+
+116:253 (icmp4) ICMP original IP payload < 64 bits
+
+(icmp4) ICMP original IP payload < 64 bits
+
+116:254 (icmp4) ICMP original IP payload > 576 bytes
+
+(icmp4) ICMP original IP payload > 576 bytes
+
+116:255 (icmp4) ICMP original IP fragmented and offset not 0
+
+(icmp4) ICMP original IP fragmented and offset not 0
+
+116:270 (ipv6) IPv6 packet below TTL limit
+
+(ipv6) IPv6 packet below TTL limit
+
+116:271 (ipv6) IPv6 header claims to not be IPv6
+
+(ipv6) IPv6 header claims to not be IPv6
+
+116:272 (ipv6) IPv6 truncated extension header
+
+(ipv6) IPv6 truncated extension header
+
+116:273 (ipv6) IPv6 truncated header
+
+(ipv6) IPv6 truncated header
+
+116:274 (ipv6) IPv6 datagram length < header field
+
+(ipv6) IPv6 datagram length < header field
+
+116:275 (ipv6) IPv6 datagram length > captured length
+
+(ipv6) IPv6 datagram length > captured length
+
+116:276 (ipv6) IPv6 packet with destination address ::0
+
+(ipv6) IPv6 packet with destination address ::0
+
+116:277 (ipv6) IPv6 packet with multicast source address
+
+(ipv6) IPv6 packet with multicast source address
+
+116:278 (ipv6) IPv6 packet with reserved multicast destination
+address
+
+(ipv6) IPv6 packet with reserved multicast destination address
+
+116:279 (ipv6) IPv6 header includes an undefined option type
+
+(ipv6) IPv6 header includes an undefined option type
+
+116:280 (ipv6) IPv6 address includes an unassigned multicast scope
+value
+
+(ipv6) IPv6 address includes an unassigned multicast scope value
+
+116:281 (ipv6) IPv6 header includes an invalid value for the next
+header field
+
+(ipv6) IPv6 header includes an invalid value for the next header
+field
+
+116:282 (ipv6) IPv6 header includes a routing extension header
+followed by a hop-by-hop header
+
+(ipv6) IPv6 header includes a routing extension header followed by a
+hop-by-hop header
+
+116:283 (ipv6) IPv6 header includes two routing extension headers
+
+(ipv6) IPv6 header includes two routing extension headers
+
+116:285 (icmp6) ICMPv6 packet of type 2 (message too big) with MTU
+field < 1280
+
+(icmp6) ICMPv6 packet of type 2 (message too big) with MTU field <
+1280
+
+116:286 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
+with non-RFC 2463 code
+
+(icmp6) ICMPv6 packet of type 1 (destination unreachable) with
+non-RFC 2463 code
+
+116:287 (icmp6) ICMPv6 router solicitation packet with a code not
+equal to 0
+
+(icmp6) ICMPv6 router solicitation packet with a code not equal to 0
+
+116:288 (icmp6) ICMPv6 router advertisement packet with a code not
+equal to 0
+
+(icmp6) ICMPv6 router advertisement packet with a code not equal to 0
+
+116:289 (icmp6) ICMPv6 router solicitation packet with the reserved
+field not equal to 0
+
+(icmp6) ICMPv6 router solicitation packet with the reserved field not
+equal to 0
+
+116:290 (icmp6) ICMPv6 router advertisement packet with the reachable
+time field set > 1 hour
+
+(icmp6) ICMPv6 router advertisement packet with the reachable time
+field set > 1 hour
+
+116:291 (ipv6) IPV6 tunneled over IPv4, IPv6 header truncated,
+possible Linux kernel attack
+
+(ipv6) IPV6 tunneled over IPv4, IPv6 header truncated, possible Linux
+kernel attack
+
+116:292 (ipv6) IPv6 header has destination options followed by a
+routing header
+
+(ipv6) IPv6 header has destination options followed by a routing
+header
+
+116:293 (decode) two or more IP (v4 and/or v6) encapsulation layers
+present
+
+(decode) two or more IP (v4 and/or v6) encapsulation layers present
+
+116:294 (esp) truncated encapsulated security payload header
+
+(esp) truncated encapsulated security payload header
+
+116:295 (ipv6) IPv6 header includes an option which is too big for
+the containing header
+
+(ipv6) IPv6 header includes an option which is too big for the
+containing header
+
+116:296 (ipv6) IPv6 packet includes out-of-order extension headers
+
+(ipv6) IPv6 packet includes out-of-order extension headers
+
+116:297 (gtp) two or more GTP encapsulation layers present
+
+(gtp) two or more GTP encapsulation layers present
+
+116:298 (gtp) GTP header length is invalid
+
+(gtp) GTP header length is invalid
+
+116:400 (tcp) XMAS attack detected
+
+(tcp) XMAS attack detected
+
+116:401 (tcp) Nmap XMAS attack detected
+
+(tcp) Nmap XMAS attack detected
+
+116:402 (tcp) DOS NAPTHA vulnerability detected
+
+(tcp) DOS NAPTHA vulnerability detected
+
+116:403 (tcp) SYN to multicast address
+
+(tcp) SYN to multicast address
+
+116:404 (ipv4) IPv4 packet with zero TTL
+
+(ipv4) IPv4 packet with zero TTL
+
+116:405 (ipv4) IPv4 packet with bad frag bits (both MF and DF set)
+
+(ipv4) IPv4 packet with bad frag bits (both MF and DF set)
+
+116:406 (udp) invalid IPv6 UDP packet, checksum zero
+
+(udp) invalid IPv6 UDP packet, checksum zero
+
+116:407 (ipv4) IPv4 packet frag offset + length exceed maximum
+
+(ipv4) IPv4 packet frag offset + length exceed maximum
+
+116:408 (ipv4) IPv4 packet from current net source address
+
+(ipv4) IPv4 packet from current net source address
+
+116:409 (ipv4) IPv4 packet to current net dest address
+
+(ipv4) IPv4 packet to current net dest address
+
+116:410 (ipv4) IPv4 packet from multicast source address
+
+(ipv4) IPv4 packet from multicast source address
+
+116:411 (ipv4) IPv4 packet from reserved source address
+
+(ipv4) IPv4 packet from reserved source address
+
+116:412 (ipv4) IPv4 packet to reserved dest address
+
+(ipv4) IPv4 packet to reserved dest address
+
+116:413 (ipv4) IPv4 packet from broadcast source address
+
+(ipv4) IPv4 packet from broadcast source address
+
+116:414 (ipv4) IPv4 packet to broadcast dest address
+
+(ipv4) IPv4 packet to broadcast dest address
+
+116:415 (icmp4) ICMP4 packet to multicast dest address
+
+(icmp4) ICMP4 packet to multicast dest address
+
+116:416 (icmp4) ICMP4 packet to broadcast dest address
+
+(icmp4) ICMP4 packet to broadcast dest address
+
+116:418 (icmp4) ICMP4 type other
+
+(icmp4) ICMP4 type other
+
+116:419 (tcp) TCP urgent pointer exceeds payload length or no payload
+
+(tcp) TCP urgent pointer exceeds payload length or no payload
+
+116:420 (tcp) TCP SYN with FIN
+
+(tcp) TCP SYN with FIN
+
+116:421 (tcp) TCP SYN with RST
+
+(tcp) TCP SYN with RST
+
+116:422 (tcp) TCP PDU missing ack for established session
+
+(tcp) TCP PDU missing ack for established session
+
+116:423 (tcp) TCP has no SYN, ACK, or RST
+
+(tcp) TCP has no SYN, ACK, or RST
+
+116:424 (pbb) truncated ethernet header
+
+(eth) truncated ethernet header
+
+116:424 (pbb) truncated ethernet header
+
+(pbb) truncated ethernet header
+
+116:425 (ipv4) truncated IPv4 header
+
+(ipv4) truncated IPv4 header
+
+116:426 (icmp4) truncated ICMP4 header
+
+(icmp4) truncated ICMP4 header
+
+116:427 (icmp6) truncated ICMPv6 header
+
+(icmp6) truncated ICMPv6 header
+
+116:428 (ipv4) IPv4 packet below TTL limit
+
+(ipv4) IPv4 packet below TTL limit
+
+116:429 (ipv6) IPv6 packet has zero hop limit
+
+(ipv6) IPv6 packet has zero hop limit
+
+116:430 (ipv4) IPv4 packet both DF and offset set
+
+(ipv4) IPv4 packet both DF and offset set
+
+116:431 (icmp6) ICMPv6 type not decoded
+
+(icmp6) ICMPv6 type not decoded
+
+116:432 (icmp6) ICMPv6 packet to multicast address
+
+(icmp6) ICMPv6 packet to multicast address
+
+116:433 (tcp) DDOS shaft SYN flood
+
+(tcp) DDOS shaft SYN flood
+
+116:434 (icmp4) ICMP ping Nmap
+
+(icmp4) ICMP ping Nmap
+
+116:435 (icmp4) ICMP icmpenum v1.1.1
+
+(icmp4) ICMP icmpenum v1.1.1
+
+116:436 (icmp4) ICMP redirect host
+
+(icmp4) ICMP redirect host
+
+116:437 (icmp4) ICMP redirect net
+
+(icmp4) ICMP redirect net
+
+116:438 (icmp4) ICMP traceroute ipopts
+
+(icmp4) ICMP traceroute ipopts
+
+116:439 (icmp4) ICMP source quench
+
+(icmp4) ICMP source quench
+
+116:440 (icmp4) broadscan smurf scanner
+
+(icmp4) broadscan smurf scanner
+
+116:441 (icmp4) ICMP destination unreachable communication
+administratively prohibited
+
+(icmp4) ICMP destination unreachable communication administratively
+prohibited
+
+116:442 (icmp4) ICMP destination unreachable communication with
+destination host is administratively prohibited
+
+(icmp4) ICMP destination unreachable communication with destination
+host is administratively prohibited
+
+116:443 (icmp4) ICMP destination unreachable communication with
+destination network is administratively prohibited
+
+(icmp4) ICMP destination unreachable communication with destination
+network is administratively prohibited
+
+116:444 (ipv4) IPv4 option set
+
+(ipv4) IPv4 option set
+
+116:445 (udp) large UDP packet (> 4000 bytes)
+
+(udp) large UDP packet (> 4000 bytes)
+
+116:446 (tcp) TCP port 0 traffic
+
+(tcp) TCP port 0 traffic
+
+116:447 (udp) UDP port 0 traffic
+
+(udp) UDP port 0 traffic
+
+116:448 (ipv4) IPv4 reserved bit set
+
+(ipv4) IPv4 reserved bit set
+
+116:449 (decode) unassigned/reserved IP protocol
+
+(decode) unassigned/reserved IP protocol
+
+116:450 (decode) bad IP protocol
+
+(decode) bad IP protocol
+
+116:451 (icmp4) ICMP path MTU denial of service attempt
+
+(icmp4) ICMP path MTU denial of service attempt
+
+116:452 (icmp4) Linux ICMP header DOS attempt
+
+(icmp4) Linux ICMP header DOS attempt
+
+116:453 (ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
+
+(ipv6) ISATAP-addressed IPv6 traffic spoofing attempt
+
+116:454 (pgm) PGM nak list overflow attempt
+
+(pgm) PGM nak list overflow attempt
+
+116:455 (igmp) DOS IGMP IP options validation attempt
+
+(igmp) DOS IGMP IP options validation attempt
+
+116:456 (ipv6) too many IPv6 extension headers
+
+(ipv6) too many IPv6 extension headers
+
+116:457 (icmp6) ICMPv6 packet of type 1 (destination unreachable)
+with non-RFC 4443 code
+
+(icmp6) ICMPv6 packet of type 1 (destination unreachable) with
+non-RFC 4443 code
+
+116:458 (ipv6) bogus fragmentation packet, possible BSD attack
+
+(ipv6) bogus fragmentation packet, possible BSD attack
+
+116:459 (decode) fragment with zero length
+
+(decode) fragment with zero length
+
+116:460 (icmp6) ICMPv6 node info query/response packet with a code
+greater than 2
+
+(icmp6) ICMPv6 node info query/response packet with a code greater
+than 2
+
+116:461 (ipv6) IPv6 routing type 0 extension header
+
+(ipv6) IPv6 routing type 0 extension header
+
+116:462 (erspan2) ERSpan header version mismatch
+
+(erspan2) ERSpan header version mismatch
+
+116:463 (erspan2) captured length < ERSpan type2 header length
+
+(erspan2) captured length < ERSpan type2 header length
+
+116:464 (erspan3) captured < ERSpan type3 header length
+
+(erspan3) captured < ERSpan type3 header length
+
+116:465 (auth) truncated authentication header
+
+(auth) truncated authentication header
+
+116:466 (auth) bad authentication header length
+
+(auth) bad authentication header length
+
+116:467 (fabricpath) truncated FabricPath header
+
+(fabricpath) truncated FabricPath header
+
+116:468 (ciscometadata) truncated Cisco Metadata header
+
+(ciscometadata) truncated Cisco Metadata header
+
+116:469 (ciscometadata) invalid Cisco Metadata option length
+
+(ciscometadata) invalid Cisco Metadata option length
+
+116:470 (ciscometadata) invalid Cisco Metadata option type
+
+(ciscometadata) invalid Cisco Metadata option type
+
+116:471 (ciscometadata) invalid Cisco Metadata security group tag
+
+(ciscometadata) invalid Cisco Metadata security group tag
+
+116:472 (decode) too many protocols present
+
+(decode) too many protocols present
+
+116:473 (decode) ether type out of range
+
+(decode) ether type out of range
+
+116:474 (icmp6) ICMPv6 not encapsulated in IPv6
+
+(icmp6) ICMPv6 not encapsulated in IPv6
+
+116:475 (ipv6) IPv6 mobility header includes an invalid value for the
+payload protocol field
+
+(ipv6) IPv6 mobility header includes an invalid value for the payload
+protocol field
+
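Review bot: 116:424 is added twice, and in the first copy the heading says "(pbb) truncated ethernet header" while the description under it says "(eth) truncated ethernet header". If both the eth and pbb codecs raise 116:424, head the first entry "116:424 (eth) truncated ethernet header" so heading and body agree; otherwise drop the duplicate. Two smaller points in the same group: 116:291 spells "IPV6" where every other entry uses "IPv6", and 116:286 and 116:457 differ only in the RFC they cite (2463 versus 4443), with nothing in either description to tell a reader which one to expect.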
+119:1 (http_inspect) ascii encoding
+
+(http_inspect) ascii encoding
+
+119:2 (http_inspect) double decoding attack
+
+(http_inspect) double decoding attack
+
+119:3 (http_inspect) u encoding
+
+(http_inspect) u encoding
+
+119:4 (http_inspect) bare byte unicode encoding
+
+(http_inspect) bare byte unicode encoding
+
+119:6 (http_inspect) UTF-8 encoding
+
+(http_inspect) UTF-8 encoding
+
+119:7 (http_inspect) unicode map code point encoding in URI
+
+(http_inspect) unicode map code point encoding in URI
+
+119:8 (http_inspect) multi_slash encoding
+
+(http_inspect) multi_slash encoding
+
+119:9 (http_inspect) backslash used in URI path
+
+(http_inspect) backslash used in URI path
+
+119:10 (http_inspect) self directory traversal
+
+(http_inspect) self directory traversal
+
+119:11 (http_inspect) directory traversal
+
+(http_inspect) directory traversal
+
+119:12 (http_inspect) apache whitespace (tab)
+
+(http_inspect) apache whitespace (tab)
+
+119:13 (http_inspect) HTTP header line terminated by LF without a CR
+
+(http_inspect) HTTP header line terminated by LF without a CR
+
+119:14 (http_inspect) non-RFC defined char
+
+(http_inspect) non-RFC defined char
+
+119:15 (http_inspect) oversize request-uri directory
+
+(http_inspect) oversize request-uri directory
+
+119:16 (http_inspect) oversize chunk encoding
+
+(http_inspect) oversize chunk encoding
+
+119:18 (http_inspect) webroot directory traversal
+
+(http_inspect) webroot directory traversal
+
+119:19 (http_inspect) long header
+
+(http_inspect) long header
+
+119:20 (http_inspect) max header fields
+
+(http_inspect) max header fields
+
+119:21 (http_inspect) multiple content length
+
+(http_inspect) multiple content length
+
+119:24 (http_inspect) Host header field appears more than once or has
+multiple values
+
+(http_inspect) Host header field appears more than once or has
+multiple values
+
+119:25 (http_inspect) Host header value is too long
+
+(http_inspect) Host header value is too long
+
+119:28 (http_inspect) POST or PUT w/o content-length or chunks
+
+(http_inspect) POST or PUT w/o content-length or chunks
+
+119:31 (http_inspect) unknown method
+
+(http_inspect) unknown method
+
+119:32 (http_inspect) simple request
+
+(http_inspect) simple request
+
+119:33 (http_inspect) unescaped space in HTTP URI
+
+(http_inspect) unescaped space in HTTP URI
+
+119:34 (http_inspect) too many pipelined requests
+
+(http_inspect) too many pipelined requests
+
+119:102 (http_inspect) invalid status code in HTTP response
+
+(http_inspect) invalid status code in HTTP response
+
+119:104 (http_inspect) HTTP response has UTF charset that failed to
+normalize
+
+(http_inspect) HTTP response has UTF charset that failed to normalize
+
+119:105 (http_inspect) HTTP response has UTF-7 charset
+
+(http_inspect) HTTP response has UTF-7 charset
+
+119:109 (http_inspect) javascript obfuscation levels exceeds 1
+
+(http_inspect) javascript obfuscation levels exceeds 1
+
+119:110 (http_inspect) javascript whitespaces exceeds max allowed
+
+(http_inspect) javascript whitespaces exceeds max allowed
+
+119:111 (http_inspect) multiple encodings within javascript
+obfuscated data
+
+(http_inspect) multiple encodings within javascript obfuscated data
+
+119:112 (http_inspect) SWF file zlib decompression failure
+
+(http_inspect) SWF file zlib decompression failure
+
+119:113 (http_inspect) SWF file LZMA decompression failure
+
+(http_inspect) SWF file LZMA decompression failure
+
+119:114 (http_inspect) PDF file deflate decompression failure
+
+(http_inspect) PDF file deflate decompression failure
+
+119:115 (http_inspect) PDF file unsupported compression type
+
+(http_inspect) PDF file unsupported compression type
+
+119:116 (http_inspect) PDF file cascaded compression
+
+(http_inspect) PDF file cascaded compression
+
+119:117 (http_inspect) PDF file parse failure
+
+(http_inspect) PDF file parse failure
+
+119:201 (http_inspect) not HTTP traffic
+
+(http_inspect) not HTTP traffic
+
+119:202 (http_inspect) chunk length has excessive leading zeros
+
+(http_inspect) chunk length has excessive leading zeros
+
+119:203 (http_inspect) white space before or between messages
+
+(http_inspect) white space before or between messages
+
+119:204 (http_inspect) request message without URI
+
+(http_inspect) request message without URI
+
+119:205 (http_inspect) control character in reason phrase
+
+(http_inspect) control character in reason phrase
+
+119:206 (http_inspect) illegal extra whitespace in start line
+
+(http_inspect) illegal extra whitespace in start line
+
+119:207 (http_inspect) corrupted HTTP version
+
+(http_inspect) corrupted HTTP version
+
+119:208 (http_inspect) unknown HTTP version
+
+(http_inspect) unknown HTTP version
+
+119:209 (http_inspect) format error in HTTP header
+
+(http_inspect) format error in HTTP header
+
+119:210 (http_inspect) chunk header options present
+
+(http_inspect) chunk header options present
+
+119:211 (http_inspect) URI badly formatted
+
+(http_inspect) URI badly formatted
+
+119:212 (http_inspect) unrecognized type of percent encoding in URI
+
+(http_inspect) unrecognized type of percent encoding in URI
+
+119:213 (http_inspect) HTTP chunk misformatted
+
+(http_inspect) HTTP chunk misformatted
+
+119:214 (http_inspect) white space adjacent to chunk length
+
+(http_inspect) white space adjacent to chunk length
+
+119:215 (http_inspect) white space within header name
+
+(http_inspect) white space within header name
+
+119:216 (http_inspect) excessive gzip compression
+
+(http_inspect) excessive gzip compression
+
+119:217 (http_inspect) gzip decompression failed
+
+(http_inspect) gzip decompression failed
+
+119:218 (http_inspect) HTTP 0.9 requested followed by another request
+
+(http_inspect) HTTP 0.9 requested followed by another request
+
+119:219 (http_inspect) HTTP 0.9 request following a normal request
+
+(http_inspect) HTTP 0.9 request following a normal request
+
+119:220 (http_inspect) message has both Content-Length and
+Transfer-Encoding
+
+(http_inspect) message has both Content-Length and Transfer-Encoding
+
+119:221 (http_inspect) status code implying no body combined with
+Transfer-Encoding or nonzero Content-Length
+
+(http_inspect) status code implying no body combined with
+Transfer-Encoding or nonzero Content-Length
+
+119:222 (http_inspect) Transfer-Encoding not ending with chunked
+
+(http_inspect) Transfer-Encoding not ending with chunked
+
+119:223 (http_inspect) Transfer-Encoding with encodings before
+chunked
+
+(http_inspect) Transfer-Encoding with encodings before chunked
+
+119:224 (http_inspect) misformatted HTTP traffic
+
+(http_inspect) misformatted HTTP traffic
+
+119:225 (http_inspect) unsupported Content-Encoding used
+
+(http_inspect) unsupported Content-Encoding used
+
+119:226 (http_inspect) unknown Content-Encoding used
+
+(http_inspect) unknown Content-Encoding used
+
+119:227 (http_inspect) multiple Content-Encodings applied
+
+(http_inspect) multiple Content-Encodings applied
+
+119:228 (http_inspect) server response before client request
+
+(http_inspect) server response before client request
+
+119:229 (http_inspect) PDF/SWF/ZIP decompression of server response
+too big
+
+(http_inspect) PDF/SWF/ZIP decompression of server response too big
+
+119:230 (http_inspect) nonprinting character in HTTP message header
+name
+
+(http_inspect) nonprinting character in HTTP message header name
+
+119:231 (http_inspect) bad Content-Length value in HTTP header
+
+(http_inspect) bad Content-Length value in HTTP header
+
+119:232 (http_inspect) HTTP header line wrapped
+
+(http_inspect) HTTP header line wrapped
+
+119:233 (http_inspect) HTTP header line terminated by CR without a LF
+
+(http_inspect) HTTP header line terminated by CR without a LF
+
+119:234 (http_inspect) chunk terminated by nonstandard separator
+
+(http_inspect) chunk terminated by nonstandard separator
+
+119:235 (http_inspect) chunk length terminated by LF without CR
+
+(http_inspect) chunk length terminated by LF without CR
+
+119:236 (http_inspect) more than one response with 100 status code
+
+(http_inspect) more than one response with 100 status code
+
+119:237 (http_inspect) 100 status code not in response to Expect
+header
+
+(http_inspect) 100 status code not in response to Expect header
+
+119:238 (http_inspect) 1XX status code other than 100 or 101
+
+(http_inspect) 1XX status code other than 100 or 101
+
+119:239 (http_inspect) Expect header sent without a message body
+
+(http_inspect) Expect header sent without a message body
+
+119:240 (http_inspect) HTTP 1.0 message with Transfer-Encoding header
+
+(http_inspect) HTTP 1.0 message with Transfer-Encoding header
+
+119:241 (http_inspect) Content-Transfer-Encoding used as HTTP header
+
+(http_inspect) Content-Transfer-Encoding used as HTTP header
+
+119:242 (http_inspect) illegal field in chunked message trailers
+
+(http_inspect) illegal field in chunked message trailers
+
+119:243 (http_inspect) header field inappropriately appears twice or
+has two values
+
+(http_inspect) header field inappropriately appears twice or has two
+values
+
+119:244 (http_inspect) invalid value chunked in Content-Encoding
+header
+
+(http_inspect) invalid value chunked in Content-Encoding header
+
+119:245 (http_inspect) 206 response sent to a request without a Range
+header
+
+(http_inspect) 206 response sent to a request without a Range header
+
+119:246 (http_inspect) HTTP in version field not all upper case
+
+(http_inspect) HTTP in version field not all upper case
+
+119:247 (http_inspect) white space embedded in critical header value
+
+(http_inspect) white space embedded in critical header value
+
+119:248 (http_inspect) gzip compressed data followed by unexpected
+non-gzip data
+
+(http_inspect) gzip compressed data followed by unexpected non-gzip
+data
+
+119:249 (http_inspect) excessive HTTP parameter key repeats
+
+(http_inspect) excessive HTTP parameter key repeats
+
+119:250 (http_inspect) HTTP/2 Transfer-Encoding header other than
+identity
+
+(http_inspect) HTTP/2 Transfer-Encoding header other than identity
+
+119:251 (http_inspect) HTTP/2 message body overruns Content-Length
+header value
+
+(http_inspect) HTTP/2 message body overruns Content-Length header
+value
+
+119:252 (http_inspect) HTTP/2 message body smaller than
+Content-Length header value
+
+(http_inspect) HTTP/2 message body smaller than Content-Length header
+value
+
+119:253 (http_inspect) HTTP CONNECT request with a message body
+
+(http_inspect) HTTP CONNECT request with a message body
+
+119:254 (http_inspect) HTTP client-to-server traffic after CONNECT
+request but before CONNECT response
+
+(http_inspect) HTTP client-to-server traffic after CONNECT request
+but before CONNECT response
+
+119:255 (http_inspect) HTTP CONNECT 2XX response with Content-Length
+header
+
+(http_inspect) HTTP CONNECT 2XX response with Content-Length header
+
+119:256 (http_inspect) HTTP CONNECT 2XX response with
+Transfer-Encoding header
+
+(http_inspect) HTTP CONNECT 2XX response with Transfer-Encoding
+header
+
+119:257 (http_inspect) HTTP CONNECT response with 1XX status code
+
+(http_inspect) HTTP CONNECT response with 1XX status code
+
+119:258 (http_inspect) HTTP CONNECT response before request message
+completed
+
+(http_inspect) HTTP CONNECT response before request message completed
+
+119:259 (http_inspect) malformed HTTP Content-Disposition filename
+parameter
+
+(http_inspect) malformed HTTP Content-Disposition filename parameter
+
+119:260 (http_inspect) HTTP Content-Length message body was truncated
+
+(http_inspect) HTTP Content-Length message body was truncated
+
+119:261 (http_inspect) HTTP chunked message body was truncated
+
+(http_inspect) HTTP chunked message body was truncated
+
+119:262 (http_inspect) HTTP URI scheme longer than 10 characters
+
+(http_inspect) HTTP URI scheme longer than 10 characters
+
+119:263 (http_inspect) HTTP/1 client requested HTTP/2 upgrade
+
+(http_inspect) HTTP/1 client requested HTTP/2 upgrade
+
+119:264 (http_inspect) HTTP/1 server granted HTTP/2 upgrade
+
+(http_inspect) HTTP/1 server granted HTTP/2 upgrade
+
+119:265 (http_inspect) bad token in JavaScript
+
+(http_inspect) bad token in JavaScript
+
+119:266 (http_inspect) unexpected script opening tag in JavaScript
+
+(http_inspect) unexpected script opening tag in JavaScript
+
+119:267 (http_inspect) unexpected script closing tag in JavaScript
+
+(http_inspect) unexpected script closing tag in JavaScript
+
+119:268 (http_inspect) JavaScript code under the external script tags
+
+(http_inspect) JavaScript code under the external script tags
+
+119:269 (http_inspect) script opening tag in a short form
+
+(http_inspect) script opening tag in a short form
+
+119:270 (http_inspect) max number of unique JavaScript identifiers
+reached
+
+(http_inspect) max number of unique JavaScript identifiers reached
+
+119:271 (http_inspect) JavaScript template literal nesting is over
+capacity
+
+(http_inspect) JavaScript template literal nesting is over capacity
+
+119:272 (http_inspect) Consecutive commas in HTTP Accept-Encoding
+header
+
+(http_inspect) Consecutive commas in HTTP Accept-Encoding header
+
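Review bot: 119:218 reads "HTTP 0.9 requested followed by another request"; "requested" looks like a typo for "request" (compare 119:219, "HTTP 0.9 request following a normal request"), and it appears in both the heading and the description. While these lines are being added, the casing could also be made consistent: 119:109 to 119:111 write "javascript" while 119:265 to 119:271 write "JavaScript", and 119:109 "levels exceeds" mixes plural and singular.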
+121:1 (http2_inspect) invalid flag set on HTTP/2 frame
+
+(http2_inspect) invalid flag set on HTTP/2 frame
+
+121:2 (http2_inspect) HPACK integer value has leading zeros
+
+(http2_inspect) HPACK integer value has leading zeros
+
+121:3 (http2_inspect) HTTP/2 stream initiated with invalid stream id
+
+(http2_inspect) HTTP/2 stream initiated with invalid stream id
+
+121:4 (http2_inspect) missing HTTP/2 continuation frame
+
+(http2_inspect) missing HTTP/2 continuation frame
+
+121:5 (http2_inspect) unexpected HTTP/2 continuation frame
+
+(http2_inspect) unexpected HTTP/2 continuation frame
+
+121:6 (http2_inspect) misformatted HTTP/2 traffic
+
+(http2_inspect) misformatted HTTP/2 traffic
+
+121:7 (http2_inspect) HTTP/2 connection preface does not match
+
+(http2_inspect) HTTP/2 connection preface does not match
+
+121:8 (http2_inspect) HTTP/2 request missing required header field
+
+(http2_inspect) HTTP/2 request missing required header field
+
+121:9 (http2_inspect) HTTP/2 response has no status code
+
+(http2_inspect) HTTP/2 response has no status code
+
+121:10 (http2_inspect) HTTP/2 CONNECT request with scheme or path
+
+(http2_inspect) HTTP/2 CONNECT request with scheme or path
+
+121:11 (http2_inspect) error in HTTP/2 settings frame
+
+(http2_inspect) error in HTTP/2 settings frame
+
+121:12 (http2_inspect) unknown parameter in HTTP/2 settings frame
+
+(http2_inspect) unknown parameter in HTTP/2 settings frame
+
+121:13 (http2_inspect) invalid HTTP/2 frame sequence
+
+(http2_inspect) invalid HTTP/2 frame sequence
+
+121:14 (http2_inspect) HTTP/2 dynamic table size limit exceeded
+
+(http2_inspect) HTTP/2 dynamic table size limit exceeded
+
+121:15 (http2_inspect) HTTP/2 push promise frame with invalid
+promised stream id
+
+(http2_inspect) HTTP/2 push promise frame with invalid promised
+stream id
+
+121:16 (http2_inspect) HTTP/2 padding length is bigger than frame
+data size
+
+(http2_inspect) HTTP/2 padding length is bigger than frame data size
+
+121:17 (http2_inspect) HTTP/2 pseudo-header after regular header
+
+(http2_inspect) HTTP/2 pseudo-header after regular header
+
+121:18 (http2_inspect) HTTP/2 pseudo-header in trailers
+
+(http2_inspect) HTTP/2 pseudo-header in trailers
+
+121:19 (http2_inspect) invalid HTTP/2 pseudo-header
+
+(http2_inspect) invalid HTTP/2 pseudo-header
+
+121:20 (http2_inspect) HTTP/2 trailers without END_STREAM bit
+
+(http2_inspect) HTTP/2 trailers without END_STREAM bit
+
+121:21 (http2_inspect) HTTP/2 push promise frame sent when prohibited
+by receiver
+
+(http2_inspect) HTTP/2 push promise frame sent when prohibited by
+receiver
+
+121:22 (http2_inspect) padding flag set on HTTP/2 frame with zero
+length
+
+(http2_inspect) padding flag set on HTTP/2 frame with zero length
+
+121:23 (http2_inspect) HTTP/2 push promise frame in c2s direction
+
+(http2_inspect) HTTP/2 push promise frame in c2s direction
+
+121:24 (http2_inspect) invalid HTTP/2 push promise frame
+
+(http2_inspect) invalid HTTP/2 push promise frame
+
+121:25 (http2_inspect) HTTP/2 push promise frame sent at invalid time
+
+(http2_inspect) HTTP/2 push promise frame sent at invalid time
+
+121:26 (http2_inspect) invalid parameter value sent in HTTP/2
+settings frame
+
+(http2_inspect) invalid parameter value sent in HTTP/2 settings frame
+
+121:27 (http2_inspect) excessive concurrent HTTP/2 streams
+
+(http2_inspect) excessive concurrent HTTP/2 streams
+
+121:28 (http2_inspect) invalid HTTP/2 rst stream frame
+
+(http2_inspect) invalid HTTP/2 rst stream frame
+
+121:29 (http2_inspect) HTTP/2 rst stream frame sent at invalid time
+
+(http2_inspect) HTTP/2 rst stream frame sent at invalid time
+
+121:30 (http2_inspect) uppercase HTTP/2 header field name
+
+(http2_inspect) uppercase HTTP/2 header field name
+
+121:31 (http2_inspect) invalid HTTP/2 window update frame
+
+(http2_inspect) invalid HTTP/2 window update frame
+
+121:32 (http2_inspect) HTTP/2 window update frame with zero increment
+
+(http2_inspect) HTTP/2 window update frame with zero increment
+
+121:33 (http2_inspect) HTTP/2 request without a method
+
+(http2_inspect) HTTP/2 request without a method
+
+121:34 (http2_inspect) HTTP/2 HPACK table size update not at the
+start of a header block
+
+(http2_inspect) HTTP/2 HPACK table size update not at the start of a
+header block
+
+121:35 (http2_inspect) More than two HTTP/2 HPACK table size updates
+in a single header block
+
+(http2_inspect) More than two HTTP/2 HPACK table size updates in a
+single header block
+
+121:36 (http2_inspect) HTTP/2 HPACK table size update exceeds max
+value set by decoder in SETTINGS frame
+
+(http2_inspect) HTTP/2 HPACK table size update exceeds max value set
+by decoder in SETTINGS frame
+
+122:1 (port_scan) TCP portscan
+
+(port_scan) TCP portscan
+
+122:2 (port_scan) TCP decoy portscan
+
+(port_scan) TCP decoy portscan
+
+122:3 (port_scan) TCP portsweep
+
+(port_scan) TCP portsweep
+
+122:4 (port_scan) TCP distributed portscan
+
+(port_scan) TCP distributed portscan
+
+122:5 (port_scan) TCP filtered portscan
+
+(port_scan) TCP filtered portscan
+
+122:6 (port_scan) TCP filtered decoy portscan
+
+(port_scan) TCP filtered decoy portscan
+
+122:7 (port_scan) TCP filtered portsweep
+
+(port_scan) TCP filtered portsweep
+
+122:8 (port_scan) TCP filtered distributed portscan
+
+(port_scan) TCP filtered distributed portscan
+
+122:9 (port_scan) IP protocol scan
+
+(port_scan) IP protocol scan
+
+122:10 (port_scan) IP decoy protocol scan
+
+(port_scan) IP decoy protocol scan
+
+122:11 (port_scan) IP protocol sweep
+
+(port_scan) IP protocol sweep
+
+122:12 (port_scan) IP distributed protocol scan
+
+(port_scan) IP distributed protocol scan
+
+122:13 (port_scan) IP filtered protocol scan
+
+(port_scan) IP filtered protocol scan
+
+122:14 (port_scan) IP filtered decoy protocol scan
+
+(port_scan) IP filtered decoy protocol scan
+
+122:15 (port_scan) IP filtered protocol sweep
+
+(port_scan) IP filtered protocol sweep
+
+122:16 (port_scan) IP filtered distributed protocol scan
+
+(port_scan) IP filtered distributed protocol scan
+
+122:17 (port_scan) UDP portscan
+
+(port_scan) UDP portscan
+
+122:18 (port_scan) UDP decoy portscan
+
+(port_scan) UDP decoy portscan
+
+122:19 (port_scan) UDP portsweep
+
+(port_scan) UDP portsweep
+
+122:20 (port_scan) UDP distributed portscan
+
+(port_scan) UDP distributed portscan
+
+122:21 (port_scan) UDP filtered portscan
+
+(port_scan) UDP filtered portscan
+
+122:22 (port_scan) UDP filtered decoy portscan
+
+(port_scan) UDP filtered decoy portscan
+
+122:23 (port_scan) UDP filtered portsweep
+
+(port_scan) UDP filtered portsweep
+
+122:24 (port_scan) UDP filtered distributed portscan
+
+(port_scan) UDP filtered distributed portscan
+
+122:25 (port_scan) ICMP sweep
+
+(port_scan) ICMP sweep
+
+122:26 (port_scan) ICMP filtered sweep
+
+(port_scan) ICMP filtered sweep
+
+122:27 (port_scan) open port
+
+(port_scan) open port
+
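Review bot: the port_scan entries 122:1 to 122:26 use "decoy", "distributed", "filtered" and "portsweep" without defining them, and the description under each heading repeats the heading word for word, so a reader triaging 122:5 against 122:1 learns nothing from this section. Suggest either one sentence per variant saying what distinguishes it, or a short note at the top of the 122 group defining the four terms once. The description-repeats-heading pattern holds for every entry in this added block, so the same applies to the other groups.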
+123:1 (stream_ip) inconsistent IP options on fragmented packets
+
+(stream_ip) inconsistent IP options on fragmented packets
+
+123:2 (stream_ip) teardrop attack
+
+(stream_ip) teardrop attack
+
+123:3 (stream_ip) short fragment, possible DOS attempt
+
+(stream_ip) short fragment, possible DOS attempt
+
+123:4 (stream_ip) fragment packet ends after defragmented packet
+
+(stream_ip) fragment packet ends after defragmented packet
+
+123:5 (stream_ip) zero-byte fragment packet
+
+(stream_ip) zero-byte fragment packet
+
+123:6 (stream_ip) bad fragment size, packet size is negative
+
+(stream_ip) bad fragment size, packet size is negative
+
+123:7 (stream_ip) bad fragment size, packet size is greater than
+65536
+
+(stream_ip) bad fragment size, packet size is greater than 65536
+
+123:8 (stream_ip) fragmentation overlap
+
+(stream_ip) fragmentation overlap
+
+123:11 (stream_ip) TTL value less than configured minimum, not using
+for reassembly
+
+(stream_ip) TTL value less than configured minimum, not using for
+reassembly
+
+123:12 (stream_ip) excessive fragment overlap
+
+(stream_ip) excessive fragment overlap
+
+123:13 (stream_ip) tiny fragment
+
+(stream_ip) tiny fragment
+
+124:1 (smtp) attempted command buffer overflow
+
+(smtp) attempted command buffer overflow
+
+124:2 (smtp) attempted data header buffer overflow
+
+(smtp) attempted data header buffer overflow
+
+124:3 (smtp) attempted response buffer overflow
+
+(smtp) attempted response buffer overflow
+
+124:4 (smtp) attempted specific command buffer overflow
+
+(smtp) attempted specific command buffer overflow
+
+124:5 (smtp) unknown command
+
+(smtp) unknown command
+
+124:6 (smtp) illegal command
+
+(smtp) illegal command
+
+124:7 (smtp) attempted header name buffer overflow
+
+(smtp) attempted header name buffer overflow
+
+124:8 (smtp) attempted X-Link2State command buffer overflow
+
+(smtp) attempted X-Link2State command buffer overflow
+
+124:10 (smtp) base64 decoding failed
+
+(smtp) base64 decoding failed
+
+124:11 (smtp) quoted-printable decoding failed
+
+(smtp) quoted-printable decoding failed
+
+124:13 (smtp) Unix-to-Unix decoding failed
+
+(smtp) Unix-to-Unix decoding failed
+
+124:14 (smtp) Cyrus SASL authentication attack
+
+(smtp) Cyrus SASL authentication attack
+
+124:15 (smtp) attempted authentication command buffer overflow
+
+(smtp) attempted authentication command buffer overflow
+
+124:16 (smtp) file decompression failed
+
+(smtp) file decompression failed
+
+125:1 (ftp_server) TELNET cmd on FTP command channel
+
+(ftp_server) TELNET cmd on FTP command channel
+
+125:2 (ftp_server) invalid FTP command
+
+(ftp_server) invalid FTP command
+
+125:3 (ftp_server) FTP command parameters were too long
+
+(ftp_server) FTP command parameters were too long
+
+125:4 (ftp_server) FTP command parameters were malformed
+
+(ftp_server) FTP command parameters were malformed
+
+125:5 (ftp_server) FTP command parameters contained potential string
+format
+
+(ftp_server) FTP command parameters contained potential string format
+
+125:6 (ftp_server) FTP response message was too long
+
+(ftp_server) FTP response message was too long
+
+125:7 (ftp_server) FTP traffic encrypted
+
+(ftp_server) FTP traffic encrypted
+
+125:8 (ftp_server) FTP bounce attempt
+
+(ftp_server) FTP bounce attempt
+
+125:9 (ftp_server) evasive (incomplete) TELNET cmd on FTP command
+channel
+
+(ftp_server) evasive (incomplete) TELNET cmd on FTP command channel
+
+126:1 (telnet) consecutive Telnet AYT commands beyond threshold
+
+(telnet) consecutive Telnet AYT commands beyond threshold
+
+126:2 (telnet) Telnet traffic encrypted
+
+(telnet) Telnet traffic encrypted
+
+126:3 (telnet) Telnet subnegotiation begin command without
+subnegotiation end
+
+(telnet) Telnet subnegotiation begin command without subnegotiation
+end
+
+128:1 (ssh) challenge-response overflow exploit
+
+(ssh) challenge-response overflow exploit
+
+128:2 (ssh) SSH1 CRC32 exploit
+
+(ssh) SSH1 CRC32 exploit
+
+128:3 (ssh) server version string overflow
+
+(ssh) server version string overflow
+
+128:5 (ssh) bad message direction
+
+(ssh) bad message direction
+
+128:6 (ssh) payload size incorrect for the given payload
+
+(ssh) payload size incorrect for the given payload
+
+128:7 (ssh) failed to detect SSH version string
+
+(ssh) failed to detect SSH version string
+
+129:1 (stream_tcp) SYN on established session
+
+(stream_tcp) SYN on established session
+
+129:2 (stream_tcp) data on SYN packet
+
+(stream_tcp) data on SYN packet
+
+129:3 (stream_tcp) data sent on stream not accepting data
+
+(stream_tcp) data sent on stream not accepting data
+
+129:4 (stream_tcp) TCP timestamp is outside of PAWS window
+
+(stream_tcp) TCP timestamp is outside of PAWS window
+
+129:5 (stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)
+
+(stream_tcp) bad segment, adjusted size ⇐ 0 (deprecated)
+
+129:6 (stream_tcp) window size (after scaling) larger than policy
+allows
+
+(stream_tcp) window size (after scaling) larger than policy allows
+
+129:7 (stream_tcp) limit on number of overlapping TCP packets reached
+
+(stream_tcp) limit on number of overlapping TCP packets reached
+
+129:8 (stream_tcp) data sent on stream after TCP reset sent
+
+(stream_tcp) data sent on stream after TCP reset sent
+
+129:9 (stream_tcp) TCP client possibly hijacked, different ethernet
+address
+
+(stream_tcp) TCP client possibly hijacked, different ethernet address
+
+129:10 (stream_tcp) TCP server possibly hijacked, different ethernet
+address
+
+(stream_tcp) TCP server possibly hijacked, different ethernet address
+
+129:11 (stream_tcp) TCP data with no TCP flags set
+
+(stream_tcp) TCP data with no TCP flags set
+
+129:12 (stream_tcp) consecutive TCP small segments exceeding
+threshold
+
+(stream_tcp) consecutive TCP small segments exceeding threshold
+
+129:13 (stream_tcp) 4-way handshake detected
+
+stream_tcp detected a 4-way handshake, which includes a TCP SYN
+(without ACK) in response to the initiating client SYN.
+stream_tcp.require_3whs = 0 should be set to ensure this can be
+detected in all cases.
+
+129:14 (stream_tcp) TCP timestamp is missing
+
+(stream_tcp) TCP timestamp is missing
+
+129:15 (stream_tcp) reset outside window
+
+(stream_tcp) reset outside window
+
+129:16 (stream_tcp) FIN number is greater than prior FIN
+
+(stream_tcp) FIN number is greater than prior FIN
+
+129:17 (stream_tcp) ACK number is greater than prior FIN
+
+(stream_tcp) ACK number is greater than prior FIN
+
+129:18 (stream_tcp) data sent on stream after TCP reset received
+
+(stream_tcp) data sent on stream after TCP reset received
+
+129:19 (stream_tcp) TCP window closed before receiving data
+
+(stream_tcp) TCP window closed before receiving data
+
+129:20 (stream_tcp) TCP session without 3-way handshake
+
+(stream_tcp) TCP session without 3-way handshake
+
+131:1 (dns) obsolete DNS RR types
+
+(dns) obsolete DNS RR types
+
+131:2 (dns) experimental DNS RR types
+
+(dns) experimental DNS RR types
+
+131:3 (dns) DNS client rdata txt overflow
+
+(dns) DNS client rdata txt overflow
+
+133:2 (dce_smb) SMB - bad NetBIOS session service session type
+
+(dce_smb) SMB - bad NetBIOS session service session type
+
+133:3 (dce_smb) SMB - bad SMB message type
+
+(dce_smb) SMB - bad SMB message type
+
+133:4 (dce_smb) SMB - bad SMB Id (not xffSMB for SMB1 or not xfeSMB
+for SMB2)
+
+(dce_smb) SMB - bad SMB Id (not \xffSMB for SMB1 or not \xfeSMB for
+SMB2)
+
+133:5 (dce_smb) SMB - bad word count or structure size
+
+(dce_smb) SMB - bad word count or structure size
+
+133:6 (dce_smb) SMB - bad byte count
+
+(dce_smb) SMB - bad byte count
+
+133:7 (dce_smb) SMB - bad format type
+
+(dce_smb) SMB - bad format type
+
+133:8 (dce_smb) SMB - bad offset
+
+(dce_smb) SMB - bad offset
+
+133:9 (dce_smb) SMB - zero total data count
+
+(dce_smb) SMB - zero total data count
+
+133:10 (dce_smb) SMB - NetBIOS data length less than SMB header
+length
+
+(dce_smb) SMB - NetBIOS data length less than SMB header length
+
+133:11 (dce_smb) SMB - remaining NetBIOS data length less than
+command length
+
+(dce_smb) SMB - remaining NetBIOS data length less than command
+length
+
+133:12 (dce_smb) SMB - remaining NetBIOS data length less than
+command byte count
+
+(dce_smb) SMB - remaining NetBIOS data length less than command byte
+count
+
+133:13 (dce_smb) SMB - remaining NetBIOS data length less than
+command data size
+
+(dce_smb) SMB - remaining NetBIOS data length less than command data
+size
+
+133:14 (dce_smb) SMB - remaining total data count less than this
+command data size
+
+(dce_smb) SMB - remaining total data count less than this command
+data size
+
+133:15 (dce_smb) SMB - total data sent (STDu64) greater than command
+total data expected
+
+(dce_smb) SMB - total data sent (STDu64) greater than command total
+data expected
+
+133:16 (dce_smb) SMB - byte count less than command data size
+(STDu64)
+
+(dce_smb) SMB - byte count less than command data size (STDu64)
+
+133:17 (dce_smb) SMB - invalid command data size for byte count
+
+(dce_smb) SMB - invalid command data size for byte count
+
+133:18 (dce_smb) SMB - excessive tree connect requests with pending
+tree connect responses
+
+(dce_smb) SMB - excessive tree connect requests with pending tree
+connect responses
+
+133:19 (dce_smb) SMB - excessive read requests with pending read
+responses
+
+(dce_smb) SMB - excessive read requests with pending read responses
+
+133:20 (dce_smb) SMB - excessive command chaining
+
+(dce_smb) SMB - excessive command chaining
+
+133:21 (dce_smb) SMB - Multiple chained login requests
+
+(dce_smb) SMB - Multiple chained login requests
+
+133:22 (dce_smb) SMB - Multiple chained tree connect requests
+
+(dce_smb) SMB - Multiple chained tree connect requests
+
+133:23 (dce_smb) SMB - chained/compounded login followed by logoff
+
+(dce_smb) SMB - chained/compounded login followed by logoff
+
+133:24 (dce_smb) SMB - chained/compounded tree connect followed by
+tree disconnect
+
+(dce_smb) SMB - chained/compounded tree connect followed by tree
+disconnect
+
+133:25 (dce_smb) SMB - chained/compounded open pipe followed by close
+pipe
+
+(dce_smb) SMB - chained/compounded open pipe followed by close pipe
+
+133:26 (dce_smb) SMB - invalid share access
+
+(dce_smb) SMB - invalid share access
+
+133:27 (dce_tcp) connection oriented DCE/RPC - invalid major version
+
+(dce_tcp) connection oriented DCE/RPC - invalid major version
+
+133:28 (dce_tcp) connection oriented DCE/RPC - invalid minor version
+
+(dce_tcp) connection oriented DCE/RPC - invalid minor version
+
+133:29 (dce_tcp) connection-oriented DCE/RPC - invalid PDU type
+
+(dce_tcp) connection-oriented DCE/RPC - invalid PDU type
+
+133:30 (dce_tcp) connection-oriented DCE/RPC - fragment length less
+than header size
+
+(dce_tcp) connection-oriented DCE/RPC - fragment length less than
+header size
+
+133:31 (dce_tcp) connection-oriented DCE/RPC - remaining fragment
+length less than size needed
+
+(dce_tcp) connection-oriented DCE/RPC - remaining fragment length
+less than size needed
+
+133:32 (dce_tcp) connection-oriented DCE/RPC - no context items
+specified
+
+(dce_tcp) connection-oriented DCE/RPC - no context items specified
+
+133:33 (dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes
+specified
+
+(dce_tcp) connection-oriented DCE/RPC -no transfer syntaxes specified
+
+133:34 (dce_tcp) connection-oriented DCE/RPC - fragment length on
+non-last fragment less than maximum negotiated fragment transmit size
+for client
+
+(dce_tcp) connection-oriented DCE/RPC - fragment length on non-last
+fragment less than maximum negotiated fragment transmit size for
+client
+
+133:35 (dce_tcp) connection-oriented DCE/RPC - fragment length
+greater than maximum negotiated fragment transmit size
+
+(dce_tcp) connection-oriented DCE/RPC - fragment length greater than
+maximum negotiated fragment transmit size
+
+133:36 (dce_tcp) connection-oriented DCE/RPC - alter context byte
+order different from bind
+
+(dce_tcp) connection-oriented DCE/RPC - alter context byte order
+different from bind
+
+133:37 (dce_tcp) connection-oriented DCE/RPC - call id of non first/
+last fragment different from call id established for fragmented
+request
+
+(dce_tcp) connection-oriented DCE/RPC - call id of non first/last
+fragment different from call id established for fragmented request
+
+133:38 (dce_tcp) connection-oriented DCE/RPC - opnum of non first/
+last fragment different from opnum established for fragmented request
+
+(dce_tcp) connection-oriented DCE/RPC - opnum of non first/last
+fragment different from opnum established for fragmented request
+
+133:39 (dce_tcp) connection-oriented DCE/RPC - context id of non
+first/last fragment different from context id established for
+fragmented request
+
+(dce_tcp) connection-oriented DCE/RPC - context id of non first/last
+fragment different from context id established for fragmented request
+
+133:40 (dce_udp) connection-less DCE/RPC - invalid major version
+
+(dce_udp) connection-less DCE/RPC - invalid major version
+
+133:41 (dce_udp) connection-less DCE/RPC - invalid PDU type
+
+(dce_udp) connection-less DCE/RPC - invalid PDU type
+
+133:42 (dce_udp) connection-less DCE/RPC - data length less than
+header size
+
+(dce_udp) connection-less DCE/RPC - data length less than header size
+
+133:43 (dce_udp) connection-less DCE/RPC - bad sequence number
+
+(dce_udp) connection-less DCE/RPC - bad sequence number
+
+133:44 (dce_smb) SMB - invalid SMB version 1 seen
+
+(dce_smb) SMB - invalid SMB version 1 seen
+
+133:45 (dce_smb) SMB - invalid SMB version 2 seen
+
+(dce_smb) SMB - invalid SMB version 2 seen
+
+133:46 (dce_smb) SMB - invalid user, tree connect, file binding
+
+(dce_smb) SMB - invalid user, tree connect, file binding
+
+133:47 (dce_smb) SMB - excessive command compounding
+
+(dce_smb) SMB - excessive command compounding
+
+133:48 (dce_smb) SMB - zero data count
+
+(dce_smb) SMB - zero data count
+
+133:50 (dce_smb) SMB - maximum number of outstanding requests
+exceeded
+
+(dce_smb) SMB - maximum number of outstanding requests exceeded
+
+133:51 (dce_smb) SMB - outstanding requests with same MID
+
+(dce_smb) SMB - outstanding requests with same MID
+
+133:52 (dce_smb) SMB - deprecated dialect negotiated
+
+(dce_smb) SMB - deprecated dialect negotiated
+
+133:53 (dce_smb) SMB - deprecated command used
+
+(dce_smb) SMB - deprecated command used
+
+133:54 (dce_smb) SMB - unusual command used
+
+(dce_smb) SMB - unusual command used
+
+133:55 (dce_smb) SMB - invalid setup count for command
+
+(dce_smb) SMB - invalid setup count for command
+
+133:56 (dce_smb) SMB - client attempted multiple dialect negotiations
+on session
+
+(dce_smb) SMB - client attempted multiple dialect negotiations on
+session
+
+133:57 (dce_smb) SMB - client attempted to create or set a file’s
+attributes to readonly/hidden/system
+
+(dce_smb) SMB - client attempted to create or set a file’s attributes
+to readonly/hidden/system
+
+133:58 (dce_smb) SMB - file offset provided is greater than file size
+specified
+
+(dce_smb) SMB - file offset provided is greater than file size
+specified
+
+133:59 (dce_smb) SMB - next command specified in SMB2 header is
+beyond payload boundary
+
+(dce_smb) SMB - next command specified in SMB2 header is beyond
+payload boundary
+
+134:1 (latency) rule tree suspended due to latency
+
+(latency) rule tree suspended due to latency
+
+134:2 (latency) rule tree re-enabled after suspend timeout
+
+(latency) rule tree re-enabled after suspend timeout
+
+134:3 (latency) packet fastpathed due to latency
+
+(latency) packet fastpathed due to latency
+
+135:1 (stream) TCP SYN received
+
+(stream) TCP SYN received
+
+135:2 (stream) TCP session established
+
+(stream) TCP session established
+
+135:3 (stream) TCP session cleared
+
+(stream) TCP session cleared
+
+136:1 (reputation) packets blocked based on source
+
+(reputation) packets blocked based on source
+
+136:2 (reputation) packets trusted based on source
+
+(reputation) packets trusted based on source
+
+136:3 (reputation) packets monitored based on source
+
+(reputation) packets monitored based on source
+
+136:4 (reputation) packets blocked based on destination
+
+(reputation) packets blocked based on destination
+
+136:5 (reputation) packets trusted based on destination
+
+(reputation) packets trusted based on destination
+
+136:6 (reputation) packets monitored based on destination
+
+(reputation) packets monitored based on destination
+
+137:1 (ssl) invalid client HELLO after server HELLO detected
+
+(ssl) invalid client HELLO after server HELLO detected
+
+137:2 (ssl) invalid server HELLO without client HELLO detected
+
+(ssl) invalid server HELLO without client HELLO detected
+
+137:3 (ssl) heartbeat read overrun attempt detected
+
+(ssl) heartbeat read overrun attempt detected
+
+137:4 (ssl) large heartbeat response detected
+
+(ssl) large heartbeat response detected
+
+140:2 (sip) empty request URI
+
+(sip) empty request URI
+
+140:3 (sip) URI is too long
+
+(sip) URI is too long
+
+140:4 (sip) empty call-Id
+
+(sip) empty call-Id
+
+140:5 (sip) Call-Id is too long
+
+(sip) Call-Id is too long
+
+140:6 (sip) CSeq number is too large or negative
+
+(sip) CSeq number is too large or negative
+
+140:7 (sip) request name in CSeq is too long
+
+(sip) request name in CSeq is too long
+
+140:8 (sip) empty From header
+
+(sip) empty From header
+
+140:9 (sip) From header is too long
+
+(sip) From header is too long
+
+140:10 (sip) empty To header
+
+(sip) empty To header
+
+140:11 (sip) To header is too long
+
+(sip) To header is too long
+
+140:12 (sip) empty Via header
+
+(sip) empty Via header
+
+140:13 (sip) Via header is too long
+
+(sip) Via header is too long
+
+140:14 (sip) empty Contact
+
+(sip) empty Contact
+
+140:15 (sip) contact is too long
+
+(sip) contact is too long
+
+140:16 (sip) content length is too large or negative
+
+(sip) content length is too large or negative
+
+140:17 (sip) multiple SIP messages in a packet
+
+(sip) multiple SIP messages in a packet
+
+140:18 (sip) content length mismatch
+
+(sip) content length mismatch
+
+140:19 (sip) request name is invalid
+
+(sip) request name is invalid
+
+140:20 (sip) Invite replay attack
+
+(sip) Invite replay attack
+
+140:21 (sip) illegal session information modification
+
+(sip) illegal session information modification
+
+140:22 (sip) response status code is not a 3 digit number
+
+(sip) response status code is not a 3 digit number
+
+140:23 (sip) empty Content-type header
+
+(sip) empty Content-type header
+
+140:24 (sip) SIP version is invalid
+
+(sip) SIP version is invalid
+
+140:25 (sip) mismatch in METHOD of request and the CSEQ header
+
+(sip) mismatch in METHOD of request and the CSEQ header
+
+140:26 (sip) method is unknown
+
+(sip) method is unknown
+
+140:27 (sip) maximum dialogs within a session reached
+
+(sip) maximum dialogs within a session reached
+
+141:1 (imap) unknown IMAP3 command
+
+(imap) unknown IMAP3 command
+
+141:2 (imap) unknown IMAP3 response
+
+(imap) unknown IMAP3 response
+
+141:4 (imap) base64 decoding failed
+
+(imap) base64 decoding failed
+
+141:5 (imap) quoted-printable decoding failed
+
+(imap) quoted-printable decoding failed
+
+141:7 (imap) Unix-to-Unix decoding failed
+
+(imap) Unix-to-Unix decoding failed
+
+141:8 (imap) file decompression failed
+
+(imap) file decompression failed
+
+142:1 (pop) unknown POP3 command
+
+(pop) unknown POP3 command
+
+142:2 (pop) unknown POP3 response
+
+(pop) unknown POP3 response
+
+142:4 (pop) base64 decoding failed
+
+(pop) base64 decoding failed
+
+142:5 (pop) quoted-printable decoding failed
+
+(pop) quoted-printable decoding failed
+
+142:7 (pop) Unix-to-Unix decoding failed
+
+(pop) Unix-to-Unix decoding failed
+
+142:8 (pop) file decompression failed
+
+(pop) file decompression failed
+
+143:1 (gtp_inspect) message length is invalid
+
+(gtp_inspect) message length is invalid
+
+143:2 (gtp_inspect) information element length is invalid
+
+(gtp_inspect) information element length is invalid
+
+143:3 (gtp_inspect) information elements are out of order
+
+(gtp_inspect) information elements are out of order
+
+143:4 (gtp_inspect) TEID is missing
+
+(gtp_inspect) TEID is missing
+
+144:1 (modbus) length in Modbus MBAP header does not match the length
+needed for the given function
+
+(modbus) length in Modbus MBAP header does not match the length
+needed for the given function
+
+144:2 (modbus) Modbus protocol ID is non-zero
+
+(modbus) Modbus protocol ID is non-zero
+
+144:3 (modbus) reserved Modbus function code in use
+
+(modbus) reserved Modbus function code in use
+
+145:1 (dnp3) DNP3 link-layer frame contains bad CRC
+
+(dnp3) DNP3 link-layer frame contains bad CRC
+
+145:2 (dnp3) DNP3 link-layer frame was dropped
+
+(dnp3) DNP3 link-layer frame was dropped
+
+145:3 (dnp3) DNP3 transport-layer segment was dropped during
+reassembly
+
+(dnp3) DNP3 transport-layer segment was dropped during reassembly
+
+145:4 (dnp3) DNP3 reassembly buffer was cleared without reassembling
+a complete message
+
+(dnp3) DNP3 reassembly buffer was cleared without reassembling a
+complete message
+
+145:5 (dnp3) DNP3 link-layer frame uses a reserved address
+
+(dnp3) DNP3 link-layer frame uses a reserved address
+
+145:6 (dnp3) DNP3 application-layer fragment uses a reserved function
+code
+
+(dnp3) DNP3 application-layer fragment uses a reserved function code
+
+148:1 (cip) CIP data is malformed
+
+(cip) CIP data is malformed
+
+148:2 (cip) CIP data is non-conforming to ODVA standard
+
+(cip) CIP data is non-conforming to ODVA standard
+
+148:3 (cip) CIP connection limit exceeded. Least recently used
+connection removed
+
+(cip) CIP connection limit exceeded. Least recently used connection
+removed
+
+148:4 (cip) CIP unconnected request limit exceeded. Oldest request
+removed
+
+(cip) CIP unconnected request limit exceeded. Oldest request removed
+
+149:1 (s7commplus) length in S7commplus MBAP header does not match
+the length needed for the given S7commplus function
+
+(s7commplus) length in S7commplus MBAP header does not match the
+length needed for the given S7commplus function
+
+149:2 (s7commplus) S7commplus protocol ID is non-zero
+
+(s7commplus) S7commplus protocol ID is non-zero
+
+149:3 (s7commplus) reserved S7commplus function code in use
+
+(s7commplus) reserved S7commplus function code in use
+
+150:1 (file_id) file not processed due to per flow limit
+
+(file_id) file not processed due to per flow limit
+
+151:1 (iec104) Length in IEC104 APCI header does not match the length
+needed for the given IEC104 ASDU type id
+
+(iec104) Length in IEC104 APCI header does not match the length
+needed for the given IEC104 ASDU type id
+
+151:2 (iec104) IEC104 Start byte does not match 0x68
+
+(iec104) IEC104 Start byte does not match 0x68
+
+151:3 (iec104) Reserved IEC104 ASDU type id in use
+
+(iec104) Reserved IEC104 ASDU type id in use
+
+151:4 (iec104) IEC104 APCI U Reserved field contains a non-default
+value
+
+(iec104) IEC104 APCI U Reserved field contains a non-default value
+
+151:5 (iec104) IEC104 APCI U message type was set to an invalid value
+
+(iec104) IEC104 APCI U message type was set to an invalid value
+
+151:6 (iec104) IEC104 APCI S Reserved field contains a non-default
+value
+
+(iec104) IEC104 APCI S Reserved field contains a non-default value
+
+151:7 (iec104) IEC104 APCI I number of elements set to zero
+
+(iec104) IEC104 APCI I number of elements set to zero
+
+151:8 (iec104) IEC104 APCI I SQ bit set on an ASDU that does not
+support the feature
+
+(iec104) IEC104 APCI I SQ bit set on an ASDU that does not support
+the feature
+
+151:9 (iec104) IEC104 APCI I number of elements set to greater than
+one on an ASDU that does not support the feature
+
+(iec104) IEC104 APCI I number of elements set to greater than one on
+an ASDU that does not support the feature
+
+151:10 (iec104) IEC104 APCI I Cause of Initialization set to a
+reserved value
+
+(iec104) IEC104 APCI I Cause of Initialization set to a reserved
+value
+
+151:11 (iec104) IEC104 APCI I Qualifier of Interrogation Command set
+to a reserved value
+
+(iec104) IEC104 APCI I Qualifier of Interrogation Command set to a
+reserved value
+
+151:12 (iec104) IEC104 APCI I Qualifier of Counter Interrogation
+Command request parameter set to a reserved value
+
+(iec104) IEC104 APCI I Qualifier of Counter Interrogation Command
+request parameter set to a reserved value
+
+151:13 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+Values kind of parameter set to a reserved value
+
+(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind
+of parameter set to a reserved value
+
+151:14 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+Values local parameter change set to a technically valid but unused
+value
+
+(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values
+local parameter change set to a technically valid but unused value
+
+151:15 (iec104) IEC104 APCI I Qualifier of Parameter of Measured
+Values parameter option set to a technically valid but unused value
+
+(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values
+parameter option set to a technically valid but unused value
+
+151:16 (iec104) IEC104 APCI I Qualifier of Parameter Activation set
+to a reserved value
+
+(iec104) IEC104 APCI I Qualifier of Parameter Activation set to a
+reserved value
+
+151:17 (iec104) IEC104 APCI I Qualifier of Command set to a reserved
+value
+
+(iec104) IEC104 APCI I Qualifier of Command set to a reserved value
+
+151:18 (iec104) IEC104 APCI I Qualifier of Reset Process set to a
+reserved value
+
+(iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved
+value
+
+151:19 (iec104) IEC104 APCI I File Ready Qualifier set to a reserved
+value
+
+(iec104) IEC104 APCI I File Ready Qualifier set to a reserved value
+
+151:20 (iec104) IEC104 APCI I Section Ready Qualifier set to a
+reserved value
+
+(iec104) IEC104 APCI I Section Ready Qualifier set to a reserved
+value
+
+151:21 (iec104) IEC104 APCI I Select and Call Qualifier set to a
+reserved value
+
+(iec104) IEC104 APCI I Select and Call Qualifier set to a reserved
+value
+
+151:22 (iec104) IEC104 APCI I Last Section or Segment Qualifier set
+to a reserved value
+
+(iec104) IEC104 APCI I Last Section or Segment Qualifier set to a
+reserved value
+
+151:23 (iec104) IEC104 APCI I Acknowledge File or Section Qualifier
+set to a reserved value
+
+(iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a
+reserved value
+
+151:24 (iec104) IEC104 APCI I Structure Qualifier set on a message
+where it should have no effect
+
+(iec104) IEC104 APCI I Structure Qualifier set on a message where it
+should have no effect
+
+151:25 (iec104) IEC104 APCI I Single Point Information Reserved field
+contains a non-default value
+
+(iec104) IEC104 APCI I Single Point Information Reserved field
+contains a non-default value
+
+151:26 (iec104) IEC104 APCI I Double Point Information Reserved field
+contains a non-default value
+
+(iec104) IEC104 APCI I Double Point Information Reserved field
+contains a non-default value
+
+151:27 (iec104) IEC104 APCI I Cause of Transmission set to a reserved
+value
+
+(iec104) IEC104 APCI I Cause of Transmission set to a reserved value
+
+151:28 (iec104) IEC104 APCI I Cause of Transmission set to a value
+not allowed for the ASDU
+
+(iec104) IEC104 APCI I Cause of Transmission set to a value not
+allowed for the ASDU
+
+151:29 (iec104) IEC104 APCI I invalid two octet common address value
+detected
+
+(iec104) IEC104 APCI I invalid two octet common address value
+detected
+
+151:30 (iec104) IEC104 APCI I Quality Descriptor Structure Reserved
+field contains a non-default value
+
+(iec104) IEC104 APCI I Quality Descriptor Structure Reserved field
+contains a non-default value
+
+151:31 (iec104) IEC104 APCI I Quality Descriptor for Events of
+Protection Equipment Structure Reserved field contains a non-default
+value
+
+(iec104) IEC104 APCI I Quality Descriptor for Events of Protection
+Equipment Structure Reserved field contains a non-default value
+
+151:32 (iec104) IEC104 APCI I IEEE STD 754 value results in NaN
+
+(iec104) IEC104 APCI I IEEE STD 754 value results in NaN
+
+151:33 (iec104) IEC104 APCI I IEEE STD 754 value results in infinity
+
+(iec104) IEC104 APCI I IEEE STD 754 value results in infinity
+
+151:34 (iec104) IEC104 APCI I Single Event of Protection Equipment
+Structure Reserved field contains a non-default value
+
+(iec104) IEC104 APCI I Single Event of Protection Equipment Structure
+Reserved field contains a non-default value
+
+151:35 (iec104) IEC104 APCI I Start Event of Protection Equipment
+Structure Reserved field contains a non-default value
+
+(iec104) IEC104 APCI I Start Event of Protection Equipment Structure
+Reserved field contains a non-default value
+
+151:36 (iec104) IEC104 APCI I Output Circuit Information Structure
+Reserved field contains a non-default value
+
+(iec104) IEC104 APCI I Output Circuit Information Structure Reserved
+field contains a non-default value
+
+151:37 (iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern
+detected
+
+(iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected
+
+151:38 (iec104) IEC104 APCI I Single Command Structure Reserved field
+contains a non-default value
+
+(iec104) IEC104 APCI I Single Command Structure Reserved field
+contains a non-default value
+
+151:39 (iec104) IEC104 APCI I Double Command Structure contains an
+invalid value
+
+(iec104) IEC104 APCI I Double Command Structure contains an invalid
+value
+
+151:40 (iec104) IEC104 APCI I Regulating Step Command Structure
+Reserved field contains a non-default value
+
+(iec104) IEC104 APCI I Regulating Step Command Structure Reserved
+field contains a non-default value
+
+151:41 (iec104) IEC104 APCI I Time2a Millisecond set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Millisecond set outside of the
+allowable range
+
+151:42 (iec104) IEC104 APCI I Time2a Minute set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Minute set outside of the allowable
+range
+
+151:43 (iec104) IEC104 APCI I Time2a Minute Reserved field contains a
+non-default value
+
+(iec104) IEC104 APCI I Time2a Minute Reserved field contains a
+non-default value
+
+151:44 (iec104) IEC104 APCI I Time2a Hours set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Hours set outside of the allowable
+range
+
+151:45 (iec104) IEC104 APCI I Time2a Hours Reserved field contains a
+non-default value
+
+(iec104) IEC104 APCI I Time2a Hours Reserved field contains a
+non-default value
+
+151:46 (iec104) IEC104 APCI I Time2a Day of Month set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Day of Month set outside of the
+allowable range
+
+151:47 (iec104) IEC104 APCI I Time2a Month set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Month set outside of the allowable
+range
+
+151:48 (iec104) IEC104 APCI I Time2a Month Reserved field contains a
+non-default value
+
+(iec104) IEC104 APCI I Time2a Month Reserved field contains a
+non-default value
+
+151:49 (iec104) IEC104 APCI I Time2a Year set outside of the
+allowable range
+
+(iec104) IEC104 APCI I Time2a Year set outside of the allowable range
+
+151:50 (iec104) IEC104 APCI I Time2a Year Reserved field contains a
+non-default value
+
+(iec104) IEC104 APCI I Time2a Year Reserved field contains a
+non-default value
+
+151:51 (iec104) IEC104 APCI I a null Length of Segment value has been
+detected
+
+(iec104) IEC104 APCI I a null Length of Segment value has been
+detected
+
+151:52 (iec104) IEC104 APCI I an invalid Length of Segment value has
+been detected
+
+(iec104) IEC104 APCI I an invalid Length of Segment value has been
+detected
+
+151:53 (iec104) IEC104 APCI I Status of File set to a reserved value
+
+(iec104) IEC104 APCI I Status of File set to a reserved value
+
+151:54 (iec104) IEC104 APCI I Qualifier of Set Point Command ql field
+set to a reserved value
+
+(iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to
+a reserved value
+
+175:1 (domain_filter) configured domain detected
+
+(domain_filter) configured domain detected
+
+256:1 (dpx) too much data sent to port
+
+(dpx) too much data sent to port
11.8. Command Set
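Review bot: In the visible part of this added builtin-rule section, every entry except 129:13 has a description that only repeats the rule message, so the section adds no information beyond the gid:sid index. 129:13 shows the useful form: it states what triggers the rule and which setting matters (stream_tcp.require_3whs). For alerts an analyst has to triage, such as 129:9 and 129:10 "possibly hijacked, different ethernet address", 125:8 "FTP bounce attempt" and 137:3 "heartbeat read overrun attempt detected", please add at least the condition that fires the rule and any option that gates it. Several messages also need cleanup before publishing: 129:5 shows "⇐ 0", which looks like "<= 0" converted to an arrow by the doc toolchain; the 133:4 heading drops the backslashes that its body keeps ("xffSMB" versus "\xffSMB"); 133:15 and 133:16 expose "(STDu64)", which looks like an unexpanded format placeholder; 133:33 reads "DCE/RPC -no transfer syntaxes" with a missing space; 133:27 and 133:28 say "connection oriented" where 133:29 onward say "connection-oriented"; and 149:1 says "S7commplus MBAP header", wording that mirrors the Modbus entry 144:1 and should be confirmed for S7commplus.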
* rem (ips_option): rule option to convey an arbitrary comment in
the rule body
* replace (ips_option): rule option to overwrite payload data; use
- with rewrite action
+ with "rewrite" action; works for raw packets only
* reputation (inspector): reputation inspection
* rev (ips_option): rule option to indicate current revision of
signature
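Review bot: "works for raw packets only" on the replace (ips_option) line does not say what happens when a rule with replace matches on anything other than a raw packet. Please state the outcome in the help text, for instance whether the replacement is skipped and whether the alert still fires, because someone using the "rewrite" action inline to neutralize payload needs to know when nothing is rewritten. The same wording is added to the ips_option::replace line further down, so the fix belongs in the shared help string.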
* ips_action::react: send response to client and terminate session
* ips_action::reject: terminate session with TCP reset or ICMP
unreachable
- * ips_action::rewrite: overwrite packet contents
+ * ips_action::rewrite: overwrite packet contents with the "replace"
+ option content
* ips_option::ack: rule option to match on TCP ack numbers
* ips_option::appids: detection option for application ids
* ips_option::asn1: rule option for asn1 detection
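Review bot: The new ips_action::rewrite text points at the "replace" option but omits the limitation this patch adds to replace ("works for raw packets only"). A reader who looks up the action rather than the option will not see that constraint; suggest repeating it here, for example by ending the line with "; works for raw packets only".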
* ips_option::rem: rule option to convey an arbitrary comment in
the rule body
* ips_option::replace: rule option to overwrite payload data; use
- with rewrite action
+ with "rewrite" action; works for raw packets only
* ips_option::rev: rule option to indicate current revision of
signature
* ips_option::rpc: rule option to check SUNRPC CALL parameters