diff --git a/VERSION b/VERSION
index c5e6455836..6c23cedfbe 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-3.0 Alpha Release 3
+3.0 Alpha Release 4
diff --git a/data/sql/sqlite.sql b/data/sql/sqlite.sql
index e712ecfbe0..87450c3ddc 100644
--- a/data/sql/sqlite.sql
+++ b/data/sql/sqlite.sql
@@ -20,3 +20,10 @@ create table services (
 'name' VARCHAR(255),
 'desc' VARCHAR(1024)
 );
+
+create table vulns (
+'id' INTEGER PRIMARY KEY NOT NULL,
+'service_id' INTEGER,
+'name' VARCHAR(255),
+'data' TEXT
+);
diff --git a/data/sql/sqlite3.db b/data/sql/sqlite3.db
index 3569c91601..b26f9e2e6a 100644
Binary files a/data/sql/sqlite3.db and b/data/sql/sqlite3.db differ
diff --git a/lib/msf/base/serializer/readable_text.rb b/lib/msf/base/serializer/readable_text.rb
index 172a414d6d..ae60223d18 100644
--- a/lib/msf/base/serializer/readable_text.rb
+++ b/lib/msf/base/serializer/readable_text.rb
@@ -54,6 +54,26 @@ class ReadableText
 		tbl.to_s + "\n"
 	end
 
+	#
+	# Dumps an auxiliary's actions
+	#
+	def self.dump_auxiliary_actions(mod, indent = '', h = nil)
+		tbl = Rex::Ui::Text::Table.new(
+			'Indent'  => indent.length,
+			'Header'  => h,
+			'Columns' =>
+				[
+					'Name',
+					'Description'
+				])
+
+		mod.actions.each_with_index { |target, idx|
+			tbl << [ target.name || 'All' ]	
+		}
+
+		tbl.to_s + "\n"
+	end
+	
 	#
 	# Dumps the table of payloads that are compatible with the supplied
 	# exploit.
diff --git a/lib/msf/core/auxiliary.rb b/lib/msf/core/auxiliary.rb
index d4d75edc88..9f7abe5bbb 100644
--- a/lib/msf/core/auxiliary.rb
+++ b/lib/msf/core/auxiliary.rb
@@ -16,8 +16,10 @@ class Auxiliary < Msf::Module
 	#
 	# Auxiliary mixins
 	#
+	require 'msf/core/auxiliary/recon'
 	require 'msf/core/auxiliary/tcp'
-
+	require 'msf/core/auxiliary/udp'
+	
 	#
 	# Returns MODULE_AUX to indicate that this is an auxiliary module.
 	#
diff --git a/lib/msf/core/auxiliary/recon.rb b/lib/msf/core/auxiliary/recon.rb
new file mode 100644
index 0000000000..1e1595d6bc
--- /dev/null
+++ b/lib/msf/core/auxiliary/recon.rb
@@ -0,0 +1,17 @@
+module Msf
+
+###
+#
+# This module provides methods for establish a connection to a remote host and
+# communicating with it.
+#
+###
+
+module Auxiliary::Recon
+
+	def report_host(host)
+		p host
+	end
+
+end
+end
diff --git a/lib/msf/core/auxiliary/tcp.rb b/lib/msf/core/auxiliary/tcp.rb
index 7d3d78fa84..3cae646591 100644
--- a/lib/msf/core/auxiliary/tcp.rb
+++ b/lib/msf/core/auxiliary/tcp.rb
@@ -1,15 +1,14 @@
-#module Msf
-#
+module Msf
+
 ###
 #
 # This module provides methods for establish a connection to a remote host and
 # communicating with it.
 #
 ###
-#module Auxiliary::Remote::Tcp
-#
-#	include Exploit::Remote::Tcp
-#
-#end
-#end
 
+module Auxiliary::Tcp
+	include Exploit::Remote::Tcp
+
+end
+end
diff --git a/lib/msf/core/auxiliary/udp.rb b/lib/msf/core/auxiliary/udp.rb
new file mode 100644
index 0000000000..854bf2ae1c
--- /dev/null
+++ b/lib/msf/core/auxiliary/udp.rb
@@ -0,0 +1,14 @@
+module Msf
+
+###
+#
+# This module provides methods for establish a connection to a remote host and
+# communicating with it.
+#
+###
+
+module Auxiliary::Udp
+	include Exploit::Remote::Udp
+
+end
+end
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index 5977efaa6f..940f9e630c 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -99,22 +99,38 @@ class DBManager
 
 	#
 	# This method iterates the services table calling the supplied block with the
-	# host and service instances of each entry.
-	# TODO: use the find() block syntax instead
+	# service instance of each entry.
 	#
 	def each_service(&block)
 		services.each do |service|
 			block.call(service)
 		end
 	end
-
+	
 	#
 	# This methods returns a list of all services in the database
 	#
 	def services
 		Service.find(:all)
 	end
+
+	#
+	# This method iterates the vulns table calling the supplied block with the
+	# vuln instance of each entry.
+	#
+	def each_vuln(&block)
+		vulns.each do |vulns|
+			block.call(vulns)
+		end
+	end
 	
+	#
+	# This methods returns a list of all vulnerabilities in the database
+	#
+	def vulns
+		Vuln.find(:all)
+	end
+		
 	def get_host(context, address, comm='')
 		host = Host.find(:first, :conditions => [ "address = ? and comm = ?", address, comm])
 		if (not host)
@@ -125,21 +141,38 @@ class DBManager
 		return host
 	end
 	
-	
-	def get_service(host, proto, port)
-		port = Service.find(:first, :conditions => [ "host_id = ? and proto = ? and port = ?", host.id, proto, port])
-		if (not port)
-			port = Service.create(
-				:host       => host,
+	def get_service(context, host, proto, port)
+		rec = Service.find(:first, :conditions => [ "host_id = ? and proto = ? and port = ?", host.id, proto, port])
+		if (not rec)
+			rec = Service.create(
+				:host_id    => host.id,
 				:proto      => proto,
 				:port       => port,
-				:state      => ServiceState::Unknown
+				:state      => ServiceState::Up
 			)
-			framework.events.on_db_service(context, host, port)
+			framework.events.on_db_service(context, rec)
 		end
-		return port
+		return rec
 	end
 
+	def get_vuln(context, service, name, data='')
+		vuln = Vuln.find(:first, :conditions => [ "name = ? and service_id = ?", name, service.id])
+		if (not vuln)
+			vuln= Vuln.create(
+				:service_id => service.id,
+				:name       => name,
+				:data       => data
+			)
+			framework.events.on_db_vuln(context, vuln)
+		end
+
+		return vuln
+	end
+		
+	def has_host?(addr)
+		Host.find(:first, :conditions => [ "address = ?", addr])
+	end
+	
 end
 
 end
diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb
index 6464c225d4..5e3a21eb5b 100644
--- a/lib/msf/core/db_manager.rb
+++ b/lib/msf/core/db_manager.rb
@@ -26,15 +26,20 @@ class DBManager
 		@usable = false
 		@active = false
 		
-		begin
-			require 'rubygems'
-			require_gem 'activerecord'
-			
+		# This double-rescue is required to detect active record when
+		# it has been installed outside of gems
+		begin	
+			begin
+				require 'rubygems'
+				require_gem 'activerecord'
+				@usable = true	
+			rescue LoadError
+				require 'activerecord'
+				@usable = true
+			end
 			require 'msf/core/db_objects'
-
-			@usable = true
 		rescue ::Exception => e
-			elog("DBManager is not enabled due to load error: #{e.to_s}")
+			elog("DB is not enabled due to load error: #{e.to_s}")
 		end
 	end
 	
diff --git a/lib/msf/core/db_objects.rb b/lib/msf/core/db_objects.rb
index c5418a6dec..77952c1c9f 100644
--- a/lib/msf/core/db_objects.rb
+++ b/lib/msf/core/db_objects.rb
@@ -16,6 +16,20 @@ end
 
 # Service object definition
 class Service < ActiveRecord::Base
+	def host
+		Host.find(:first, :conditions => [ "id = ?", host_id ])
+	end
+end
+
+# Vuln object definition
+class Vuln < ActiveRecord::Base
+	def service
+		Service.find(:first, :conditions => [ "id = ?", service_id ])
+	end
+	
+	def host
+		Host.find(:first, :conditions => [ "id = ?", service.host_id ])
+	end
 end
 
 end
diff --git a/lib/msf/core/exceptions.rb b/lib/msf/core/exceptions.rb
index 67a5854cdd..bce3109148 100644
--- a/lib/msf/core/exceptions.rb
+++ b/lib/msf/core/exceptions.rb
@@ -253,5 +253,24 @@ class NoNopsSucceededError < RuntimeError
 	end
 end
 
+##
+#
+# Plugin exceptions
+#
+##
+
+class PluginLoadError < RuntimeError
+	include Exception
+	attr_accessor :reason
+
+	def initialize(reason='')
+		self.reason = reason
+		super
+	end
+	
+	def to_s
+		"This plugin failed to load:  #{reason.to_s}"
+	end
+end
 
 end
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index 3deb55d40a..f33159eee9 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -798,6 +798,12 @@ class Core
 					else
 						print_error("No exploit module selected.")
 					end
+				when "actions"
+					if (mod and mod.auxiliary?)
+						show_actions(mod)
+					else
+						print_error("No auxiliary module selected.")
+					end
 			end
 		}
 	end
@@ -808,7 +814,7 @@ class Core
 	def cmd_show_tabs(str, words)
 		res = %w{all encoders nops exploits payloads aux plugins}
 		if (active_module)
-			res.concat(%w{ options advanced evasion targets })
+			res.concat(%w{ options advanced evasion targets actions })
 		end
 		return res
 	end
@@ -1073,13 +1079,22 @@ class Core
 			when 'Msf::OptAddress'
 				case o.name
 					when 'RHOST'
-						res << option_values_last_target()
+						option_values_target_addrs().each do |addr|
+							res << addr
+						end
 					when 'LHOST'
 						res << Rex::Socket.source_address()
 					else
 				end
 				
 			when 'Msf::OptPort'
+				case o.name
+					when 'RPORT'
+					option_values_target_ports().each do |port|
+						res << port
+					end
+				end 
+				
 				if (res.empty?)
 					res << (rand(65534)+1).to_s
 				end
@@ -1133,13 +1148,39 @@ class Core
 	end
 
 	#
-	# Provide the last target address
+	# Provide the target addresses
 	#
-	def option_values_last_target
-		# Replace this once we start tracking these things...
-		return Rex::Socket.source_address()
+	def option_values_target_addrs
+		res = [ ]
+		res << Rex::Socket.source_address()
+		return res if not framework.db.active
+		
+		framework.db.each_host do |host|
+			res << host.address
+		end
+		
+		return res
 	end
-			
+
+	#
+	# Provide the target ports
+	#
+	def option_values_target_ports
+		res = [ ]
+		return res if not framework.db.active
+		return res if not self.active_module.datastore['RHOST']
+		host = framework.db.has_host?(self.active_module.datastore['RHOST'])
+		return res if not host
+
+		framework.db.each_service do |service|
+			if (service.host_id == host.id)
+				res << service.port.to_s
+			end
+		end
+
+		return res
+	end
+				
 protected
 
 	#
@@ -1205,7 +1246,12 @@ protected
 		mod_targs = Serializer::ReadableText.dump_exploit_targets(mod, '   ')
 		print("\nExploit targets:\n\n#{mod_targs}\n") if (mod_targs and mod_targs.length > 0)
 	end
-	
+
+	def show_actions(mod) # :nodoc:
+		mod_actions = Serializer::ReadableText.dump_auxiliary_actions(mod, '   ')
+		print("\nAuxiliary actions:\n\n#{mod_actions}\n") if (mod_actions and mod_actions.length > 0)
+	end
+		
 	def show_advanced_options(mod) # :nodoc:
 		mod_opt = Serializer::ReadableText.dump_advanced_options(mod, '   ') 
 		print("\nModule advanced options:\n\n#{mod_opt}\n") if (mod_opt and mod_opt.length > 0)
diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 537131698d..3fde42a3e4 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -177,7 +177,6 @@ class Driver < Msf::Ui::Driver
 			rcfd.write(data)
 			rcfd.close
 		rescue ::Exception => e
-			# 
 		end
 	end
 	
diff --git a/plugins/db_sqlite3.rb b/plugins/db_sqlite3.rb
index 8396e68c8e..5117bb26c3 100644
--- a/plugins/db_sqlite3.rb
+++ b/plugins/db_sqlite3.rb
@@ -11,8 +11,6 @@ module Msf
 
 class Plugin::DBSQLite3 < Msf::Plugin
 
-
-
 	###
 	#
 	# This class implements an event handler for db events
@@ -22,6 +20,14 @@ class Plugin::DBSQLite3 < Msf::Plugin
 		def on_db_host(context, host)
 			puts "New host event: #{host.address}"
 		end
+		
+		def on_db_service(context, service)
+			puts "New service event: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state}"
+		end
+		
+		def on_db_vuln(context, vuln)
+			puts "New vuln event: host=#{vuln.host.address} port=#{vuln.service.port} proto=#{vuln.service.proto} name=#{vuln.name}"
+		end
 	end
 	
 	###
@@ -36,7 +42,7 @@ class Plugin::DBSQLite3 < Msf::Plugin
 		# The dispatcher's name.
 		#
 		def name
-			"DBDispatcher"
+			"Database Backend"
 		end
 
 		#
@@ -44,10 +50,13 @@ class Plugin::DBSQLite3 < Msf::Plugin
 		#
 		def commands
 			{
-				"db_hosts" => "List all hosts in the database db",
-				"db_services" => "List all services in the database db",
-				"db_insert" => "Insert a new host into the db",
-				"db_test"   => "Test",
+				"db_hosts"    => "List all hosts in the database",
+				"db_services" => "List all services in the database",
+				"db_vulns"    => "List all vulnerabilities in the database",
+				"db_add_host" => "Add one or more hosts to the database",
+				"db_add_port" => "Add a port to host",
+				"db_import_nessus_nbe" => "Import a Nessus scan result file (NBE)",
+				# "db_import_nmap_xml"   => "Import a Nmap scan results file (-oX)",
 			}
 		end
 
@@ -56,31 +65,79 @@ class Plugin::DBSQLite3 < Msf::Plugin
 				print_status("Host: #{host.address}")
 			end
 		end
-		
+
 		def cmd_db_services(*args)
-			framework.db.each_service do |host, service|
-				print_status("Service: host=#{host.address} port=#{service.port} port=#{service.proto}")
+			framework.db.each_service do |service|
+				print_status("Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state}")
 			end
 		end		
-
-		def cmd_db_insert(*args)
-			print_status("Inserting #{args.length.to_s} hosts...")
+		
+		def cmd_db_vulns(*args)
+			framework.db.each_vuln do |vuln|
+				puts "Vuln: host=#{vuln.host.address} port=#{vuln.service.port} proto=#{vuln.service.proto} name=#{vuln.name}"
+			end
+		end	
+		
+		def cmd_db_add_host(*args)
+			print_status("Adding #{args.length.to_s} hosts...")
 			args.each do |address|
 				framework.db.get_host(nil, address)
 			end
 		end
-		
-		def cmd_db_test(*args)
-			framework.db.get_host(nil, "1.2.3.4")
-			framework.db.get_host(nil, "1.2.3.5")
-			framework.db.get_host(nil, "1.2.3.6")
-			framework.db.each_host do |host|
-				print_status("Host: #{host.address}")
-			end	
-		end		
+
+		def cmd_db_add_port(*args)
+			if (not args or args.length < 3)
+				print_status("Usage: db_add_port [host] [port] [proto]")
+				return
+			end
+
+			host = framework.db.get_host(nil, args[0])
+			return if not host
+			
+			service = framework.db.get_service(nil, host, args[2].downcase, args[1].to_i)
+			return if not service
+			
+			print_status("Service: host=#{service.host.address} port=#{service.port} proto=#{service.proto} state=#{service.state}")
+		end
+
+		def cmd_db_import_nessus_nbe(*args)
+			if (not (args and args.length == 1))
+				print_status("Usage: db_import_nessus [nessus.nbe]")
+				return
+			end
+			
+			if (not File.readable?(args[0])) 
+				print_status("Could not read the NBE file")
+				return
+			end
+			
+			fd = File.open(args[0], 'r')
+			fd.each_line do |line|
+				r = line.split('|')
+				next if r[0] != 'results'
+				addr = r[2]
+				nasl = r[4]
+				hole = r[5]
+				data = r[6]
+				
+				m = r[3].match(/^([^\(]+)\((\d+)\/([^\)]+)\)/)
+				next if not m
+				
+				host = framework.db.get_host(nil, addr)
+				next if not host
+				
+				service = framework.db.get_service(nil, host, m[3].downcase, m[2].to_i)
+				service.name = m[1]
+				service.save
+				
+				vuln = framework.db.get_vuln(nil, service, "NSS-#{nasl.to_s}", data)
+			end
+		end
+			
 	end
 
 
+
 	def initialize(framework, opts)
 		super
 
@@ -94,8 +151,8 @@ class Plugin::DBSQLite3 < Msf::Plugin
 		FileUtils.copy(odb, ndb)
 		
 		if (not framework.db.connect("adapter" => "sqlite3", "dbfile" => ndb))
-			print_status("Failed to connect to the database :(")
-			return
+			File.unlink(ndb)
+			raise PluginLoadError.new("Failed to connect to the database")
 		end
 		
 		@dbh = DBEventHandler.new
@@ -107,7 +164,7 @@ class Plugin::DBSQLite3 < Msf::Plugin
 
 	def cleanup
 		framework.events.remove_db_subscriber(@dbh)
-		remove_console_dispatcher('DBDispatcher')	
+		remove_console_dispatcher('Database Backend')	
 	end
 
 	#
@@ -122,7 +179,7 @@ class Plugin::DBSQLite3 < Msf::Plugin
 	# more than 60 characters, but there are no hard limits.
 	#
 	def desc
-		"Loads a new SQLite3 db and intializes it"
+		"Loads a new sqlite3 database backend"
 	end
 
 protected
diff --git a/plugins/db_tracker.rb b/plugins/db_tracker.rb
new file mode 100644
index 0000000000..2a80c47da8
--- /dev/null
+++ b/plugins/db_tracker.rb
@@ -0,0 +1,63 @@
+module Msf
+
+###
+# 
+# This class hooks all socket calls and updates the database with
+# data gathered from the connection parameters
+#
+###
+
+class Plugin::DB_Tracer < Msf::Plugin
+
+	###
+	#
+	# This class implements a socket communication tracker
+	#
+	###
+	class DBTracerEventHandler
+		include Rex::Socket::Comm::Events
+
+		def on_before_socket_create(comm, param)
+		end
+
+		def on_socket_created(comm, sock, param)
+			# Ignore local listening sockets
+			return if not sock.peerhost
+
+			if (sock.peerhost != '0.0.0.0' and sock.peerport)
+
+				host = param.context['Msf'].db.get_host(param.context, sock.peerhost)
+				return if not host
+				
+				port = param.context['Msf'].db.get_service(param.context, host, param.proto, sock.peerport)
+				return if not port
+
+			end
+		end		
+	end
+	
+	def initialize(framework, opts)
+		super
+		
+		if(not framework.db.active)
+			raise PluginLoadError.new("The database backend has not been initialized")
+		end
+		
+		@eh = DBTracerEventHandler.new
+		Rex::Socket::Comm::Local.register_event_handler(@eh)
+	end
+
+	def cleanup
+		Rex::Socket::Comm::Local.deregister_event_handler(@eh)
+	end
+
+	def name
+		"db_tracker"
+	end
+
+	def desc
+		"Monitors socket calls and updates the database backend"
+	end
+
+end
+end
diff --git a/plugins/ips_filter.rb b/plugins/ips_filter.rb
index d3c637f16f..d89de7cd14 100644
--- a/plugins/ips_filter.rb
+++ b/plugins/ips_filter.rb
@@ -35,11 +35,11 @@ class Plugin::IPSFilter < Msf::Plugin
 	def initialize(framework, opts)
 		super
 		@ips_eh = IPSSocketEventHandler.new
-		Rex::Socket::Comm::Local.register_event_handler(@bps_eh)
+		Rex::Socket::Comm::Local.register_event_handler(@ips_eh)
 	end
 
 	def cleanup
-		Rex::Socket::Comm::Local.deregister_event_handler(@bps_eh)
+		Rex::Socket::Comm::Local.deregister_event_handler(@ips_eh)
 	end
 
 	def name
@@ -63,13 +63,19 @@ module SocketTracer
 
 	# Hook the write method
 	def write(buf, opts = {})
-		# Add hooks to filter all outgoing packets here
+		if (ips_match(buf))
+			$stderr.puts "*** Outbound write blocked due to possible signature match"
+			return
+		end
 		super(buf)
 	end
 
 	# Hook the read method
 	def read(length = nil, opts = {})
 		r = super(length, opts)
+		if (ips_match(r))
+			$stderr.puts "*** Incoming read may match a known signature"
+		end		
 		return r
 	end
 
