I’ve just updated the public CVS with some new directives as part of the effort we are doing to improve the upcoming installer:
Attacks:
Possible Successful Attack: Reverse Shell Access to the System
Possible POP3 Bruteforce against SRC_IP
Possible FTP Bruteforce against SRC_IP
Command execution against webserver on DST_IP
File /etc/passwd access on DST_IP
Possible SQL injection attempt against DST_IP
Possible attack against DST_IP (Symantec Remote Management RTVScan Exploit)
Possible sa account bruteforce against SRC_IP (SQL Server)
Possible VNC bruteforce against SRC_IP
Possible attack against DST_IP (Microsoft Server Service related attack)
Too many Cisco Firewall dropped events with destination DST_IP

Worms:
Possible Worm Infection against DST_IP
Possible Worm Infection against DST_IP via DCOM RPC vulnerability
Possible Worm Infection against DST_IP via Kill-Bill ASN1 vulnerability
Possible Worm Infection against DST_IP via Lsasrv.dll RPC vulnerability
Possible Worm Infection against DST_IP via WINS vulnerability
Possible attack against DST_IP (Microsoft Server Service related attack)
Possible worm scanning behavior on port DST_PORT

Misc:
Username gathering at SMTP server DST_IP