2:1

A tagged packet was logged.

105:1

Back Orifice traffic detected, unknown direction

105:2

Back Orifice client traffic detected

105:3

Back Orifice server traffic detected

105:4

Back Orifice length field >= 1024 bytes

106:1

Detected fragmented RPC records.

106:2

Detected multiple RPC records in the packet.

106:3

Large RPC record fragment. RPC fragment length is greater than packet data size.

106:4

Incomplete RPC segment. Packet data size is less than required RPC fragment length.

106:5

Zero-length RPC fragment.

112:1

ARP request is unicast, not broadcast.

112:2

Mismatch between ethernet source hardware address and ARP source hardware address.

112:3

Mismatch between ethernet destination hardware address and ARP destination hardware address in an ARP reply.

112:4

Attempted ARP cache overwrite attack. The ethernet source hardware address or ARP source hardware address 
doesn't match the one provided for this IP address in the configured host table.

116:1

The packet is not an IPv4 datagram (based on the ip header's version field).

116:2

The IPv4 header length (based on the header's length field) is less than the IPv4 minimum
header length (20 bytes).

116:3

The total IPv4 datagram length is less than the length calculated using the ipv4 header length field.

116:4

The IPv4 options field has a bad/incorrect length.

116:5

The IPv4 options field is truncated.

116:6

The IPv4 datagram length is greater than the captured packet's length.

116:45

The TCP packet length is smaller than the minimum tcp header length (20 bytes).

116:46

The TCP data offset is less than five 32-bit words (20 bytes) and is therefore invalid.

116:47

The TCP header length exceeds the packet's length.

116:54

The TCP options are invalid and/or have bad lengths.

116:55

The TCP options field is truncated.

116:56

A tcp packet was detected with the CC Echo field set.

116:57

A tcp packet was detected that contained obsolete TCP options.

116:58

A tcp packet was detected that contained experimental TCP options.

116:59

The TCP window scale option was found with a shift count greater than 14 (the maximum permitted by RFC 7323).

116:95

A truncated UDP header has been detected.

116:96

An invalid UDP header was detected. The header's length is less than 8 bytes.

116:97

The UDP length field is greater than the payload length.

116:98

The UDP length field is less than the payload length.

116:105

An ICMP packet was detected with the header truncated.

116:106

The ICMP packet's timestamp header is truncated.

116:107

The ICMP packet's address header is truncated.

116:109

The packet length is less than the minimum Ethernet ARP length of 28 bytes.

116:110

The EAPOL header is truncated.

116:111

The EAP key is truncated.

116:112

The EAP header is truncated.

116:120

A bad PPPoE frame has been detected. The frame's length is less than the PPPoE frame minimum (6 bytes).

116:130

A bad VLAN frame was detected due to either the packet being smaller 
than the minimum VLAN header size or the VLAN ID being invalid (0 or 4095).

116:131

An invalid LLC header has been detected (less than 3 bytes). 

116:132

(llc) bad extra LLC info

116:133

(wlan) bad 802.11 LLC header

116:134

(wlan) bad 802.11 extra LLC info

116:140

(token_ring) bad Token Ring header

116:141

(token_ring) bad Token Ring ETHLLC header

116:142

(token_ring) bad Token Ring MRLEN header

116:143

(token_ring) bad Token Ring MR header

116:150

A loopback IP was detected within a packet.

116:151

The same source and destination IP was detected.

116:160

The payload length is greater than the packet length.

116:161

There are multiple encapsulations within the GRE packet.

116:162

The detected GRE version field value is invalid (should be 0 or 1).

116:163

Invalid flag set in GRE header.

116:164

An invalid GRE v1 PPTP header was detected.

116:165

The GRE trans header length is greater than the payload length.

116:170

The MPLS frame is invalid. The MPLS header length is less than the MPLS minimum frame size (4 bytes).

116:171

MPLS label 0 (IPv4 Explicit NULL) appears in the bottom header when the payload is not being decoded as IPv4.

116:172

MPLS label 1 (Router Alert) appears in the bottom header.

116:173

MPLS label 2 (IPv6 Explicit NULL) appears in the bottom header when the payload is not being decoded as IPv6.

116:174

MPLS label 3 (Implicit NULL) appears in the header.

116:175

A reserved MPLS label (4, 5 or 15) appears in the header.

116:176

There were too many MPLS headers detected. (Use the mpls.max_stack_depth setting to set the max value).

116:180

The packet length is less than the expected GENEVE header length.

116:181

The version number in the GENEVE header is not valid (not equal to zero).

116:182

The packet length is less than the minimum GENEVE header length.

116:183

There are several scenarios for this event. 
1) The C flag is clear but critical options are present.
2) The C flag is set but critical options are absent.
3) If the critical header present bit is set the option's length cannot be 0.


116:184

The options length field extends past the end of the GENEVE header.
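The five GENEVE events (116:180 through 116:184) describe one header walk, so they are easiest to understand as a single check. The following is an added example written for this page, not Snort's decoder: it parses the RFC 8926 header and option TLVs and returns the SIDs above that would fire. The builder function, its argument names and the sample headers are constructed for illustration.

```python
from __future__ import annotations
import struct

# Added example (not Snort code): a minimal GENEVE header check that reports the
# GID 116 SIDs described above. Field layout follows RFC 8926; option length is
# the 5-bit field in 4-byte units, and the option type's top bit marks it critical.

def geneve_events(pkt: bytes) -> set[str]:
    events: set[str] = set()
    if len(pkt) < 8:
        return {"116:182"}                       # shorter than the fixed 8-byte header
    first, _proto, _vni = struct.unpack("!HHI", pkt[:8])
    version = first >> 14
    opt_len = ((first >> 8) & 0x3F) * 4          # Opt Len field, 4-byte units
    c_flag = bool(first & 0x0040)                # "critical options present" flag
    if version != 0:
        return {"116:181"}
    if len(pkt) < 8 + opt_len:
        return {"116:180"}                       # options area not fully captured
    opts = pkt[8:8 + opt_len]
    critical_seen = False
    pos = 0
    while pos < len(opts):
        if pos + 4 > len(opts):
            events.add("116:184")                # option header runs past the options area
            break
        _cls, typ, rsvd_len = struct.unpack("!HBB", opts[pos:pos + 4])
        length = (rsvd_len & 0x1F) * 4
        if pos + 4 + length > len(opts):
            events.add("116:184")                # option data runs past the options area
            break
        if typ & 0x80:                           # critical option
            critical_seen = True
            if length == 0:
                events.add("116:183")            # scenario 3: critical option with zero length
        pos += 4 + length
    if c_flag != critical_seen:
        events.add("116:183")                    # scenarios 1 and 2: C flag disagrees with the options
    return events

def build_geneve(options: list[tuple[int, int, bytes]], c_flag: bool, version: int = 0) -> bytes:
    """Build a GENEVE header for testing (constructed input). Each option is
    (class, type, data); data must be a multiple of 4 bytes."""
    body = b"".join(struct.pack("!HBB", cls, typ, len(data) // 4) + data
                    for cls, typ, data in options)
    first = (version << 14) | ((len(body) // 4) << 8) | (0x40 if c_flag else 0)
    return struct.pack("!HHI", first, 0x6558, 0x000001 << 8) + body   # Ethernet payload, VNI 1
```

A header whose C flag and option list disagree raises 116:183 once; a critical option with zero length raises it again only when the C flag is otherwise consistent, which is why the tests below each expect a single event.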

116:250

The ICMP error message's original IP header is truncated.

116:251

The ICMP error message's original IP packet's version and original IP header versions differ.

116:252

The ICMP error message's original datagram's length is less than the original IP's header length.

116:253

The ICMP error message's original IP packet's payload is less than 64 bits.

116:254

The ICMP error message's original IP packet's payload is greater than the expected max of 576 bytes.

116:255

The original IP datagram embedded in an ICMP error message is a fragment with a nonzero offset.

116:270

The IPv6 packet has a hop limit (the IPv6 equivalent of TTL) below the configured TTL limit.

116:271

The IPv6 header's version field is not 6, so the header claims not to be an IPv6 packet.

116:272

The IPv6 packet has a truncated extension header.

116:273

The IPv6 packet has a truncated header.

116:274

The IPv6 datagram length is less than the IPv6 header length.

116:275

The IPv6 datagram's length is greater than the captured packet's length.

116:276

An IPv6 packet was detected with a destination address of ::0

116:277

An IPv6 packet with a multicast source address has been detected.

116:278

An IPv6 packet with a reserved multicast destination address has been detected.

116:279

The IPv6 header includes an undefined option type.

116:280

The IPv6 address includes an unassigned multicast scope value.

116:281

The IPv6 header includes an invalid value for the 'next header' field.

116:282

The IPv6 header includes a routing extension header followed by a hop-by-hop header.

116:283

The IPv6 header includes two routing extension headers. 

116:285

An ICMPv6 packet of type 2 (message too big) that contains an MTU field of less than 1280 bytes has been detected.

116:286

An ICMPv6 packet of type 1 (destination unreachable) that contains a code not defined by RFC 2463 has been detected.

116:287

An ICMPv6 router solicitation packet with a code not equal to 0 has been detected.

116:288

An ICMPv6 router advertisement packet with a code not equal to 0 has been detected.

116:289

An ICMPv6 router solicitation packet with the reserved field not equal to 0 has been detected.

116:290

An ICMPv6 router advertisement packet with the reachable time field set to greater than 1 hour was detected.

116:291

An IPv6-over-IPv4 tunnel packet was received whose IPv6 header is truncated; this could be an attack against the Linux kernel.

116:292

The IPv6 header has destination options followed by a routing header.

116:293

There are two or more IP (v4 and/or v6) encapsulation layers present.

116:294

The Encapsulating Security Payload (ESP) header was too short (less than 22 bytes).

116:295

The IPv6 header includes an option which is too big for the containing header.

116:296

The IPv6 packet includes out-of-order extension headers.

116:297

There are multiple GTP encapsulation layers present.

116:298

The packet data is smaller than the GTP header length making the packet invalid.

116:400

An XMAS attack was detected.

116:401

An Nmap XMAS attack was detected.

116:402

A TCP Naptha denial-of-service attempt was detected.

116:403

A SYN packet was sent to a multicast address.

116:404

An IPv4 packet was detected with a zero TTL value.

116:405

The IPv4 packet contains an invalid frag bits combination (both MF and DF are set).

116:406

An invalid IPv6 UDP packet was detected. The checksum value is zero.

116:407

The IPv4 packet's fragment offset plus the datagram length field exceeds the maximum packet size (65535).

116:408

The IPv4 packet's source address is from the 'current net' (value of zero).

116:409

The IPv4 packet's destination address is to the 'current net' (value of zero).

116:410

The IPv4 packet has a multicast source address.

116:411

The IPv4 packet has a reserved source address.

116:412

The IPv4 packet has a reserved destination address.

116:413

The IPv4 packet has a broadcast source address.

116:414

The IPv4 packet has a broadcast destination address.
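The IPv4 header checks listed under 116:1 through 116:6 and 116:404 through 116:414 (together with 116:150, 116:151, 116:430, 116:444 and 116:448) are all decisions made from one 20-byte header, so they read most clearly as a single decoder. The following is an added example written for this page, not Snort's decoder. The builder function, its argument names and the sample packets are constructed for illustration; classifying 240.0.0.0/4 as "reserved" via Python's ipaddress predicates is an assumption about how the SIDs define that term.

```python
from __future__ import annotations
import struct
from ipaddress import IPv4Address

# Added example (not Snort code): an IPv4 header check returning the GID 116
# SIDs from this reference that the header would raise. Checksums, option
# semantics and upper-layer decoding are out of scope.

def _ipv4_options_ok(opts: bytes) -> bool:
    """Walk the option TLVs; every option other than EOL/NOP needs a length of
    at least 2 that stays inside the options area (the 116:4 condition)."""
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Options List
            return True
        if kind == 1:                      # No-Operation (single byte)
            i += 1
            continue
        if i + 1 >= len(opts):
            return False                   # no room for the length byte
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return False
        i += length
    return True

def ipv4_decoder_events(pkt: bytes) -> set[str]:
    events: set[str] = set()
    if len(pkt) < 20:
        return {"116:425"}
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     ttl, _proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        return {"116:1"}
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20:
        return {"116:2"}
    if total_len < hlen:
        return {"116:3"}
    if total_len > len(pkt):
        events.add("116:6")
    if hlen > 20:
        events.add("116:444")              # options present
        if hlen > len(pkt):
            events.add("116:5")            # options truncated
        elif not _ipv4_options_ok(pkt[20:hlen]):
            events.add("116:4")
    reserved, df, mf = (flags_frag >> 15) & 1, (flags_frag >> 14) & 1, (flags_frag >> 13) & 1
    frag_off = (flags_frag & 0x1FFF) * 8   # fragment offset is in 8-byte units
    if reserved:
        events.add("116:448")
    if df and mf:
        events.add("116:405")
    if df and frag_off:
        events.add("116:430")
    if frag_off + total_len > 65535:
        events.add("116:407")
    if ttl == 0:
        events.add("116:404")
    s, d = IPv4Address(src), IPv4Address(dst)
    broadcast = IPv4Address("255.255.255.255")
    if s == d:
        events.add("116:151")
    if s.is_loopback or d.is_loopback:
        events.add("116:150")
    if int(s) == 0:
        events.add("116:408")              # "current net" source (0.0.0.0)
    if int(d) == 0:
        events.add("116:409")
    if s.is_multicast:
        events.add("116:410")
    if s == broadcast:
        events.add("116:413")
    elif s.is_reserved:                    # 240.0.0.0/4 (assumption, see lead-in)
        events.add("116:411")
    if d == broadcast:
        events.add("116:414")
    elif d.is_reserved:
        events.add("116:412")
    return events

def build_ipv4(src: str, dst: str, ttl: int = 64, flags: int = 0, frag_off: int = 0,
               options: bytes = b"", payload: bytes = b"", total_len: int | None = None,
               version: int = 4) -> bytes:
    """Build a test header (constructed input). `flags` is the 3-bit field:
    0b100 reserved, 0b010 DF, 0b001 MF; `frag_off` is in 8-byte units."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    hlen = 20 + len(opts)
    if total_len is None:
        total_len = hlen + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | (hlen // 4), 0, total_len, 0x1234,
                      (flags << 13) | frag_off, ttl, 17, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + opts + payload
```

A real decoder stops at the first fatal condition (wrong version, header too short, datagram shorter than its header); the example mirrors that, but collects the remaining, non-fatal conditions so that a packet with several problems shows them all.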

116:415

An ICMPv4 packet to a multicast destination address was detected.

116:416

An ICMPv4 packet to a broadcast destination address was detected.

116:418

The ICMP4 packet 'type' is not known.

116:419

The TCP URG flag is set, but the urgent pointer exceeds the payload length or the segment has no payload.

116:420

An invalid tcp flag combination was detected (SYN and FIN).

116:421

An invalid TCP flag combination was detected (SYN with RST).

116:422

The TCP packet is missing the acknowledgment flag for an established session.

116:423

The TCP packet is invalid because it doesn't have a SYN, ACK, or RST flag set.
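The TCP header events (116:45 through 116:47, 116:54 through 116:59, 116:401 and 116:419 through 116:423, plus 116:446) all fall out of one pass over the fixed header and the option list. The following is an added example written for this page, not Snort's decoder. The builder function and sample segments are constructed for illustration; treating the RFC 6247 list as the "obsolete" options of 116:57 and FIN/PSH/URG as the Nmap XMAS pattern of 116:401 are assumptions.

```python
from __future__ import annotations
import struct

# Added example (not Snort code): TCP header and option checks that report the
# GID 116 SIDs from this reference. Option kinds follow the IANA registry; the
# "obsolete" set is the RFC 6247 list (an assumption about what 116:57 covers).

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS, TCPOPT_WSCALE = 0, 1, 2, 3
TCPOPT_CC_ECHO = 13                                   # T/TCP CC.ECHO (116:56)
OBSOLETE_OPTIONS = {6, 7, 9, 10, 11, 12, 14, 15}      # RFC 6247 (116:57)
EXPERIMENTAL_OPTIONS = {253, 254}                      # RFC 4727 (116:58)

def _tcp_option_events(opts: bytes) -> set[str]:
    events: set[str] = set()
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            events.add("116:55")            # cut off before the length byte
            break
        length = opts[i + 1]
        if length < 2:
            events.add("116:54")            # length cannot cover its own kind/length bytes
            break
        if i + length > len(opts):
            events.add("116:55")            # option body runs past the header
            break
        body = opts[i + 2:i + length]
        if kind == TCPOPT_WSCALE:
            if length != 3:
                events.add("116:54")
            elif body[0] > 14:
                events.add("116:59")        # shift count above the RFC 7323 maximum
        elif kind == TCPOPT_MSS and length != 4:
            events.add("116:54")
        elif kind == TCPOPT_CC_ECHO:
            events.add("116:56")
        elif kind in OBSOLETE_OPTIONS:
            events.add("116:57")
        elif kind in EXPERIMENTAL_OPTIONS:
            events.add("116:58")
        i += length
    return events

def tcp_decoder_events(seg: bytes) -> set[str]:
    events: set[str] = set()
    if len(seg) < 20:
        return {"116:45"}
    sport, dport, _seq, _ack, off_flags, _win, _csum, urgp = struct.unpack("!HHIIHHHH", seg[:20])
    hlen = (off_flags >> 12) * 4
    flags = off_flags & 0x3F                # FIN/SYN/RST/PSH/ACK/URG only
    if hlen < 20:
        return {"116:46"}
    if hlen > len(seg):
        return {"116:47"}
    payload_len = len(seg) - hlen
    if sport == 0 or dport == 0:
        events.add("116:446")
    if flags & SYN and flags & FIN:
        events.add("116:420")
    if flags & SYN and flags & RST:
        events.add("116:421")
    if not flags & (SYN | ACK | RST):
        events.add("116:423")
    if flags == FIN | PSH | URG:
        events.add("116:401")               # the classic Nmap -sX probe (assumption)
    if flags & URG and (payload_len == 0 or urgp > payload_len):
        events.add("116:419")
    events |= _tcp_option_events(seg[20:hlen])
    return events

def build_tcp(flags: int, sport: int = 40000, dport: int = 80, options: bytes = b"",
              payload: bytes = b"", urgp: int = 0, data_offset: int | None = None) -> bytes:
    """Build a test segment (constructed input); data_offset overrides the
    computed header length in 32-bit words."""
    opts = options + b"\x00" * (-len(options) % 4)
    words = data_offset if data_offset is not None else (20 + len(opts)) // 4
    hdr = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (words << 12) | flags, 65535, 0, urgp)
    return hdr + opts + payload
```

Note that a null-flag segment (116:423) and an XMAS segment (116:401) both also lack SYN/ACK/RST, so a single probe commonly raises more than one of these SIDs; the tests show the combinations.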

116:424

A truncated Ethernet header was detected: the packet length is less than the minimum Ethernet header size (14 bytes).

116:425

The IPv4 header is truncated.

116:426

The ICMP4 header is truncated.

116:427

The ICMPv6 header is truncated.

116:428

An IPv4 packet was received with a TTL value below the configured TTL limit.

116:429

An IPv6 packet has a zero hop limit count.

116:430

An invalid IPv4 packet was detected: both the DF bit and a nonzero fragment offset are set.
 
116:431

The ICMPv6 type is unknown and not decoded.

116:432

An ICMPv6 packet to a multicast address was detected.

116:433

A Shaft DDoS SYN flood was detected.

116:434

An ICMP ping from Nmap was detected.

116:435

An ICMP icmpenum v1.1.1 packet was received (the payload length is zero and icmp seq number equals 666).

116:436

An ICMP host redirect packet was received.

116:437

An ICMP network redirect packet was received.

116:438

An ICMP packet with traceroute IP options was detected.

116:439

An ICMP packet with the source quench field set was detected.

116:440

Broadscan smurf scanner traffic was detected.

116:441

ICMP destination unreachable traffic was detected (communication administratively prohibited).

116:442

ICMP destination unreachable traffic detected (communication with destination host is administratively prohibited).

116:443

ICMP destination unreachable traffic detected (communication with destination network is administratively prohibited).

116:444

An IPv4 packet with IP options set was detected.

116:445

A large UDP packet was received (greater than 4000 bytes).

116:446

TCP port 0 traffic was detected.

116:447

UDP port 0 traffic was detected.

116:448

An IPv4 packet was detected that has the reserved bit set.

116:449

An IP packet has an unassigned/reserved IP protocol number.

116:450

An invalid/bad IP protocol number has been detected.

116:451

An ICMP path MTU denial of service attempt has been detected.

116:452

A Linux ICMP header DOS attempt has been detected.

116:453

An ISATAP-addressed IPv6 traffic spoofing attempt was detected.

116:454

A PGM NAK list overflow attempt was detected.

116:455

An IGMP IP options validation DOS attempt was detected.

116:456

The decoder detected more than the configured amount of IPv6 extension headers.

116:457

An ICMPv6 packet of type 1 (destination unreachable) was received with a code not defined by RFC 4443.

116:458

An invalid fragmented packet was detected; this may be an attack against BSD fragment handling.

116:459

An ip fragment was received with a zero length payload.

116:460

The ICMPv6 node info query/response packet has a code value greater than 2.

116:461

An IPv6 packet was received with a routing type 0 extension header.
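The IPv6 events (116:270 through 116:277, 116:282, 116:283, 116:292, 116:296, 116:429, 116:456 and 116:461) are decided while walking the fixed header and the extension-header chain. The following is an added example written for this page, not Snort's decoder: it implements that walk using the RFC 8200 recommended header order. MAX_EXT_HEADERS and MIN_HOP_LIMIT stand in for the decoder's configured limits and their values are hypothetical; the builder functions and sample packets are constructed for illustration.

```python
from __future__ import annotations
import struct
from ipaddress import IPv6Address

# Added example (not Snort code): an IPv6 header and extension-header walker that
# reports the GID 116 IPv6 SIDs from this reference. The expected header order is
# RFC 8200's; MAX_EXT_HEADERS and MIN_HOP_LIMIT stand in for the decoder's
# configured limits (hypothetical values).

HOPOPTS, ROUTING, FRAGMENT, ESP, AH, DSTOPTS, NONXT = 0, 43, 44, 50, 51, 60, 59
EXT_HEADERS = {HOPOPTS, ROUTING, FRAGMENT, ESP, AH, DSTOPTS}
MAX_EXT_HEADERS = 8
MIN_HOP_LIMIT = 5

def _ext_header_events(nxt: int, data: bytes) -> set[str]:
    events: set[str] = set()
    pos, count, last_rank, prev, routing_seen = 0, 0, -1, None, False
    while nxt in EXT_HEADERS:
        count += 1
        if count > MAX_EXT_HEADERS:
            events.add("116:456")
            break
        if nxt == ESP:
            break                                    # everything after ESP is encrypted
        if pos + 2 > len(data):
            events.add("116:272")
            break
        hdr_nxt, hdr_len = data[pos], data[pos + 1]
        if nxt == FRAGMENT:
            length = 8
        elif nxt == AH:
            length = (hdr_len + 2) * 4               # AH length is in 4-byte units minus 2
        else:
            length = (hdr_len + 1) * 8               # options/routing: 8-byte units minus 1
        if pos + length > len(data):
            events.add("116:272")
            break
        if nxt == HOPOPTS:                           # must be first
            rank = 0
            if count > 1:
                events.add("116:296")
            if prev == ROUTING:
                events.add("116:282")
        elif nxt == DSTOPTS:                         # allowed before routing and again at the end
            rank = 1 if not routing_seen and last_rank <= 1 else 6
        elif nxt == ROUTING:
            rank = 2
            if routing_seen:
                events.add("116:283")
            routing_seen = True
            if prev == DSTOPTS:
                events.add("116:292")
            if data[pos + 2] == 0:
                events.add("116:461")                # deprecated type 0 routing header
        elif nxt == FRAGMENT:
            rank = 3
        else:
            rank = 4                                 # AH
        if rank < last_rank:
            events.add("116:296")
        last_rank, prev = rank, nxt
        pos += length
        nxt = hdr_nxt
    return events

def ipv6_decoder_events(pkt: bytes) -> set[str]:
    events: set[str] = set()
    if len(pkt) < 40:
        return {"116:273"}
    vtf, plen, nxt, hlim, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if vtf >> 28 != 6:
        return {"116:271"}
    if 40 + plen > len(pkt):
        events.add("116:275")
    if hlim == 0:
        events.add("116:429")
    elif hlim < MIN_HOP_LIMIT:
        events.add("116:270")
    if IPv6Address(dst) == IPv6Address("::"):
        events.add("116:276")
    if IPv6Address(src).is_multicast:
        events.add("116:277")
    events |= _ext_header_events(nxt, pkt[40:40 + plen])
    return events

def opts_hdr(nxt: int, ext_len: int = 0) -> bytes:
    """Hop-by-Hop/Destination Options header of (ext_len + 1) * 8 bytes, PadN-filled."""
    size = (ext_len + 1) * 8
    return bytes([nxt, ext_len, 1, size - 4]) + b"\x00" * (size - 4)

def routing_hdr(nxt: int, rtype: int) -> bytes:
    return bytes([nxt, 0, rtype, 0]) + b"\x00" * 4    # 8 bytes, no addresses

def frag_hdr(nxt: int) -> bytes:
    return bytes([nxt, 0]) + struct.pack("!HI", 0, 0x12345678)

def build_ipv6(chain: list[bytes], first_nxt: int, payload: bytes = b"", hlim: int = 64,
               src: str = "2001:db8::1", dst: str = "2001:db8::2", version: int = 6) -> bytes:
    """Constructed test packet: fixed header followed by the extension chain and payload."""
    body = b"".join(chain) + payload
    return struct.pack("!IHBB16s16s", version << 28, len(body), first_nxt, hlim,
                       IPv6Address(src).packed, IPv6Address(dst).packed) + body
```

The ordering check (116:296) and the two specific ordering SIDs (116:282, 116:292) overlap by design: a hop-by-hop header following a routing header raises both 116:282 and 116:296, while destination options directly before a routing header raise only 116:292 because that order is permitted by RFC 8200.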

116:462

The ERSPAN version field is not 1 (the value that identifies ERSPAN Type II).

116:463

The packet's length is less than the ERSPAN Type II header's minimum length (8 bytes).

116:464

The packet's length is less than the ERSPAN Type III header's minimum length (20 bytes).

116:465

The length of the packet received is less than the expected minimum of 16 bytes.

116:466

The authentication header length is greater than the packet data length.

116:467

The packet header length is less than the minimum FabricPath header size of 16 bytes.

116:468

The packet length is less than the Cisco Metadata header length.

116:469

The Cisco Metadata option length value is greater than zero. 

116:470

The Cisco metadata option type is not set to 1.

116:471

The Cisco Metadata security group tag value is invalid (0xFFFF).

116:472

The decoder detected that there were too many protocols present.

116:473

An EtherType value is below the minimum of 0x0600 (1536) and is therefore out of range.

116:474

An ICMPv6 packet was received that was not encapsulated in IPv6.

116:475

The IPv6 mobility header includes an invalid value for the payload protocol field.

119:1

URI has percent encoding of an unreserved character. The ignore_unreserved option designates
specific unreserved characters that are exempted from triggering this alert.

119:2

URI contains double-encoded hexadecimal characters. This alert can only be generated if
the iis_double_decode option is configured.

119:3

URI has non-standard %u-style Unicode encoding. This alert can only be generated if the percent_u
option is configured.

119:4

URI has Unicode encodings containing bytes that were not percent-encoded as required by the HTTP
RFC. This is sometimes called "bare byte" encoding. This alert can only be generated if the
utf8_bare_byte option is configured.

119:6

URI has two-byte or three-byte UTF-8 encoding. This alert can only be generated if the utf8 option
is configured.

119:7

URI includes a two-byte or three-byte unicode character that normalized through the unicode map to
some byte other than 0xFF. This alert can only be generated if the iis_unicode option is
configured.

119:8

URI path contains consecutive slash characters which are redundant. This alert can only be
generated if the simplify_path option is configured.

119:9

The backslash character appears in the path portion of a URI. This alert can only be generated if
the backslash_to_slash option is configured.

119:10

URI path contains "/./" pattern repeating the current directory. Alternatively the path may end
with "/." repeating the current directory. This alert can only be generated if the simplify_path
option is configured.

119:11

URI path contains "/../" pattern moving upward a directory. Alternatively the path may end with
"/.." with the same effect. This alert can only be generated if the simplify_path option is
configured.

119:12

The HTTP start line has a tab character among the blank space separators.

119:13

HTTP start line or header line terminated by LF without a CR.

119:14

Normalized URI (after percent decoding) contains a forbidden character specified by the
bad_characters option.

119:15

URI path contains a segment (directory or file name) that is longer than the oversize_dir_length
parameter.

119:16

Chunk length as given in the chunk header exceeds maximum_chunk_length parameter.

119:18

The URI path has used /../ segments to go above the root of the directory tree. For example
/foo/../../bar which specifies an object not under the root directory /. This alert can only be
generated if the simplify_path option is configured.
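The URI events above (119:1, 119:2, 119:3, 119:8 through 119:11, 119:18, and also 119:33 and 119:212 below) are raised at different stages of one normalization pipeline: percent decoding, an optional second decode, backslash conversion, then path simplification. The following is an added example written for this page, not the HTTP inspector's code; it applies those stages in order and returns both the normalized path and the SIDs raised. The option names mirror the ones used in these descriptions, the path is assumed to be absolute, and the unreserved set is RFC 3986's.

```python
from __future__ import annotations

# Added example (not Snort code): a URI path normalizer that reports the GID 119
# SIDs from this reference as it decodes. The option names (iis_double_decode,
# percent_u, backslash_to_slash) mirror the ones named above; the path is
# assumed to be absolute (it starts with "/"), and the unreserved set is RFC 3986's.

UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
HEXDIGITS = set("0123456789abcdefABCDEF")

def _percent_decode(s: str, percent_u: bool) -> tuple[str, set[str], bool]:
    """One decoding pass. Returns (text, events, decoded_anything)."""
    out: list[str] = []
    events: set[str] = set()
    decoded = False
    i = 0
    while i < len(s):
        if s[i] != "%":
            out.append(s[i])
            i += 1
            continue
        u_hex = s[i + 2:i + 6]
        if percent_u and s[i + 1:i + 2] in ("u", "U") and len(u_hex) == 4 and set(u_hex) <= HEXDIGITS:
            events.add("119:3")                       # %uXXXX is not standard percent encoding
            out.append(chr(int(u_hex, 16)))
            i += 6
            decoded = True
            continue
        hh = s[i + 1:i + 3]
        if len(hh) == 2 and set(hh) <= HEXDIGITS:
            ch = chr(int(hh, 16))
            if ch in UNRESERVED:
                events.add("119:1")                   # needless encoding of an unreserved character
            out.append(ch)
            i += 3
            decoded = True
            continue
        events.add("119:212")                         # "%" not followed by two hex digits
        out.append("%")
        i += 1
    return "".join(out), events, decoded

def normalize_uri_path(raw: str, iis_double_decode: bool = True, percent_u: bool = True,
                       backslash_to_slash: bool = True) -> tuple[str, set[str]]:
    events: set[str] = set()
    if " " in raw:
        events.add("119:33")
    path, ev, _ = _percent_decode(raw, percent_u)
    events |= ev
    if iis_double_decode:
        path2, ev2, again = _percent_decode(path, percent_u)
        if again:                                     # the first pass produced new %XX sequences
            events.add("119:2")
            events |= ev2 - {"119:212"}
            path = path2
    if backslash_to_slash and "\\" in path:
        events.add("119:9")
        path = path.replace("\\", "/")
    if "//" in path:
        events.add("119:8")
    stack: list[str] = []
    for seg in path.split("/")[1:]:                   # drop the empty piece before the leading "/"
        if seg == "":
            continue
        if seg == ".":
            events.add("119:10")
        elif seg == "..":
            events.add("119:11")
            if stack:
                stack.pop()
            else:
                events.add("119:18")                  # climbed above the root
        else:
            stack.append(seg)
    norm = "/" + "/".join(stack)
    if path.endswith("/") and stack:
        norm += "/"
    return norm, events
```

The second test below is the classic IIS double-decode traversal: the first pass turns %255c into %5c, the second pass turns that into a backslash, and only then does path simplification see the two "..": four separate SIDs fire on one request.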

119:19

HTTP header line exceeds maximum_header_length option bytes. This does not apply to the start line.
Header line length includes both header field name and value.

119:20

HTTP message has more than maximum_headers option header fields.

119:21

HTTP message has more than one Content-Length header value. This may be multiple header lines or
comma-separated values on one line.

119:24

Host header field appears more than once or has multiple values.

119:25

Length of HTTP Host header field value exceeds maximum_host_length option.

119:28

HTTP request uses POST or PUT method without delimiting the message body using either the
Content-Length header or Transfer-Encoding chunked.

119:31

HTTP request method is not known to Snort. Snort is familiar with all RFC methods and dozens of
other methods.

119:32

HTTP request uses primitive HTTP format known as HTTP/0.9.

119:33

HTTP request URI has space character that is not percent-encoded.

119:34

HTTP connection has more than maximum_pipelined_requests simultaneous pipelined requests that have
not been answered.

119:102

Invalid status code in HTTP response. Either it is outside the range 100-599 or it is not a number.

119:104

HTTP response has Content-Type charset=utf-16le, utf-16be, utf-32le, or utf-32be, but UTF decoding
of the message body failed.

119:105

HTTP response has Content-Type charset=utf-7.

119:109

More than one level of JavaScript obfuscation. This alert can only be generated when
normalize_javascript configuration option is true or enhanced JavaScript normalizer is enabled.

119:110

Consecutive whitespaces within a JavaScript exceed max_javascript_whitespaces configuration option.
This alert can only be generated when normalize_javascript configuration option is true.

119:111

More than one encoding within JavaScript obfuscated data. This alert can only be generated when
normalize_javascript configuration option is true or enhanced JavaScript normalizer is enabled.

119:112

The HTTP message body contains compressed SWF file data with errors that cannot be decompressed. 

119:113

The HTTP message body contains compressed LZMA file data with errors that cannot be decompressed. 

119:114

The HTTP message body contains compressed PDF file data with errors that cannot be decompressed. 

119:115

The HTTP message body contains a compressed PDF file that uses a compression type other than
deflate ("FlateDecode" and "Fl").

119:116

The HTTP message body contains a PDF file with more than one compression applied.

119:117

The HTTP message body contains PDF file data with an error that made the start of the PDF compressed
stream unable to be located. 

119:201

HTTP inspector is unable to parse this flow. Either the connection is not actually using HTTP or
some sort of unrecoverable HTTP protocol error has occurred. This conclusion applies only to one
direction of the flow. The opposite direction may be OK.

119:202

Chunk length has five or more leading zeros.

119:203

White space characters before the first HTTP message or inserted between HTTP messages.

119:204

HTTP request message does not include a URI. There is nothing between the method and the version
except whitespace. Alternatively the 0.9 equivalent which is GET followed by nothing except
whitespace.

119:205

The reason phrase in an HTTP response message contains a control character.

119:206

There is more than one space (or other whitespace) character between two elements of an HTTP
request or status line.

119:207

The HTTP version in the start line begins with "HTTP/" but the remainder is not in the expected
<digit>.<digit> format.

119:209

An HTTP header line contains a format error. A well-formed header consists of a field name followed
by a colon followed by the field value.

119:210

A chunked transfer-encoded HTTP message body contains chunk extensions. A chunk extension is an
optional parameter following the chunk length in the chunk header.

119:211

The HTTP request URI is not well-formatted as one of the four types defined for the HTTP protocol.

119:212

The HTTP URI contains an unrecognized type of percent encoding.

119:213

A chunked transfer-encoded HTTP message body contains a misformatted chunk. The following conditions
make a chunk misformatted: there are at least five leading whitespaces before the chunk length in
the chunk header, there is an illegal character in the chunk length (expressed as the hex number in
ASCII), the chunk length is longer than 32 bits, the chunk header is terminated by lone CR ('\r')
without an LF ('\n'), the chunk header does not contain the length, or the chunk data is
terminated by a character other than CR or LF.

119:214

A chunked transfer-encoded HTTP message body contains a chunk header with white space adjacent to
the chunk length. This covers leading and trailing whitespace.

119:215

An HTTP header name contains whitespace.

119:216

A gzip-encoded HTTP message body was found to have an excessive compression ratio during
decompression.

119:217

An error was encountered during decompression of a gzip-encoded HTTP message body.

119:218

An HTTP connection contains an HTTP 0.9 request followed by another request. There can only be one
0.9 response per connection because it ends the server-to-client connection. 

119:219

An HTTP connection contains an HTTP 0.9 request following a normal request.

119:220

An HTTP message has both Content-Length and Transfer-Encoding headers. These headers conflict since
the size of the message body will be determined by either the Content-Length value or by the chunked
transfer-encoding formatting.

119:221

An HTTP server sent a response with a status code implying there will be no body but also sent a
Transfer-Encoding or nonzero Content-Length header. The status codes that imply no message body are
the informational (1XX) codes, 204 No Content and 304 Not Modified. Transfer-Encoding and nonzero
Content-Length headers indicate that there will be a message body.

119:222

The HTTP Transfer-Encoding header value does not end with "chunked". The HTTP protocol specifies
that when a transfer coding is applied to a message, "chunked" must be the last transfer coding applied
to the message body so that the length of the message body can be determined by the client.

119:223

An HTTP message includes a Transfer-Encoding header value that specifies other encodings before
"chunked."

119:225

The HTTP Content-Encoding header contains a coding other than gzip or deflate, so the message body
cannot be decompressed.

119:226

The HTTP Content-Encoding header contains an unknown coding.

119:227

The HTTP Content-Encoding header has multiple values, meaning multiple content encodings have been
applied.

119:228

An HTTP server response was seen before a corresponding client request.

119:229

The decompressed size of the PDF/SWF/ZIP file contained in the HTTP message body exceeded the
configured limit. The decompression limit can be configured with file_id.decompress_buffer_size.

119:230

An HTTP message header field name contains a nonprinting character.

119:231

The HTTP Content-Length header value is not a valid decimal length. 

119:232

The HTTP header contains a wrapped header line. This means that the header field value has been
folded onto multiple lines, indicated by beginning the continuation line with a space or horizontal
tab.

119:233

An HTTP header line is terminated by CR ('\r') without LF ('\n'). The HTTP protocol specifies that
header lines should be terminated by CRLF ('\r\n').

119:234

A chunked transfer-encoded HTTP message body contains a chunk terminated by a nonstandard separator.
The separator defined by the protocol that should terminate each chunk is CRLF ('\r\n').

119:235

A chunked transfer-encoded HTTP message body contains a chunk length that is terminated by LF ('\n')
without CR ('\r'). The protocol specifies that chunk lengths should be terminated by CRLF ('\r\n') 
as the line separator.
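The chunk-related events (119:16, 119:202, 119:210, 119:213, 119:214, 119:234, 119:235 and 119:261) are all decided while parsing chunk headers and the separators after chunk data, which is also where request-smuggling payloads hide. The following is an added example written for this page, not the HTTP inspector's code: it parses one chunk header at a time and reassembles a chunked body while collecting those SIDs. MAXIMUM_CHUNK_LENGTH stands in for the maximum_chunk_length parameter and its 16 MiB value is hypothetical; the sample bodies are constructed.

```python
from __future__ import annotations
import re

# Added example (not Snort code): a chunk-header parser that reports the GID 119
# chunk-related SIDs from this reference while reassembling a chunked body.
# MAXIMUM_CHUNK_LENGTH stands in for the maximum_chunk_length parameter; the
# 16 MiB value is a hypothetical setting, not Snort's default.

MAXIMUM_CHUNK_LENGTH = 16 * 1024 * 1024

def parse_chunk_header(line: bytes) -> tuple[int | None, set[str]]:
    """Parse one chunk header line, terminator included. Returns
    (chunk length, events); the length is None when the header is unusable."""
    events: set[str] = set()
    if line.endswith(b"\r\n"):
        body = line[:-2]
    elif line.endswith(b"\n"):
        events.add("119:235")                         # LF without CR
        body = line[:-1]
    else:
        events.add("119:213")                         # lone CR, or no terminator at all
        body = line.rstrip(b"\r")
    if b";" in body:
        body, _ext = body.split(b";", 1)
        events.add("119:210")                         # chunk extension present
    stripped = body.strip(b" \t")
    if stripped != body:
        events.add("119:214")                         # whitespace next to the length
        if len(body) - len(body.lstrip(b" \t")) >= 5:
            events.add("119:213")
    if not re.fullmatch(rb"[0-9A-Fa-f]+", stripped):
        events.add("119:213")                         # empty length or non-hex character
        return None, events
    significant = stripped.lstrip(b"0")
    if len(stripped) - len(significant) >= 5:
        events.add("119:202")                         # five or more leading zeros
    if len(significant) > 8:
        events.add("119:213")                         # does not fit in 32 bits
        return None, events
    length = int(stripped, 16)
    if length > MAXIMUM_CHUNK_LENGTH:
        events.add("119:16")
    return length, events

def parse_chunked_body(data: bytes) -> tuple[bytes, set[str]]:
    """Reassemble a chunked body and collect the events from each chunk.
    Trailers are ignored; the walk stops at the first unusable chunk header."""
    events: set[str] = set()
    out = bytearray()
    pos = 0
    while True:
        nl = data.find(b"\n", pos)
        if nl == -1:
            events.add("119:261")                     # no terminating zero-length chunk
            return bytes(out), events
        length, ev = parse_chunk_header(data[pos:nl + 1])
        events |= ev
        if length is None:
            return bytes(out), events
        pos = nl + 1
        if length == 0:
            return bytes(out), events
        out += data[pos:pos + length]
        pos += length
        sep = data[pos:pos + 2]
        if sep == b"\r\n":
            pos += 2
        elif sep[:1] in (b"\r", b"\n"):
            events.add("119:234")                     # chunk data ended by a bare CR or LF
            pos += 1
        elif not sep:
            events.add("119:261")
            return bytes(out), events
        else:
            events.add("119:213")                     # chunk data followed by something else
            return bytes(out), events
```

The second test below packs three of these deviations into one chunk (six leading zeros, a chunk extension, and a bare LF after the data) while still decoding to the same five bytes as the clean version, which is exactly the kind of body that different servers frame differently.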

119:236

An HTTP server sent more than one response with 100 Continue status code. 

119:237

An HTTP server sent a response with a status code other than 100 Continue in response to a request
with an Expect header. The Expect header informs the server that the client will send a (presumably
large) message body, and requests that the server send an interim 100 Continue response if it can
handle the request.

119:238

An HTTP server sent an informational (1XX) response with a status code other than 100 Continue or
101 Switching Protocols.

119:239

An HTTP client sent an Expect header without sending a request message body. The Expect header
informs the server that the client will send a (presumably large) message body, and requests that
the server send an interim 100 Continue response if it can handle the request.

119:240

An HTTP 1.0 message contains a Transfer-Encoding header, which is disallowed for that version.

119:241

The Content-Transfer-Encoding field is used as an HTTP header. Content-Transfer-Encoding is a MIME
header and is not registered as an HTTP header.

119:242

The HTTP trailer contains a header field that is disallowed in chunked message trailers. 

119:243

The HTTP Age header field appears twice or has two values.

119:244

An HTTP Content-Encoding header has a value of "chunked", which is not a registered content 
encoding.

119:245

A partial content (status code 206) response was sent to a request without a Range header, meaning
the client did not request the message body be fragmented.

119:246

An HTTP start line contains a version field where the letters in 'HTTP' are not all upper case.

119:247

There is whitespace embedded in the Content-Length header value other than leading and trailing
whitespace.
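The message-framing events (119:21, 119:24, 119:220, 119:222, 119:223, 119:231, 119:240, 119:241 and 119:247) describe header combinations that let two HTTP parsers disagree about where a message body ends. The following is an added example written for this page, not the HTTP inspector's code: it runs those checks over a parsed header block and also reports the framing decision RFC 7230 section 3.3.3 prescribes (Transfer-Encoding takes precedence over Content-Length). The header lines are constructed inputs.

```python
from __future__ import annotations
import re

# Added example (not Snort code): message-framing checks over a parsed HTTP/1
# header block, reporting the GID 119 SIDs from this reference, plus the framing
# decision a conforming parser makes (RFC 7230 3.3.3: Transfer-Encoding wins over
# Content-Length). The header lines are constructed inputs.

def _fields(header_lines: list[str]) -> dict[str, list[str]]:
    """Group raw header values by lower-cased field name, preserving order."""
    fields: dict[str, list[str]] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        fields.setdefault(name.strip().lower(), []).append(value)
    return fields

def _csv(fields: dict[str, list[str]], name: str) -> list[str]:
    """Split a field's values on commas, trimming each element."""
    return [v.strip(" \t").lower() for raw in fields.get(name, []) for v in raw.split(",")]

def header_framing_events(start_line: str, header_lines: list[str]) -> set[str]:
    events: set[str] = set()
    version = start_line.rsplit(" ", 1)[-1]          # request line: method SP target SP version
    fields = _fields(header_lines)
    cl = _csv(fields, "content-length")
    te = _csv(fields, "transfer-encoding")
    if len(cl) > 1:
        events.add("119:21")                          # several Content-Length values
    for value in cl:
        if re.search(r"[ \t]", value):
            events.add("119:247")                     # whitespace inside the number
        elif not value.isdigit():
            events.add("119:231")                     # not a decimal length
    if cl and te:
        events.add("119:220")                         # the request-smuggling precondition
    if te:
        if version == "HTTP/1.0":
            events.add("119:240")
        if te[-1] != "chunked":
            events.add("119:222")
        elif len(te) > 1:
            events.add("119:223")                     # other codings before chunked
    if "content-transfer-encoding" in fields:
        events.add("119:241")
    hosts = fields.get("host", [])
    if len(hosts) > 1 or any("," in h for h in hosts):
        events.add("119:24")
    return events

def body_framing(header_lines: list[str]) -> tuple[str, int | None]:
    """How the body length will be determined: ("chunked", None),
    ("content-length", n), ("none", 0) or ("invalid", None)."""
    fields = _fields(header_lines)
    te = _csv(fields, "transfer-encoding")
    cl = _csv(fields, "content-length")
    if te:
        return ("chunked", None) if te[-1] == "chunked" else ("invalid", None)
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            return ("invalid", None)
        return ("content-length", int(cl[0]))
    return ("none", 0)
```

The first test is the CL.TE smuggling shape: a conforming parser frames the body by chunks and ignores the 13-byte Content-Length, so 119:220 is the only event, while an intermediary that honours Content-Length would split the stream differently.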

119:248

While decompressing a gzip-encoded message body, the zipped data stream ended before the end of the 
message body, so there is unexpected non-gzip data following the compressed data. 

119:249

There is an HTTP parameter key that is repeated at least 100 times within a request query.

119:250

There is an HTTP/2 Transfer-Encoding header value other than identity. The HTTP/2 protocol specifies
that the chunked transfer encoding is not allowed.

119:251

An HTTP/2 message header contained a Content-Length header value, but the actual message body
transferred is larger than that value. The Content-Length header is not used to determine
the length of the message body for HTTP/2 traffic.

119:252

An HTTP/2 message header contained a Content-Length header value, but the actual message body
transferred is smaller than that value. The Content-Length header is not used to determine
the length of the message body for HTTP/2 traffic.

119:253

An HTTP client sent a CONNECT request with a request message body.

119:254

There was traffic from an HTTP client after the client sent a CONNECT request but before the CONNECT
response from the server was received.

119:255

An HTTP server sent a successful (2XX) CONNECT response with a Content-Length header.

119:256

An HTTP server sent a successful (2XX) CONNECT response with a Transfer-Encoding header.

119:257

An HTTP server sent a CONNECT response with an informational (1XX) status code.

119:258

An HTTP CONNECT response was received before the request message from the client was completed.

119:259

A Content-Disposition HTTP header field contains a malformed filename parameter.

119:260

The TCP connection was closed before the full HTTP message body was transferred. The length of the
full message body was determined by the Content-Length HTTP header field.

119:261

The TCP connection was closed before the full HTTP message body was transferred. The message uses
the chunked transfer-encoding, so this means there was no well-formed chunk of length zero to
terminate the message.

119:262

The scheme portion of an HTTP URI is longer than 10 characters.

119:263

A client sent a request to upgrade an HTTP/1 connection to HTTP/2.

119:264

A server granted a request to upgrade a connection from HTTP/1 to HTTP/2.

119:268

When an HTML <script> tag contains a reference to an external script, it must not contain
any executable JavaScript code. This alert is raised if executable (i.e. non-comment) code
is found inside a script tag that has an external reference. This alert is raised
by the enhanced JavaScript normalizer.

119:269

In HTML, a script tag must not be self-closing (written as <script /> without a following
end-tag). If a self-closing "short-form" script tag is encountered, this alert is raised.
This alert is raised by the enhanced JavaScript normalizer.

119:272

There are consecutive commas, possibly separated by whitespace, in an HTTP Accept-Encoding header.
This pattern constitutes a Microsoft Windows HTTP protocol stack remote code execution attempt.
Reference: CVE-2021-31166.

119:275

The HTTP version in the start line has a valid 1.<subversion> format, but the subversion is not 0 or 1.

119:276

The HTTP version in the start line has a valid format but the version is 0.

119:277

The HTTP version in the start line has a valid format but the version is higher than 1. This alert
does not apply to HTTP/2 or HTTP/3 traffic.

119:278

The HTTP message body is gzip encoded and the FEXTRA flag is set in the gzip header.

119:279

HTTP Status-Line failed validation checks. Checks include minimum length, format, characters used, etc.

119:280

HTTP message headers longer than 63780 bytes.

119:281

HTTP Request-Line failed validation checks. Checks include minimum length, format, characters used, etc.

119:282

Packet with more than 20 white space characters when an HTTP Start-Line is required.

119:283

HTTP message Status-Line longer than 63780 bytes.

119:284

Connection closed in the middle of a Request-Line or Status-Line.

119:285

HTTP message Request-Line longer than 63780 bytes.

119:286

HTTP/2 preface received instead of an HTTP/1 method.

119:287

HTTP request method is not on allowed methods list or is on disallowed methods list.

121:1

Invalid flag set on HTTP/2 frame header

121:2

HPACK integer value has leading zeros

121:3

HTTP/2 stream initiated with invalid stream ID. Either server initiated push promise with
odd promised stream ID or new stream with stream ID that is not greater than the last one
seen on this side.

121:4

HTTP/2 Headers, Continuation or Push promise frame without the END_HEADERS flag set was 
not followed by a Continuation frame.

121:5

HTTP/2 Continuation frame not preceded by Headers, Continuation or Push promise frame
without the END_HEADERS flag.

121:6

HTTP/2 headers HPACK decoding error

121:7

HTTP/2 connection preface does not match

121:8

HTTP/2 request missing required header field. CONNECT request without authority, 
non-CONNECT request without a scheme, or http/https scheme without a path.

121:9

HTTP/2 response has no status code

121:10

HTTP/2 CONNECT request with scheme or path

121:11

HTTP/2 settings frame error: stream ID isn't 0, length isn't multiple of 6, or ACK flag is
set and length isn't 0.

121:12

Unknown parameter in HTTP/2 settings frame. Parameter identifier is not one of
the six RFC-defined values.

121:13

Invalid HTTP/2 frame sequence. Frame type is not valid for current stream state.

121:14

HTTP/2 dynamic table has more than 512 entries

121:15

HTTP/2 push promise frame with promised stream ID already in use

121:16

HTTP/2 padding length is bigger than frame data size

121:17

HTTP/2 pseudo-header after regular header

121:18

HTTP/2 pseudo-header in trailers

121:19

Invalid HTTP/2 pseudo header. For response only :status is valid. For request only :authority,
:method, :path and :scheme are valid. Any other pseudo-header or seeing one of these more
than once will trigger the alert. 

121:20

HTTP/2 trailers without END_STREAM bit

121:21

HTTP/2 push promise frame sent when prohibited by receiver. Receiver prohibited push 
promise by sending settings frame with SETTINGS_ENABLE_PUSH 0.

121:22

Padding flag set on HTTP/2 frame with zero length

121:23

HTTP/2 push promise frame in client-to-server direction

121:24

Invalid HTTP/2 push promise frame, length is less than promised stream ID length.

121:25

HTTP/2 push promise frame sent at invalid time. Client didn't send headers yet for this
stream, END_STREAM already seen on server side or server side in error state.

121:26

Invalid SETTINGS_ENABLE_PUSH value sent in HTTP/2 settings frame

121:27

HTTP/2 flow exceeds the concurrent streams limit, as configured by concurrent_streams_limit.

121:28

Invalid HTTP/2 RST_STREAM frame. Stream ID is not 0 or length is not 4.

121:29

HTTP/2 RST_STREAM frame sent at invalid time. Stream is not in idle state, already started
with a push promise or headers frame.

121:30

Uppercase HTTP/2 header field name

121:31

HTTP/2 window update frame length is not 4

121:32

HTTP/2 window update frame with zero increment

121:33

HTTP/2 request without a method

121:34

HTTP/2 HPACK table size update not at the start of a header block

121:35

More than two HTTP/2 HPACK table size updates in a single header block

121:36

HTTP/2 HPACK table size update exceeds max value set by decoder in SETTINGS frame

121:37

Nonempty HTTP/2 Data frame where a message body was not expected.

121:38

HTTP/2 non-Data frame longer than 63780 bytes. For HEADERS and PUSH_PROMISE frames this includes the
size of any following continuation frames.

121:39

HTTP/2 inspector is unable to parse this flow. Either the connection is not actually using HTTP/2 or
some sort of unrecoverable HTTP/2 protocol error has occurred. This conclusion applies only to one
direction of the flow. The opposite direction may be OK.

121:40

Invalid HTTP/2 PRIORITY frame. Stream ID is 0 or length is not 5.

121:41

Invalid HTTP/2 GOAWAY frame. R bit is set or stream ID is not 0 or length is less than 8.

122:1

Basic one host to one host TCP portscan where multiple TCP ports are scanned on
the destination host from a single host

122:2

Decoy TCP portscan where the real scanner's host address was mixed with
multiple decoy hosts to connect to a single port multiple times

122:3

One host to many hosts TCP portsweep where multiple TCP ports are scanned on
each destination host

122:4

Many hosts to one host TCP distributed portscan where many hosts connect to
a single destination host and multiple ports are scanned on the destination
host

122:5

Filtered one host to one host TCP portscan where multiple firewall filtered TCP
ports are scanned on the destination host from a single host

122:6

Filtered decoy TCP portscan where the real scanner's host address was mixed
with multiple decoy hosts to connect to a single firewall filtered port
multiple times

122:7

Filtered one host to many hosts TCP portsweep where multiple firewall filtered
TCP ports are scanned on each destination host

122:8

Filtered many hosts to one host TCP distributed portscan where many hosts
connect to a single destination host and multiple firewall filtered ports
are scanned on the destination host

122:9

One host to one host IP protocol scan where multiple IP protocols are scanned
on the destination host from a single host

122:10

Decoy IP protocol scan where the real scanner's host address was mixed with
multiple decoy hosts to scan IP protocols on a single host multiple times

122:11

One host to many hosts IP protocol sweep where multiple IP protocols are
scanned on each host

122:12

Many hosts to one host distributed IP protocol scan where many hosts attempt
to scan multiple IP protocols on a single destination host

122:13

Filtered one host to one host IP protocol scan where multiple firewall filtered
IP protocols are scanned on the destination host from a single host

122:14

Filtered decoy IP protocol scan where the real scanner's host address was mixed
with multiple decoy hosts to scan firewall filtered IP protocols on a single
host multiple times

122:15

Filtered one host to many hosts IP protocol sweep where multiple firewall
filtered IP protocols are scanned on each host

122:16

Filtered many hosts to one host distributed IP protocol scan where many hosts
attempt to scan multiple firewall filtered IP protocols on a single destination
host

122:17

Basic one host to one host UDP portscan where multiple UDP ports are scanned on
the destination host from a single host

122:18

Decoy UDP portscan where the real scanner's host address was mixed with
multiple decoy hosts to scan a single UDP port on the single destination host
multiple times

122:19

One host to many hosts UDP portsweep where multiple UDP ports are scanned on
each destination host from a single host

122:20

Many hosts to one host distributed UDP portscan where many hosts scan multiple
UDP ports on a single destination host

122:21

Filtered one host to one host UDP portscan where multiple firewall filtered UDP
ports are scanned on the destination host from a single host

122:22

Filtered decoy UDP portscan where the real scanner's host address was mixed with
multiple decoy hosts to scan a single firewall filtered UDP port on the single
destination host multiple times

122:23

Filtered one host to many hosts UDP portsweep where multiple firewall filtered
UDP ports are scanned on each destination host from a single host

122:24

Filtered many hosts to one host distributed UDP portscan where many hosts scan
multiple firewall filtered UDP ports on a single destination host

122:25

One host to many hosts ICMP sweep scan where multiple ICMP scans occurred on
each destination host from a single host

122:26

Filtered one host to many hosts ICMP sweep scan where multiple ICMP scans occurred on
each firewall filtered destination host from a single host

122:27

open port

123:1

Received inconsistent IP options on fragmented packets.

123:2

Received indicators of a teardrop attack on fragmented packets.

123:3

Received short fragment, possible DOS attempt (possible boink/bolt/jolt attack). The minimum length
required to throw this alert is specified by stream_ip.min_frag_length.

123:4

Overlap anomaly: fragment packet ends after defragmented packet.

123:5

Received a zero-byte fragment.

123:6

Bad fragment size encountered, packet size is negative.

123:7

Bad fragment size encountered, packet size is greater than 65536.

123:8

Fragmentation results in overlap between segments.

123:11

TTL value is less than configured minimum, not using for reassembly. Minimum TTL can be configured
with stream_ip.min_ttl.

123:12

Fragment overlap limit exceeded, event will be raised for all successive fragments. The max fragment
overlaps that can occur before alerting is configurable by changing stream_ip.max_overlaps.

123:13

Received a tiny fragment (less than minimum fragment length).

124:1

SMTP command exceeds the configured max_command_line_len.

124:2

SMTP data header exceeds the configured max_header_line_len.

124:3

SMTP response exceeds the configured max_response_line_len.

124:4

SMTP command that is specified in the alt_max_command_line_len array is detected, and its length
exceeds the maximum length that is configured in the array.

124:5

Command did not match valid_cmds list.

124:6

Invalid command (invalid_cmds) is detected.

124:7

SMTP header name exceeds 64 characters.

124:8

Microsoft Exchange X-Link2State command exceeds maximum length of 520 characters.

124:10

Base64 decoding failed.

124:11

Quoted-printable data decoding failed.

124:13

Uudecoding failed.

124:14

Cyrus SASL authentication attack is detected.

124:15

AUTH command exceeds the configured max_auth_command_line_len.

124:16

File decompression failed.

124:17

SMTP STARTTLS command injection attempt.

125:1

TELNET command is detected on FTP control channel.

125:2

Invalid FTP command is detected.

125:3

The length of an FTP command parameter is longer than the configured maximum parameter length.

125:4

One or more FTP command parameters are malformed.

125:5

FTP command parameter had an invalid string format. Two or more '%' signs were detected in the FTP command parameter.

125:6

FTP response message is longer than the maximum configured response length.

125:7

FTP traffic is encrypted

125:8

FTP servers can allow an attacker to connect to arbitrary ports on machines other than the FTP client. This is called an FTP bounce attempt, and such a bounce attempt has been detected.

125:9

Evasive (incomplete) TELNET command is detected on FTP control channel.

126:1

Consecutive Telnet AYT (Are You There) commands are detected beyond the configured AYT threshold limit.

126:2

Telnet traffic is encrypted.

126:3

Telnet subnegotiation begin command is detected without subnegotiation end.

128:1

SSH challenge-response overflow exploit. Amount of data transferred from client is more than configured maximum.

128:2

SSH1 CRC32 exploit. Amount of data transferred from client is more than configured maximum.

128:3

SSH version string is greater than the configured maximum.

128:5

SSH bad message direction.

128:6

SSH payload size incorrect for the given payload.

128:7

Failed to detect SSH version string.

129:1

Received a TCP SYN on an already established TCP session.

129:2

Data present on SYN packet.

129:3

Data was sent on a stream not accepting data. The stream is in the
TIME-WAIT, FIN-WAIT, CLOSED, or CLOSE-WAIT state.

129:4

The TCP timestamp is outside of the PAWS (protection against wrapped sequences) window.

129:5

Bad segment, adjusted size <= 0 (deprecated)

129:6

Window size (after scaling) is larger than policy allows. stream_tcp.max_window can be increased to
allow for larger window sizes if desired.

129:7

Limit on number of overlapping TCP packets per session was reached. stream_tcp.overlap_limit can be increased
to allow for more overlaps per session, if desired.

129:8

Data was sent on stream after a TCP reset was sent, and the stream is in
CLOSED state.

129:9

TCP client is possibly hijacked, MAC addresses on received packets differ from what was originally
seen on this flow.

129:10

TCP server is possibly hijacked, MAC addresses on received packets differ from what was originally
seen on this flow.

129:11

Received TCP data with no TCP flags set.

129:12

Consecutive (in the order of received packets, not the order of sequence numbers) TCP small segments
exceed the configured threshold. The size required to count as a small segment can be configured via
stream_tcp.small_segments.maximum_size, and the maximum number of these small segments can be configured
with stream_tcp.small_segments.count.

129:13

stream_tcp detected a 4-way handshake, which includes a TCP SYN (without ACK) in response to
the initiating client SYN. stream_tcp.require_3whs = 0 should be set to ensure this can be
detected in all cases.

129:14

TCP timestamp is missing, which could cause a failure in PAWS checking,
or RTT calculation.

129:15

TCP reset was requested outside window (bad RST).

129:16

TCP Anomaly: FIN number is greater than prior FIN while the connection
is in TIME-WAIT.

129:17

TCP Anomaly: ACK number is greater than prior FIN while the connection
is in FIN-WAIT-2.

129:18

Data was sent on stream after TCP reset received.

129:19

TCP window was closed before receiving data.

129:20

The TCP 3-way handshake was not seen for this TCP session.

131:1

DNS Response Resource Record Type is Obsolete.

131:2

DNS Response Resource Record Type is Experimental.

131:3

DNS Response Resource Record Type is Client rdata Overflow.

133:2

Invalid NetBIOS session service type specified in the header. Valid types are keep alive, request from client, positive response, negative response, and retarget response from the server.

133:3

Invalid SMB message type specified in the header. Either a request was made by the server or a response was given by the client.

133:4

SMB id not equal to \xffSMB for SMB1 or not \xfeSMB for SMB2.

133:5

Invalid word count for the command or structure size. SMB commands have specific word counts, and if a command's word count does not match the required word count, this alert is raised.

133:6

Bad byte count for the command. Either the word count is zero and the byte count isn't, or the byte count is not within the minimum and maximum byte count required for the SMB command.

133:7

Bad format type for the SMB command.

133:8

Bad offset. Offset points to the beginning of the SMB header. An offset is bad if it points to data already looked at or past the end of the payload.

133:9

SMB command has a field containing total amount of data to be transmitted. If this field is zero, an alert is raised.

133:10

NetBIOS data length value is less than size of the SMB header.

133:11

Remaining NetBIOS data length is less than SMB command length.

133:12

Remaining NetBIOS data length is less than the SMB command byte count.

133:13

Remaining NetBIOS data length is less than SMB command data size.

133:14

Total data count is less than SMB command data size. Total data count must always be greater than or equal to current data size.

133:15

Total data sent in transaction is greater than SMB command total data expected.

133:16

Byte count in the SMB command header is less than the command data size.

133:17

Byte count minus the predetermined value for the SMB command is not equal to the data size.

133:18

Excessive SMB tree connect requests with pending tree connect responses. Tree connect requests queue up and wait for a server response. This alert is raised for excessive pending tree connect requests.

133:19

Excessive SMB read requests with pending read responses. After the client is done writing data, the read request is queued and gets dequeued upon receiving the response. This alert is raised for excessive pending read requests.

133:20

Excessive command chaining. Number of SMB chained commands in a single request is greater than or equal to the configured value.

133:21

It is possible to chain multiple Session Setup AndX commands within the same request. There is, however, only one place in the SMB header to return a login handle (or Uid). Windows does not allow this behavior, however Samba does. This is an anomalous behavior.

133:22

It is possible to chain multiple Tree Connect AndX commands within the same request. There is, however, only one place in the SMB header to return a tree handle (or Tid). Windows does not allow this behavior, however Samba does. This is anomalous behavior.

133:23

When a Session Setup AndX request is sent to the server, the server responds with a user id or login handle. This is used by the client in subsequent requests to indicate that it has authenticated. A Logoff AndX request is sent by the client to indicate it wants to end the session and invalidate the login handle. With SMB commands that are chained after a Session Setup AndX request, the login handle returned by the server is used for the subsequent chained commands. The combination of a Session Setup AndX command with a chained Logoff AndX command essentially logs in and logs off in the same request and is anomalous behavior.

133:24

An SMB Tree Connect AndX command is used to connect to a share. The Tree Disconnect command is used to disconnect from that share. The combination of a Tree Connect AndX command with a chained Tree Disconnect command essentially connects to a share and disconnects from the same share in the same request and is anomalous behavior.

133:25

An SMB Open AndX or Nt Create AndX command is used to open/create a file handle. The Close command is used to close that file handle. The combination of an Open AndX or Nt Create AndX command with a chained Close command essentially opens and closes the file handle in the same request and is anomalous behavior.

133:26

Invalid SMB share accessed. A Tree Connect or Tree Connect AndX request to one of the configured invalid shares was detected.

133:27

Major version contained in the connection oriented DCE/RPC header is not equal to 5.

133:28

Minor version contained in the connection oriented DCE/RPC header is not equal to 0.

133:29

Connection oriented DCE/RPC PDU type contained in the header is not a valid PDU type.

133:30

Fragment length less than connection oriented DCE/RPC header size.

133:31

Connection oriented DCE/RPC remaining fragment length less than size needed.

133:32

In a connection-oriented DCE/RPC client's Bind or Alter Context request, no context items are specified.

133:33

In a connection-oriented DCE/RPC client's Bind or Alter Context request, there are no transfer syntaxes to go with the requested interface.

133:34

Connection-oriented DCE/RPC non-last fragment is less than the size of the negotiated maximum fragment length. Most evasion techniques try to fragment the data as much as possible, and usually each fragment comes well below the negotiated transmit size.

133:35

Connection oriented DCE/RPC fragment length greater than maximum negotiated fragment length.

133:36

Alter context byte order different from bind. The byte order of the request data is determined by the Bind in connection-oriented DCE/RPC for Windows. It is anomalous behavior to attempt to change the byte order.

133:37

Call id of non first/last fragment different from call id established for fragmented request in connection oriented DCE/RPC. The call id for a set of fragments in a fragmented request should stay the same.

133:38

Connection-oriented DCE/RPC opnum of a non-first/last fragment differs from the opnum established for the fragmented request. The operation number specifies which function the request is calling on the bound interface. If a request is fragmented, this number should stay the same for all fragments.

133:39

Connection-oriented DCE/RPC context id of a non-first/last fragment differs from the context id established for the fragmented request. The context id is a handle to an interface that was bound to. If a request is fragmented, this number should stay the same for all fragments.

133:40

Connection-less DCE/RPC invalid major version. Major version is not equal to 4.

133:41

Connection-less DCE/RPC PDU type is not a valid PDU type.

133:42

Connection-less DCE/RPC packet data length is less than size of the header.

133:43

Connection-less DCE/RPC bad sequence number. The sequence number used in a request is the same or less than a previously used sequence number on the session.

133:44

Invalid SMB version 1 seen.

133:45

Invalid SMB version 2 seen.

133:46

SMB invalid user, tree connect, file binding seen.

133:47

SMB excessive command compounding seen.

133:48

SMB Data count is zero.

133:50

Maximum number of outstanding SMB requests exceeded.

133:51

Multiple outstanding SMB requests with the same MID. When a client sends a request it uses a value called the MID (multiplex id), which the server is supposed to echo, to match a response to a request.

133:52

Deprecated dialect negotiated. In the Negotiate request a client gives a list of SMB dialects it supports, normally in order from least desirable to most desirable, and the server responds with the index of the dialect to be used on the SMB session. If the client doesn't offer it as a supported dialect or the server chooses a lesser dialect, a deprecated dialect has been negotiated.

133:53

Deprecated SMB command used. There are a number of commands that are considered deprecated and/or obsolete by Microsoft (see MS-CIFS and MS-SMB). Detected use of a deprecated/obsolete command.

133:54

Unusual SMB command used. Some commands are considered unusual in the context in which they are used. Examples of such commands: TRANS_READ_NMPIPE, TRANS_WRITE_NMPIPE, TRANS2_OPEN2, NT_TRANSACT_CREATE.

133:55

Transaction SMB commands have a setup count field that indicates the word count in the transaction setup. An alert is raised if the setup count is invalid for the transaction command.

133:56

Client attempted multiple SMB dialect negotiations on session. There can be only one Negotiate transaction per session and it is the first thing a client and server do to determine the SMB dialect each supports.

133:57

SMB client attempted to create or set a file's attributes to readonly/hidden/system. Malware will often set a file's attributes to ReadOnly/Hidden/System if it is successful in installing itself as a Windows service or is able to write an autorun.inf file, since it doesn't want the user to see the file and the default folder options in Windows do not display hidden files.

133:58

SMB file offset provided is greater than file size specified.

133:59

The SMB protocol allows multiple SMB commands to be grouped in a single packet. The next command offset specified in the SMB2 header points beyond the payload boundary.

134:1

(latency) rule tree suspended due to latency

134:2

(latency) rule tree re-enabled after suspend timeout

134:3

(latency) packet fastpathed due to latency

135:1

A TCP SYN was received.

135:2

A TCP session was established.

135:3

A TCP session was cleared.

136:1

The flow was blocked based on the source IP address, since it
appears on the IP reputation block list. Configure either the discovery filter,
or the reputation IP lists to change this behavior.

136:2

The flow was trusted based on the source IP address, since it
appears on the IP reputation trust list. Configure either the discovery filter,
or the reputation IP lists to change this behavior.

136:3

The flow was monitored based on the source IP address, since it
appears on the IP reputation monitor list. Configure either the discovery filter,
or the reputation IP lists to change this behavior.

136:4

The flow was blocked based on the destination IP address, since it
appears on the IP reputation block list. If the flow contained proxy traffic,
the IP address could also be the address of the (inner-layer) proxied connection.
Configure either the discovery filter, or the reputation IP lists to change this behavior.

136:5

The flow was trusted based on the destination IP address, since it
appears on the IP reputation trust list. If the flow contained proxy traffic,
the IP address could also be the address of the (inner-layer) proxied connection.
Configure either the discovery filter, or the reputation IP lists to change this behavior.

136:6

The flow was monitored (passed to further inspection) based on
the destination IP address, since it appears on the IP reputation monitor list. If
the flow contained proxy traffic, the IP address could also be the address of the
(inner-layer) proxied connection. Configure either the discovery filter, or the reputation IP
lists to change this behavior.

137:1

An invalid SSL client HELLO was received after an SSL server HELLO has been detected.

137:2

An invalid SSL server HELLO was received without an SSL client HELLO having been detected.

137:3

An SSL heartbeat read overrun attempt has been detected.

137:4

A large SSL heartbeat response was detected.

140:2

SIP Request_URI header field is empty.

140:3

SIP Request_URI header field is larger than the defined length in configuration.

140:4

SIP Call-ID header field is empty.

140:5

SIP Call-ID header field is larger than the defined length in configuration.

140:6

SIP header field CSeq number is too large or negative.
The CSeq number value must be expressible as a 32-bit unsigned integer and
must be less than 2^31.

140:7

The request name in the CSeq is larger than the defined length in configuration.

140:8

SIP From header field is empty.

140:9

SIP From field in header is larger than the defined length in configuration.

140:10

SIP To field in header is empty.

140:11

SIP To field in header is larger than the defined length in configuration.

140:12

SIP Via field in header is empty.

140:13

SIP Via field in header is larger than the defined length in configuration.

140:14

SIP contact field in header is empty.

140:15

SIP contact field in header is larger than the defined length in configuration.

140:16

SIP content length is too large or negative.

140:17

SIP packet has multiple requests in a single packet.

140:18

Inconsistencies present between the Content-Length in SIP header and actual
body data.

140:19

SIP request name field is invalid in response.

140:20

SIP received an authenticated invite message, but no challenge from the server was
received. This is the case of an Invite replay attack.

140:21

SIP received authenticated invite message, but session information has been
changed. This is different from re-INVITE, where the dialog has been
established and authenticated.

140:22

SIP response status code is not a 3 digit number.

140:23

SIP Content-type header field is empty.

140:24

SIP version is invalid. SIP version other than 1.0, 1.1, and 2.0 is invalid.

140:25

Mismatch in method of request and the CSEQ header detected.

140:26

SIP method is unknown.

140:27

The number of SIP dialogs in the stream session exceeds the maximum value.

141:1

Unknown IMAP3 command is detected.

141:2

Unknown IMAP3 response is detected.

141:4

Base64 decoding failed.

141:5

Quoted-printable decoding failed.

141:7

Uudecoding failed.

141:8

File decompression failed.

142:1

Unknown POP3 command is detected.

142:2

Unknown POP3 response is detected.

142:4

Base64 decoding failed.

142:5

Quoted-printable decoding failed.

142:7

Uudecoding failed.

142:8

File decompression failed.

143:1

gtp_inspect detected invalid message length

143:2

gtp_inspect detected invalid information element length

143:3

gtp_inspect detected information elements are out of order

143:4

gtp_inspect detected a tunnel endpoint identifier with a value of zero

144:1

Length in Modbus MBAP header does not match the length needed for the given function
or length mismatch discovered while parsing the PDU

144:2

Modbus protocol ID is non-zero

144:3

Modbus using reserved function code

145:1

DNP3 link-layer frame contains bad CRC

145:2

DNP3 link-layer frame is truncated or frame length is invalid

145:3

DNP3 transport-layer segment sequence number is incorrect

145:4

DNP3 transport-layer segment flag violation is detected, FIR flag was set in
middle fragment

145:5

DNP3 link-layer frame uses a reserved address (0xFFF0 to 0xFFFB)

145:6

DNP3 application-layer fragment uses an undefined function code, defined
function codes: Requests (0 to 33) and Responses (129 to 131)

148:1

(cip) CIP data is malformed

148:2

(cip) CIP data is non-conforming to ODVA standard

148:3

(cip) CIP connection limit exceeded. Least recently used connection removed

148:4

(cip) CIP unconnected request limit exceeded. Oldest request removed

149:1

(s7commplus) length in S7commplus MBAP header does not match the length needed for the given S7commplus function

149:2

(s7commplus) S7commplus protocol ID is non-zero

149:3

(s7commplus) reserved S7commplus function code in use

150:1

(file_id) file not processed due to per flow limit

151:1

(iec104) Length in IEC104 APCI header does not match the length needed for the given IEC104 ASDU type id

151:2

(iec104) IEC104 Start byte does not match 0x68

151:3

(iec104) Reserved IEC104 ASDU type id in use

151:4

(iec104) IEC104 APCI U Reserved field contains a non-default value

151:5

(iec104) IEC104 APCI U message type was set to an invalid value

151:6

(iec104) IEC104 APCI S Reserved field contains a non-default value

151:7

(iec104) IEC104 APCI I number of elements set to zero

151:8

(iec104) IEC104 APCI I SQ bit set on an ASDU that does not support the feature

151:9

(iec104) IEC104 APCI I number of elements set to greater than one on an ASDU that does not support the feature

151:10

(iec104) IEC104 APCI I Cause of Initialization set to a reserved value

151:11

(iec104) IEC104 APCI I Qualifier of Interrogation Command set to a reserved value

151:12

(iec104) IEC104 APCI I Qualifier of Counter Interrogation Command request parameter set to a reserved value

151:13

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values kind of parameter set to a reserved value

151:14

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values local parameter change set to a technically valid but unused value

151:15

(iec104) IEC104 APCI I Qualifier of Parameter of Measured Values parameter option set to a technically valid but unused value

151:16

(iec104) IEC104 APCI I Qualifier of Parameter Activation set to a reserved value

151:17

(iec104) IEC104 APCI I Qualifier of Command set to a reserved value

151:18

(iec104) IEC104 APCI I Qualifier of Reset Process set to a reserved value

151:19

(iec104) IEC104 APCI I File Ready Qualifier set to a reserved value

151:20

(iec104) IEC104 APCI I Section Ready Qualifier set to a reserved value

151:21

(iec104) IEC104 APCI I Select and Call Qualifier set to a reserved value

151:22

(iec104) IEC104 APCI I Last Section or Segment Qualifier set to a reserved value

151:23

(iec104) IEC104 APCI I Acknowledge File or Section Qualifier set to a reserved value

151:24

(iec104) IEC104 APCI I Structure Qualifier set on a message where it should have no effect

151:25

(iec104) IEC104 APCI I Single Point Information Reserved field contains a non-default value

151:26

(iec104) IEC104 APCI I Double Point Information Reserved field contains a non-default value

151:27

(iec104) IEC104 APCI I Cause of Transmission set to a reserved value

151:28

(iec104) IEC104 APCI I Cause of Transmission set to a value not allowed for the ASDU

151:29

(iec104) IEC104 APCI I invalid two octet common address value detected

151:30

(iec104) IEC104 APCI I Quality Descriptor Structure Reserved field contains a non-default value

151:31

(iec104) IEC104 APCI I Quality Descriptor for Events of Protection Equipment Structure Reserved field contains a non-default value

151:32

(iec104) IEC104 APCI I IEEE STD 754 value results in NaN

151:33

(iec104) IEC104 APCI I IEEE STD 754 value results in infinity

151:34

(iec104) IEC104 APCI I Single Event of Protection Equipment Structure Reserved field contains a non-default value

151:35

(iec104) IEC104 APCI I Start Event of Protection Equipment Structure Reserved field contains a non-default value

151:36

(iec104) IEC104 APCI I Output Circuit Information Structure Reserved field contains a non-default value

151:37

(iec104) IEC104 APCI I Abnormal Fixed Test Bit Pattern detected

151:38

(iec104) IEC104 APCI I Single Command Structure Reserved field contains a non-default value

151:39

(iec104) IEC104 APCI I Double Command Structure contains an invalid value

151:40

(iec104) IEC104 APCI I Regulating Step Command Structure Reserved field contains a non-default value

151:41

(iec104) IEC104 APCI I Time2a Millisecond set outside of the allowable range

151:42

(iec104) IEC104 APCI I Time2a Minute set outside of the allowable range

151:43

(iec104) IEC104 APCI I Time2a Minute Reserved field contains a non-default value

151:44

(iec104) IEC104 APCI I Time2a Hours set outside of the allowable range

151:45

(iec104) IEC104 APCI I Time2a Hours Reserved field contains a non-default value

151:46

(iec104) IEC104 APCI I Time2a Day of Month set outside of the allowable range

151:47

(iec104) IEC104 APCI I Time2a Month set outside of the allowable range

151:48

(iec104) IEC104 APCI I Time2a Month Reserved field contains a non-default value

151:49

(iec104) IEC104 APCI I Time2a Year set outside of the allowable range

151:50

(iec104) IEC104 APCI I Time2a Year Reserved field contains a non-default value

151:51

(iec104) IEC104 APCI I a null Length of Segment value has been detected

151:52

(iec104) IEC104 APCI I an invalid Length of Segment value has been detected

151:53

(iec104) IEC104 APCI I Status of File set to a reserved value

151:54

(iec104) IEC104 APCI I Qualifier of Set Point Command ql field set to a reserved value

154:1

Enhanced JavaScript normalizer has encountered nested unescape functions

154:2

Enhanced JavaScript normalizer has encountered mixed unescape sequence

154:3

Enhanced JavaScript normalizer has encountered a symbol that is not expected as a part of a valid
JavaScript statement, making further normalization impossible.

154:4

HTML <script> tag must not have a nested <script> tag inside it. If a nested tag is
encountered, this alert is raised. This alert is raised by the enhanced JavaScript normalizer.

154:5

This alert is raised when a </script> end tag is encountered inside a JavaScript comment
or literal. This is a syntax error, as the last comment or literal is not closed before
the script ends. This alert is raised by the enhanced JavaScript normalizer.

154:6

JavaScript normalization includes identifier substitution, which brings arbitrary JavaScript
identifiers to a common form. The number of unique identifiers that are normalized is limited,
for memory reasons, by the http_inspect.js_norm_identifier_depth parameter. When this
threshold is reached, a corresponding alert is raised. This alert is not expected for typical
network traffic and may be an indication that an attacker is trying to exhaust resources.
This alert is raised by the enhanced JavaScript normalizer.

154:7

In JavaScript, template literals can have substitutions, which in turn can contain nested
template literals; tracking this nesting for proper whitespace normalization requires a stack.
The normalizer also tracks the current bracket scope, which requires a stack as well.
When the depth of nesting exceeds the limit set in http_inspect.js_norm_max_tmpl_nest or in
http_inspect.js_norm_max_bracket_depth, this alert is raised. This alert is not expected
for typical network traffic and may be an indication that an attacker is trying to exhaust
resources. This alert is raised by the enhanced JavaScript normalizer.
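The following is an added example, not Snort's own code, illustrating the resource limits behind alerts 154:1, 154:6 and 154:7: a deliberately simplified scanner that walks a script, keeps one stack for template literals, substitutions and brackets, counts unique identifiers, and reports which limit a script would trip. The limit values in LIMITS are named after the http_inspect parameters but are illustrative numbers chosen for this example, not the real defaults; the alert labels returned are this example's own, the tokenizer is an approximation (it skips strings and comments but does not parse JavaScript), and the nestedTemplatePayload helper is a constructed input, not captured traffic.

```javascript
"use strict";

// Illustrative limits (assumption: NOT the real http_inspect defaults).
const LIMITS = {
  js_norm_identifier_depth: 8,    // 154:6 fires above this many unique identifiers
  js_norm_max_tmpl_nest: 4,       // 154:7 fires above this template-literal nesting
  js_norm_max_bracket_depth: 16,  // 154:7 fires above this bracket nesting
};

const KEYWORDS = new Set(['var', 'let', 'const', 'function', 'return', 'if', 'else',
  'for', 'while', 'do', 'new', 'typeof', 'in', 'of', 'this', 'true', 'false', 'null',
  'undefined', 'break', 'continue', 'switch', 'case', 'default', 'try', 'catch',
  'finally', 'throw', 'class', 'delete', 'void', 'instanceof']);

function scanScript(src, limits = LIMITS) {
  const alerts = new Set();
  const identifiers = new Set();
  const stack = [];     // entries: 'tmpl' | 'subst' | '(' | 'u(' (unescape call) | '[' | '{'
  let tmplNest = 0, bracketDepth = 0, maxTmpl = 0, maxBracket = 0;
  const identRe = /[A-Za-z_$][A-Za-z0-9_$]*/y;

  const pushBracket = (kind) => {
    stack.push(kind);
    bracketDepth++;
    maxBracket = Math.max(maxBracket, bracketDepth);
    if (bracketDepth > limits.js_norm_max_bracket_depth) alerts.add('154:7 bracket depth');
  };
  const popBracket = () => { if (stack.pop() !== undefined) bracketDepth--; };

  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const top = stack[stack.length - 1];

    if (top === 'tmpl') {                             // inside template literal text
      if (c === '\\') { i += 2; continue; }
      if (c === '`') { stack.pop(); tmplNest--; i++; continue; }
      if (c === '$' && src[i + 1] === '{') { pushBracket('subst'); i += 2; continue; }
      i++; continue;
    }
    if (c === '`') {                                  // template literal opens
      stack.push('tmpl'); tmplNest++;
      maxTmpl = Math.max(maxTmpl, tmplNest);
      if (tmplNest > limits.js_norm_max_tmpl_nest) alerts.add('154:7 template nesting');
      i++; continue;
    }
    if (c === '"' || c === "'") {                     // skip string literal
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += (src[j] === '\\') ? 2 : 1;
      i = j + 1; continue;
    }
    if (c === '/' && src[i + 1] === '/') {            // line comment
      const j = src.indexOf('\n', i); i = j < 0 ? src.length : j + 1; continue;
    }
    if (c === '/' && src[i + 1] === '*') {            // block comment
      const j = src.indexOf('*/', i + 2); i = j < 0 ? src.length : j + 2; continue;
    }
    if (c === '(' || c === '[' || c === '{') { pushBracket(c); i++; continue; }
    if (c === ')' || c === ']' || c === '}') { popBracket(); i++; continue; }

    identRe.lastIndex = i;
    const m = identRe.exec(src);
    if (m) {
      const name = m[0];
      i += name.length;
      if (KEYWORDS.has(name)) continue;
      identifiers.add(name);
      if (identifiers.size > limits.js_norm_identifier_depth) alerts.add('154:6 identifier depth');
      if (name === 'unescape') {
        // An open 'u(' already on the stack means this call sits inside another
        // unescape() argument list: the nested-unescape condition of 154:1.
        let j = i;
        while (j < src.length && /\s/.test(src[j])) j++;
        if (src[j] === '(') {
          if (stack.includes('u(')) alerts.add('154:1 nested unescape');
          pushBracket('u(');
          i = j + 1;
        }
      }
      continue;
    }
    i++;
  }
  return { alerts: [...alerts].sort(), uniqueIdentifiers: identifiers.size,
           maxTemplateNest: maxTmpl, maxBracketDepth: maxBracket };
}

// Constructed input: `${`${`${x}`}`}` nested `depth` levels deep, the shape of
// a payload that exhausts a template-literal stack.
function nestedTemplatePayload(depth) {
  let s = 'x';
  for (let k = 0; k < depth; k++) s = '`${' + s + '}`';
  return 'var y = ' + s + ';';
}

console.log(JSON.stringify(scanScript(nestedTemplatePayload(5))));
console.log(JSON.stringify(scanScript('unescape(unescape("%41"))')));
```

The point of the stack is that a substitution returns the scanner to code context, so brackets and further template literals inside it count toward the same depth limits; an attacker who can choose the nesting depth chooses the normalizer's memory use, which is why the limits exist and why tripping them is alert-worthy rather than silently truncated.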

154:8

This alert is raised when some data is lost during JavaScript normalization and is not
normalized. This usually happens when rules use both the file_data and js_data IPS options
and the fast-pattern (FP) search is applied to file_data: data that does not match the
file_data fast-pattern search never reaches JavaScript normalization. Further normalization
of inline/external scripts is stopped for the current request within the flow. This alert
is raised by the enhanced JavaScript normalizer.

154:9

To resolve variable names in JavaScript, the current stack of variable scopes has to be tracked.
When the depth of nesting exceeds the limit set in http_inspect.js_norm_max_scope_depth,
this alert is raised. This alert is not expected for typical network traffic and may be
an indication that an attacker is trying to exhaust resources. This alert is raised
by the enhanced JavaScript normalizer.

175:1

(domain_filter) configured domain detected

256:1

(dpx) too much data sent to port