@@ -82,5 +88,2063 @@ module SocketTracer
 		super(*args)
 	end
 
+	def ips_match(data)
+		lp = localport
+		rp = peerport
+		
+		SIGS.each do |s|
+			begin
+				r = Regexp.new(s[1])
+				if (data.match(r))
+					$stderr.puts "*** Matched signature #{s[1]}"
+					return true
+				end
+			rescue ::Exception => e
+				$stderr.puts "*** Compiled error: #{s[1]}"
+			end
+		end
+		
+		return false
+	end
+	
+	SIGS = 
+	[
+		['stream', ".*[1-9][0-9]*, 6667 : USERID : UNIX : die.*"],
+		['stream', ".*\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a.*"],
+		['smb-open-filename', ".*(\000)?\.(\000)?\[e(\000)?x(\000)?e(\000)?\]"],
+		['http-url-parsed-param', ".*\/getlatestversion\?ver=.*"],
+		['dns-type-name', ".*[\s%\|;\?\&\'\"].*"],
+		['packet', "[\0200-\0377].*"],
+		['packet', ".*\x00\x0c.."],
+		['snmp-community', "internal"],
+		['stream', ".*\[login incorrect\].*"],
+		['stream', ".*\[permission denied\].*"],
+		['http-header-accept-encoding', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-url-parsed-param', ".*\/\[gwweb\.exe\?\].*"],
+		['http-url-parsed-param', ".*\/\[PortInformation\]\?[0-9][^0-9]?.*"],
+		['http-url-parsed-param', ".*\/\[StreamingStatistics\]\?[0-9].*"],
+		['http-url-parsed', "\[\/cgi-bin\/logout\.exe\]"],
+		['http-header-user-agent', ".*\[QuickTime\].*"],
+		['http-url-parsed', "\/examples\/jsp\/snp\/[^.]+\.snp"],
+		['http-request', "SSH.*"],
+		['http-request', "\xff(\xfb|\xfd).*"],
+		['http-request', "\[CONNECT\].*"],
+		['http-request', "\[CONNECT scs.yahoo.com\].*"],
+		['http-request', "\[CONNECT login.oscar.aol.com\].*"],
+		['http-header', ".*\[p2p-agent:.*Kazaa\].*"],
+		['http-header-user-agent', ".*\[topsearch\].*"],
+		['http-header-user-agent', ".*\[MSMSGS\].*"],
+		['http-url-parsed-param', ".*\/\[imagemap\.exe\]\?.*"],
+		['stream', "\[CONNECT\].*"],
+		['stream', "\[CONNECT\].*"],
+		['stream', "\[CONNECT\].*"],
+		['stream', "\[CONNECT\].*"],
+		['stream', "\[CONNECT\].*"],
+		['http-header-user-agent', "ICQ"],
+		['http-text-html', ".*<(a|A)[^>]*\s\[href\]=>.*"],
+		['http-text-plain', "\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a"],
+		['http-text-html', ".*<\[bgsound\]( |\x09|\x0A)+\[src\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?\\\\[^>]+>.*"],
+		['http-text-html', ".*<\[OBJECT\][^>]+\[classid\]=( |\x09|\x0A)?(\"|')?clsid:D27CDB6E-AE6D-11cf-96B8-444553540000.*>.*<\[PARAM\] \[NAME\]=\"?\[movie\].*\[VALUE\]=.*\.\[swf\]\?AAA\.XXXXXXXX[^>]+>.*"],
+		['line', ".*\[1 file\].*"],
+		['line', ".*\[bad command or filename\].*"],
+		['line', ".*\[command completed\].*"],
+		['line', ".*\[connection closed by foreign host\].*"],
+		['line', ".*uid=0.*"],
+		['line', ".*\[volume serial number\].*"],
+		['http-status', ".*\[HTTP\]\/[0-9]+[^\012]+404 .*"],
+		['http-data', ".*\x30\x08\x23\x00\x3C\xA6\x0F\xA5\x18\x04\x2D\xB1\x38\x53\xF4\xA6\x10\x5B\x7E\x8A\x7D\xA2\x80\xB0\x8C\x38\x53\xF3\x14\x04\x0A\xC3\x91\x14\x05\xED\x3D\xBE\xA2\x80\x81\x4F\x6F\x94\xD0\x04\x14\xD0.*"],
+		['http-data', ".*\x04\x42\x81\x91\xFF\xDA\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00\xF9\x05\xF9\x6F\x38\x9F\xDD\xE4\x5F\x59\xD7\xDF\x49\xE7\x9D\xF7\x82\x46\xE6\x73\x7C\x40\xFC\xE4\x7C\x52\x58\xE6\x37\x3A\x5F\x79\xBB\x01\x0E\x74\x6F\x59\xC2\x43\x6A\xA2\x71\x36\x87\xA3.*"],
+		['http-url-parsed-param', ".*\/s?bin\/halt.*"],
+		['http-url-parsed-param', ".*\[(\/usr)?\/s?bin\/(awk|bash|cat|chattr|chgrp|chmod|chown|cp|csh|dd|df|dir|dmesg|du|ed|gawk|groups|gunzip|install|kill|killall|last|link|ln|ls|lsattr)\].*"],
+		['http-url-parsed-param', ".*\[\/(usr)?\/s?bin\/(mail|mesg|mkdir|mkfifo|mknod|mktemp|more|mount|mv|netstat|nisdomainname|pidof|ps|rm|rmdir|sash|sed|sh|shred|sleep|stat|stty|tcsh|tempfile|touch|umount|unlink|utmpdump|uuidgen|vdir|wall|ypdomainname|halt|shutdown|restart|reboot|runlevel|swapoff|ctrlaltdel|mkswap|poweroff)\].*"],
+		['http-url-parsed-param', ".*\/\[dfire\.cgi\?.*IPONE\]=\|"],
+		['http-header-user-agent', ".*\[MoodLogic\].*"],
+		['http-url', ".*HandleSearch\.html\?searchTarget=.*&B1=Submit.*"],
+		['http-request', "\[CONNECT\] [0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?:[0-9]+ \/ \[HTTP\]\/1.0.*"],
+		['http-header', ".*\[Authorization\]:[ ]+\[Negotiate\]\x00.*"],
+		['http-url-parsed', ".*\/test\/realPath\.jsp.*"],
+		['http-url-parsed', ".*\/test\/jsp\/buffer(1|2|3|4)\.jsp.*"],
+		['http-url-parsed', ".*\/test\/jsp\/(comments|extends(1|2))\.jsp.*"],
+		['http-url-parsed', ".*\/test\/jsp\/page(AutoFlush|Double|Extends|Import2|Info|Invalid|IsErrorPage|IsThreadSafe|Language|Session)\.jsp.*"],
+		['http-url-parsed', ".*\/test\/jsp\/declaration\/IntegerOverflow\.jsp.*"],
+		['http-url-parsed-param', ".*\/examples\/jsp\/source.jsp\?(\?|\/+.*\/+).*"],
+		['ftp-banner', ".*WS_FTP Server ([0-3]|(4\.0\.[0-2])).*"],
+		['ftp-banner', ".*Serv-U FTP Server v([0-4]|(5\.0(\.[0-5])?[^0-9])).*"],
+		['ftp-banner', ".*Serv-U FTP-Server v([0-1]|(2\.[0-5])).*"],
+		['ftp-banner', ".*Serv-U FTP Server v([0-3]|(4\.[0-1])).*"],
+		['ftp-banner', ".*Serv-U FTP Server v([0-3]|(4\.[0-2])).*"],
+		['ftp-banner', ".*WS_FTP Server ([0-4]|(5\.\0\.[0-3])).*"],
+		['ftp-password', "\[(manager|public|private|default|security|1234qwer|123qwe|user|super|123456|000000|Internet|abcd|abc123|abc|1234567|123abc|88888888|password|asdfgh|computer|5201314|00000000|!@#$%^&*\(\)|654321|888888|123asd|11111|!@#$%^&\*|passwd|!@#$%^&\*\(|111111|asdf|sql|database|111|!@#$%|pass|!@#$|54321|server|!@#$%^|sybase|oracle|12345678|1|secret|test|11111111|admin|anyone|!@#$%^&)\]"],
+		['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['ftp-command', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['ftp-username', "anonymous|ftp"],
+		['stream', ".*\[login incorrect\].*"],
+		['stream', ".*\[not on system console\].*"],
+		['stream', ".*\[guest account not allowed\].*"],
+		['stream', ".*\[login failure\].*"],
+		['stream', ".*\[server allows NTLM authentication \].*"],
+		['stream', ".*\[login failed\].*"],
+		['stream', ".*\[permission denied\].*"],
+		['stream', ".*cat( |\x09)+\/etc\/passwd.*"],
+		['stream', ".*halt( |\x09)*(\x0a|\x0d).*"],
+		['packet', "\X AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA  AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA \X"],
+		['stream', ".*\xaa..\x14\x48.....\x00\[L\x00o\x00g\x00i\x00n\x00 \x00f\x00a\x00i\x00l\x00e\x00d\].*"],
+		['smtp-command-line', "(\[HELO\]|\[EHLO\]) \[localhost\]"],
+		['smtp-data-text-plain', "\x58\x35\x4f\x21\x50\x25\x40\x41\x50\x5b\x34\x5c\x50\x5a\x58\x35\x34\x28\x50\x5e\x29\x37\x43\x43\x29\x37\x7d\x24\x45\x49\x43\x41\x52\x2d\x53\x54\x41\x4e\x44\x41\x52\x44\x2d\x41\x4e\x54\x49\x56\x49\x52\x55\x53\x2d\x54\x45\x53\x54\x2d\x46\x49\x4c\x45\x21\x24\x48\x2b\x48\x2a"],
+		['packet', "\x45\x00\x32\x00.*"],
+		['packet', ".*\X00 00 01 87 03 00 00 00\X.*"],
+		['smb-connect-path', "\\\00?\\\00?.*\\\00?I\00?P\00?C\00?$\00?.*"],
+		['pop3-user', "x#99999999"],
+		['pop3-user', "root"],
+		['http-url-parsed', "\/v[0-9][0-9][0-9]\/mainbar\/index.html.*"],
+		['dns-type-name', "\x00\x01c3312\.z1301\.winmx\.com.*"],
+		['dns-type-name', "\x00\x01\[test\].*\[\.winmx\.com\]"],
+		['packet', "1"],
+		['packet', "8.*"],
+		['dns-type-name', "\x00\x01\[c\][0-9]+\[\.z\][0-9]+\[\.winmx\.com\]"],
+		['http-header-user-agent', ".*\[DC\]\+\+.*"],
+		['stream', ".*$Key [^\0174]*\0174$ValidateNick .*"],
+		['http-url-parsed-param', "\[\/ver\/ver.php\?ver\]=[0-9]\.[0-9][0-9]\.[0-9]&\[app\]=[0-9][0-9].*"],
+		['packet', "\xe3....\x16.*"],
+		['packet', "\xe3....\x01.*"],
+		['packet', "\xe3....\x19.*"],
+		['packet', "\xe3....\x14.*"],
+		['packet', "\xe3....\x15.*"],
+		['packet', "\xe3\x96.*"],
+		['packet', "\xe3\x97.*"],
+		['http-header-user-agent', ".*\[Shareaza\].*"],
+		['stream', ".*UserAgent: KazaaClient [^\010]*\r\nX-Kazaa-Username:.*"],
+		['stream', ".*Server: KazaaClient.*X-Kazaa-Username:.*"],
+		['packet', "\x27\x00\x00\x00\xa9\x80KaZaA\x00"],
+		['stream', "GET \/.hash=([a-f]|[0-9])+.*KaZaA.*"],
+		['stream', ".*\[BitTorrent protocol\].*"],
+		['http-url-parsed-param', ".*\[announce\][^?]*\?[^ ]*\[info_hash\].*"],
+		['http-url-parsed-param', ".*\[scrape\][^?]*\?[^ ]*\[info_hash\].*"],
+		['packet', "\xe3\x0a.*"],
+		['packet', "\xe3\x0b.*"],
+		['packet', "\xe3\x0e.*"],
+		['packet', "\xe3\x21.*"],
+		['packet', "\xe3\x13.*"],
+		['ssh-header', "SSH-1.5-OpenSSH-1.2.3"],
+		['stream', ".*\.\[mp3\].*"],
+		['stream', ".*\.\[mp3\].*"],
+		['stream', ".*\.\[mp3\].*"],
+		['stream', ".*\.\[mp3\].*"],
+		['stream', ".*\.\[mp3\].*"],
+		['stream', ".*\.\[mp3\].*"],
+		['packet', ".*\x00\xcb\x00.*"],
+		['packet', ".*\x00\xcb\x00.*"],
+		['packet', ".\x00\x02\x00.*"],
+		['packet', ".\x00\x02\x00.*"],
+		['stream', ".*anon@napster.com.*"],
+		['packet', ".\x00\x06\x00.*"],
+		['packet', ".\x00\x06\x00.*"],
+		['packet', ".\x00\x5f\x02.*"],
+		['packet', ".\x00\x5f\x02.*"],
+		['http-header-user-agent', ".*\[MLdonkey\].*"],
+		['stream', ".*GNUTELLA OK.*"],
+		['stream', "GNUTELLA CONNECT\/0\.[0-9].*"],
+		['stream', ".*GNUTELLA\/0\.[0-9] 200 OK(\x0d)?\n.*"],
+		['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['http-header-user-agent', "\[gator\].*"],
+		['http-header-user-agent', ".*\[new\.net\].*"],
+		['http-header-user-agent', ".*\[DA\] [1-9]\.[0-9].*"],
+		['http-header', ".*Oracle9iAS-Web-Cache\/(9\.0\.(0\.4\.0|2\.3\.0|3\.1\.0|4\.0\.0)|2\.0\.0\.4\.0).*"],
+		['stream', ".*ADMINISTRATOR.*"],
+		['stream', ".*\[invalid login\].*"],
+		['packet', "NQ.*"],
+		['packet', "ST.*"],
+		['packet', "ST.*"],
+		['ftp-password', "cis@security\.check"],
+		['http-url-parsed', "\[Nikto\]-[0-9][0-9]?\.[0-9][^\00]+\.\[htm\]"],
+		['http-header-user-agent', ".*\(Nikto\/.*"],
+		['http-url', ".*search%3f<balisexss>%22%27.*"],
+		['stream', ".*\x00\x01\x00\x03\x00\x01\x00.*"],
+		['packet', "> .*"],
+		['packet', "> .*"],
+		['packet', "> .*"],
+		['stream', ".*cat \/etc\/passwd.*"],
+		['packet', ".*cat \/etc\/passwd.*"],
+		['stream', ".*\/usr\/(bin\/X11|X11R6\/bin)\/xterm.*"],
+		['packet', ".*\/usr\/(bin\/X11|X11R6\/bin)\/xterm.*"],
+		['packet', ".*\x2b\x06\x10\x40\x14\xd1\x02\x19.*"],
+		['packet', ".*WHATISIT.*"],
+		['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/group.*"],
+		['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/inetd.conf.*"],
+		['stream', ".*cat( |\x09)*>( |\x09)*\/etc\/passwd.*"],
+		['stream', ".*cat( |\x09)*>>( |\x09)*\.rhosts"],
+		['stream', ".*cat( |\x09)*>>( |\x09)*\/etc\/passwd.*"],
+		['stream', ".*cd( |\x09)+\/bin\/\..*"],
+		['stream', ".*cd( |\x09)+\/usr\/\..*"],
+		['stream', ".*cd( |\x09)+\/var\/\..*"],
+		['stream', ".*cd( |\x09)+\.\.\..*"],
+		['stream', ".*id( |\x09)*\x0d.*"],
+		['stream', ".*mkdir( |\x09)+\.\..*"],
+		['stream', ".*nc .*"],
+		['stream', ".*nmap .*"],
+		['stream', ".*reboot.*"],
+		['stream', ".*shutdown.*"],
+		['stream', ".*strobe .*"],
+		['stream', ".*su( |\x09)+bin( |\x09)*\x0d.*"],
+		['stream', ".*su(( |\x09)+(root|-l root|- root|-))?( |\x09)*\x0d.*"],
+		['stream', ".*telnet[^\015]+21( |\x09)*\x0d.*"],
+		['stream', ".*telnet[^\015]+25( |\x09)*\x0d.*"],
+		['stream', ".*telnet[^\015]+80( |\x09)*\x0d.*"],
+		['stream', ".*vi( |\x09)+\/etc\/group( |\x09)*\x0d.*"],
+		['stream', ".*vi( |\x09)+\/etc\/passwd( |\x09)*\x0d.*"],
+		['stream', ".*xhost( |\x09)+.*"],
+		['stream', ".*xhost( |\x09)+\+( |\x09)*\x0d.*"],
+		['stream', ".*\[to su root\].*"],
+		['telnet-user', "cisco"],
+		['http-url-parsed', ".*conf\/httpd\.conf"],
+		['http-url-parsed', ".*\[\/admin_files\].*"],
+		['http-url-parsed-param', ".*\X20\X\/\[session\/adminlogin\]\?.*RCpage=\/\[sysadmin\]"],
+		['http-url-parsed', ".*\[\/ax-admin\.cgi\]"],
+		['http-url-parsed', ".*\[\/axs\.cgi\]"],
+		['http-url-parsed', ".*\/\[bigconf\.cgi\]"],
+		['http-url-parsed', ".*\[\/cgi-bin\/cachemgr\.cgi\]"],
+		['http-url-parsed', ".*\/\[day5data(copier|notifier)\.cgi\].*"],
+		['http-url-parsed', ".*\[\/environ\.cgi\]"],
+		['http-url-parsed', ".*\/\[filemail\.pl\]"],
+		['http-url-parsed', ".*\/\[finger(\.cgi|\.pl)?\]"],
+		['http-url-parsed', ".*\/\[flexform(\.pl|\.cgi)?\]"],
+		['http-url-parsed', ".*\[\/LWGate(\.cgi|\.pl)?\]"],
+		['http-url-parsed', ".*\[\/man\.sh\]"],
+		['http-url-parsed', ".*\[\/ministats\/admin\.cgi\]"],
+		['http-url-parsed', ".*\/\[mmstdod\.cgi\]"],
+		['http-url-parsed', ".*\/\[perlshop\.cgi\]"],
+		['http-url-parsed', ".*\/\[post-query\]"],
+		['http-url-parsed', ".*\[\/responder\.cgi\]"],
+		['http-url-parsed', ".*\/\[search\.vts\]"],
+		['http-url-parsed', ".*\[\/snork(erz)?\.(bat|cmd)\]"],
+		['http-url-parsed', ".*\[\/store\.cgi\]"],
+		['http-url-parsed', ".*\/\[textcounter\.pl\]"],
+		['http-url-parsed', ".*\/\[uploader\.exe\]"],
+		['http-url-parsed', ".*\/\[w3tvars\.pm\]"],
+		['http-url-parsed', ".*\[\/webdriver\]"],
+		['http-url-parsed', ".*\/\[web-map\.cgi\].*"],
+		['http-url-parsed', ".*\/\[cgi-bin\/www-sql\].*"],
+		['http-url-parsed', ".*\[\/cgi-bin\/MachineInfo\]"],
+		['http-url-parsed', ".*\/\[wais\.pl\]"],
+		['http-url-parsed', ".*\/admin\.pl.*"],
+		['http-url-parsed', ".*\/edit\.pl"],
+		['http-url-parsed', ".*\/files\.pl"],
+		['http-url-parsed', ".*\/maillist\.pl"],
+		['http-url-parsed', ".*\/rwwwshell\.pl"],
+		['http-url-parsed', ".*\/upload\.pl"],
+		['http-url-parsed', ".*\/wwwadmin\.pl.*"],
+		['http-url-parsed', ".*\[\/cfappman\/(index\.cfm)?\].*"],
+		['http-url-parsed', ".*\/\[cfdocs\/cfmlsyntaxcheck\.cfm\].*"],
+		['http-url-parsed', ".*\[\/cfdocs\/exampleapp\/\].*"],
+		['http-url-parsed', ".*\[\/cfdocs\/examples\/\].*"],
+		['http-url-parsed', ".*\[\/cfdocs\/snippets\/\].*"],
+		['http-url-parsed', ".*\[\/cfide\/administrator\/startstop\.html\].*"],
+		['http-url-parsed-param', ".*\?\[DeleteDocument\].*"],
+		['http-url-parsed-param', ".*\?\[EditDocument\].*"],
+		['http-url-parsed', ".*\[\/(catalog|domcfg|domlog|names|log)\.nsf\].*"],
+		['http-url-parsed', ".*\[\/_vti_(bin|pvt)\/\].*"],
+		['http-url-parsed', ".*\[\/cfgwiz\.exe\].*"],
+		['http-url-parsed', ".*\[\/admcgi\/contents\.htm\].*"],
+		['http-url-parsed', ".*\[\/scripts\/Fpadmcgi\.exe\].*"],
+		['http-url-parsed', ".*\[admisapi\/fpadmin\.htm\].*"],
+		['http-url-parsed', ".*\[\/fp(remadm|srvadm)\.exe\].*"],
+		['http-url-parsed', ".*\[\/author\.dll\].*"],
+		['http-url-parsed', ".*\[\/msdac\/\].*"],
+		['http-url-parsed', ".*\[\/scripts\/proxy\/w3proxy\.dll\].*"],
+		['http-url-parsed', ".*\[\.cnf\].*"],
+		['http-url-parsed', ".*\[\/_mem_bin\/\].*"],
+		['http-url-parsed', "\[\/msadc\/samples\/adctest\.asp\].*"],
+		['http-url-parsed', ".*\[\/Form_JScript\.asp\].*"],
+		['http-url-parsed', ".*\[\/scripts\/cpshost\.dll\].*"],
+		['http-url-parsed-param', ".*\[&del \/s c:\/\].*"],
+		['http-url-parsed', ".*\[\/ServerVariables_Jscript\.asp\].*"],
+		['http-url-parsed-param', ".*\[\/scripts\/tools\/getdrvr?s\.exe\].*"],
+		['http-url-parsed', ".*\[global\.asa\].*"],
+		['http-url-parsed', ".*\[\/scripts\/perl\].*"],
+		['http-url-parsed', ".*\/scripts\/postinfo\.asp.*"],
+		['http-url-parsed', ".*\/samples\/search\/queryhit\.htm.*"],
+		['http-url-parsed', ".*\[readme\.eml\].*"],
+		['http-url-parsed', ".*\[\/scripts\/repost\.asp\].*"],
+		['http-url-parsed', ".*\/scripts\/\X20\X.*"],
+		['http-url-parsed', ".*\[\/SiteServer\/Publishing\/viewcode\.asp\].*"],
+		['http-url-parsed', ".*\[\/Sites\/(Samples\/)?Knowledge\/Membership\/Inspired(tutorial)?\/ViewCode\.asp\].*"],
+		['http-url-parsed', ".*\[\/Sites\/Samples\/Knowledge\/(Push|Search)\/ViewCode\.asp\].*"],
+		['http-url-parsed', ".*\[\/site\/iisamples\].*"],
+		['http-url-parsed', ".*\[\/srchadm\].*"],
+		['http-url-parsed', ".*\[\/samples\/isapi\/srch\.htm\].*"],
+		['http-url-parsed', ".*\[\/SWEditServlet\].*"],
+		['http-url-parsed', ".*\[\/viewcode\.asp\].*"],
+		['http-url-parsed', ".*\[\/scripts\/((samples\/search)|srchadm)\/webhits\.exe\].*"],
+		['http-url-parsed', ".*\/backup(\/.*)?"],
+		['http-url-parsed', ".*\[\/intranet\/\].*"],
+		['http-url-parsed', ".*\/htgrep.*"],
+		['http-url-parsed-param', ".*\[\/\?PageServices\].*"],
+		['http-url-parsed', ".*\/nph-publish"],
+		['http-request', "\[GETPROPERTIES\]\X20\X.*"],
+		['http-url-parsed-param', ".*\[\/PSUser\/PSCOErrPage\.htm\?\].*"],
+		['http-url-parsed-param', ".*\/dsgw\/bin\/search\?.*context=.*"],
+		['http-url-parsed', ".*\[\/cgi-dos\/args\.bat\].*"],
+		['http-url-parsed-param', ".*\/ping\?.*query=.*"],
+		['http-url-parsed', ".*\/ews\/architext_query\.pl.*"],
+		['http-url-parsed', ".*\[\/dcforum\.cgi\]"],
+		['http-url-parsed', ".*\[\/sendform\.cgi\]"],
+		['http-url-parsed', ".*\[\/sendmessage\.cgi\]"],
+		['http-header', ".*User-Agent: Webtrends Security Analyzer.*"],
+		['http-url-parsed-param', ".*\?.*\[PHP_AUTH_USER=boogieman\].*"],
+		['http-url-parsed', ".*\/code\.php3.*"],
+		['http-url-parsed', ".*\/violation\.php3.*"],
+		['line', ".*\[directory listing of\].*"],
+		['http-url-parsed', ".*\[\/contextAdmin\/contextAdmin\.html\].*"],
+		['http-url-parsed-param', ".*\/bin\/ls.*"],
+		['http-url-parsed-param', ".*\/bin\/ls.*\|.*"],
+		['http-url-parsed-param', ".*\/bin\/ps.*"],
+		['http-url-parsed-param', ".*\/bin\/bash.*"],
+		['http-url-parsed-param', ".*\/bin\/cc.*"],
+		['http-url-parsed-param', ".*\/bin\/chgrp.*"],
+		['http-url-parsed-param', ".*\/bin\/chmod.*"],
+		['http-url-parsed-param', ".*\/bin\/chown.*"],
+		['http-url-parsed-param', ".*\/bin\/chsh.*"],
+		['http-url-parsed-param', ".*\/bin\/cpp.*"],
+		['http-url-parsed-param', ".*\/bin\/csh.*"],
+		['http-url-parsed-param', ".*\/bin\/echo.*"],
+		['http-url-parsed-param', ".*\/bin\/g\+\+.*"],
+		['http-url-parsed-param', ".*\/bin\/gcc.*"],
+		['http-url-parsed-param', ".*\/s?bin\/id((\040|%20|>|\|).*)?"],
+		['http-url-parsed', ".*\/~root(\/.*)?"],
+		['http-url-parsed-param', ".*\/etc\/inetd\.conf.*"],
+		['http-url-parsed-param', ".*\/etc\/motd.*"],
+		['http-url-parsed-param', ".*\/etc\/shadow.*"],
+		['http-url-parsed', ".*\/args\.bat.*"],
+		['http-url-parsed', ".*\/args\.cmd.*"],
+		['http-url-parsed-param', ".*\[cd\]\X20\X\.\."],
+		['http-url-parsed-param', ".*\[tftp\.exe\].*"],
+		['http-url-parsed-param', ".*\[nc\.exe\].*"],
+		['http-url-parsed-param', ".*\[net localgroup administrators \/add\].*"],
+		['http-url-parsed-param', ".*\[perl\.exe\].*"],
+		['http-url-parsed', ".*\[rcmd\.exe\].*"],
+		['http-url-parsed-param', ".*\[telnet\.exe\].*"],
+		['http-url-parsed-param', ".*\[\/ws_ftp\.ini\].*"],
+		['http-url-parsed-param', ".*\[wsh\.exe\].*"],
+		['http-url-parsed', "\[\/cybercop\].*"],
+		['http-url', ".*\/nessus_is_probing_you_"],
+		['http-url-parsed', ".*\/(b?a|k|ch?|z|tc|rk?|pdk|sa|ad)?sh"],
+		['http-url-parsed', "\/\[scripts\/samples\/search\]\/[^\00]+\.(idq|exe)"],
+		['http-url-parsed', ".*\/\[newdsn\.exe\]"],
+		['http-url-parsed', ".*\.\[htw\]"],
+		['http-url-parsed', ".*\/(r|w)\[guest\.exe\]"],
+		['http-url-parsed', ".*\/\[alibaba\.pl\]"],
+		['http-url-parsed', ".*\/\[FormHandler\.cgi\]"],
+		['http-url-parsed', ".*\/\[test\.cgi\]"],
+		['http-header-user-agent', "VoidEYE CGI security scanner"],
+		['http-url-parsed', ".*\/\[win-c-sample\.exe\]"],
+		['http-url-parsed', ".*\/\[search97\.vts\]"],
+		['ftp-command', "\[mkd\]"],
+		['line', "MKD \..*"],
+		['packet', "\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e\x2e.*"],
+		['http-url-parsed', ".*\[AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\.cfm\].*"],
+		['packet', ".*\x0Ahelp\x0Aquit\x0A.*"],
+		['packet', "............\x01.*"],
+		['packet', "....\xFF\xFF.*"],
+		['stream', ".*YMSG..\x00\x00..\x00\x06.*"],
+		['stream', ".*\[nick\].*"],
+		['stream', "YMSG..\x00\x00\x00..(W|L).*"],
+		['msn-message', ".*text\/plain.*"],
+		['packet', "VER [0-9]+ (MSNP[0-9]+ )+CVR0\015\012"],
+		['packet', "CAL [0-9]+ .*"],
+		['packet', "RNG [0-9]+ ([0-9]+\.)+[0-9]+:1863 CKI.*"],
+		['stream', ".*\x2a\x02....\x00\x01\x00\x02.*"],
+		['stream', ".*\x2a\x02....\x00\x01\x00\x03.*"],
+		['stream', ".*\x2a\x02....\x00\x04\x00\x06.*"],
+		['stream', ".*\x2a\x02....\x00\x04\x00\x07.*"],
+		['stream', ".*\x2a\x04..\x00\x00.*"],
+		['stream', "OFT2.*OFT_Windows ICBMFT V1.1 32.*"],
+		['stream', ".*Server: AIM HTTP\/1\.0 \(aim_http_proxy\)\x0d\x0a.*"],
+		['packet', "\x00\x01.*"],
+		['line', "550 .*\[user unknown\].*"],
+		['smtp-banner', ".*MERCUR SMTP-Server \(v([0-2]|(3\.[0-2])).*"],
+		['smtp-banner', ".*MERCUR SMTP-Server \(v((3\.([3-9]|([0-2][0-9])))|(4\.[0-2][^0-9])).*"],
+		['smtp-banner', ".*CMailServer ([0-4]|5\.([0-1]|2)[^0-9]).*"],
+		['smtp-command-line', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['smtp-from', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['smtp-rcpt', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['stream', "\[quit\].*"],
+		['smtp-mime-content-name', ".*\.\[zip\]"],
+		['smtp-mime-content-filename', ".*\.\[(w|e)mf\]"],
+		['smtp-mime-content-filename', ".*\.\[zip\]"],
+		['smtp-mime-content-filename', ".*\.\[hta\]"],
+		['smb-calling-name', "\[localhost\]\x20\x20\x20\x20\x20\x20\x20"],
+		['smb-open-filename', ".*\.\000?\[z\000?i\000?p\000?\]"],
+		['stream', ".*ftp:.*"],
+		['stream', ".*\x07\x61\x75\x74\x68\x6f\x72\x73\x04\x62\x69\x6e\x64\x00\x00\x10\x00\x03.*"],
+		['packet', ".*\x07\[version\]\x04\[bind\]\x00.*"],
+		['packet', "Server is online"],
+		['stream', "(get[A-z]+|scrnsav).*"],
+		['packet', "[A-z]:\\.*"],
+		['http-status', "Desconectado Web Serve CT.*"],
+		['stream', ".*@.*@.*"],
+		['finger-user', "search.*"],
+		['stream', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['finger-user', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['packet', "\x00\x00\x07\xa2\x08\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['http-request', "PROPFIND \/.*"],
+		['http-request', "HEAD \/~root.*"],
+		['http-request', "(GET|POST) \/\/ HTTP\/1\.0"],
+		['http-request', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-header', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-header-accept', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-header-content-encoding', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-header-content-language', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-header-content-location', ".*([\000-\010]|[\013-\014]|[\016-\032]|[\034-\037]|[\0177-\0377]).*"],
+		['http-url-parsed-param', ".*%1u%1u.*"],
+		['http-url', "([\001-\045]|[\047-\076]|[\0100-\0377])*\[%2Easp\].*"],
+		['http-url-parsed', "\[\/scripts\/iisadmin\].*"],
+		['http-url-parsed-param', "\/\[iissamples\]\/[^\077]*\/\[codebrws\.asp\]\?[^\000]*\[source=\].*"],
+		['http-url-parsed', ".*\[\/bdir\.htr\].*"],
+		['http-url-parsed-param', "\/\[ms(adc|dac)\/Samples\/SELECTOR\/showcode\.asp\]\?[^ ]*\[source\]=.*"],
+		['http-url-parsed-param', ".*\[#filename=(\"|')?\.(asp|exe)(\"|')?\].*"],
+		['http-header', ".*\[xp_enumdsn\].*"],
+		['http-url-parsed', ".*\[\/search\/(advsearch|query|search)\.asp\].*"],
+		['http-url-parsed', ".*\[xp_filelist\].*"],
+		['http-url-parsed-param', ".*\.\[htw\?.*CiWebHitsFile=\][^&]+\.\[asp\].*"],
+		['http-url-parsed', ".*(\x20)+\.\[htr\].*"],
+		['http-header', ".*\[xp_regread\].*"],
+		['http-url-parsed', ".*\/\[_vti_bin\/_vti_aut\/fp30reg.dll?.*<script.*>\].*"],
+		['http-url-parsed-param', "\[\/iissamples\/sdk\/asp\/docs\/CodeBrws\.asp\?.*Source=\].*"],
+		['http-url-parsed-param', ".*\/\[iissamples\]\/.*"],
+		['http-header', "\[Translate: *f\]"],
+		['http-url-parsed-param', "\/xxxiischeckxxx"],
+		['http-url-parsed', "\[\/msadc\/msadcs.dll\]"],
+		['http-url-parsed-param', ".*\/\[SQLQHit\.asp\?CiColumns\]=\*&CiScope=(webinfo|extended_fileinfo|extended_webinfo|fileinfo).*"],
+		['http-url-parsed-param', "\/\[level\]\/(1[6-9]|[2-9][0-9])\/\[exec\]\/.*"],
+		['http-url-parsed', ".*\[\/_vti_pvt\/(authors|users)\.pwd\].*"],
+		['http-url-parsed', ".*\[\/_private\/(orders|register|registrations|form_results)\.(htm|txt)\].*"],
+		['http-url-parsed', ".*\[\/_vti_bin\/shtml\.(dll|exe)\/.*\.(html|htm|asp|shtml)\].*"],
+		['http-url-parsed-param', ".*\/etc\/passwd.*"],
+		['http-url-parsed-param', ".*\/etc\/hosts\.allow.*"],
+		['http-url-parsed', ".*\/\.nsconfig"],
+		['http-url', "((\\|%5\[c\])+)?\[cgi-bin\].*"],
+		['http-url-parsed', "\[\/portal\/diag\]\/?"],
+		['http-url-parsed-param', ".*\[win\.ini\].*"],
+		['http-url-parsed', ".*\/\[chat\]\/!(\[pwds\]|\[nicks\])\.\[txt\]"],
+		['http-url-parsed-param', ".*\/\[cutenews\]\/\[index\.php\]\?\[debug\]"],
+		['http-url-parsed', ".*\.\[chm\]"],
+		['http-request', "\[INDEX\] \/ HTTP\/1\.0.*"],
+		['http-url-parsed-param', ".*\/\?wp-verify-link"],
+		['http-url-parsed-param', ".*\/\?wp-cs-dump"],
+		['http-url-parsed-param', ".*\/\?wp-ver-info"],
+		['http-url-parsed-param', ".*\/\?wp-ver-diff"],
+		['http-url-parsed-param', ".*\/\?wp-start-ver"],
+		['http-url-parsed-param', ".*\/\?wp-stop-ver"],
+		['http-url-parsed-param', ".*\/\?wp-uncheckout"],
+		['http-url-parsed-param', ".*\/\?wp-html-rend"],
+		['http-url-parsed-param', ".*\/\?wp-usr-prop"],
+		['stream', ".*GET \/%3CSCRIPT%3Ealert%28document%3EURL%29%3C\/SCRIPT%3E\/.*"],
+		['http-header-referer', ".*<\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\][^>]*>.*"],
+		['http-url-parsed-param', ".*\[compte\.php\?achat=1&valider=1&identifiant='%20OR%20''='&password='%20OR%20\]''='.*"],
+		['http-url-parsed', ".*\/(config|orders)\/(check|import)\.txt"],
+		['http-url-parsed-param', "\/*\[\/carbo\.dll\?.*icatcommand=\/?\.\.\/\]"],
+		['http-url-parsed-param', ".*\?\?\?\?\?\?\?.*"],
+		['http-url-parsed', ".*\[\.html\/\.\.\.\.\.\.\].*"],
+		['http-url-parsed-param', ".*\[tuxadm\.exe\]\?[^\012]*INIFILE=.*"],
+		['http-url-parsed-param', ".*\[\/webplus\.exe\?about\].*"],
+		['http-url-parsed-param', ".*\[\/webplus\.exe\?.*script=\][^&]+\.\[wml::\$DATA\].*"],
+		['http-url-parsed', ".*\[\/cfide\/administrator\/(index.cfm)?\].*"],
+		['http-url-parsed', ".*\/\[application\.cfm\].*"],
+		['http-url-parsed', ".*\[\/cfcache\.map\].*"],
+		['http-url-parsed-param', ".*\/\[getfile\.cfm\?.*FilePath=([a-z]:|\/?\.\.\/)\].*"],
+		['http-url-parsed', ".*\/\[onrequestend\.cfm\].*"],
+		['http-url-parsed', ".*\[;\.jsp\]"],
+		['http-text-html', ".*body {.*font-size: [1-9][0-9][0-9][0-9][0-9][0-9][0-9]px;.*}.*"],
+		['stream', ".*\x46\x57\x53\x04\x4e\x00\x00\x00\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00\x43\x02\xff\xff\xff\xa7\x00\x01\x00\x70\x7d\x09\xc4\x07\xd0\x9c\x40\x01\x00\xff\x00\x00\x01\x14\x00\x00\x00\x00\x11\x35\xc9\xc4\x07\xd1\xf6\xbe\x83\xb2\x0c\x1d\xb0\x60\xec.*"],
+		['http-text-html', ".*<object id=objSWF33  classid=\"clsid:d27cdb6e-ae6d-11cf-96b8-444553540000\".*<param name=\"src\" value=\"\[([a-z]|[0-9])+\.php\]\">"],
+		['stream', "\x4f\x4b\x0d\x0a\x0d\x0a\x39\x2e\x39\x39\x0d\x0a\x0d\x0a.*"],
+		['http-text-html', ".*<\[img\][^>]*\[width\][ ]*=[ ]*('|\")?[2-3][0-9][0-9][0-9][0-9]('|\")*[^<]*\[height\][ ]*=[ ]*('|\")?[1-9][0-9][0-9][0-9][0-9][0-9]+.*"],
+		['http-text-html', ".*<\[IMG\][^>]+\[src\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*::(\"|')?[^>]+onError( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*this\.src=('|\")?::('|\")?;('|\")?[^>]*>.*"],
+		['http-text-html', ".*\[<iframe src=\"?.*\.scm\"?.*mhtml:file:\/\/\/C:\/Program%20Files\/ICQ\/Sounds\/.*!file:\/\/\/\].*"],
+		['http-text-html', ".*<\[iframe\][^>]+\[src\]( |\012|\011)*=( |\012|\011)*(\"|')?.*\.\[jnlp\](\"|')?.*\[mhtml:file:\/\/\/C:\/Program%20Files\/Java%20Web%20Start\/\.javaws\/cache\/http\/\][^>]*!\[file\]:\/\/\/.*"],
+		['http-text-html', ".*\[<iframe src=\"?.*\.wsz\"?.*mhtml:file:\/\/\/C:\/Program%20Files\/Winamp\/Skins.*!file:\/\/\/\].*"],
+		['http-text-html', ".*\[ftp:\/\/\"><script>\].*"],
+		['http-text-html', ".*<\[script>.*'<'\+'script>.*<\/'+'script>'.*<\/script\]>.*"],
+		['http-text-html', ".*<\[img\][^>]*\[src\]=( |\x09|\x0A)*(\"|')?\[gopher\]:\/\/[^\/]+\/[^%]*%09 0[^>]*>.*"],
+		['stream', ".*\+ABSTRACT:\x0d\x0a.*\x68\x5e\x56\xc3\x90\x54\x59\xff\xd1\x58\x33\xc9\xb1\x1c\x90\x90\x90\x90\x03\xf1\x56\x5f\x33\xc9\x66\xb9\x95\x04\x90\x90\x90\xac\x34\x99\xaa\xe2\xfa\x71\x99\x99\x99\x99\xc4\x18\x74\x40\xb8\xd9\x99\x14\x2c\x6b\xbd\xd9\x99\x14\x24\x63\xbd\xd9\x99\xf3\x9e\x09\x09\x09\x09\xc0\x71\x4b\x9b\x99\x99\x14\x2c\xb3\xbc\xd9\x99\x14\x24\xaa\xbc\xd9\x99\xf3\x93\x09\x09\x09\x09\xc0\x71\x23\x9b\x99\x99\xf3\x99\x14\x2c\x40\xbc\xd9\x99\xcf\x14\x2c\x7c\xbc\xd9\x99\xcf\x14\x2c.*"],
+		['http-text-html', ".*http:\/\/toolbar\.google\.com\/command\?script=\[document\.body\.insertAdjacentHTML\]\(.*<object[^>]*codebase=c:\/.*"],
+		['http-text-html', ".*http:\/\/toolbar\.google\.com\/command\?script=\[document.body.insertAdjacentHTML\]\(.*<iframe id=\[oFileRead\] src=file:\/\/.*"],
+		['stream', ".*\xff\xfe\x3c\x00\x65\x00\x6d\x00\x62\x00\x65\x00\x64\x00\x0d\x00\x73\x00\x72\x00\x63\x00\x3d\x00\x22\x00\x68\x00\x74\x00\x74\x00.*"],
+		['http-text-html', ".*hcp:\/\/system\/DFS(\/|\\)uplddrvinfo\.htm\?file:\/\/.*"],
+		['http-text-html', ".*oVuln\.NavigateAndFind\(\"javascript:alert\(document\.cookie\)\",\"\",\"\"\);.*"],
+		['http-text-html', ".*alert\(fVuln\(\"ElementIdInNewDoc\"\)\.document\.cookie\);.*"],
+		['http-text-html', ".*fVuln\(\"javascript:alert\(dialogArguments\.document\.cookie\)\",oWin,\"\"\);.*"],
+		['http-text-html', ".*\.pasteHTML\([^>]*javascript:alert\(document\.cookie\).*"],
+		['http-text-html', ".*alert\(oVuln\.getData\(\"text\"\)\); or oVuln\.setData\(\"text\",\"data\"\);.*"],
+		['http-text-html', ".*replace\('mk:@MSITStore:C:'.*"],
+		['http-text-html', ".*<\[frameset\][^>]*\[cols\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')?( |\x09|\x0A)*[^>]*,\*,\*,\*,\*,\*,\*,\*,\*,\*.*"],
+		['http-text-html', ".*<\[object\][^>]*\[type\]=\"\x5b\xb8\xff\xff\xff\x99\x35\x4f\xfb\xea\x99\x40\x81\x38\x78\x56\x34\x12\x75\xf7\x83\xc0\x04\xff\xd0\x2f\x2f\x2f.*"],
+		['http-text-html', ".*\.write\(\"[^\012]*<\[HR\] [^>]*\[align\]='?\".*"],
+		['http-text-html', ".*\.\[location\.href\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')\[javascript\]:[^;]*<\[script\]>.*"],
+		['http-text-html', ".*<\[a href\]=\042\[http\]:\/\/[^>]+\.[^>]+(\x00\x00|%00%00)[^>]+>.*"],
+		['http-text-html', ".*=\s+\[window\.screen(left|top\])-.*"],
+		['http-text-html', ".*<\[SCRIPT\][^>]+((\[LANGUAGE\]\s*=\s*(\042|\047)?\[XML\][^>]+\[SRC\]\s*=)|(\[SRC\]\s*=[^>]+\[LANGUAGE\]\s*=\s*(\042|\047)?\[XML\]))[^>]*>.*"],
+		['http-url-parsed', ".*\.idc"],
+		['http-status', ".*403 Forbidden.*"],
+		['http-text-html', ".*<[^>]*=(\047|\042)?\[disk(s)?\]:\/\/[^>]*\.\[dmg\][^>]*>.*"],
+		['http-url-parsed-param', ".*\[\/ad\.cgi\?(value|file)=\/?\.\.\/\].*"],
+		['http-url-parsed-param', ".*\[\/windmail\.exe\?%20-n\].*"],
+		['http-url-parsed-param', ".*\/\[cgi-bin\/htmlscript\](\?|\/)\/?\.\.\/.*"],
+		['http-url-parsed-param', ".*\[\/search\.pl\?.*form=.*%00\]"],
+		['http-url-parsed', ".*\[\/quikstore\.cfg\]"],
+		['http-url-parsed-param', "\/\[cgi-bin\/sojourn\.cgi\]\?[^\012]*\[cat\]=[^&]*\/?\.\.\/.*"],
+		['http-url-parsed-param', ".*\/\[store\.cgi\]\?[^\012]*\[(product|StartID)\]=.*\.\.\/.*"],
+		['http-url-parsed-param', ".*\/\[cgi-bin\][^\077]*\[\/(ftp\/)?ftp\.pl\?\][^\000]*\[dir\]=\/?\.\.\/.*"],
+		['http-url-parsed-param', ".*\[\/way-board\.cgi\?.*db=.*%00\]"],
+		['http-url-parsed', ".*\/AT-admin\.cgi.*"],
+		['http-url-parsed-param', ".*\[\/web_store\.cgi\]\?[^?]*\[page=\/?\.\.\/\].*"],
+		['http-url-parsed-param', ".*\/\[faxsurvey(\?|\/)(\/|\.\.)+(bin|etc)\].*"],
+		['http-url-parsed-param', ".*(Count\.cgi|Count\.exe)\?user=a%90%BF8%EE%FF%BF8.*"],
+		['http-url-parsed-param', ".*\[newsadmin\/upload\.php\?.*userinfo..*=hop&.*userinfo..*=100\].*"],
+		['http-url-parsed-param', ".*\[admin\.php\?.*en_log_id=0&.*action=(users|config)\].*"],
+		['http-url-parsed', ".*\[\/ip\.txt\]"],
+		['http-url-parsed-param', ".*\[admin\.php4\?.*reg_login=1\].*"],
+		['http-url-parsed', ".*\[admin\/admin_phpinfo\.php4\].*"],
+		['http-url-parsed-param', ".*\[viewimg\.php\?.*path=viewimg\.php&.*form=1&.*var=1\].*"],
+		['http-url-parsed', "\/cgi-bin\/rwcgi60(\/|\/showenv)?"],
+		['http-url', ".*cgi-bin\/redir\.exe\?\[URL=http(:\/\/|%3A%2F%2F).*%0D%0A%0D%0A%3CSCRIPT%3E\].*"],
+		['http-url-parsed', "\/cgi-isapi\/..*"],
+		['http-url-parsed-param', ".*\/\[cgi-bin\/texis\.exe\][^ ](-dump|-version).*"],
+		['http-url-parsed', ".*\/\[(formmail|contact|mailform|mail|fmail|feedback|cgie?mail|sender|ezformml|mailer)(\.(cgi|pl|exe))?\]"],
+		['http-url-parsed-param', ".*\/\[test-cgi\]\/\052*\?[^\00]*\052.*"],
+		['http-url-parsed-param', ".*\/\[mlog\.phtml\]\?\[screen\]=\/.*"],
+		['http-url-parsed', ".*\/cgi-bin\/dumpenv\.pl"],
+		['http-url-parsed-param', ".*\/\[sendtemp\.pl\]\?.*\.\.\/.*"],
+		['http-url-parsed-param', ".*\[command=X&type=\";\].*"],
+		['http-url-parsed-param', "\/userprefs\.cgi\?Bugzilla_login=[^&]+&Bugzilla_password=[^&]+&bank=footer&dosave=1&mybugslink=1%27%20%2cgroupset=%279223372036854775807"],
+		['http-url-parsed-param', ".*editproducts\.cgi\?Bugzilla_login=[^&]&Bugzilla_password=[^&]&version=unspecified&product=[^&]+&action=new"],
+		['http-url-parsed', "\/mail\/[^ ]+\.nsf"],
+		['http-url', "\/\.nsf\/\.\.\/[^ ]*"],
+		['http-url-parsed-param', ".*\?[^ ]*\.\.\/.*"],
+		['http-url-parsed', ".*\.www_?acl"],
+		['http-header', ".*\[xp_availablemedia\].*"],
+		['http-url', "\/\.\.\.\.?\.?.*"],
+		['http-url-parsed-param', ".*\.\[php\]\?xoopsOption=.*"],
+		['http-url-parsed', "\/user_settings?\.cfg"],
+		['http-url-parsed', ".*\[(lpt|com)[0-9]\.xtp\]"],
+		['http-url-parsed', ".*dscgi\/ds\.py\/ApplyUpload\/Collection-10.*"],
+		['stream', ".*(\[GET\]|\[POST\])[^\011]+\/\[cgi-bin\/\.cobalt\/alert\/service\.cgi\]\?[^\011]*\[service=\](<|%3C).*"],
+		['http-url-parsed-param', ".*\/include\/(oci8|postgres65|mysql|mysql7|msql)\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
+		['http-url-parsed-param', ".*\/include\/postgres\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
+		['http-url-parsed-param', ".*\/user\/(agora_user|ldap_example)\.php\?.*inc_dir=http:\/\/.*&ext=txt.*"],
+		['http-url-parsed-param', ".*\/doc\/admin\/(index|help[0-9]+)\.php\?ptinclude=http:\/\/.*"],
+		['http-url', ".*\.php<\?.*"],
+		['http-url-parsed-param', ".*\/(\[(index|inc\.lib|inc\.cp)\.php\]\?[^ ]*\[sfx\]=|\[lib\/(comment|weblog)\.add\.php\])"],
+		['http-url-parsed', "\/modules\/(Downloads\/voteinclude|Your_Account\/navbar|Forums\/(attachment|auth)|News\/comments|Web_Links\/voteinclude|WebMail\/contactbook)\.php.*"],
+		['http-url-parsed', "\/modules\/Private_Messages\/(functions|index|read|reply)\.php.*"],
+		['http-header-user-agent', "Mozzarella\/1\.37\+\+.*"],
+		['http-url-parsed', ".*\.\[hts\]\."],
+		['ftp-password', "\+"],
+		['ftp-password', "blueskies"],
+		['line', "STOR.*space\.asp.*"],
+		['stream', ".*USER private\r\nPASS #\x0d\x0a.*"],
+		['ftp-username', "(lp|nuucp|EZsetup|demos|OutOfBox|guest|4Dgifts)"],
+		['stream', ".*\[password required. but none set\].*"],
+		['packet', ".*\x00\x00\x00\x00....\x00\x01\x86\xa0....\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['stream', ".*\[SELECT +(UserName|\*) +FROM +ALL_USERS\].*"],
+		['packet', "\x0A.*"],
+		['stream', ".*\[s\00p\00_\00(a\00d\00d\00_\00j\00o\00b|a\00d\00d\00_\00j\00o\00b\00s\00t\00e\00p|a\00d\00d\00_\00j\00o\00b\00s\00e\00r\00v\00e\00r|s\00t\00a\00r\00t\00_\00j\00o\00b)\].*"],
+		['smtp-mime-content-filename', "\[explorer\.doc\]"],
+		['smtp-mime-content-filename', "\[explorer\.doc\]|\[resume1\.doc\]|\[normal\.dot\]"],
+		['stream', ".*\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00(\x01|\x02|\x03)\x00\x00\x00(\x02|\x05|\x06).*"],
+		['packet', ".*\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xa5\x00\x00\x00(\x01|\x02|\x03)\x00\x00\x00(\x02|\x05|\x06).*"],
+		['stream', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
+		['stream', ".*\.write\((\"|')<\[HR align\]=.*"],
+		['pop3-command-line', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[zip\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[bas\]\".*"],
+		['stream', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
+		['packet', "\r\n"],
+		['stream', "........[\0001-\0377][\0000-\0377].*"],
+		['stream', "VERS[ ]*.*"],
+		['smb-open-filename', "\[\0134(\000)?S(\000)?A(\000)?M(\000)?R(\000)?\]"],
+		['ftp-password', "-saint.*"],
+		['smtp-from', ".*nessus.*"],
+		['stream', ".*can't hide from me.*"],
+		['ftp-password', "retina@example.org"],
+		['smtp-from', "<(cis|scan)@cerberus.*"],
+		['ftp-password', "-iss@iss"],
+		['ftp-password', "-satan.*"],
+		['ftp-password', "ddd@"],
+		['http-url-parsed', ".*\/\[cgi-bin\/test-cgi\].*"],
+		['http-url-parsed', "\/\[server-info\]"],
+		['http-url', "\/\[server%20logfile\]"],
+		['ftp-pathname', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
+		['ftp-pathname', ".*\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x2c.*"],
+		['ftp-pathname', ".*\x90\x31\xC0\x99\x52\x52\xB0\x17\xCD\x80\x68\xCC\x73\x68.*"],
+		['ftp-pathname', ".*\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03\xe0\xf9\x5e\xb0\x3d\x8d\x5e\x10\xcd\x80\x31\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\xe8\xac\xff\xff\xff.*"],
+		['ftp-pathname', "aaaa\x01\x88\x5f\x01\x01\x87\xe5\xca%u%u%u%u%u.*"],
+		['ftp-command', ".*\x31\xdb\x89\xd8\xb0\x17\xcd\x80\xeb\x66\x5e\x89\xf3\x80\xc3\x0f\x39\xf3\x7c\x07\x80\x2b\x02\xfe\xcb\xeb\xf5\x31\xc0\x88\x46\x01\x88\x46\x08\x88\x46\x10\x8d\x5e\x07\xb0\x0c\xcd\x80\x8d\x1e\x31\xc9\xb0\x27\xcd\x80\x31\xc0\xb0\x3d\xcd\x80\x31\xc0\x8d\x5e\x02\xb0\x0c\xcd\x80\x31\xc0\x88\x46\x03\x8d\x5e\x02\xb0\x3d\xcd\x80\x89\xf3\x80\xc3.*"],
+		['ftp-pathname', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0.*"],
+		['ftp-pathname', ".*\x41\x41\x29\xc0\x50\xb0\x17\x50\xcd\x80\x29\xc0\x50\xbf\x66\x69\x73\x68.*"],
+		['ftp-pathname', "\x41\x2a\x2f\x2e\x2e\x2f\x41\x2a\x2f\x2e\x2e\x2f\x41\x2a\x2f.*"],
+		['ftp-pathname', ".*\x80\xe8\xc5\xff\xff\xff\xff\xff\xff\x30\x64\x65\x76\x30\x63\x64.*"],
+		['ftp-pathname', ".*\xe8\x97\xff\xff\xff\xff\xff\xff\x45\x45\x32\x32\x33\x32\x32\x33.*"],
+		['ftp-password', "fts\@undernet.org"],
+		['ftp-password', "-cklaus.*"],
+		['smtp-command-line', "\[vrfy\] netect-.*"],
+		['packet', ".*\x00\x00\x00\x60\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00.*"],
+		['stream', ".*SSH_Version_Mapper.*"],
+		['stream', ".*\x0A     .*"],
+		['finger-host', "localhost"],
+		['packet', ".*AAAAAAAAAAAAAAAA.*"],
+		['smtp-command-line', "\[ehlo cybercop\]"],
+		['smtp-command-line', "\[expn cybercop\]"],
+		['packet', ".*cybercop.*"],
+		['ssh-header', "USER AMAP"],
+		['http-request', "USER AMAP"],
+		['pop3-user', "AMAP"],
+		['ssh-header', "GET \/ HTTP\/1\.0"],
+		['smtp-command-line', "GET \/ HTTP\/1\.0"],
+		['ssh-header', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
+		['smtp-command-line', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
+		['http-request', "\x80\x80\x01\x03\x01\x00\x57\x00\x00\x00\x20\x00\x00\x16\x00\x00\x13\x00\x00"],
+		['ssh-header', "\x00\x00\x01\x06\xff\xff\xff\xff"],
+		['smtp-command-line', "\x00\x00\x01\x06\xff\xff\xff\xff"],
+		['http-request', "\x00\x00\x01\x06\xff\xff\xff\xff"],
+		['packet', "............\x0e.*"],
+		['packet', ".......\x08\x00\x0a.*"],
+		['packet', ".......\x2b.*"],
+		['packet', ".......\x11.*"],
+		['line', "550 .*\[relay access denied\].*"],
+		['line', "550 .*\[relaying denied\].*"],
+		['line', "550 .*\[relaying is prohibited\].*"],
+		['smtp-mime-content-filename', ".*\[[a-z]\.[a-z]\.[a-z]\.[a-z]\.([a-z]\.?)*\]"],
+		['smtp-command-line', "( |\x09)*\[help\].*"],
+		['smtp-command-line', ".*\[BDAT \].*"],
+		['smtp-mime-content-filename', ".*\.\[crt\]"],
+		['smtp-mime-content-filename', ".*\.\[mdb\]"],
+		['smtp-mime-content-filename', ".*\.\[url\]"],
+		['smtp-header-line', "\[(Content-Type: )?multipart\/mixed; boundary\]=\"\".*"],
+		['smtp-header-from', ".*\"\"\"\"\"\"@.*"],
+		['smtp-rcpt', "[^@]+@[^\040]+@[^@]+"],
+		['dhcp-option', "\x0c.*<.*"],
+		['stream', ".*200 .*[0-9]+ (%\[[a-z]\])+.*"],
+		['smb-open-filename', ".*\.(\00)?\[j(\00)?o(\00)?b\](\00)?"],
+		['smb-open-filename', ".*\[a(\000)?u(\000)?t(\000)?o(\000)?r(\000)?u(\000)?n(\000)?\.(\000)?i(\000)?n(\000)?f(\000)?\]"],
+		['smb-open-filename', "\\00?w\00?i\00?n\00?r\00?e\00?g\00?"],
+		['stream', ".*\xe9\xac\x10\x05\xe8\x97\x6c\x8d\x46\x88\x94\x61\x08\xd4\x62\xe8\x94\x61\x45\x6e\xb5\x45\xe8\x9f\x3b\x90\x00\x0b\xa0\x00\x0b\x85\x00\x0c\xd8\x05\x08\xd5\xe2\xb9\xff\x10\x0b\x82\x70\x00\xcd\x80\x8d\x5e\x2b\x83\xd0.*"],
+		['stream', ".*\x40\x00\x2e\x10\x00\x90\x3e\x0d\x59\x21\x02\x00\x82\x10\x20\x59\x1d\x02\x00\xa0\x10\x08\x90\x3e\x0c\xc9\x21\x02\x1f\xf8\x21\x02\x05\x09\x1d\x02\x00\x90\x3e\x0c\xc8\x21\x02\x03\xd9\x1d\x02\x00\x90\x10\x01\x08\x21.*"],
+		['stream', ".*\xe9\xd4\x10\x05\xe3\x1c\x05\x05\x0b\x01\x7c\xd8\x03\x1c\x05\x05\x05\x65\x0b\x05\xcd\x80\x89\x46\x28\xb9\xff\x10\x05\x18\xd4\x62\x50\x50\xb8\x88\x00\x0c\xd8\x08\xd4\x62\x50\x50\xb8\x3d\x00\x0c\xd8\x08\xb4\x62\x85\x05\x0b\x8a.*"],
+		['stream', ".*\xe9\x79\x10\x05\xe5\x0b\x82\x00\x0c\xd8\x08\x5c\x0f\x85\xe6\x00\x08\xd5\x63\x88\x95\x62\x88\xd4\x64\x08\x94\x62\xc8\xd4\x64\x38\x94\x63\x08\xd4\x63\x05\x08\xd4\x62\x85\x05\x25\x0b\x83\xb0\x00\xcd\x80\x50\x50\xb8\x10\x00.*"],
+		['stream', "\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61.*"],
+		['packet', ".*\xAB\xCD\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x20\x20\x20\x20\x02\x61.*"],
+		['packet', ".*\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff\xff\xff\/bin\/.*"],
+		['packet', ".*\xb0\x3b\x53\x53\x56\x56\xeb\x10\xe8\xe5\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\xb0\x3b\x53\x53\x56\x56\xeb\x10\xe8\xe5\xff\xff\xff\/bin\/.*"],
+		['packet', ".*\xff\xff\/bin\/sh\/\xff\x2d\x63\xff.*"],
+		['stream', ".*\xff\xff\/bin\/sh\/\xff\x2d\x63\xff.*"],
+		['packet', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
+		['stream', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
+		['packet', ".*\xc7\x06\x2f\x62\x69\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c\x8d\x56\x10\x8d\x4e.*"],
+		['stream', ".*\xc7\x06\x2f\x62\x69\x6e\xc7\x46\x04\x2f\x73\x68\x41\x30\xc0\x88\x46\x07\x89\x76\x0c\x8d\x56\x10\x8d\x4e.*"],
+		['packet', ".*\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe6.*"],
+		['stream', ".*\xeb\x15\x59\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb3\x01\xb2\x50\xcd\x80\x31\xc0\xb0\x01\xcd\x80\xe8\xe6.*"],
+		['packet', ".*\xe8.\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
+		['packet', ".*\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82.*"],
+		['stream', ".*\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82\x4f\xff\xfb\x82.*"],
+		['packet', ".*\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34.*"],
+		['stream', ".*\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34\x24\x0f\x12\x34.*"],
+		['packet', ".*\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25.*"],
+		['stream', ".*\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25\x03\xe0\xf8\x25.*"],
+		['packet', ".*\x03\xff\xff\xcc\/bin\/.*"],
+		['stream', ".*\x03\xff\xff\xcc\/bin\/.*"],
+		['packet', ".*\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f.*"],
+		['stream', ".*\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f\x47\xff\x04\x1f.*"],
+		['packet', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
+		['stream', ".*\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80.*"],
+		['packet', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31.*"],
+		['stream', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31.*"],
+		['packet', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['packet', ".*\xb0\xb5\xcd\x80.*"],
+		['stream', ".*\xb0\xb5\xcd\x80.*"],
+		['packet', ".*\xb0\x17\xcd\x80.*"],
+		['stream', ".*\xb0\x17\xcd\x80.*"],
+		['packet', ".*\x90\x90\x90\x90\x90\x90\x31\xc0\x89\xc3\xb0\x02\xcd\x80\x38\xc3\x74\x05\x8d\x43\x01\xcd\x80\x31\xc0\x89\x45\x10\x40\x89\xc3\x89\x45\x0c\x40\x89\x45\x08\x8d\x4d\x08\xb0\x66\xcd\x80\x89\x45\x08\x43\x66\x89\x5d\x14\x66\xc7\x45\x16\x07\xd3\x31\xd2\x89\x55\x18\x8d\x55\x14\x89\x55\x0c\xc6\x45\x10\x10\xb0\x66\xcd\x80\x40\x89\x45\x0c\x43\x43\xb0\x66\xcd\x80\x43\x89\x45\x0c\x89\x45\x10\xb0\x66\xcd\x80\x89\xc3\x31\xc9\xb0\x3f.*"],
+		['packet', ".*\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80.*"],
+		['stream', ".*\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80\x08\x21\x02\x80.*"],
+		['packet', ".*\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80.*"],
+		['stream', ".*\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80\x0b\x39\x02\x80.*"],
+		['packet', ".*\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11.*"],
+		['stream', ".*\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11\x80\x1c\x40\x11.*"],
+		['packet', ".*\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08.*"],
+		['stream', ".*\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08\x3f\xff\x90\x08.*"],
+		['packet', ".*\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0.*"],
+		['stream', ".*\x20\x3b\x91\xd0\x20\x08\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0.*"],
+		['packet', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
+		['stream', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
+		['packet', ".*\x25\x0b\xcb\xc8\xa4\x14\xaf\x75\x27\x1c\xdc\x88.*"],
+		['stream', ".*\x25\x0b\xcb\xc8\xa4\x14\xaf\x75\x27\x1c\xdc\x88.*"],
+		['packet', ".*\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13.*"],
+		['packet', ".*\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6.*"],
+		['stream', ".*\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6\x13\xc0\x1c\xa6.*"],
+		['stream', ".*\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13\xa6\x1c\xc0\x13.*"],
+		['packet', ".*\x90\x1a\x40\x90\x82\x10\x20\x2e\x91\xd0\x20.*"],
+		['stream', ".*\x90\x1a\x40\x90\x82\x10\x20\x2e\x91\xd0\x20.*"],
+		['packet', ".*\x82\x10\x20\x17\x91\xd0\x20\x08.*"],
+		['stream', ".*\x82\x10\x20\x17\x91\xd0\x20\x08.*"],
+		['packet', ".*\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32\x2e\x64\x6c\x6c\x00.*"],
+		['stream', ".*\x6E\x64\x6C\x65\x41\x00\x73\x68\x65\x6C\x6C\x33\x32\x2e\x64\x6c\x6c\x00.*"],
+		['packet', ".*\xbf\xff\xd0\x8b\xf0\x5a\x43\x53\x52\x32\xe4\x83\xc3\x04\x88\x23\xb8\x28.*"],
+		['stream', ".*\xbf\xff\xd0\x8b\xf0\x5a\x43\x53\x52\x32\xe4\x83\xc3\x04\x88\x23\xb8\x28.*"],
+		['snmp-community', "\[\*?ilmi\]"],
+		['snmp-oid', "\x2b\x06\x01\x04\x01\x4D.*"],
+		['packet', "\x01\x00\x00\x00\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['snmp-oid-parsed', "\.1\.3\.6\.1\.4\.1\.11\.2\.3\.9\.1\.1\.13\.0"],
+		['packet', ".*\x30\x11\x06\x0d\x2b\x06\x01\x04\x01\x9e\x73\x02\x01\x0d\x01\x02(\x01|\x02).*"],
+		['stream', ".*Host \[v\]ersion [2-4]\..*"],
+		['packet', "(list|hide|show|info|proc|error|chat)"],
+		['stream', "conadministrator"],
+		['packet', "14Y3K[0-9]?[0-9]?[0-9]?[0-9]?[0-9]?"],
+		['packet', "Y3K.*"],
+		['packet', ".*--Ahhhhhhhhhh.*"],
+		['stream', ".*\* Doly trojan.*"],
+		['stream', ".*(INFO|scrnerron|scrnerroff|hidebar|showbar|runprog|OpenDL|CloseDL).*"],
+		['packet', "0`[A-z][A-z][A-z][A-z]"],
+		['stream', "ER 0\x0d\x0a.*"],
+		['stream', ".*OK\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20.*"],
+		['stream', ".*Connected to host \(.*"],
+		['stream', ".*Blade Runner ver .*"],
+		['stream', "\x20Remote > OK\.\.\..*"],
+		['stream', ".*\x0c\x00\x00\x00\x0e\x00\x00\x00Screen Capture\x0c.*"],
+		['packet', "(CURDIR|DRIVES|CD [A-Z]:\\)\x0d"],
+		['packet', "\*\?!\?[A-Z][A-Z].*\x0d"],
+		['stream', ".*CAFEiNi [0-9]\.[0-9].*"],
+		['stream', "\x20>>\x20\x20MTX Celine Trojan.*"],
+		['packet', "accept:.*"],
+		['stream', "(%NBMSGRESULT|@1%DONE|004200[0-9][0-9]T?).*"],
+		['stream', "Conectado!.*"],
+		['stream', "\|DRVS\|[A-Z],.*"],
+		['stream', "\|ENUMDRVS\|.*"],
+		['stream', "\x50\x6f\x6c\xb9\x63\x7a\x6f\x6e\x6f\x2e\x2e\x2e.*"],
+		['stream', "DCIClient[0-9][0-9].*"],
+		['stream', "DCIServer[0-9][0-9].*"],
+		['packet', "001"],
+		['packet', "085"],
+		['stream', "\/MSG,Rootbeer Rules!.*"],
+		['stream', ".*\x0d\x0aDRaT Version.*"],
+		['stream', ".*\x20\x20\x20DTr v\.[0-9]\.[0-9].*"],
+		['packet', "(s?invisible|s?visible|sunenabled|s?enabled|disabled|\[N\]umlock|\[C\]aps|\[S\]croll|emessage from duddie|progid|crazy);?"],
+		['stream', ".*ECLYPSE v[0-9]\.[0-9].*"],
+		['packet', "Execute[A-Z][A-z]+.*"],
+		['stream', "Frenzy [0-9](\.|[0-9]).*"],
+		['packet', "(icq|gui|cli|det|eet|gaa|sth|sts|eyo|eyf|tiz|wvr|rab|rao)"],
+		['packet', "(password|FileSend|FileGet|MsgBox|unkillbutton|killbutton|lockCAD|unlockCAD|disconnect);"],
+		['stream', "GirlFriend Server [0-9].*"],
+		['packet', "(hidetaskbar|showtaskbar|openformessage|test|hidedesktop|showdesktop)"],
+		['stream', ".*R_Server version:[0-9].*"],
+		['packet', "Execute[A-z].*"],
+		['packet', "(hidestart|showstart|hidetaskbar|showtaskbar|4testmassage)"],
+		['stream', ".*intrudordedicated.*"],
+		['stream', ".*Kid Terror [0-9]\.[0-9].*"],
+		['stream', "\|FOLDERS\|xxxROOTxxx"],
+		['packet', ".*SH@H SERVER [0-9]\.[0-9]*"],
+		['packet', "(x|w|r|tbarh|tbars|rappv)"],
+		['stream', "00Ver\. [0-9]\.[0-9]+,.*"],
+		['stream', ".*(\xa9HaHa |\xd0\"[0-9][0-9][0-9]\" \"[0-9][0-9]?[0-9]?\").*"],
+		['packet', "\.(hidetask|showtask|notepad)"],
+		['stream', ".*One Server.*"],
+		['packet', "(messagebox|inputboxman)"],
+		['packet', "(0400004.*|25|31)"],
+		['stream', "220 Mandar\/Receber Arquivos no PCI\.\x0d\x0a.*"],
+		['stream', ".*Product Name       :.*"],
+		['packet', "(get drives|get user|get info)"],
+		['packet', "0x100"],
+		['stream', "Hook\x0d\x0a\x0d\x0a\0133\.remote hack.*"],
+		['stream', ".*(get|kill [0-9]+)OK.*"],
+		['packet', ".?Connected to The Revenger.*"],
+		['stream', ".*(WINDIR|SYSDIR|ABCJZDATEIEV|FILELAENGE|GETUSER|COUNTRY).*"],
+		['stream', "-=COM:.*"],
+		['packet', "0\.9[0-1]"],
+		['packet', "The Unexplained\.\.\..*"],
+		['packet', "(download[A-z]:\\|msg%|tit%).*"],
+		['stream', ".*LoginUploaderServer.*"],
+		['stream', "[^|]+\|[^|]+\|cmd:.*"],
+		['packet', "(fil[A-z]:\\.*|msg.*|apa)"],
+		['stream', "MANAGER_FILE_GETDRIVES\x00\x09\x00"],
+		['packet', "PING\x00\x09\x00"],
+		['stream', "0400000000.*"],
+		['packet', "0[0-9]00000000"],
+		['stream', "WindowsMite Server v1.0 Port 65530.*"],
+		['stream', "WinCrash Server [0-9].*"],
+		['stream', "This Program can not be opered by a Telnet Conection\.Use WinCrash Client 1\.03\.  Get it at www\.wincrash\.cjb\.net.*"],
+		['http-text-html', ".*WANRemote 3\.0 - Main Menu.*"],
+		['packet', "(text:.*|opennotepad|config|listen|stop listen)"],
+		['packet', "(CDTRAY\/OPEN|FLASH-COLORS\/.*)"],
+		['stream', "\x01\x00\x00\x00\x01\x00\x00\x00\x08\x08.*"],
+		['stream', "# \+---------------------------\+.*"],
+		['stream', "[^Y]+YOU ARE NOW CONNECTED TO[^C]+C r e d i t s[^v]+v2\.[0-9]+\..*"],
+		['http-url-parsed', ".*\/test\/tracker\.exe.*"],
+		['telnet-user', "\[backdoor\]"],
+		['telnet-user', "\[d13hh\][[]"],
+		['telnet-user', "friday"],
+		['telnet-user', "hax0r"],
+		['telnet-user', "lrkr0x"],
+		['telnet-user', "r00t"],
+		['telnet-user', "rewt"],
+		['telnet-user', "satori"],
+		['telnet-user', "StoogR"],
+		['telnet-user', "w00w00"],
+		['telnet-user', "wank"],
+		['telnet-user', "wh00t"],
+		['stream', ".*BN.*"],
+		['stream', ".*FC .*"],
+		['stream', ".*c:\\.*"],
+		['stream', "[0-9]+\x00[^\0]+\x00bin\x00.*"],
+		['stream', "[0-9]+\x00[^\0]+\x00echo\x00.*"],
+		['stream', "[0-9]+\x00[^\0]+\x00root\x00.*"],
+		['finger-user', "\."],
+		['finger-user', "0"],
+		['stream', "[^@]* .*"],
+		['stream', ".*\x00.*"],
+		['stream', ".*\|.*"],
+		['finger-user', "root"],
+		['finger-user', "\/.*"],
+		['finger-host', ".*([\000-\010]|[\013-\014]|[\016-\037]|[\0177-\0377]).*"],
+		['stream', ".*killme.*"],
+		['stream', ".*betaalmostdone.*"],
+		['stream', ".*gOrave.*"],
+		['stream', ".*dos .*"],
+		['stream', ".*killdead.*"],
+		['stream', ".*mdie .*"],
+		['stream', ".*mdos .*"],
+		['stream', ".*mping .*"],
+		['stream', ".*msize .*"],
+		['packet', ".*HELLO.*"],
+		['packet', ".*PONG.*"],
+		['packet', ".*HELLO.*"],
+		['packet', ".*PONG.*"],
+		['stream', ".*trinoo>.*"],
+		['packet', ".*[[][]]\.\.Ks.*"],
+		['packet', ".*bbb .*"],
+		['packet', ".*d1e .*"],
+		['packet', ".*png .*"],
+		['packet', ".*alive.*"],
+		['packet', ".*alive.*"],
+		['packet', ".*alive tijgu.*"],
+		['stream', ".*!@#\x0d.*"],
+		['packet', "newserver"],
+		['packet', "pong"],
+		['packet', "pong"],
+		['packet', "pong"],
+		['packet', "pong"],
+		['packet', "ping.*"],
+		['http-url-parsed', ".*org\.apache\.catalina\.servlets\.DefaultServlet\/[^ ]\.jsp.*"],
+		['http-header-referer', "http:\/\/host\/xxxxxx\/exp\.php\?hi_lames=haha"],
+		['http-url-parsed-param', ".*\[htgrep(\/|\?)file=index\.html&hdr=\/\].*"],
+		['stream', ".*\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a\x0d\x0a.*"],
+		['http-url-parsed-param', "\/bin\/wintty\.exe\?%2dt\+.*"],
+		['http-url-parsed', ".*\/\[WEB-INF\]\.(\.)?\/"],
+		['http-header', "\[Content-Length\]: -.*"],
+		['http-url-parsed-param', ".*\x0d?\x0a(\040|\011)*([A-z]|[0-9]|-)+:.*"],
+		['http-request', "\[CONNECT\] .+\..+\..+\..+:[0-9]+ HTTP\/.*"],
+		['http-url-parsed-param', ".*\[\/newdsn\.exe\]\?[^\012]*\[dbq\]=\/?\.\.\/.*"],
+		['http-url-parsed', "\/\[adsamples\/config\/site\.csc\].*"],
+		['http-url-parsed-param', "\/\[iissamples\/exair\/howitworks\/codebrws\.asp\?*source=\].*"],
+		['http-url-parsed', ".*\[\/(cgi-bin|scripts)\/cmd(32)?\.exe\]"],
+		['http-header', ".*\[xp_cmdshell\].*"],
+		['http-url', ".*\[%(0a|20)\.pl\].*"],
+		['http-request', "GET x HTTP\/1\.0.*"],
+		['http-url-parsed', ".*\/\[repair\/sam\]\._.*"],
+		['http-url-parsed', ".*\/(\[winnt\]|\[windows\])\/\[system32\]\/\[cmd\.exe\].*"],
+		['http-data', ".*<[^>]+xmlns:.=.\[DAV\][^>]+>.*<u:.+"],
+		['http-url', "\/%69%6E%64%65%78%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E%2E.*"],
+		['http-url-parsed-param', ".*\?[^ ]*<%00\[script\].*"],
+		['http-url-parsed', ".*\[(scripts|msadc)\/sensepost\.exe\].*"],
+		['http-url-parsed-param', ".*\.\[htw\]\?[^\000]*\[CiWebHitsFile\]=[^&]+(%20|\[(qfullhit|qsumrhit)\.htw\]).*"],
+		['http-url-parsed', ".*\[msadcs\.dll\/VbBusObj\].*"],
+		['http-data', ".*\[SELECT DAV:displayname from\]\x0a?[ ]*\[SCOPE\]\(\".*"],
+		['http-data', ".*<a:displayname \/><u:VVVVVVVVVVVVVV.*"],
+		['http-url-parsed-param', ".*\/scripts\/convert\.bas\?\/?\.\.\/.*"],
+		['http-url-parsed', ".*\/local\/httpd$map\.conf.*"],
+		['http-url-parsed', ".*\/(-)+\/\*(\.\*)?.*"],
+		['http-url-parsed-param', ".*\[\/StreamingStatistics\?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9])\].*"],
+		['http-url-parsed-param', ".*\[\/PortInformation\?([1-9][0-9][0-9][0-9][0-9][0-9]|[3-9][2-9][7-9][6-9][8-9]|[3-9][3-9][0-9][0-9][0-9])\].*"],
+		['http-url-parsed', ".*\/\[vti_pvt\/administrators\.pwd\].*"],
+		['http-url-parsed-param', ".*\/\[_vti_bin\/_vti_aut\/dvwssr\.dll\?\].*"],
+		['http-url-parsed-param', ".*\/\.\.\.\.\/.*"],
+		['http-url-parsed', ".*\/\[_vti_pvt\/services\.pwd\].*"],
+		['http-url-parsed', "\/\[main\]\/\[(config\.bin|profile\.wlp|event\.logs)\]"],
+		['http-url-parsed-param', ".*\[\/win-c-sample\.exe\?.*(cmd\.exe|command\.com)\]"],
+		['http-request', "GET \/[^ ]* HTTP\/...[^\012]*\.[0-9].*"],
+		['stream', "\[(GET|POST|HEAD)\] \/[^ ]* HTTP\/...[^ ]*\.[0-9].*"],
+		['http-url', "\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
+		['http-url-parsed', ".*\/wwwboard\/passwd\.txt.*"],
+		['http-url-parsed-param', ".*\.htaccess"],
+		['http-url-parsed', ".*\[admin_files\/order\.log\]"],
+		['http-url-parsed', "\/fpdb\/shop.mdb.*"],
+		['http-url-parsed', "\/\[WEB-INF\]\.\/.*"],
+		['http-url', "\/\[upnp\/service\/(%2e|\.)(%2e|\.)(%2f|\/)netgear\.cfg\].*"],
+		['http-url', ".*\.\[jsp\](%00|%20).*"],
+		['http-url-parsed-param', ".*\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\"\">>>>>>>>>>>>.*"],
+		['http-url-parsed-param', "\/\[cgi-bin\]\/\[cart32.exe\]\/\[expdate\]"],
+		['http-url-parsed-param', ".*\/\.\[htpasswd\]"],
+		['http-url-parsed', "\/ver\.asp"],
+		['http-url-parsed-param', ".*\[boot\.ini\].*"],
+		['http-url-parsed', ".*\/\[XSQLConfig\.xml\]"],
+		['http-url-parsed', ".*\.\[DS_Store\]"],
+		['http-request', "\[GET\]\.\..*"],
+		['http-url', "(%%%|%%%%%)"],
+		['stream', "\[(GET|HEAD|POST|PUT|DELETE|LINK|UNLINK)\][^\012]*\[http:\/\/\]@@+[^\012]*[\012].*"],
+		['http-url-parsed-param', ".*\[http\]:\/\/?@@+.*"],
+		['http-url-parsed', ".*\.\[(w|e)mf\]"],
+		['http-url-parsed', ".*\.\[job\]"],
+		['http-url-parsed-param', ".*\Xeb 5f 9a ff ff ff ff 07 ff c3 5e 31 c0 89 46 9d\X.*"],
+		['http-url-parsed', ".*\.\[jsp\](\+|\\).*"],
+		['stream', "\x7c\x53\x61\x4d\x61\x4e\x7c"],
+		['http-header-host', ".*([\000-\054]|\057|[\073-\0100]|[\0133-\0136]|\0140|[\0173-\0377]).*"],
+		['http-url-parsed-param', ".*\.\[htw\]\?[^ ]*\[CiWebHitsFile\]=[^&]+&\[CiRestriction\]=\"<.*"],
+		['http-url-parsed', ".*(<|&\[lt\];)\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\][^>]*(>|&\[gt\];).*"],
+		['http-url-parsed-param', ".*\?[^<]*(<|%(\[u\]00)?3\[C\])\/?\[(SCRIPT|OBJECT|APPLET|EMBED|FORM|IFRAME|META)\].*(>|%(\[u\]00)?3\[E\]).*"],
+		['http-url', ".*search\.php\?search=a(%27%20|%25%27).*"],
+		['http-url', ".*\[(discuss\.asp\?discussblurbid=|author\.asp\?authornumber=).*%3B%20FLUSH%20PRIVILEGES%3B\].*"],
+		['stream', "\[(GET|POST)[ ]+\/SimpleBar\.dll\/RunReport\]\?.*"],
+		['http-url-parsed-param', ".*edit\.php\?a=pre&submit=&auth=1&sid=[0-9]+--"],
+		['http-url-parsed-param', ".*\/modules\.php(\?|\/)[^ ]+&sortby=\[(select|insert|uname|update|explain)\].*"],
+		['http-url-parsed-param', ".*\/\[browse_item_details\.asp\]\?[^\012]*Item_ID=[^;]*;.*"],
+		['http-url', ".*\/([a-z]|[A-Z]|\.)+\.%00\.txt.*"],
+		['http-url', "\/ext\.ini\.% ?00\.txt"],
+		['http-request', "GET[ ]+HTTP\/1\.0"],
+		['http-url', "\/(\.\.\.\/)+\/.*"],
+		['http-url-parsed-param', ".*\[mfcisapicommand=PassThru\].*"],
+		['http-url-parsed-param', ".*\/\[apexec\.pl\?.*template\]=\/?\.\.\/.*%00.*"],
+		['http-url-parsed', ".*\/fezmall2000\/mall_log_files\/forder\.log"],
+		['http-url-parsed', ".*\[\/servlet\/ServletExec\].*"],
+		['http-url-parsed-param', ".*\/\[websendmail\?.*query\]=';.*"],
+		['http-url', ".*(user_logged_in=true|user_dnstools_administrator=YES).*"],
+		['http-url', ".*db4web_c\.exe\/(([a-z]|[A-Z]|[0-9])*\/)*.%3A%5C.*"],
+		['http-url', ".*\/\[db4web_c\]\/[^ ]*\/\/.*"],
+		['stream', ".*\[GET[ ]+\/surf\/scwebusers\].*"],
+		['http-url-parsed-param', ".*\/Carello\.dll\?VBEXE=[a-z]:\\\.\\.*"],
+		['stream', ".*\[(GET|POST)\] \/cgi-bin\/\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\\.\.\\winnt\/.*"],
+		['http-url-parsed', ".*\/web\/usermgr\/userlist\.asp.*"],
+		['http-url-parsed-param', ".*\[tuxadm\.exe\]\?[^\012]*INIFILE=\[(CON|AUX|COM1|COM2|COM3|COM4)\].*"],
+		['http-url-parsed-param', ".*\/\[catalog_type\.asp\]\?[^\00]*\[ProductType\]=\|\[shell\]\(.*"],
+		['http-url-parsed-param', "\/\[cgi-bin\/webplus\?.*script=\/?\.\.\/\]"],
+		['http-url-parsed-param', ".*\[\/webplus\.cgi\?.*Script=\/webplus\/webping\/webping\.wml\].*"],
+		['http-url-parsed-param', ".*bb-hist.sh\?.*\.\.\/\.\..*"],
+		['http-url-parsed-param', ".*\/cgi-bin\/bb-(hist|histlog|hostsvc|rep|replog|ack)\.sh\?.*[A-Z]+=\/"],
+		['http-url', ".*%00.\[jsp\]"],
+		['http-url', ".*%00x"],
+		['http-url-parsed-param', ".*\[ExprCalc\.cfm\?.*OpenFilePath=\].*"],
+		['http-text-html', ".*\[codeBase=hhctrl\.ocx\].*"],
+		['http-text-html', ".*<[^>]*\[telnet\]:\/\/(-|(&055;)|(%55))(n|f)((%20)| |%2f|\/|\.\.\/)+[^>]*>.*"],
+		['http-text-html', ".*<[^>]*\[notes\]:( |\011)?(\042|\047)?=[\0134][\0134][^>]*[\0134]\[notes\.ini\][^>]*>.*"],
+		['http-text-html', ".*<\[img\][^>]+(\[width\]|\[height\])=[0-9][0-9][0-9][0-9][0-9][0-9]+[^>]*>.*"],
+		['http-data', "\0377WPC..\000\000\001\012.*"],
+		['http-url-parsed', ".*\.\[w(al|sz)\]"],
+		['http-header-content-type', "\[application\/hta\]"],
+		['http-text-html', ".*<\[iframe\][^>]*\[src=\][^>]+\.\[exe\][^>]*>.*"],
+		['http-data', ".* = (\"|')\x33\xdb\x8b\xd4\x80\xc6\xff\xc7\x42\xfc\x63\x6d\x64\x01\x88\x5a\xff\x8d\x42\xfc\x8b\xf5\x56\x52\x53\x53\x53\x53\x53\x53\x50\x53\xb8\x41\x77\xf7\xbf\xff\xd0\xb8\xf8\xd4\xf8\xbf\xff\xd0\xcc(\"|').*"],
+		['http-data', "BM....\00\00\00\00[\0200-\0377].*"],
+		['http-header', "\[content-disposition\]:(\040|\011)*\[attachment\](\040|\011)*;(\040|\011)*\[filename\](\040|\011)*=(\040|\011)*[^\000]*\.{[^\055]+-[^\055]+-[^\055]+-[^\055]+-[^\055]+}.*"],
+		['http-text-html', ".*<\[SCRIPT\].*(\[Create\]|\[ActiveX\])\[Object\](\((\"|\')?|[ ]+)\[Shell\.Application\].*\[\.ShellExecute\].*"],
+		['http-text-html', ".*<\[SCRIPT\].*=( |\x09)*\[location\.assign\]( |\x09)*;.*"],
+		['http-text-html', ".*<\[iframe\][^>]+\[src\]=(\047|\042)?\[mhtml\]:[^\041]+\041[^>]+.*"],
+		['http-text-html', ".*<\[a\][^>]*\[href\](\040|\011)*=(\040|\011)*(\"|')?\\\\.*"],
+		['http-header-content-location', ".*\?[0-5][0-5][0-5];.*"],
+		['http-text-html', ".*\[document\.execCommand\(\"SaveAs\"\][^\051]*\.\[(pif|scr|exe|cmd|bat|zip|com|js)\]\"\).*"],
+		['http-text-html', ".*<[^>]*\[(href|src)\](\040|\011)*=(\040|\011)*(\"|')?\[shell:\].*"],
+		['http-text-html', ".*\.initKeyEvent(\(| )(\"|')?keypress(\"|')?, ?(\"|')?true(\"|')?, ?(\"|')?true(\"|')?, ?(\"|')?window(\"|')?, ?(\"|')?(false|true)(\"|')?, ?(\"|')?false(\"|')?, ?(\"|')?(false|true)(\"|')?, ?(\"|')?false(\"|')?, ?45, ?0, ?(\"|')?text(\"|')?\)?;.*"],
+		['http-text-html', ".*classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11.*"],
+		['http-data', "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a....IHDR(([^\00])|(\00[^\00])|(\00[\00][\0177-\0377])).*"],
+		['http-data', "\x89\x50\x4e\x47\x0d\x0a\x1a\x0a....IHDR....(([^\00])|(\00[^\00])|(\00[\00][\0177-\0377])).*"],
+		['http-text-html', ".*<([a-z]|[A-Z])+[^>]+\[hcp\]:\/\/([\000-\041]|[\043-\046]|[\050-\0377])*(\"|&\[quot\];|&#34;)([\000-\041]|[\043-\046]|[\050-\0377])*-\[url\][ ]+(\"|&\[quot\];|&#34;).*"],
+		['http-url-parsed', "\/cgi-bin\/nph-test-cgi"],
+		['http-url-parsed', ".*\/\[(prn|con|aux|nul|com\][1-9]|\[lpt\][1-9])\.(\[asp|cgi|html?)\].*"],
+		['http-url-parsed-param', ".*\[cmd1?\.exe=?\].*"],
+		['http-url-parsed-param', ".*\[scripts\/root\.exe\].*"],
+		['http-url-parsed-param', ".*\[rguest\.exe\?.*template=[a-z]:\].*"],
+		['http-url-parsed-param', ".*\[wguest\.exe\?.*template=[a-z]:\].*"],
+		['http-url-parsed-param', ".*\/search\.cgi\?.*keys.*cat(e|i)gory=\.\.\/.*"],
+		['http-url-parsed-param', ".*\/cgi-bin\/bizdb1-search\.cgi(\?|\/)[^\012]*\[dbname=\].*"],
+		['http-url-parsed-param', ".*\[\/survey\.cgi\]\?.*(\||<|>|;).*"],
+		['http-url-parsed-param', ".*\/\[whois_raw\.cgi\]\?[^\00]*\[fqdn\]=[^\00]*(%0A|%20).*"],
+		['http-url-parsed-param', ".*\/\[Poll_It_SSI\][^.]*\.\[cgi\]\?[^\012]*\[data_dir\]=[^\012]*%00"],
+		['http-url-parsed-param', ".*\[\/(post32\.exe|lsindex2\.bat)\|\]"],
+		['http-url-parsed', "\[\/_private\/shopping_cart\.mdb\]"],
+		['http-url-parsed-param', ".*\/\[formmail\.cgi\?.*env_report\]=[A-Z]+"],
+		['http-url', ".*\[\/shop\.cgi\/page=\/?\.\.\/\].*"],
+		['http-url-parsed-param', ".*\/\[info2www\]\?\((\.\.\/)+[^\0174]*\|\).*"],
+		['http-url-parsed-param', ".*\/\[hsx\.cgi\?.*show\]=\?\.\.\/.*%00"],
+		['http-url-parsed-param', ".*\[\/cached_feed\.cgi\?.*\.\.\/\]"],
+		['http-url', ".*%00.*"],
+		['http-url-parsed-param', ".*\[\/ows-bin\/.*\]\?&"],
+		['http-url-parsed-param', ".*\[\/webspirs\.cgi\?.*sp.nextform=\/?\.\.\/\]"],
+		['http-url-parsed-param', ".*\[YaBB\.pl\?.*num\]=.*(\/?\.\.\/|%00).*"],
+		['http-url-parsed-param', "\/\[cgi-bin\/infosrch\.cgi\?.*fname\]=\|"],
+		['http-url-parsed-param', ".*\/\[authenticate\.cgi\?.*PASSWORD.*config\.ini\].*"],
+		['http-url-parsed-param', ".*\[\/commerce\.cgi\?.*page=\/?\.\.\/.*%00\].*"],
+		['http-url-parsed-param', ".*\[\/dcboard\.cgi\]\?.*(\||;|\/?\.\.\/).*"],
+		['http-url-parsed', ".*\/aglimpse[^|]*\|.*"],
+		['stream', "\[POST\] \[\/cgi-bin\/w3-msql\/\][^\000]+\[content-length\]:[ ]+[1-9][0-9][0-9][0-9]+.*"],
+		['http-url-parsed-param', ".*\/\[main\.cgi\]\?[^\012]*\[filename\]=\/?\.\.\/.*"],
+		['http-url-parsed-param', ".*\/\[print\.cgi\]\?[^\012]*\[board\]=\/?\.\.\/.*"],
+		['http-header', "\[content-length\]:.*\x8b\x74\x24\xfc\xb8\x2e\x61\x68\x6d\x05\x01\x01\x01\x01\x39\x06.*"],
+		['http-url', "query\?mss=.*(\.\.|%2e%2e).*"],
+		['http-url', "\[\/cgi-bin\/htsearch\?exclude=%60.*\]"],
+		['http-url-parsed-param', ".*\/\[emumail\.cgi\]\?[^\012]*type=[^&]*%00.*"],
+		['http-header-user-agent', ".*Hackscape\/1\.0 (j00r asS gonna gets 0wned).*"],
+		['stream', ".*POST \/cgi-bin\/formtest\.cgi HTTP\/1\.0\x0aConnection: close\x0aUser-Agent: (\x90)+\xeb\x30\x5e\x89\x76\x3b\x31\xc0\x88\x46\x08\x88\x46\x0b\x88\x46\x3a\x89\x46\x47\xb0\x0b\x8d\x5e\x09.*"],
+		['http-url', "\x2f\x63\x67\x69\x2d\x62\x69\x6e\x2f\x73\x61\x6d\x70\x6c\x65\x33\x2e\x63\x67\x69\x3f\x6e\x61\x6d\x65\x3d(\x58\x58)+\x24\xfc\xff\xbf\x26\x61\x64\x64\x72\x65\x73\x73\x3d\x74\x65\x73\x74\x26\x74\x65\x6c\x65\x70\x68\x6f\x6e\x65\x3d\x74\x65\x73\x74\x20\x48\x54\x54\x50\x2f.*"],
+		['http-url-parsed-param', ".*smartsearch\.cgi\?[^ ]*keywords=\|.*"],
+		['http-url-parsed-param', ".*\[parse_xml\.cgi(\?|\/)filename\]=\.\.\.?\/.*"],
+		['http-header-cookie', ".*lang=([^A-z]|[\0133-\0140]).*"],
+		['http-url-parsed-param', ".*\/none\.php\?(\.\.:|\/).*"],
+		['http-url-parsed-param', ".*\/\[viewCart\.asp\]\?[^\00]*\[userID\]=[^&]*'.*"],
+		['http-url-parsed-param', "\/reports\.cgi\?output=show_chart&product=[^&]+&datasets=1"],
+		['http-request', "\[GET\] \/cgi-bin\/helpout\.exe (HTTP|HTTP\/)?"],
+		['http-url-parsed', "\/(\[webadmin\]|\[names\]|\[log\])\.\[ntf\]..........[^\012]*\.\[nsf\]"],
+		['http-url-parsed', ".*\.(pl|exe|csp)(\.| \.|%20\.|%20%2\[e\])"],
+		['http-request', "\[GET !\"#\].*"],
+		['http-url-parsed', "\/servlet\/con"],
+		['http-url', "\/sw[0-9]+\/cgi\/device_reset\?.*"],
+		['http-url-parsed', "%"],
+		['stream', ".*POST \/cgi-bin\/\[([a-z]|[0-9]|\.)+\] HTTP\/1\.0\x0d\x0aContent-Length: 111111111111111111111111111\x0d\x0a\x0d\x0aA\x0d\x0a\x0d\x0a.*"],
+		['http-request', "\[OPTIONS \/AAAAAAAAAAAA[A]+\.html\].*"],
+		['stream', "GET \/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/[^ ]* HTTP\/1\.[0-1].*"],
+		['http-url-parsed', "(\/aux\/aux\/|\/con\/con)"],
+		['http-url-parsed-param', "\/cgi-bin\/hpnst\.exe(\?|\/)c=p\+i=hpnst\.exe"],
+		['http-header', "(connection|range):"],
+		['http-url-parsed-param', "\/emailpwdreset\.srf\?lc=1033&em=[^@]+@hotmail\.com&[^\012]*prefem=[^@]+@([^h]|[^H])[^&]+&rst=1"],
+		['stream', ".*(uname|bin\/ls|bin\/id|bin\/nc|bin\/g?cc|bin\/(send)?mail|ifconfig|bin\/(k|ba|z|c|tc)?sh).*"],
+		['http-url-parsed-param', ".*\[\/admin\/browse.asp?.*FilePath=(c|d|e|f|g):\\.*&Opt=2&.*level=0\].*"],
+		['http-url-parsed-param', "\/cgi-bin\/wrap\?\/?\.\.\/.*"],
+		['http-url-parsed', "\/cgi-bin\/\.cobalt\/overflow\/overflow\.cgi"],
+		['http-url-parsed', "\/cgi-bin\/\.cobalt\/overflow\/overflowTestEmail\.cgi"],
+		['stream', ".*GET \/\.cobalt\/sysManage\/\.\.\/admin\/[^\040]+ HTTP\/1\.[0-1].*"],
+		['stream', ".*(GET|POST) \[\/cgi-bin\/\.cobalt\/alert\/service\.cgi\]\?.*service=\/\[AAAAAAAAAAAAAAA[A]+\].*"],
+		['http-url-parsed-param', ".*\/\[my?log\.p?html\?.*screen\]=.*\/.*"],
+		['http-url-parsed-param', ".*\/\[php\.cgi\]\?(\/|\.\.)"],
+		['http-url-parsed-param', ".*\/[^.]*\.\[php\]\?[^\012]*_PHPLIB\x5Blibdir\x5D=.*"],
+		['http-url', ".*dostuff.php.*"],
+		['http-url', ".*\[member\.php\?.*&+member='%20OR%20(password='PASSWORD|status='ADMINIST)\].*"],
+		['http-url', ".*\[\/misc\.php\?.*&?send=yes.*&loser='%20OR%20password='PASSWOR\].*"],
+		['http-url', ".*\[\/pm\.php\?.*action=reply.*&pmid=.+\].*"],
+		['http-url-parsed', ".*midicart\.mdb.*"],
+		['http-url-parsed-param', ".*\[index\.php\]\?[^\012]*\[m=projects\][^\012]*&\[user_cookie\]=1.*"],
+		['http-url-parsed-param', ".*class\.atkdateattribute\.js\.php(\?|\/).*&?config_atkroot=(http|ftp):.*"],
+		['http-url', ".*summary_graph_functions\.php\?.*\[g_jpgraph_path=http(:\/\/|%3A%2F%2F)\].*"],
+		['http-url', ".*login_page\.php\?.*g_meta_include_file=http(:\/\/|%3A%2F%2F).*"],
+		['http-url-parsed-param', ".*\/(template|reply)\.php(\?|\/)nm=\.\.\/users.*"],
+		['http-url', ".*board\.php\?boardid=[^\/]*%27,%20userid=%27.*"],
+		['http-url-parsed-param', ".*calendar\.php\?calbirthdays=[0-9][^ ]*&action=getday[^ ]*&comma=%22;echo.*"],
+		['http-url-parsed-param', ".*customize\.php\?l=http:\/.*"],
+		['http-url', ".*avatar\.php\?img=3D\.\.\/secret\/connect\.php.*"],
+		['http-url-parsed-param', ".*\/aff_news\.php\?chemin=http:\/\/.*"],
+		['http-url', ".*\.php\?uid='%20OR%20''='&pwd='%20OR%20''='"],
+		['http-url-parsed-param', ".*\[customize\.php\]\?\l=\/.*"],
+		['http-url-parsed-param', ".*\/email\.php(\?|\/)[^&]+&cer_skin=http:\/\/.*"],
+		['http-url-parsed-param', ".*\/lib\/emailreader_execute_on_each_page\.inc\.php(\?|\/)emailreader_ini=http:\/.*"],
+		['http-url-parsed-param', ".*\/\[ssi\.php\](\?|\/)[^\012]*\[sourcedir=(\"|')?http\]:\/\/.*"],
+		['http-url-parsed-param', ".*\[mainfile\.php\]\?[^ ]*MAIN_PATH=\[(http|ftp)\]:\/\/.*"],
+		['http-url-parsed-param', ".*\/artlist\.php\?root_path=http:\/\/.*"],
+		['http-url-parsed-param', ".*\/config\.php\?root_path=http:\/\/.*"],
+		['http-url-parsed-param', ".*\/thatfile\.php\?root_path=http:\/\/.*"],
+		['http-url-parsed-param', ".*\/auth\.inc\.php\?user=JyBPUiAnJz0nOjE6JyBPUiAnJz0n.*"],
+		['http-url', ".*\/modules\.php\?name=News&file=article&sid=[0-9]+%20or%20.*"],
+		['http-url-parsed-param', ".*modules\.php(\?|\/)name=Search([^\012]|[^\015])*&days=[0-9]+\+or\+mid\(a\.pwd.*"],
+		['http-url-parsed-param', ".*\[modules\.php\](\?|\\)[^\012]*(c|l|art|sec)id=-?[0-9]+(\+|%20)\[UNION\](\+|%20).*"],
+		['http-url-parsed-param', ".*\/\[modules\.php\]\?[^\012]*&\[sid\]=[^&]*\[UNION\].*"],
+		['http-url-parsed-param', ".*\[index\.php(\?|\/)forum_id=[0-9]+\+or\].*"],
+		['http-url-parsed-param', ".*\/\[prefs\.php\](\?|\/)([^ ]|[^\012]|[^\015])*&lang=\/\.\.\/.*"],
+		['http-url-parsed-param', ".*\[profile\.php\]\?[^\012]*\[mode=viewprofile\][^\012]*&\[u\]='.*"],
+		['http-url-parsed-param', ".*search\.php\?[^\012]*search_id=[0-9]+(\+|%20)\[union\].*"],
+		['http-url-parsed-param', ".*(captionator|errors\/(configmode|needinit|reconfigure|unconfigured))\.php\?GALLERY_BASEDIR=.*"],
+		['http-url-parsed-param', ".*\/\[setup\.cgi\]\?[^\012]*\[todo=debug\].*"],
+		['http-url', ".*(SnoopServlet|TroubleShooter).*"],
+		['http-url-parsed', ".*\/examples\/servlet\/(AUX|LPT1|CON|PRN).*"],
+		['http-url', ".*\x00\.jsp"],
+		['http-request', ".*\x00\.\[jsp\].*"],
+		['http-url-parsed', "\/cgi-bin\/rpm_query"],
+		['stream', ".*NOTIFY \* HTTP\/1\.1\x0d\x0aHOST: 239\.255\.255\.250:1900\x0d\x0a.*USN: uuid:QB0X\x0d\x0a\x0d\x0a\x0d\x0a.*"],
+		['stream', ".*\xE3\x24\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xE3\x03\x00\x00\x00\x4E\x00\x00.*"],
+		['stream', ".*\xc4\x01\x13\x00\xf0\x03\xea\x03\x01\x00\xea\x03\x06\x00\xae\x01\x4d\x53\x54\x53\x43\x00\x11\x00\x00\x00\x01\x00\x18\x00\x01\x00\x03\x00\x00\x02\x00\x00\x00\x00\x05\x04\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x1c\x00\x08\x00\x01\x00\x01\x00\x01\x00\x00\x05\x00\x04\x00\x00\x01\x00\x01\x00\x00\x00\x01\x00\x00\x00\x03\x00\x58\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x14\x00\x00\x00\x01\x00\x00\x00\x2a\x00\x01\x00\x01\x01\x01\x00\x00\x01\x01\x01\x00\x01\x00\x00.*"],
+		['stream', ".*@PJL RDYMSG DISPLAY =.*"],
+		['stream', ".*@PJL RDYMSG DISPLAY =.*"],
+		['http-url-parsed-param', "(.*\/error\?\/?)|(\?)"],
+		['stream', ".*\[POST \/plugins\/framework\/script\/content\.hts\].*"],
+		['http-url-parsed-param', ".*\[\/plugins\/framework\/framework\.ini\].*"],
+		['ftp-pathname', "\*\?AAAAAA.*"],
+		['ftp-sitestring', "\[cpwd\].*"],
+		['stream', ".*\x4d\x4b\x44\x20\x90\x90\x90\x90\x90\x31\xdb\x31\xc9\xeb\x12\x5e\xbf\x10\x10\x10\x10\xb1\x21\x29\x7e\x01\x83\xc6\x04\xe2\xf8\xeb\x05\xe8\xe9\xff\xff\xff\xff\xff\xff\x90\xfb\x5d\x6e\x41\xd0\xc0\x27\x63\x63\xaa\x10\x10\x10\x10\x17\x10\x41\xd0\xc0\x60\x9d\x8e.*"],
+		['ftp-put-filename', "\/bin\/(ls|cd).*"],
+		['ftp-sitestring', "\[exec\].*"],
+		['ftp-pathname', "@\/\.\.@\/\.\..*"],
+		['ftp-pathname', ".*-w [1-9][0-9][0-9][0-9][0-9].*"],
+		['ftp-pathname', "\*\*\*\*\*\*\*\*\*.*"],
+		['ftp-password', "root"],
+		['ftp-pathname', ".*\.%20\..*"],
+		['line', "\[CWD\] .*\.\.\/\.\."],
+		['ftp-get-filename', "\/?\.\.\/\.\.\/\.\.\/.*"],
+		['ftp-put-filename', ".*\.\.\/autoexec\.bat"],
+		['ftp-pathname', ".*\.?\*\.?\/\.?\*?\??\.?\/\*?.*"],
+		['ftp-username', ".*(%[0-9]*(n|h|s|x))+.*"],
+		['ftp-username', "\[root\]"],
+		['telnet-user', "root"],
+		['http-url-parsed-param', ".*(c|d)\/inetpub\/scripts\/root\.exe\?.*"],
+		['http-url-parsed-param', ".*(c|d)\/winnt\/system32\/cmd\.exe\?.*"],
+		['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\ImagePath.*"],
+		['smtp-data-line', ".*http:\/\/www\.friendgreetings\.com\/pickup\/pickup\.aspx.*"],
+		['smtp-mime-content-filename', "(\[your_details\]|\[application\]|\[document\]|\[screensaver\]|\[movie\])\.zip.*"],
+		['http-url-parsed-param', "\/(1|\[scr\])\.php"],
+		['http-url-parsed-param', "\/search\?(p|q)=inurl:\*\.php\?\*=.*"],
+		['http-url', "\[\/scripts\/root\.exe\?\/c\+dir\]"],
+		['http-url', "\[\/MSADC\/root\.exe\?\/c\+dir\]"],
+		['http-url', "\[\/scripts\/\.\.%255c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
+		['http-url', "\[\/_(vti|mem)_bin\/\.\.%255c\.\.\/\.\.%255c\.\.\/\.\.%255c\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
+		['http-url', "\[\/scripts\/\.\.(%c1%1c|%c0%af|%c1%9c)\.\.\/winnt\/system32\/cmd\.exe\?\/c\+dir\]"],
+		['smtp-data-line', ".*<iframe src=3Dcid:EA4DMGBP9p height=3D0 width=3D0>.*"],
+		['smb-open-filename', ".*\.\[(\x00)?N(\x00)?W(\x00)?S(\x00)?\]"],
+		['smb-open-filename', ".*\.\[(\x00)?E(\x00)?M(\x00)?L(\x00)?\].*"],
+		['http-url', ".*\x2f\x64\x65\x66\x61\x75\x6c\x74\x2e\x69\x64\x61\x3f\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x4e\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x36\x38\x35\x38\x25\x75\x63\x62\x64\x33\x25\x75\x37\x38\x30\x31\x25\x75\x39\x30\x39\x30\x25\x75\x39\x30\x39\x30\x25\x75\x38\x31\x39\x30\x25\x75\x30\x30\x63\x33\x25\x75\x30\x30\x30\x33\x25\x75\x38\x62\x30\x30\x25\x75\x35\x33\x31\x62\x25\x75\x35\x33\x66\x66\x25\x75\x30\x30\x37\x38\x25\x75\x30\x30\x30\x30.*"],
+		['stream', ".*\[BEGIN +ctxsys\.driload\.validate_stmt\]\(.*"],
+		['stream', ".*ORA-01017:( invalid username\/password; logon denied)?.*"],
+		['stream', ".*adamswoodXXXXX.*"],
+		['stream', ".*scotttigerXXXXX.*"],
+		['stream', ".*blakepaperXXXXX.*"],
+		['stream', ".*clarkclothXXXXX.*"],
+		['stream', ".*\[ctxsys(ctxsys|unknown|change_on_install)\]XXXXX.*"],
+		['stream', ".*dbsnmpdbsnmpXXXXX.*"],
+		['stream', ".*aurora$orb$unauthenticatedinvalidXXXXX.*"],
+		['stream', ".*jonessteelXXXXX.*"],
+		['stream', ".*mdsysmdsysXXXXX.*"],
+		['stream', ".*ordpluginsordpluginsXXXXX.*"],
+		['stream', ".*ordsysordsysXXXXX.*"],
+		['stream', ".*outlnoutlnXXXXX.*"],
+		['stream', ".*\[system(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*)\]XXXXX.*"],
+		['stream', ".*tracesvrtraceXXXXX.*"],
+		['stream', ".*\[sys(manager|change_on_install|d_syst?pw|system|systempass|manag3r|oracl3.*|oracle.*|0racle.*|0racl3.*)\]XXXXX.*"],
+		['stream', ".*\[ALTER TABLE user CHANGE COLUMN Password Password LONGTEXT\].*"],
+		['packet', "....\0377[\024-\025]\04.*"],
+		['stream', ".*\[s\00p\00_\00p\00a\00s\00s\00w\00o\00r\00d\00\].*"],
+		['stream', ".*\[s\00p\00_\00a\00d\00d\00u\00s\00e\00r\].*"],
+		['stream', ".*\x10\x01\x00.\x00\x00\x01\x00..\x00\x00\x00\x00\x00\x71\x00\x00\x00\x00\x00\x00\x00\x07....\x00\x00\x00\x00\xE0\x03\x00\x00..\x00\x00..\x00\x00.\x00.\x00.\x00.\x00.\x00\x00\x00.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[explorer\.doc\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[normal\.dot\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[resume1\.doc\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[kak\.hta\]*\".*"],
+		['smtp-mime-content-filename', ".*\.\[exe\]\."],
+		['smtp-mime-content-filename', "(approved|application|doc_details|movie28|password|ref-39....|screen_doc|screen_temp|_approved)\.pi[f]*"],
+		['smtp-header-subject', ".*(Hi|Hello|Re:|Fw:)*\040?(Very |special |Happy |Have a )(New |funny |nice |humour |excite |good |powful |WinXP |IE 6.0 )*(game\.|tool\.|website\.|patch\.|Allhallowmas|Epiphany)"],
+		['smtp-header-subject', "(W32\.Elkern|W32\.Klez\.E) removal tools"],
+		['smtp-mime-content-data', "(\x4d\x5a|\x4c\x01).(\000|\001).*"],
+		['smtp-mime-content-filename', "\[photos\.zip\]"],
+		['smtp-mime-content-data', "PK.*\.(pif|scr|exe|cmd|bat|zip|com)(\x4d\x5a|\x4c\x01).(\000|\001).*"],
+		['stream', ".*\\\\\.\.\/\x00\x00\x00.*"],
+		['stream', ".*\\\\\.\.\.\/\x00\x00\x00.*"],
+		['smb-connect-path', "\\\00?\\\00?.*\\\00?A\00?D\00?M\00?I\00?N\00?$\00?.*"],
+		['smb-connect-path', "\\\00?\\\00?.*\\\00?C\00?$\00?.*"],
+		['smb-connect-path', "\\\00?\\\00?.*\\\00?D\00?$\00?.*"],
+		['smb-native-os', "Unix"],
+		['packet', ".*([\001-\010]|[\013-\014]|[\016-\037]|[\0200-\0377]).*"],
+		['pop3-command-line', "(UIDL|DELE) 11111111111111111111111111111111.*"],
+		['pop3-command-line', "helo:AAAAAAAAAAAAAAAA.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[bat\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[com\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[cpl\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ocx\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[hta\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ade\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.386\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[adp\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[inf\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[lnk\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msp\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[reg\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[w(al|sz)\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ht\]\".*"],
+		['packet', "\xe3\x36\x00\x00\x00\x01\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xff\x02\x00\x00\x00\x02\x01\x00\x01\x04\x00\x54\x65\x73\x74\x03\x01\x00.*"],
+		['stream', ".*\[Authorization: Basic A==\].*"],
+		['stream', "RCH0.*"],
+		['packet', "play\x2d\x00..............(([\060-\0377])|(.[^\000])|(..[^\000])|(...[^\000])).*"],
+		['stream', ".*\x0a\[Max-dotdot\][ ]+[0-9][0-9][0-9][0-9].*"],
+		['packet', "\x00\x01\x00\x07.....(.[^\000]|[^\000].).*"],
+		['packet', ".*\x45\x89\x02\x00....\x00\x00\x00\x20\x45\x00\x00\x00"],
+		['stream', ".*\|\|[0-9]\|\|"],
+		['stream', "\[(get|head|post|source)\][^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012[^\012]+\012.*"],
+		['stream', ".*\x05\x00\x06\x01\x00\x00\x00\x00\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x31\x00\x00\x00\x00\x00\x00\x00\x00.*"],
+		['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*"],
+		['packet', "1234567890"],
+		['smb-open-filename', ".*\u\[\\ci_skads\]\u"],
+		['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
+		['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
+		['stream', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
+		['packet', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
+		['packet', ".*\xb8\x4a\x9f\x4d\x1c\x7d\xcf\x11\x86\x1e\x00\x20\xaf\x6e.*"],
+		['http-url-parsed-param', ".*\.htgroup.*"],
+		['http-url-parsed-param', ".*\/\[cgi-bin\/plusmail\]\?.*password=.*password1=.*new_login=.*"],
+		['http-url-parsed-param', ".*\[BBBB\.htr\].*"],
+		['packet', "[\0101-\0172]+"],
+		['packet', "............\x15.*"],
+		['packet', "............\x0d.*"],
+		['packet', "............\x12.*"],
+		['packet', ".......\x08\x00\x04.*"],
+		['packet', ".......\x08\x00\x01.*"],
+		['packet', "..[^\00][^\00].*"],
+		['stream', ".*\xeb\x4b\x5b\x53\x32\xe4\x83\xc3\x0b\x4b\x88\x23\xb8\x50\x77.*"],
+		['stream', ".*PING :1986115026.*001 :irc\.random\.org trillian.*"],
+		['stream', ".*<\[a href\] ?= ?\"\.\.\/\.\.\/.*"],
+		['packet', "\x00\x01\[admin\.dll\].*"],
+		['packet', "\x00\x02.*"],
+		['packet', ".*\.\..*"],
+		['smtp-data-text-plain', "XJS\*C4JDBQADN1\.NSBN3\*2IDNEN\*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL\*C\.34X"],
+		['smtp-mime-content-filename', ".*\.\[wp5\]"],
+		['smtp-header-line', "\[content-type\]:[^\000]+<(\[script\]>|[^\000]+\[onLoad=java\])[^>]*>.*"],
+		['stream', ".*<[^>]*\[notes\]:( |\011)?(\042|\047)?=[\0134][\0134][^>]*[\0134]\[notes\.ini\][^>]*>.*"],
+		['stream', ".*<[^>]*\[href=\](3D)?(\"|')?\[aim:goaway\?message=\].*"],
+		['smtp-mime-content-filename', "\[PC210017\.JPG\].*"],
+		['smtp-rcpt', ".*\[IMCEASMTP\]-[^+]*\+[^+]*\+[^@]*@.*"],
+		['stream', ".*\012(\040|\011)*\[password address=\].*\012(\040|\011)*\[password address=\].*"],
+		['stream', ".*MASSINE.*"],
+		['smtp-command-line', ".*__safebomb__.*"],
+		['smtp-header-to', "x"],
+		['smtp-command-line', ".*\[AUTH( |\011)+GUEST\].*"],
+		['smtp-header-from', ".*\|.*"],
+		['smtp-from', ".*\|.*"],
+		['smtp-header-to', ".*\|.*"],
+		['smtp-rcpt', ".*\|.*"],
+		['smtp-header-reply-to', ".*\|.*"],
+		['smtp-header-line', "\[a\015*t\015*t\015*a\015*c\015*h\015*m\015*e\015*n\015*t\015* c\015*o\015*n\015*v\015*e\015*r\015*t\015*e\015*d\015*\]:.*"],
+		['smtp-data-text-plain', "Attachment Converted(\x0d|=0\[d\]):.*"],
+		['smtp-data-text-html', "Attachment Converted(\x0d|=0\[d\]|=00):.*"],
+		['smtp-command-line', ".*( |\x09)*\[expn\]( |\x09)+(admin|bin|decode|root|rpmmail).*"],
+		['smtp-command-line', "( |\x09)*\[vrfy\]( |\x09)+(bbs|decode|guest|postmaster|root|sybase)"],
+		['smtp-mime-content-filename', ".*\.\[exe\]"],
+		['smtp-mime-content-filename', ".*\.\[pif\]"],
+		['smtp-mime-content-filename', ".*\.\[scr\]"],
+		['smtp-mime-content-filename', ".*\.\[shs\]"],
+		['smtp-mime-content-filename', ".*\.\[vbs\]"],
+		['smtp-mime-content-filename', ".*\.\[com\]"],
+		['smtp-mime-content-filename', ".*\.\[bat\]"],
+		['smtp-mime-content-filename', ".*\.\[ocx\]"],
+		['smtp-mime-content-filename', ".*\.\[cmd\]"],
+		['smtp-mime-content-filename', ".*\[\.job\]"],
+		['smtp-mime-content-filename', ".*\.\[CPL\]"],
+		['smtp-mime-content-filename', ".*\.\[ade\]"],
+		['smtp-mime-content-filename', ".*\.386"],
+		['smtp-mime-content-filename', ".*\.\[adp\]"],
+		['smtp-mime-content-filename', ".*\.\[bas\]"],
+		['smtp-mime-content-filename', ".*\.\[chm\]"],
+		['smtp-mime-content-filename', ".*\.\[hlp\]"],
+		['smtp-mime-content-filename', ".*\.\[inf\]"],
+		['smtp-mime-content-filename', ".*\.\[ins\]"],
+		['smtp-mime-content-filename', ".*\.\[isp\]"],
+		['smtp-mime-content-filename', ".*\.\[js\]"],
+		['smtp-mime-content-filename', ".*\.\[jse\]"],
+		['smtp-mime-content-filename', ".*\.\[lnk\]"],
+		['smtp-mime-content-filename', ".*\.\[mde\]"],
+		['smtp-mime-content-filename', ".*\.\[msc\]"],
+		['smtp-mime-content-filename', ".*\.\[msi\]"],
+		['smtp-mime-content-filename', ".*\.\[msp\]"],
+		['smtp-mime-content-filename', ".*\.\[pcd\]"],
+		['smtp-mime-content-filename', ".*\.\[reg\]"],
+		['smtp-mime-content-filename', ".*\.\[sct\]"],
+		['smtp-mime-content-filename', ".*\.\[vb\]"],
+		['smtp-mime-content-filename', ".*\.\[wsc\]"],
+		['smtp-mime-content-filename', ".*\.\[wsf\]"],
+		['smtp-mime-content-filename', ".*\.\[wsh\]"],
+		['smtp-mime-content-filename', ".*\.\[w(al|sz)\]"],
+		['smtp-mime-content-filename', ".*\.\[ht\]"],
+		['smtp-header-line', ".*;\s+\[boundary\]\s*=\s*\"\""],
+		['packet', ".*\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x63\x82\x53\x63\x35[\001-\017][\001-\017].*"],
+		['stream', ".*\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08\xb0\x66\x43\x89\xf1\xcd\x80\x89\x06\xb0\x02\x66\x89\x46\x0c\xb0\x90\x66\x89\x46\x0e\x8d\x46\x0c\x89\x46\x04\x29\xc0\x89\x46\x10\xb0\x10\x89\x46\x08\xb0\x66\x43\xcd\x80\x29\xc0\x40\x89\x46\x04\xb3\x04\xb0\x66\xcd\x80\xeb\x02\xeb\x4c\x29\xc0\x89\x46\x04\x89\x46\x08\xb0\x66\x43\xcd\x80\x88\xc3\x29\xc9\xb0\x3f\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\xb8\x2e\x62\x69\x6e\x40\x89\x06\xb8\x2e\x73\x68\x21\x40\x89\x46\x04\x29\xc0\x88\x46\x07\x89\x76\x08\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\x64\xff\xff\xff.*"],
+		['stream', "\x31\xc9\xf7\xe1\x51\x5b\xb0\xa4\xcd\x80\x31\xc9\x6a\x02\x5b\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58\xcd\x80\x41\x6a\x3f\x58\xcd\x80\xeb\x1f.*"],
+		['stream', "\x6d\x6f\x64\x65\x20\x72\x65\x61\x64\x65\x72\x0d\x0a\x67\x72\x6f\x75\x70\x20\x74\x65\x73\x74\x0d\x0a\x70\x6f\x73\x74\x0d\x0a\x4d\x65\x73\x73\x61\x67\x65\x2d\x49\x44\x3a\x20\x3c......\x40a*\x3e\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x61\x40\x61\x2e\x04\x80\x13\x08\xec\x83\x13\x08\x0d\x0a\x53\x65\x6e\x64\x65\x72\x3a\x20\x61\x40\x61\x2e\x04\x80\x13\x08\xec\x83\x13\x08\x0d\x0a\x4e\x65\x77\x73\x67\x72\x6f\x75\x70\x73\x3a\x20\x74\x65\x73\x74\x0d\x0a\x53\x75\x62\x6a\x65\x63\x74\x3a\x20\x62\x6c\x61\x68\x0d\x0a\x0d\x0a\x62\x6c\x61\x68\x0d\x0a\x2e\x0d\x0a\x67\x72\x6f\x75\x70\x20\x63\x6f\x6e\x74\x72\x6f\x6c\x0d\x0a\x70\x6f\x73\x74\x0d\x0a\x4d\x65\x73\x73\x61\x67\x65\x2d\x49\x44\x3a\x20\x3c......\x40\x74\x65\x73\x74\x3e\x0d\x0a\x46\x72\x6f\x6d\x3a\x20\x61\x40\x62\x2e\x63\x0d\x0a\x53\x65\x6e\x64\x65\x72\x3a\x20\x61\x40\x62\x2e\x63\x0d\x0a\x43\x6f\x6e\x74\x72\x6f\x6c\x3a\x20\x63\x61\x6e\x63\x65\x6c\x20\x3c......\x40a*\x3e\x0d\x0a\x53\x75\x62\x6a\x65\x63\x74\x3a\x20\x63\x6d\x73\x67\x20\x63\x61\x6e\x63\x65\x6c\x20\x3c......\x40a*\x3e\x0d\x0a\x4e\x65\x77\x73\x67\x72\x6f\x75\x70\x73\x3a\x20\x63\x6f\x6e\x74\x72\x6f\x6c\x0d\x0a.*"],
+		['stream', "100.*\x25\x2e\x34\x38\x37\x37\x37\x75\x25\x38\x35\x24\x68\x6e\x5c\x25\x2e\x31\x34\x32\x33\x33\x75\x25\x38\x36\x24\x68\x6e\x0a.*"],
+		['stream', ".*\x68\x00\x57\x72\x4c\x65\x68\x00\x42\x31\x33\x42\x57\x7a\x00\x01\x00.*"],
+		['stream', ".*\xff\xd8.*([\000-\0376].|.[\000-\0376])\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
+		['smb-open-filename', ".*\[p\00?s\00?e\00?x\00?e\00?s\00?v\00?c\00?\.\00?e\00?x\00?e\].*"],
+		['stream', "\x07\[authors\]...\x04\[bind\].*"],
+		['packet', "\x07\[authors\]...\x04\[bind\].*"],
+		['stream', ".*XC-QUERY-SECURITY.*"],
+		['stream', ".*\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50\x50\x66\x68..\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02\x52\x51.*"],
+		['packet', ".*\xeb\x02\xeb\x02\xeb\x02.*"],
+		['stream', ".*\xeb\x02\xeb\x02\xeb\x02.*"],
+		['stream', ".*\u\xd9\xee\xd9\x74\x24\xf4\x5b\x31\xc9\xb1.\x81\x73\x17....\x83\xeb\xfc\xe2\xf4\u.*"],
+		['packet', ".*\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef\/bin.*"],
+		['stream', ".*\xc0\x02\x7a\x69\x90\x90\x90\x90\xc0\xd5\xbf\xef\xb8\xd5\xbf\xef\/bin.*"],
+		['packet', ".*\x8d\x0e\x89\x4e\x08\x89\x46\x0c\x8d\x4e\x08\x50\x51\x56\x50\xb0\x3b\xcd\x80\xe8\xe5\xff\xff\xff\/bin.*"],
+		['stream', ".*\x8d\x0e\x89\x4e\x08\x89\x46\x0c\x8d\x4e\x08\x50\x51\x56\x50\xb0\x3b\xcd\x80\xe8\xe5\xff\xff\xff\/bin.*"],
+		['packet', ".*\x84\xff\xff\xff[\0371-\0377].*"],
+		['packet', ".*\x30\x81\xaf\x02\x01\x00\x04\x06\x70\x75\x62\x6c\x69\x63\xa0\x81\xa1\x02\x02\x09\x28\x02\x01\x00\x02\x01\x00\x30\x81\x94\x30\x81\x91\x06\x81\x8c\x4d(\x73\x25)+\x73\x81\xff\xff\xff\xff\xff\xff\xff\xff\x7f\x05.*"],
+		['snmp-oid', "\x2b\x06\x01\x04\x01\x82\x37\x01\x02\x05\x03.*"],
+		['snmp-community', "NoGaH$@!"],
+		['snmp-community', "secret"],
+		['stream', ".*((http:\/\/217\.107\.218\.147\/msits.exe\047;)|(function getRealShell\(\))|(84;66;86;5;73;119;71;89;95)|(\[%41%44%4F%44%42%2E\])|(\[%53%74%72%65%61%6D\])).*"],
+		['http-text-html', ".*<applet CODE=\"BlackBox\.class\" width=1 height=1><\/APPLET>.*"],
+		['smtp-header-from', ".*nongmin_cn.*"],
+		['stream', ".*qazwsx.hsq;*"],
+		['stream', ".*qaswsx.*"],
+		['ftp-username', "w0rm"],
+		['stream', "connected.*"],
+		['packet', ".*\x00#.*"],
+		['packet', ".*Ahhhh My Mouth Is Open.*"],
+		['packet', "03.*"],
+		['packet', "02.*"],
+		['packet', "20.*"],
+		['packet', "60.*"],
+		['packet', "121.*"],
+		['packet', "39.*"],
+		['packet', "41.*"],
+		['packet', "23.*"],
+		['packet', "13.*"],
+		['packet', "12[^1]?.*"],
+		['packet', "24.*"],
+		['packet', "110.*"],
+		['packet', "117.*"],
+		['packet', "118.*"],
+		['packet', "35.*"],
+		['packet', "21.*"],
+		['packet', "09.*"],
+		['packet', "100.*"],
+		['packet', "26.*"],
+		['packet', "32.*"],
+		['packet', "33.*"],
+		['packet', "31.*"],
+		['packet', "04.*"],
+		['packet', "30.*"],
+		['packet', "199.*"],
+		['packet', "88.*"],
+		['packet', "40.*"],
+		['packet', ".*KeyLogger Shut Down.*"],
+		['packet', ".*KeyLogger Is Enabled On port.*"],
+		['packet', "38.*"],
+		['packet', "07.*"],
+		['packet', "36.*"],
+		['packet', "64.*"],
+		['packet', "17.*"],
+		['packet', "89.*"],
+		['packet', "911.*"],
+		['packet', "125.*"],
+		['packet', "15.*"],
+		['packet', "14.*"],
+		['packet', "63.*"],
+		['packet', "91.*"],
+		['packet', "92.*"],
+		['packet', ".*shutd0wnM0therF\*\*\*eR.*"],
+		['packet', "10.*"],
+		['packet', "70.*"],
+		['packet', "22.*"],
+		['packet', "71.*"],
+		['packet', "25.*"],
+		['packet', "34.*"],
+		['packet', "13.*"],
+		['packet', "37.*"],
+		['packet', "370.*"],
+		['packet', "16.*"],
+		['packet', ".*Retreaving.*"],
+		['packet', ".*KeyLogger Is Enabled On port.*"],
+		['packet', ".*FTP Server changed to.*"],
+		['packet', ".*Comp Name.*"],
+		['packet', ".*Wrong Password.*"],
+		['packet', ".*Volume Serial Number.*"],
+		['packet', ".*Host.*"],
+		['packet', ".*\x00#.*"],
+		['packet', "A.*"],
+		['stream', ".*host.*"],
+		['stream', ".*NetSphere.*"],
+		['stream', ".*NetSphere.*"],
+		['stream', ".*Wtzup User.*"],
+		['packet', "srv_infoSERVER INFO:\x0d\x0a\x0dFilename: .*"],
+		['stream', ".*--.*"],
+		['stream', ".*--.*"],
+		['packet', "(\xce\x63\xd1\xd2\x16\xe7\x13\xcf|\*!\*QWTY\?|\x9e\xf4\xc2\xeb\x87\x89\xa2\x04).*"],
+		['http-header', "\[server\]: BO\/.*"],
+		['smtp-rcpt', "funguscrack@hotmail.com"],
+		['packet', "\x1d\xa3\x2b\x85\x4f\x55\x00\xbb\x37\xf8\xab\x30.*"],
+		['packet', "\xce\x63\xd1\xd2\x16\xe7\x13\xcf.\xa5\xa5\x86.\x75\x4b\x99.*"],
+		['packet', ".\x00\x00\x00.*"],
+		['packet', ".*Alvgus's Trojan Server.*"],
+		['stream', ".*Connected To Amanda.*"],
+		['stream', ".*AOL Admin Server.*"],
+		['stream', ".*(RQS|PAS|GNT|DIE|UPL|RBT|WDR|SDR|RUN|INV).*"],
+		['stream', ".*Execute[A-Z][a-z]+.*"],
+		['stream', ".*Basic Hell - .*"],
+		['packet', ".*\x00Bla Ver [1-6]\.o0\x00.*"],
+		['stream', ".*B\.R\.E\.A\.C\.H Server.*"],
+		['packet', "\*VERBuHa [0-9]\..*"],
+		['stream', "Crazzynet.*"],
+		['packet', "Exploiter (Server )?[0-9]\.[0-9] \.? Port.*"],
+		['stream', "NaZWA UZYTKOWNIKA.*"],
+		['stream', "ForCed EnTrY .*"],
+		['stream', "access ok\x20.*"],
+		['stream', "ver:Ghost version .*"],
+		['packet', "(0020|0021|0030|0031|0040|0041|0050|0051|0060|0061|025|027|0220)"],
+		['stream', ".*(H01|T01|V01|C01|M01|Q03|J01|P03)\x08.*"],
+		['stream', "Conectado!\x0d\x0a.*"],
+		['packet', "(001|015|038.*|060|065.*)"],
+		['stream', ".*InCommand (v )?[0-9]\.[0-9].*"],
+		['stream', "Insane Network vs [0-9]\.[0-9].*"],
+		['stream', "verpc,.*"],
+		['stream', "Leszcz [0-9].*"],
+		['stream', ".*\x29\x00\x00\x00\x00\x00\x03\x00\x09\x00\x00\x00.*\x0c\x00\x00\x00v[0-9]\..*"],
+		['packet', "(swapmouse|normalmouse|taskbargizle|taskbargoster|ctrlaltdelyok|ctrlaltdelvar)"],
+		['stream', "\0133OK\0135 \([^\0051]*\) version [0-9]\..*"],
+		['packet', "(List|Closewindow [0-9]+|MouseMove.*)"],
+		['stream', ".*Mavericks Matrix .*"],
+		['stream', ".*start hide.*"],
+		['stream', "Michal [0-9]\.[0-9]+ \x0d.*"],
+		['packet', "({[A-z]:\\|clrrmt|reqfiledir|K[A-z]:\\.*)"],
+		['stream', ".*Millenium [0-9]\.[0-9].*"],
+		['packet', "RQS [0-9]"],
+		['stream', ".*Mneah Remote Control, .*"],
+		['stream', "ver(BETA [0-9]|[0-9]\.[0-9]).*"],
+		['stream', ".*220 MoonPie 1\.3\x0d\x0a.*"],
+		['ftp-banner', "MoonPie FTP-Server"],
+		['stream', ".*(KEY=.*)?Connected to.*"],
+		['packet', "(Computer|User|WinInfo|TIME)"],
+		['stream', ".*NSServer-s.*"],
+		['stream', ".*\[NetSpy Version\] [0-9]\.[0-9]\x0d\x0a.*"],
+		['packet', "con[0-9]\.[0-9][0-9]?"],
+		['packet', "([0-5]|F)([0-9]|[A-F])[0-9]?"],
+		['stream', "PhuCk y0u\x0d\x0a.*"],
+		['stream', "#01#[0-9].*"],
+		['stream', "Oblivion [0-0]\.[0-9]+ ready\..*"],
+		['stream', ".*Optix Pro.*"],
+		['stream', "02[0-2][0-9]?[0-9]?(\.[0-9][0-9]?[0-9]?)+.*"],
+		['stream', "cmd=[a-z]+ var1=.*"],
+		['packet', "(001|0060|0061|060|065[A-z]:.*|061)"],
+		['stream', "phAse zero server.*"],
+		['stream', ".*The Phoenix is ready.*"],
+		['stream', ".*PitFall Ativo !!!.*"],
+		['stream', "Conectado a [^\012]+ - The Prayer .*"],
+		['packet', "Execute[A-z]+.*"],
+		['stream', "Accept,.*"],
+		['stream', "210 Prosiak v.*"],
+		['stream', "psychward (revised|final).*"],
+		['stream', "son-of-pw .*"],
+		['packet', "(0031|0030|060|001)"],
+		['packet', "R0X_[A-Z]+.*"],
+		['stream', ".*R3C Server.*"],
+		['stream', "MSG You have connected to.*"],
+		['stream', "Remote Hack [0-9]\.[0-9]+ Server.*"],
+		['stream', ".*(hidestart|showstart|hidetaskbar|showtaskbar|message|swapon|swapoff|ftpon|ftpoff).*"],
+		['stream', "Connected to.*"],
+		['stream', "ServerSocket Connect\.\.\."],
+		['stream', ".*Schneckenkorn.*"],
+		['stream', "{E}([A-Z]|[a-z]):.*"],
+		['stream', ".*(YES, connected|the tHing ).*"],
+		['stream', "ID[0-9][0-9]?[0-9]?(\.[0-9][0-9]?[0-9]?)+;.*"],
+		['packet', "(run|del):.*"],
+		['stream', "<(SYSTMTIME|REQSTFILE|UPLOADING)>.*"],
+		['stream', "Truva Server.*"],
+		['stream', ".*ULTOR'S TROJAN.*"],
+		['stream', ".*23L'esclave.*"],
+		['stream', "(Undetected |STL(Undetected|Udt)).*"],
+		['stream', "Vagr Nocker .*"],
+		['stream', "Vampire v[0-9]\.[0-9] Server On-Line.*"],
+		['stream', ".*phAse Zero.*"],
+		['packet', ".*activate.*"],
+		['packet', ".*logged in.*"],
+		['stream', "\x0b\x00\x00\x00\x07\x00\x00\x00Connect.*"],
+		['stream', "\x32\x00\x00\x00\x06\x00\x00\x00Drives\x24\x00.*"],
+		['stream', ".*GirlFriend.*"],
+		['stream', ".*\[ypi0ca\].*"],
+		['stream', ".*\[ypi0ca\].*"],
+		['stream', ".*\[Access Granted\.\.\.\].*"],
+		['stream', ".*\[GateCrasher\].*"],
+		['stream', "(\x85.?\x13\x3c\x9e\xa2.*)|(\x04\x01..[^\000]...).*"],
+		['stream', "(\x85.?\x13\x3c\x9e\xa2.*)|(\x04\x01..[^\000]...).*"],
+		['stream', ".*GET .*"],
+		['stream', "\000#waste\000.*"],
+		['line', "221 Goodbye, have a good infection :\)."],
+		['stream', ".*GetInfo.*"],
+		['stream', ".*GetInfo.*"],
+		['stream', ".*NetBus.*"],
+		['stream', ".*NetBus.*"],
+		['stream', ".*WHATISIT.*"],
+		['stream', ".*FTPON.*"],
+		['stream', ".*FTP Port open.*"],
+		['stream', ".*pINg.*"],
+		['stream', ".*@@.*"],
+		['packet', ".*l44adsl.*"],
+		['packet', ".*aaa .*"],
+		['packet', ".*rsz .*"],
+		['packet', ".*shi .*"],
+		['packet', ".*xyz .*"],
+		['irc-join-chan', "#b3eblebr0x"],
+		['packet', "stream\/.*"],
+		['packet', "ping.*"],
+		['http-header-content-type', "multipart\/form-data; boundary=---------------------------123"],
+		['http-header', "authorization: (%n%n%n%n)+"],
+		['http-url-parsed-param', ".*:\/+[^\012]*\0133(\?.*|\/.*|#.*)"],
+		['http-url-parsed-param', ".*:\/+[^\012]*\0133:[^:]*[^\0135]*(\?.*|\/.*|#.*)"],
+		['http-url-parsed-param', ".*\[\.(bat|cmd)\?&\].*"],
+		['http-url-parsed-param', ".*\[(a|NULL|test)\.ida\].*"],
+		['http-url-parsed-param', ".*\/\[_vti_bin\/fpcount\.exe\](\?|\/)[^\012]*\[digits\]=[1-9][0-9][0-9].*"],
+		['http-url-parsed-param', ".*\[\/IISADMPWD\/((aexp|anot).*|achg)\.htr\].*"],
+		['http-url-parsed-param', "\/\[_AuthChangeUrl\?\].*"],
+		['http-url-parsed-param', ".*\[.asp::$data\].*"],
+		['http-request', "\[POST\] \/\[msadc\/msadcs\.dll\/(VbBusObj\.VbBusObjCls\.GetRecordset|AdvancedDataFactory\.Query)\].*"],
+		['http-url-parsed-param', ".*\[\/catalog_type\.asp\?ProductType=\|\].*"],
+		['http-url-parsed-param', ".*\[\/exchange\/LogonFrm\.asp\?.*mailbox=%%%\].*"],
+		['http-request', "PUT \[\/users\/\][^.]*\.\[asp\].*"],
+		['http-url-parsed-param', "\/\[scripts\/iisadmin\/ism\.dll\?http\/dir\].*"],
+		['http-url', "\/\[scripts\]\/[^\012]*\.\.((%c1%9c)|(%c0%af))\.\.\/.*"],
+		['stream', "\[POST \/ext\.dll HTTP\/1\..\]\x0d\x0aContent-Length: 1\x0d\x0a\x0d\x0aAAA*.*"],
+		['http-header-host', ".*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
+		['http-url-parsed-param', "\[\/scripts\/tools\/newdsn\.exe\]\?[^ ]*newdb=CREATE_DB.*"],
+		['http-url', ".*%20HTTP\/1\.[0-9](%0\[d\])?%0\[a\].*"],
+		['http-url-parsed-param', ".*\.bat\"\+.*"],
+		['http-request', "\[POST\] \/scripts\/nsiislog\.dll.*"],
+		['http-url', "\/\[scripts\][^>]*[^.]+\.\[bat\]\"\+\"?&\+.*"],
+		['http-url-parsed-param', ".*\/\[gwweb\.exe\?\][^\000]*\[help\]=\/?\.\.\/.*"],
+		['http-url-parsed', "\/exec\/show\/config\/cr"],
+		['http-url-parsed-param', ".*\[\/vti_bin\/.*\/?fp(30|4a)reg\.dl\].*"],
+		['http-url-parsed', "\/app_sta\.stm"],
+		['http-url-parsed', "\[\/cgi-bin\/config\.bin\]"],
+		['http-url', ".*\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa\x7e\x8e\x95\x97\x97\xcd\x1c\x4d\x14\x7c\x90\xfd\x68\xc4"],
+		['stream', ".*\xeb\x1b\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0\xb0\x3b\x8d\x7e\x07\x89\xf9\x53\x51\x56\x56\xeb\x10\xe8\xe0\xff.*"],
+		['stream', ".*GET \/\x90*\xeb\x5f\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89.*"],
+		['stream', "AAAAAAAAAAAAAAAAAAAAAAA+.*"],
+		['http-url', ".*(\x90)*\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e.*"],
+		['stream', ".*POST (\x82\xe4\x04\x08)+\x0d\x0a(\x53)+.*"],
+		['http-request', "(\xc0\xf4\xff\xbf)+[N]+\x89\xe5\x31\xd2\xb2.*"],
+		['http-request', "GET \/(\x2d)+\x5a\xb4\x40\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0d\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\xeb\x67\x5e\x8b\xec\x8b\x06\x66\x33\xc0\x8b\xd8\x03\x40\x3c\x8b\x40\x78\x03\xc3\x8b\x78\x20\x8d\x3c\x3b\x03\x1f\x33\xd2\x33\xc9\x43\x38\x13\x75\x01\x41\x81.*"],
+		['http-header-accept-encoding', ".*(\x90)+\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xb0\x2e\xcd\x80\x31\xdb\xf7\xe3\xb0\x66\x53\x43\x53\x43\x53\x89\xe1\x4b.*"],
+		['http-url', "\[\/cgi-bin\/webc\.(cgi|exe)\/(~|%7e)carl\/g\/\].*"],
+		['http-request', "[^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].*"],
+		['http-url', ".*\.\[(pdf|fdf|xfdf|xdp|xfd)\]%00.*"],
+		['http-url-parsed', "\[\/vgn\/style\].*"],
+		['http-url', "\/a+\x01\x01\x01\x01.*"],
+		['http-url', "\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/[a-z]:\winnt.*"],
+		['http-url-parsed-param', ".*\[\/visadmin\.exe\?user=guest\]"],
+		['http-request', "REVLOG \/.*"],
+		['http-url-parsed-param', ".*\[Template\]\/[^ ]*\.\[xml\]\?[^ ]*\[contenttype=text\].*"],
+		['http-header-host', ".*(\046|\057|\077|\0174).*"],
+		['http-url-parsed-param', ".*(<|\[%3c\])\[img\][^\000]*\[src\]( |\011)*=( |\011)*(\042|\047)?\[javascript\]:.*"],
+		['http-url-parsed-param', ".*\/mailbox\.php3\?actionID=6&server=x&imapuser=x';[^\012]*\+--&pass=x.*"],
+		['http-url-parsed-param', ".*(\[RawCustomSearchField|rawdocdata)\.asp\]\?[^;];execmaster\.dbo\.(xp_cmdshell|sp_grantlogin).*"],
+		['http-url-parsed-param', ".*\[SiteAdmin\.ASP\]\?[^\012]*&\[GroupName\]=.*';.*"],
+		['http-header', ".*&\[(userid|password)\]=[^&]*%27.*"],
+		['http-url-parsed-param', ".*\/\.\.\.\.\.\.\.\.\.\.\..*"],
+		['http-url-parsed-param', ".*\/\[webcart\/.*(orders\/checks\.txt|config\/import\.txt|config\/mountain\.cfg)\]"],
+		['http-url-parsed-param', ".*\[\/cgi-bin\/console\.exe\?.*page_size=\].*"],
+		['http-url-parsed-param', ".*\[\/cgi-bin\/cs\.exe\?.*action=\]"],
+		['http-url-parsed-param', ".*\[\/scripts\/slxweb\.dll\/admin\?.*command=\].*"],
+		['http-url-parsed', ".*\/\[officescan\/cgi\/jdkRqNotify\.exe\]"],
+		['http-url', "\/<script>window\.location=\"\/https-admserv\/bin\/perl\/importInfo%3Fdir=.*"],
+		['http-header-user-agent', "webmin"],
+		['line', ".*\xeb\x0b\x3c\x66\x61\x6b\x65\x68\x61\x6c\x6f\x3f\x3e\x31\xc0\x50\x40\x89\xc3\x50\x40\x50\x89\xe1\xb0\x66\xcd\x80\x31\xd2\x52\x66\x68\x23\x83\x43\x66\x53\x89\xe1\x6a\x10\x51\x50\x89\xe1.*"],
+		['http-text-html', ".*<\[OBJECT\][^>]*\[classid=\"CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF\"\][^>]*>.*"],
+		['http-text-html', ".*(m|&#109;|M|&#77;)(h|H|&#72;|&#104;)(t|T|&#84;|&#116;)(m|&#109;|M|&#77;)(l|L|&#76;|&#108;)(:|&#58)((f|F|&#70;|&#102;)(i|I|&#73;|&#105;)(l|L|&#76;|&#108;)(e|E|&#69;|&#101;)|(r|R|&#82;|&#114;)(e|E|&#69;|&#101;)(s|S|&#83;|&#115;)|(m|M|&#77;|&#109;)(i|I|&#73;|&#105;)(d|D|&#68;|&#100;))(:|&#58;)(\/|&#47;)(\/|&#47;)[^!]*!(h|H|&#72;|&#104;)(t|T|&#84;|&#116;)(t|T|&#84;|&#116;)(p|P|&#80;|&#112;).*"],
+		['http-text-html', ".*\[mhtml:\]((\[file\]|\[res\]|\[mid\]):\/\/[^!]*!${[^}]*}|${[^}]*}[^!]*!(\[http\]|\[ftp\])).*"],
+		['http-text-html', ".*<\[object\][^>]*\[classid=(\042|\047)clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B\](\042|\047)[^>]*>.*"],
+		['http-header', "\[location\]:[ ]*\[URL\]:(\[ms-its\]|\[res\]):.*"],
+		['http-text-html', ".*\[showHelp\][ ]*(\([ ]*(\"|')?|(\"|'))(mk:@MSITStore:|\[res:\/\/\]|\[(ms-)?its:\]).*"],
+		['stream', ".*qxco7=document\.cookie;function gc099\(n21\).*"],
+		['http-text-html', ".*<\[iframe\] [^>]*\[src\](\040|\011)*=(\040|\011)*(\"|')?\\\\.*"],
+		['http-text-html', ".*<\[a\][^>]+\[folder\](\011|\040)*=(\011|\040)*('|\")?\[shell\]:.*"],
+		['http-text-html', ".*<\[script\].*<\[frameset\][^>]+\[this\.focus\]\(\).*"],
+		['http-text-html', ".*<\[a\][^>]+\[mailto:\](\041|[\043-\046]|[\050-\075]|[\076-\0176])*&(\[quot\]|#34);[^>]*>.*"],
+		['http-text-html', ".*<[^>]*\[href=\](\"|')?\[shell:user profile\\\].*"],
+		['http-text-html', ".*<\[object\][^>]*\[clsid:26676CDD-DD35-4AF2-8751CC25DC468EF2\].*\.LaunchURL\(.*"],
+		['http-text-html', ".*<\[object\][^>]*\[clsid:0534CF61-83C5-4765-B19B-45F7A4E135D0\].*\.LaunchCustomRuleWizard\(.*"],
+		['http-text-html', ".*\u\[getClass\(\)\.forName\(('|\")?(sun|javax?\.security|javax?\.rmi|javax?\.transaction|org|javax?\.nio\.channels)\]\u.*"],
+		['http-data', "\xff\xd8.*\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
+		['http-text-html', ".*<[^>]*=(\"|')?\[help:runscript\]=[^ ]*\.\[scpt\][^>]*>.*"],
+		['http-text-html', ".*<[^>]*=( |\090)*(\047|\042)?( |\090)*\[HCP:\/\/system\/DVDUpgrd\/dvdupgrd\.htm\]\?[^>]+>.*"],
+		['http-url-parsed-param', ".*\/cgi-bin\/campas.*(\X0A\X|%0(a|A)).*"],
+		['http-url-parsed-param', ".*\/cgi-bin\/jj[^\012]*(HTTPdRocKs|SDGROCKS).*"],
+		['http-url-parsed', "\/cgi-bin\/phf.*"],
+		['http-data', ".*\[AnyFormTo\]=[^&]*(;|%\[3b\]).*"],
+		['http-url-parsed-param', ".*\/process_bug\.cgi?.*=.*;.*"],
+		['http-url-parsed-param', ".*\/classifieds\.cgi\?[^ ]+return=.+@.+\..+(\.\.\/|\/).*"],
+		['http-url', ".*\/cvsweb\.cgi\/.*\/;.*"],
+		['http-url', ".*site_searcher\.cgi\?page=\|.*"],
+		['http-url-parsed-param', "\/\[cgi-sys\/guestbook\.cgi(\?|\/)user=cpanel&template\]=\|.*"],
+		['http-url-parsed-param', ".*\.\[(bat|cmd)\](\?|\/)\x7c.*"],
+		['http-url-parsed-param', ".*\[(insert into\]|\[(select|update)\] [^;]*\[(from|set)\] [^;]*\[where\]|\[delete from)\].*"],
+		['http-request', ".*\.(php|cgi)\?.*\=[^&]*[\"\'\`][^&]*[;\|][^&]*[\"\'\`].*"],
+		['http-url', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08.*"],
+		['http-url', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40.*"],
+		['http-header-host', ".*\.\.\/.*"],
+		['http-authorization', "(super:5777364|superman:21241036)\00?\00?"],
+		['http-url-parsed', "\/\[frame_debug\.asp\]"],
+		['http-url-parsed-param', "\/cgi-bin\/handler\/.*;.+\?.*"],
+		['http-url-parsed-param', ".*\/pfdispaly\.cgi\?'%0A"],
+		['http-url-parsed-param', "\/cgi-bin\/webdist\.cgi\?.*distloc=.*;"],
+		['http-url-parsed-param', ".*\/passwd\.php3\?.*\[(%2F|%3B|;|\+)\].*"],
+		['http-url-parsed-param', ".*\/\[include_once\.php\]\?[^ ]*\[inc_prefix\]=(http|ftp):\/\/.*"],
+		['http-header-user-agent', "tirpitz"],
+		['http-url-parsed-param', ".*\[Sources\/Packages\.php\?sourcedir=http\]:\/\/.*"],
+		['http-url-parsed-param', ".*\/\[hit\.php\?url_hit=http\]:\/\/.*"],
+		['http-url-parsed-param', ".*\/includes\/(header|footer)\.php3\?[^ ]*my_(footer|header)=http:\/\/.*"],
+		['http-url-parsed-param', ".*\/\[admin\/(system|exec)\.php3\?cmd\]=.*"],
+		['http-url-parsed-param', ".*\/index\.php(\?|\/)theme=\.\.(\/|%2\[F\]).*"],
+		['http-url-parsed', ".*\/\[mail\]\/\[admin\]"],
+		['http-url-parsed-param', ".*\/\[zentrack\/index\.php\](\?|\/)[^\012]*\[configFile\]=\[http\]:\/\/.*"],
+		['http-url-parsed-param', ".*\/\[lib\.inc\.php\]\?[^ ]*\[pm_path=http\]:\/\/.*"],
+		['http-data', ".*form-data;[^\012]*name=\"([\000-\041]|[\043-\0132]|[\0134-\0377])*\0133.*Content-Type:[ ]+\.\.\/.*"],
+		['http-data', ".*\[Content-Disposition: form-data;\][^\012]*\[filename=\]\"?\.\.(\/|\\).*"],
+		['http-url-parsed-param', ".*\/\[sendtofriend\]\.\[php\]\?[^\00]*\[mid\]=[^&]*'+.*"],
+		['http-url-parsed-param', ".*\/\[admin\.php3\?.*(step=4|option=pass).*(step=4|option=pass)\].*"],
+		['http-url-parsed-param', ".*\[\/read\.php3\]\?[^\012]*\[sSQL\]=.*"],
+		['http-url-parsed-param', "\/\[phorum\/plugin\/replace\/plugin.php?.*PHORUM[[]settings_dir\][]].*"],
+		['http-url-parsed-param', ".*quick_reply\.php\?phpbb_root_path=http:\/\/.*"],
+		['http-request', "\[GET\] \/init\.php\?.*(HTTP_(GET|POST|COOKIE)_VARS|HTTP_POST_FILES)=.*"],
+		['http-url', ".*GALLERY_EMBEDDED_INSIDE(_TYPE)?.*"],
+		['stream', ".*\xff\xf4\xff\xfd\x06.*"],
+		['stream', ".*\/viewsource\/template\.html\?.*"],
+		['stream', ".*\/viewsource\/template\.html\?.*"],
+		['http-url-parsed', "\/graphics\/sml3com%s%s%s"],
+		['packet', ".*NAMENAME\xffPASS.*"],
+		['stream', ".*\x0a.*"],
+		['http-url', ".*\/%%"],
+		['stream', ".*\xff\xf3\xff\xf3\xff\xf3\xff\xf3\xff\xf3.*"],
+		['http-url-parsed-param', "\/?\[Gozila\.cgi\]\?"],
+		['packet', ".*NAMENAME..?PASSWORD.*"],
+		['http-url-parsed', ".*\/OPTIONS( |%20)([^ ]|[^\056])+\.\[HTML\].*"],
+		['http-url-parsed-param', ".*\[setinfo\.hts\]\?[^?]*\[setinclude\]=[^?]*(\.\.\/)+[^?]*"],
+		['packet', "(\x00|\x02)\x00.*"],
+		['stream', ".*\x68\x2f\x62\x69\x6e\x5f\x6a\x70\x58\x66\x50\x66\x68\x2f\x63\x57\x54\x5b\x31\xf6\x56\x54\x5a\x68\x2f\x61\x73\x68\x59\x51\x57\x54\x5d\x56\x51\x68\x2f\x74\x6d\x70\x54\x59\x56\x51\x55\x53\x54\x51\x5d\x59\xb0\x02\xcd\x80\x39\xc6\x75\x06\xb0\x0b\xcd\x80\xeb\x1a\x31\xdb\x4b\x56\x54\x59\x31\xd2\x6a\x07\x58\xcd\x80\x31\xc9\x66\xb9\x6d\x09\x55\x5b\x6a\x0f\x58\xcd\x80\x6a\x01\x58\xcd\x80\x90\x90\x90\x90\xa0\x01\x07\x08\x29\x0a\x35\x33\x30\x20\x6c\x6f\x6f\x6b\x20\x77\x68\x61\x74\x20\x69\x20\x64\x69\x64\x20\x74\x6f\x20\x79\x6f\x75\x0a.*"],
+		['stream', "RETR \"\|.*"],
+		['ftp-pathname', "(spt\.dat|rom-0)"],
+		['ftp-sitestring', ".*kakaka\.zip"],
+		['ftp-pathname', ".*\/\/\.\.\/.*"],
+		['ftp-password', "wh00t.*"],
+		['ftp-password', "h0tb0x"],
+		['ftp-password', "lrkr0x"],
+		['ftp-password', "satori"],
+		['ftp-password', ".*\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb\x31\xc0.*"],
+		['ftp-pathname', ".*\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb.*"],
+		['ftp-password', ".*-broken@shattered\.hopes.*"],
+		['ftp-password', ".*hi@blahblah\.net.*"],
+		['ftp-sitestring', "\[EXEC\] (%5$p|%20d\|%).*"],
+		['ftp-pathname', "~{.*"],
+		['ftp-username', "%x%x%x"],
+		['stream', ".*\xb4\x20\xb4\x21\x8b\xcc\x83\xe9\x04\x8b\x19\x33\xc9\x66\xb9\x10.*"],
+		['ftp-username', "themosthax0ruserthatthisw0rldhaseverseen.*"],
+		['stream', ".*(size [^\0012]+\0012.+ size [^\0012]+\0012.+size)+.*"],
+		['ftp-pathname', "\/dadasjasojdasj\/adhjaodhahasohasaoihroaha.*"],
+		['telnet-user', "\[4Dgifts\]"],
+		['telnet-user', "\[ezsetup\]"],
+		['telnet-user', "\[OutOfBox\]"],
+		['stream', ".*TENmanUFactOryPOWER.*"],
+		['telnet-user', "userNotUsed"],
+		['telnet-user', "copyright"],
+		['stream', ".*\x04\x04\x04\x04\x04\x04\x04\x04\x04\x04.*"],
+		['stream', ".*\x0D\x0A[[]Yes[]]\x0D\x0A\xFF\xFE\x08\xFF\xFD\x26.*"],
+		['stream', ".*\xff\xf6\xff\xfb\x08\xff\xfb\x26.*"],
+		['stream', ".*\xf0\x00\x00\x00\x58\x55\x89\xe5\x81\xec\x2c\x00\x00\x00\x89\x45\xd4\xc7\x45\xfc\x00\x00\xe6\x77\x8b\x45\xfc\x66\x81\x38\x4d\x5a\x75\x7c\x05\x3c\x00\x00\x00\x8b\x18\x03.*"],
+		['stream', "DESCRIBE.*(\/\.\.\/\.\.)+.*\.\[smi RTSP\/1.0\]\x0d\x0a\x0d\x0a.*"],
+		['smtp-header-to', ".*(hacker117@163\.com|54love@fescomail\.net).*"],
+		['stream', "(\0211|\0223|\0261|\0273|\0354|\0366|\0025)(\0023|\0024)\x00\x00.*"],
+		['smtp-data-line', ".*(AHMAZQByAHYAYwAuAGUAeAB|AGwAcwBlAHIAdgBjAC4AZQB4|AbABzAGUAcgB2AGMALgBlAHg).*"],
+		['http-url', "\/\[default\.ida\?XXXXXXXXXX+%u9090%u6858%ucbd3%u\].*"],
+		['smtp-mime-content-filename', "\[message\.zip\]"],
+		['smtp-mime-content-filename', "\[wendy\.zip\]"],
+		['stream', "tftp -i [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ GET ms(blast|laugh)\.exe.*"],
+		['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\Start.*"],
+		['stream', ".*HKLM\\software\\microsoft\\mssqlserver\\client\\connectto\\dsquery.*"],
+		['packet', "\x5c\xbf\x01\x29\xca\x62\xeb\xf1"],
+		['smtp-data-text-html', "<xml id=(3D)?\"oExec\">"],
+		['stream', ".*RETR [0-9]+_up.exe.*"],
+		['stream', ".*>>cmd\.ftp&echo anonymous>>cmd\.ftp&echo user&echo bin>>cmd\.ftp&echo get .*"],
+		['stream', "\[get\] \/[0-9][0-9][0-9][0-9][0-9][0-9]\.\[php\].*"],
+		['smtp-data-line', "bQ1naQ8wU3T9tZ\+9BW5nczNNb2R1NTlOYW0f\+7eDR1ByO0FkZHJlc3MPU3lzdH\+b\/fZlbURp"],
+		['stream', "C"],
+		['tftp-filename', "\[hello\.all\]"],
+		['stream', "tftp -i [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ GET h3110\.411 package\.exe & package\.exe & exit\x0a\x00.*"],
+		['smb-open-filename', ".*(\[slacke-worm\.exe\]|\[\x00s\x00l\x00a\x00c\x00k\x00e\x00-\x00w\x00o\x00r\x00m\x00\.\x00e\x00x\x00e\]).*"],
+		['stream', ".*\x0B\x01\x06\x00\x00\x20\x01\x00\x00\x10\x00\x00\x00\xE0\x06\x00\x20\x01\x08\x00\x00\xF0\x06\x00\x00\x10\x08\x00\x00\x00\x40\x00\x00\x10\x00\x00\x00\x02\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x20\x08\x00\x00\x10\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x10\x00\x00\x10\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x08\x00\x64\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x64\x11\x08\x00\x0C.*\x55\x50\x58\x30\x00\x00\x00\x00\x00\xE0\x06\x00\x00\x10\x00\x00.*"],
+		['smb-copy-filename', ".*R\x00I\x00C\x00H\x00E\x00D\x002\x000.*"],
+		['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x10\x5a\x4a\x33\xc9\x66\xb9\x7d\x01\x80\x34\x0a\x99\xe2\xfa\xeb\x05\xe8\xeb.*"],
+		['stream', "echo open [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ [0-9]+ > o&echo user 1 1 >> o &echo get bling\.exe >> o &echo quit >> o &ftp -n -s:o &bling\.exe.*"],
+		['packet', ".*hel32hkernQhounthickChGetTf\xb9llQh32.*\x45\xcc\x50\x8b\x45\xc0\x50\xff.*"],
+		['stream', ".*User Access Verification.*Your PassWord:.*"],
+		['stream', ".*\x20\x03\xb3\xb2\x19\x11\xaa\x80\x3c\x46\xfe\x61\x34\x86\xc2\x68\x30\x18\x56\x0d\x95\x75\xac\x52\x23\x16\x42\xb1\x24\x8b\xa0\xc8\x11\xac\x2b\xbb\xb2\x4d\x92\x20\x40\xb6\xc6\x67\xb7\x59\x6a\x29\xba\xa5\x50\x19\x1d\x91\xc9\xb3\xd3\x50\xed\xa5\xe7\x5c\xc4\x6f.*"],
+		['smb-open-filename', ".*(\[M\000?o\000?F\000?e\000?i\000?\.\000?v\000?e\000?r\]|\[S\000?c\000?a\000?r\000?d\000?s\000?v\000?r\000?3\000?2\000?\.\000?\000?e\000?x\000?e\]|\[l\000?a\000?s\000?v\000?r\000?3\000?2\000?\.\000?e\000?x\000?e\]).*"],
+		['http-url', ".*%u5951%u6841%u7533%u0018%u754F%u7405%u4E03.*"],
+		['dns-type-name', "\x00\x01(cheese\.dns4biz\.org|butter\.dns4biz\.org|chilly\.no-ip\.info|kwill\.hopto\.org)"],
+		['stream', "SNAF.*"],
+		['stream', "USER x\012PASS x\012PORT \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['http-data', "id=crutop&vvpupkin.*"],
+		['stream', ".*CONNECT_DATA(\x20|\x09|\x0a|\x0d)*=(\x20|\x09|\x0a|\x0d)*\((\x20|\x09|\x0a|\x0d)*\((\x20|\x09|\x0a|\x0d)*COMMAND(\x20|\x09|\x0a|\x0d)*=(\x20|\x09|\x0a|\x0d)*SERVICE_CURLOAD.*"],
+		['http-url', ".*\[S%F(F|9)S\.OWA\].*"],
+		['stream', ".*\x01\x31\xDB\xCD\x80\xE8\x5B\xFF\xFF\xFF.*"],
+		['stream', ".*\[x\00p\00_\00c\00m\00d\00s\00h\00e\00l\00l\00\].*"],
+		['stream', ".*\[x\00p\00_\00c\00m\00d\00s\00h\00e\00l\00l\00\].*"],
+		['stream', ".*\[s\00p\00_\00s\00t\00a\00r\00t\00_\00j\00o\00b\00\].*"],
+		['stream', ".*\[s\00p\00_\00s\00t\00a\00r\00t\00_\00j\00o\00b\00\].*"],
+		['stream', ".*xp_dirtree N'%..%..%.....*'.*"],
+		['stream', ".*\[SELECT pwdencrypt\(REPLICATE\]\('.',([3-9][0-9][0-9]|[1-9][0-9][0-9][0-9]+)\)\).*"],
+		['stream', "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02\x10\x00\x00\x00.*\x00\x24\x01\x00\x00.*"],
+		['stream', "\x12\x01\x00\x34\x00\x00\x00\x00\x00\x00\x15\x00\x06\x01\x00\x1b\x00\x01\x02\x00\x1c\x00\x0c\x03\x00\x28\x00\x04\xff\x08\x00\x02\x10\x00\x00\x00(\x58)+\x00\x24\x01\x00\x00.*"],
+		['stream', ".*\[x\00p\00_\00(e\00x\00e\00c\00r\00e\00s\00u\00l\00t\00s\00e\00t\00|p\00r\00i\00n\00t\00s\00t\00a\00t\00e\00m\00e\00n\00t\00s|d\00i\00s\00p\00l\00a\00y\00p\00a\00r\00a\00m\00s\00t\00m\00t)\].*"],
+		['packet', ".*\x04\x41\x41\x41\x41.*"],
+		['packet', "\x08[^:]*:.*"],
+		['packet', "\x04.................................................................*"],
+		['packet', "\x10\x00\x00.*"],
+		['stream', ".*\[cash_words\]\(.-[1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+.\);.*"],
+		['stream', ".*\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x66\xb3\x01\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x8d\x0c\x24\xcd\x80\xb3\x02\xb1\x02\x31\xc9\x51\x51\x51.*"],
+		['packet', "\x00\x00\x00\x00(([\0310-\0377]\x71\x1c\x07)|(.[\0162-\0377]\x1c\x07)|(..[\0035-\0377]\x07)|(...[\0011-\0377])).*"],
+		['packet', ".*\x0d\x00..\x09\x00\x00\x00[^\000]*\xff\xff\xff\xfe.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[x-mas.exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[badass.exe\]\".*"],
+		['line', ".*BubbleBoy is back!.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[links\.vbs\]\".*"],
+		['line', "\[X-Spanska\]:( |\x09)*.\[Yes\]"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[irok\.exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[pics4you\.exe\]\".*"],
+		['line', "\[subject\]: ble bla. bee.*"],
+		['line', "\[subject\]: I Love You ;\).*"],
+		['line', "\[subject\]: Matrix has you\.\.\..*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myjuliet\.chm\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myromeo\.exe\]\".*"],
+		['line', "\[subject\]: From shake-beer.*"],
+		['line', "\[subject\]: Sorry\.\.\. Hey you !.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[navidad\.exe\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[setup\.exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[the_fly\.chm\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[toadie\.exe\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[666test\.vbs\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[tune\.vbs\]*\".*"],
+		['line', ".*begin .*\.\[vbs\].*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[dinheiro\.doc\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[money\.doc\]*\".*"],
+		['smtp-mime-content-filename', "\[badass.exe\]"],
+		['smtp-header-subject', ".*BubbleBoy is back!.*"],
+		['smtp-mime-content-filename', "\[links\]\.\[vbs\]"],
+		['smtp-mime-content-filename', "\[file_zippati\.exe\]"],
+		['smtp-header-line', "X-Spanska:( |\x09)*.Yes"],
+		['smtp-mime-content-filename', "\[irok\.exe\]"],
+		['smtp-data-line', ".*\[Software provided by \X5B\XMATRiX\X5D\X\].*"],
+		['smtp-mime-content-filename', "\[pics4you\.exe\]"],
+		['smtp-data-line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myjuliet\.chm\]\".*"],
+		['smtp-data-line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[myromeo\.exe\]\".*"],
+		['smtp-header-subject', "Sorry\.\.\. Hey you !.*"],
+		['smtp-mime-content-filename', "\[navidad\.exe\]"],
+		['smtp-mime-content-filename', "\[readme\.exe\]|\[sample\.exe\]"],
+		['smtp-mime-content-filename', "\[xpass\.xls\]"],
+		['smtp-mime-content-filename', "\[icq_greetings\.exe\]"],
+		['smtp-header-subject', "Pikachu Pokemon.*"],
+		['smtp-mime-content-filename', "\[setup\.exe\]"],
+		['smtp-mime-content-filename', "\[the_fly\.chm\]"],
+		['smtp-mime-content-filename', "\[666test\.vbs\]"],
+		['smtp-mime-content-filename', "\[tune\.vbs\]"],
+		['smtp-mime-content-filename', "\[kak\.hta\]"],
+		['stream', ".*LRCQID7dIDFEECggDSLm9df8C\/zSNKDBBAAoGA0AEUQ\+FEN23f7doqAT\/dCQk\/xWcEQmDxCTD.*"],
+		['smtp-mime-content-filename', "(\[About_Me\]|\[driver\]|\[enjoy\]|\[Source\]|\[Interesting\]|\[README\]|\[images\]|\[Pics\.ZIP\]|\[Doom3 Preview\]|\[you_are_fat\]!*)\.(\[exe\]|\[scr\]|\[pif\])"],
+		['smtp-mime-content-filename', ".*\.(\[doc|txt|xl.|gif|jpg|zip|enc|end|ps|pdf|dot|etf|rtf|ex_|ex$|ram|rm|bak|bas|bdf|bga|bhz|lha|lzh|arc|arj|cdx|csv|cal|dat|pcm|wav|mpg|mpeg|avi|wmv|mp3|mpe|anus\])\s*\.\s*(\[386|ADE|ADP|ANI|BAS|BAT|CHM|CMD|COM|CPL|CRT|DLL|DO.|EXE|GRP|HLP|HTA|INF|INS|ISP|JOB|JS|JSE|LNK|MDB|MDE|MSC|MSI|MSP|MST|OCX|PCD|PIF|POT|PPT|REG|SCR|SCT|SHB|SHS|SYS|URL|VB|VBE|VBS|WMF|WSC|WSF|WSH|WSZ|XL.\])"],
+		['smtp-header-subject', "Important information for you\. Read it immediately !"],
+		['stream', ".*(enRN(\x0d\x0a)?di5x(\x0d\x0a)?eXk3|dnp0(\x0d\x0a)?TXYu(\x0d\x0a)?cXl5|dXZ6(\x0d\x0a)?dE12(\x0d\x0a)?LnF5).*"],
+		['stream', ".*(HwoL(\x0d\x0a)?cGdz(\x0d\x0a)?emJh|XB8K(\x0d\x0a)?C3Bn(\x0d\x0a)?c3pi|G1wf(\x0d\x0a)?Cgtw(\x0d\x0a)?Z3N6).*"],
+		['stream', ".*(TSUR(\x0d\x0a)?ce0U(\x0d\x0a)?2RkI|XHtF(\x0d\x0a)?NkZC(\x0d\x0a)?NUUy|TFNJ(\x0d\x0a)?RFx7(\x0d\x0a)?RTZG).*"],
+		['stream', ".*(PUkg(\x0d\x0a)?YW0g(\x0d\x0a)?Ikly|PT1J(\x0d\x0a)?IGFt(\x0d\x0a)?ICJJ|SSBh(\x0d\x0a)?bSAi(\x0d\x0a)?SXJ6).*"],
+		['stream', ".*(NShF(\x0d\x0a)?OXU6(\x0d\x0a)?el1n|RTl1(\x0d\x0a)?Onpd(\x0d\x0a)?Z\/YO|KEU5(\x0d\x0a)?dTp6(\x0d\x0a)?XWf2).*"],
+		['stream', ".*aW5nB7oGdbA7FU11aA9GtlgQQWEPSert\/0Nvb2xoZWxwMzJTbjxzaG87trUNlI8tRGSDAJML.*"],
+		['smtp-data-text-html', "<OBJECT STYLE=\"display:none\" DATA=\"http:\/\/[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?:81\/[0-9][0-9][0-9][0-9][0-9][0-9]\.php\">"],
+		['smtp-header-subject', "(ble bla, bee)|(I Love You ;\))|(sorry\.\.\.)|(Hey you !)|(Matrix has you\.\.\.)|(my picture)|(from shake-beer)"],
+		['smtp-header-subject', "(Good Times|Market share tipoff\.\.\.|New Developments|WWIII!)"],
+		['smtp-mime-content-filename', "\[baby\.exe\]|\[bboy\.exe\]|\[boss\.exe\]|\[casper\.exe\]|\[chestburst\.exe\]|\[cooler1\.exe\]|\[cooler3\.exe\]|\[copier\.exe\]|\[cupid2\.exe\]|\[farter\.exe\]|\[fborfw\.exe\]|\[g-zilla.exe\]|\[gadget\.exe\]|\[goal\.exe\]|\[goal1\.exe\]|\[hog\.exe\]|\[irnglant\.exe\]|\[monica\.exe\]|\[panther\.exe\]|\[party\.exe\]|\[pirate\.exe\]|\[saddam\.exe\]|\[theobbq\.exe\]|\[video\.exe\]"],
+		['smtp-mime-content-filename', "\[money\.doc\]|\[dinheiro\.doc\]"],
+		['stream', ".*\X80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 80 1c 40 11 \X.*"],
+		['stream', ".*\x00\x00\x04\x00\/...\xfc\xff\xff\xff\xfc\xff\xff\xff\xa1\xff\xff\xbf\xf8\xe2\xff\xbf\x20\xd9\x05\x08[A-z]+.*"],
+		['packet', ".*(\x90)+\xeb\x3c\x5e\x31\xc0\x88\x46\xfa\x89\x46\xf5\x89\xf7\x83\xc7\x10\x89.*"],
+		['packet', ".*AAAABBBBABCDBBBBABCF.*"],
+		['packet', ".*\xeb\x3d\x9a\xff\xff\xff\xff\x07\xff.*|.*\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff.*"],
+		['packet', ".*ADM_METHOD\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16\x00\x00\x00\x15\.\.\/.*"],
+		['stream', ".*uid=[0-9]+\([^)]+\).*"],
+		['packet', "..\x85\x00\x00\x00\x00.\x00\x00\x00\x00[\041-\0377].\x00((\001)|(\040))\x00\x01.*"],
+		['stream', ".*\x04\x42\x45\x41\x56\x00\x04\x42\x45\x41\x56\x49\x53\x00\x01\x08\x00\x79\x65\x70\x20\x79\x65\x70\x00\x00.*"],
+		['stream', ".*\x5C\x00\x5C\x00\x2A\x00\x53\x00\x4D\x00\x42\x00\x53\x00\x45\x00\x52\x00\x56\x00\x45\x00\x52\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xFF\xFF\xFF\xFF\x00\x00\x00\x00.*"],
+		['stream', ".*\xeb\x2f\x5f\xeb\x4a\x5e\x89\xfb\x89\x3e\x89\xf2.*"],
+		['packet', "..\x40\x00......\x00\x01.*"],
+		['stream', ".*\"[^\"]*\[https?\]:\/\/[^ ]*(%00|\x00|%01|\x01|%09|\x09)[^ ]*@[^\"]*\".*"],
+		['stream', ".*<\[OBJECT\][^>]*\[classid=\"CLSID:4B106874-DD36-11D0-8B44-00A024DD9EFF\"\][^>]*>.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[doc\.vbs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[gif\.vbs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[jpg\.vbs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[pif\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[scr\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[shs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[txt\.vbs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vbs\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[xls\.vbs\]\".*"],
+		['line', "(\[Content-Disposition: attachment\];)?( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[cmd\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[chm\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[crt\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[hlp\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[ins\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[isp\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[js\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[jse\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[mdb\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[mde\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msc\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[msi\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[pcd\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[sct\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[url\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vb\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[vbe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsc\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsf\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\".*\.\[wsh\]\".*"],
+		['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
+		['line', ".*\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff.*"],
+		['stream', ".*\xeb\x34\x5e\x8d\x1E\x89\x5e\x0b\x31\xd2\x89\x56\x07.*"],
+		['stream', ".*\xeb\x35\x5E\x80\x46\x01\x30\x80\x46\x02\x30\x80\x46\x03\x30.*"],
+		['stream', ".*\xeb\x38\x5e\x89\xf3\x89\xd8\x80\x46\x01\x20\x80\x46\x02.*"],
+		['stream', ".*\xeb\x58\x5E\x31\xdb\x83\xc3\x08\x83\xc3\x02\x88\x5e\x26.*"],
+		['line', "1 LSUB \"\" {1064}.*"],
+		['stream', ".*\x2a\x20\x41\x55\x54\x48\x45\x4e\x54\x49\x43\x41\x54\x45\x20\x7b\x31\x30\x32\x38\x7d\x0a\x90*\xeb\x21\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x0c\x88\x5e\x11\x31\xc0\xb0\x3b\xbf\x30\x30\x30\x30\x29\x7e\x01\x29\x7e\x03\x53\x53\x56\x56\xeb\x10\xe8\xda\xff\xff\xff.*"],
+		['stream', ".*x82 partial 1 body\x5b(\x41\x41)+\xeb\x38\x5e\x80\x46\x01\x50\x80\x46\x02\x50\x80\x46\x03\x50\x80\x46\x05\x50\x80\x46\x06.*"],
+		['stream', ".*A0666 PARTIAL 1 BODY\x5b(\x90)+\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03.*"],
+		['stream', ".*\x78\x20\x6c\x6f\x67\x69\x6e\x20\x7b\x34\x32\x39\x34\x39\x36\x37\x32\x39\x35\x7d\x0d\x0a\xc3\xb0\xc3\xaf\xc3\xbf\xc2\xbf\xc2\x90\xc3\xaf\xc3\xbf\xc2\xbf\xc3\xbc\xc3\xbf\xc3\xbf\xc3\xbf\xc3\xbc.*"],
+		['stream', ".*\x00\x01\x57\x00\x00\x00\x18.\xFF\xFF\xFF\xFF\x00\x00.*"],
+		['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['stream', "SSH-1\.1-A*\xb8\x00\x03\xff\xe0\x00A*\x90*\x00\xbb\x12\x00\x0a\x00\x90*\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5.*"],
+		['ssh-header', ".*(#RHL|SISQO|AcidBurns|Born|God|Joker|Owned|Protected|Shadow|SloboZ|U-B00T's_BACKDOOR|hai|X.X.X|GOBBLES|KobrAs@Undernet.Org|check_ssh_1.17|7.7.7).*"],
+		['stream', ".*(uname|bin\/ls|bin\/id|bin\/nc|bin\/g?cc|bin\/mail|ifconfig|bin\/(k|ba|c|tc|z)?sh).*"],
+		['stream', ".*uid=[0-9]+\([^)]+\).*"],
+		['stream', "\[(GET|HEAD|POST)\] \/?(\.\.(\/|\\))+.*"],
+		['line', "227 ...............................................[^\0353]+\xeb\x40\x5e\x31\xc0\x88.*"],
+		['http-url-parsed-param', "\/\[cgi-bin\]\/\[readfile\]\.\[tcl\]\?\[file\]=.*\/(\[etc\]|\[usr\]|\[bin\]|\[sbin\]|\[var\/log\]).*"],
+		['stream', "[^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ][^ ]+[ ].*"],
+		['packet', "-soa [^\012]+%(%|d|D|i|o|u|x|X|f|e|g|E|s|c|\0133|p|n).*"],
+		['stream', ".*-805289688=%31%C0%89%C3%B0%02%CD%80%38%C3%74%05%8D%43%01%CD%80%31%C0%89%45%10%40.*"],
+		['stream', ".*\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012\[(is-modified|unchanged)\] [^\012]*\012.*"],
+		['packet', "\x00\x09.........................[\0100-\0200].*"],
+		['stream', ".*\x31\x30\x30\x30\x33\x2e\x68\x74\x74\x70\x3a\x2f\x2f(\x90)+\x30\x9b\xbf\xef\x90\xeb\x1f\x5e\x31\xc0\x89.*"],
+		['stream', ".*\x00\x00domain HELL\x00.*"],
+		['stream', ".*\xff\xff\x4b\x41\x44\x4d\x30\x2e\x30\x41\x00\x00\xfb\x03\x00\x40\x06\x08\x00\x40.*"],
+		['stream', ".*\x70\xf9\xff\xbf\x70\xf9\xff\xbf\x70\xf9\xff\xbf\x72\xf9\xff\xbf\x25\x2e\x66\x25\x2e\x66\x25\x2e\x66\x25\x2e\x66.*"],
+		['stream', ".*\x40\x82\x82\x82\x82\x24\xd2\x04\x08\x82\x82\x82\x82\x25\xd2\x04\x08\x82\x82\x82\x82\x26\xd2\x04\x08\x82\x82\x82\x82\x27\xd2\x04\x08\x25\x31\x31\x24\x32\x33\x36\x78\x25\x31\x32\x24\x6e\x25\x31.*"],
+		['packet', "\x3e\x3e\x3e\x0a\x80\xf7\xff\xbf\xff\xff\xff\xff\x81\xf7\xff\xbf\xff\xff\xff\xff\x82\xf7\xff\xbf\xff\xff\xff\xff\x83\xf7\xff\xbf\x25\x30\x38\x78.*"],
+		['stream', ".*\x31\xc0\x31\xdb\x31\xc9\x51\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc2\x31\xc0\x31\xc9\x51\x51.*"],
+		['stream', "\x05\x00\x0b\x03\x10\x00\x00\x00\x48\x00\x00\x00\x02\x00\x00\x00\xd0\x16\xd0\x16\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\x60\x9e\xe7\xb9\x52\x3d\xce\x11\xaa\xa1\x00\x00\x69\x01\x29\x3f\x02\x00\x02\x00\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00\x05\x00\x00\x01\x10\x00\x00\x00\xd0\x16\x00\x00\x8f\x00\x00\x00\x20\x27\x01\x00\x00\x00\x02\x00\xf0\x00\x00\x00\x00\x00\x00\x00\xf0\x00\x00\x00.*\x88\x13\x00\x00\x00\x00\x00\x00\x88\x13\x00\x00.*"],
+		['stream', ".*\[Plonked by Dave Aitel\].*"],
+		['stream', ".*\x5c\x00\x6c\x00\x6f\x00\x63\x00\x61\x00\x74\x00\x6f\x00\x72\x00.*\x39\x04\x00\x00\x00\x00\x00\x00\x39\x04\x00\x00\x2f\x00\x2e\x00\x3a\x00\x2f\x00.*"],
+		['smb-native-lanman', "Metasploit Framework"],
+		['stream', ".*ADMROCKS.*"],
+		['packet', ".*ADMROCKS.*"],
+		['line', "[^ ]*%[0-9]*n"],
+		['tftp-filename', ".*AA(A)+\.(AA)+\xff\xff\xff\xff\xeb\x27\x8b\x34\x24\x33\xc9\x33.*"],
+		['tftp-filename', "\/.*"],
+		['stream', ".*\x01a\\\.\.\\\.\.\\winnt\\repair\\sam.*"],
+		['line', "550 .* \[cannot mail\].*\[to programs\].*"],
+		['smtp-data-text-html', ".*\[https?\]:\/\/[^ ]*(%00|\x00|%01|\x01|%09|\x09)[^ ]*@.*"],
+		['smtp-data-text-html', ".*<\[a\][^>]+\[mailto:\](\041|[\043-\046]|[\050-\075]|[\076-\0176])*&(\[quot\]|#34);.*"],
+		['stream', ".*<[^>]*=( |\090)*(\047|\042)?( |\090)*\[HCP:\/\/system\/DVDUpgrd\/dvdupgrd\.htm\]\?[^>]+>.*"],
+		['stream', ".*<[^>]*\[href=\](\"|')?\[shell:user profile\\\].*"],
+		['smtp-mime-content-data', "\xff\xd8.*\0377(\0376|\0341|\0342|\0355)\000(\000|\001).*"],
+		['smtp-header-reply-to', ".*(\${\[ifs\]}|\/bin\/).*"],
+		['stream', ".*\x31\xc0\x89\xc3\x89\xc1\x89\xc2\xb2\x3f\x88\xd0\xb3\x05\xcd\x80\x89\xd0\x41\xcd\x80\x89\xd0\x41\xcd\x80\xeb\x1d\x5e\x29\xc0\x88\x46\x07\x89\x46\x0c\x89\x76\x08\xb0\x0b\x87\xf3\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\x29\xc0\x40\xcd\x80\xe8\xde\xff\xff\xff.*"],
+		['smtp-header-from', ".*(ABCDEFGHIJKLMNOPQRSTUVWXYZabc|\x55\x54\x5d\x33\xff\x57\xc6\x45\xfc\x63\xc6\x45\xfd\x6d\xc6\x45\xfe\x64\x57\xc6).*"],
+		['smtp-rcpt', ".*\xff\xff\xff\xff.*"],
+		['smtp-command-line', ".*\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff\x5c\xff.*"],
+		['smtp-header-line', ".*charset( |\x09)*=( |\x09)*\"\".*"],
+		['smtp-command-line', ".*\xeb\x45\xeb\x20\x5b\xfc\x33\xc9\xb1\xaf\x8b\xf3\x80\x2b.*"],
+		['smtp-rcpt', "(\[uu\])?\[decode\]"],
+		['stream', ".*<\[META http-equiv=refresh content=\"1; &#13;&#10;url=file:\/\/C:\WINDOWS\Application Data\Qualcomm\Eudora\Embedded\.*\.mhtml\"\]>.*"],
+		['smtp-command-line', "( |\x09)*\[etrn\].*"],
+		['smtp-data-text-html', ".*<([a-z]|[A-Z])+[^>]+\[hcp\]:\/\/([\000-\041]|[\043-\046]|[\050-\0377])*(\"|&\[quot\];|&#34;)([\000-\041]|[\043-\046]|[\050-\0377])*-\[url\][ ]+(\"|&\[quot\];|&#34;).*"],
+		['smtp-command-line', "(\[HELO\]|\[RCPT TO\])[^\00]*%(\.?[0-9][0-9]?($|\*)*)?[a-z].*"],
+		['packet', ".*(\x90)+\x31\xc0\x31\xdb\xb0\x02\xcd\x80\x39\xd8\x75\x2d\x31\xc0\x50\x66\x68\x2d\x46\x89.*"],
+		['packet', ".*(\x0c|\x51)..*%\[(n|h|s|x)\].*"],
+		['stream', ".*\x41\x39\x30\xc0\xa8\x01\x01\x2f\x62\x69\x6e\x2f\x73\x68\x00.*"],
+		['stream', ".*(XXXX%\.172u%300\$n|\xE8\x94\xFF\xFF\xFF\/bin\/sh).*"],
+		['stream', ".*\xe8.\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\x5e\xb0\x02\x89\x06\xfe\xc8\x89\x46\x04\xb0\x06\x89\x46.*"],
+		['stream', ".*\xeb\x56\x5E\x56\x56\x56\x31\xd2\x88\x56\x0b\x88\x56\x1e.*"],
+		['stream', ".*\xeb\x40\x5E\x31\xc0\x40\x89\x46\x04\x89\xc3\x40\x89\x06.*"],
+		['stream', ".*\x01\x03\x00\x00\x00\x00\x00\x01\x00\x02\x02\xe8.*"],
+		['stream', ".*\xeb\x2c\x5b\x89\xd9\x80\xc1\x06\x39\xd9\x7c\x07\x80\x01.*"],
+		['stream', ".*\xff\xff\xff\x2f\x42\x49\x4e\x2f\x53\x48\x00.*"],
+		['stream', ".*\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78\x7F\xFF\xFB\x78.*\x40\x8A\xFF\xC8\x40\x82\xFF\xD8\x3B\x36\xFE\x03\x3B\x76\xFE\x02.*"],
+		['stream', ".*\xeb\x23\x5e\x33\xc0\x88\x46\xfa\x89\x46\xf5\x89\x36.*"],
+		['packet', ".*\xA0\x09\x30\x07\xA1\x05\x23\x03\x03\x01[\001-\007].*"],
+		['stream', ".*\xeb\x7f\x5d\x55\xfe\x4d.\xfe\x4d.\xfe\x4d.*"],
+		['line', ".*\xeb\x49\x5e\x29\xc0\x29\xdb\x40\x89\x46\x04\x40\x89\x06\xb0\x06\x89\x46\x08.*"],
+		['lpr-command', ".*\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/.*"],
+		['stream', ".*\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/.*"],
+		['stream', ".*\/bin\/(ba|k|c|tc)?sh.*"],
+		['stream', ".*\.\.\/\.\.\/\.\.\/\.\.\/.*"],
+		['packet', ".*\xff\xff\/(usr\/)?bin\/.*"],
+		['packet', ".*\xff\xff\xff\/bin\/sh.*"],
+		['stream', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
+		['packet', ".*\x90\x1a\xc0\x0f\x90\x02\x20\x08\x92\x02\x20\x0f\xd0\x23\xbf\xf8.*"],
+		['stream', ".*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05.*"],
+		['packet', ".*\xeb\x6e\x5e\xc6\x06\x9a\x31\xc9\x89\x4e\x01\xc6\x46\x05.*"],
+		['stream', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0.*"],
+		['packet', ".*\x31\xc0\xb0\x3f\x31\xdb\xb3\xff\x31\xc9\xcd\x80\x31\xc0.*"],
+		['stream', ".*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0.*"],
+		['packet', ".*\x31\xc0\xb0\x02\xcd\x80\x85\xc0\x75\x4c\xeb\x4c\x5e\xb0.*"],
+		['stream', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
+		['packet', ".*\x89\xf7\x29\xc7\x89\xf3\x89\xf9\x89\xf2\xac\x3c\xfe.*"],
+		['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['packet', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['stream', ".*\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x7a\x69\x03\x21\x00\x90*\x31\xdb\x31\xc0\xeb\x30\x5e\x8d\x7e\x10\x89\xf9\x89\x3e\x8d\x7e\x18\x89.*"],
+		['stream', ".*\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x01\x00\x01\x00\x00\x7a\x69\x03\x21\x00\x90*\x31\xdb\x31\xc0\xeb\x38\x5e\x8b\xfe\x89\x7e\x3c\x8d\x7e\x14\x89\x7e\x40.*"],
+		['packet', "..\x09\x80\x00\x00\x00\x01\x00\x00\x00\x00.*"],
+		['http-header-user-agent', "\[Autoproxy\]"],
+		['stream', ".*>net start r_server.*"],
+		['packet', "\xb4\xb4"],
+		['stream', ".*B\.F\. Evolution RAT.*"],
+		['stream', ".*Mini Oblivion v[0-9]\.[0-9] Ready.*"],
+		['stream', ".*(LISTAPP|FTPON|MOUSE(OFF|ON)|TIME|SPAWN|RUN|VER|EXPLOREFOL|APPDATE|CONFIG|DEVICE|PROGRAMS|PWZ|BIOS(VER|EX)|SCRN|HIDESTART).*"],
+		['stream', ".*PitFall Vers\xe3o TelNet.*"],
+		['stream', "((\x6c)|(\xc7)|(\xc8.*)|(\xc9.*)|(\xca.*))"],
+		['stream', ".*Remote: You are connected to me.*"],
+		['stream', ".*connected\. .*"],
+		['stream', ".*version:.DEFCON8.2.1"],
+		['stream', ".* [[]RPL[]]002.*"],
+		['stream', ".*YOK2BENNY.*"],
+		['stream', "\x00[^\0]*\x00bin\x00.*"],
+		['stream', "\x00[^\0]*(\x00|\x0d)echo\+\++(\x00|\x0d).*"],
+		['stream', "\x00[^\0]*\x00root\x00.*"],
+		['finger-user', "cmd_rootsh"],
+		['stream', "\x30\x82..\x02\x01.\x60\x82..\x02[\0005-\0377].*"],
+		['http-header-host', "apache-nosejob\.c.*"],
+		['http-header-host', "apache-scalp\.c.*"],
+		['stream', "POST \/ HTTP\/1.1\x0d\x0aHost: Unknown\x0d\x0aX-CCCCCCC: A.*Transfer-Encoding: chunked.*\x0d\x0affffff6e\x0d\x0a.*"],
+		['stream', ".*TERM=xterm; export TERM=xterm; exec bash -i\x0a.*"],
+		['http-url', "[^:]*%(i|o|x|X|s|g|G|n)([\000-\071]|[\073-\076]|[\077-\0377])*:.*"],
+		['http-authorization', "[^:]*%.*"],
+		['http-url', ".*\[\/null\.printer\].*"],
+		['http-url-parsed-param', ".*\[(a|NULL|test)\.idq\].*"],
+		['http-url-parsed-param', ".*\.asp(\?|\/)\xeb\x06\xeb\x06.*"],
+		['stream', ".*\x90\xeb\x03\x5d\xeb\x05\xe8\xf8\xff\xff\xff\x83\xc5\x15\x90\x90\x90\x8b\xc5\x33\xc9\x66\xb9\x10\x03\x50\x80\x30\x97\x40\xe2\xfa.*"],
+		['stream', ".*NNNNaaaa\?cjjs HTTP\/.*"],
+		['http-request', "\[LOCK\] \/X+\x25\x75\x33\x30\x37\x33.*"],
+		['stream', ".*\[search\] \/[^ ]*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['http-url-parsed', "\[\/servlet\/UploadServlet\]"],
+		['stream', "\[POST +\/_vti_bin\/_vti_aut\/fp30reg\.dll\].*\[Transfer-Encoding: +chunked\].*"],
+		['stream', "(GET|HEAD|POST) .*%s.* HTTP\/.*"],
+		['stream', ".*\x50\x4f\x53\x54\x20\x2f\x20\x48\x54\x54\x50\x2f\x31\x2e\x30\x0a\x43\x6f\x6e\x74\x65\x6e\x74\x2d\x4c\x65\x6e\x67\x74\x68\x3a\x20\x2d\x38\x30\x30\x0a\x0a\x0a\xeb\x0a\x2d\x2d\x6e\x65\x74\x72\x69.*"],
+		['http-request', ".*\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\xff\x49\x02\x6a\x10\x51\x50\x89\xe1\x43\xb0\x66\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0.*"],
+		['http-request', ".*(\x83\xc4\x40\xeb\x74\x5d\x6a\x06\x6a\x01\x6a\x02\x8d\x1c\x24\x89\xd9\x31\xdb\xb3\x01\x31\xc0|\x83\xc4\x40\xeb\x55\x5d\x6a\x06\x6a\x01\x6a\x02\x31\xc0\xb0\x61\x50\xcd\x80\x89\xc7\x83\xec).*"],
+		['http-url-parsed', ".*\/\[c32web\.exe\/ChangeAdminPassword\]"],
+		['http-url-parsed', ".*\[\/cart32\.exe\/cart32clientlist\]"],
+		['http-url-parsed-param', ".*\[\/cgi-bin\/FtpSave\.dll\?\].*"],
+		['http-text-html', ".*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*<\[object\][^>]+\[classid=\"clsid:\][^>]+\[codebase\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*[\0103-\0172]:.*"],
+		['http-text-html', ".*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*<\[object\][^>]*\[codebase\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*[\0103-\0172]:[^>]*\[classid\]( |\x09|\x0A)*=( |\x09|\x0A)*(\"|')( |\x09|\x0A)*\[clsid:\].*"],
+		['http-text-html', ".*<[^>]*=(\047|\042)?\[ssh\]:\/\/[^>]*%20-(F|R)[^>]*>.*"],
+		['http-url-parsed-param', ".*\[\/pals-cgi\?.*(palsAction=restart|documentName=).*(palsAction=restart|documentName=)\].*"],
+		['http-url-parsed-param', ".*\/\[wsisa\.dll\/WService=.*\?WSMadmin\].*"],
+		['http-request', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['http-header', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['ftp-pathname', ".*\x83\xec\x04\x5e\x83\xc6\x70\x83\xc6\x28\xd5\xe0\xc0.*"],
+		['ftp-password', "-user@"],
+		['ftp-pathname', "\xeb\x0e\x5e\x56\x5f\xac\x3c\xa0\x74\x0b\x90\x34\x98\xaa\xeb\xf5.*"],
+		['ftp-password', ".*(\x31\xc0\x31\xdb\x31\xc9\xb0\x46\xcd\x80\x31\xc0\x31\xdb|\x31\xc0\x50\x50\x50\xb0\x7e\xcd\x80\x31\xdb).*"],
+		['ftp-pathname', "~root"],
+		['ftp-sitestring', "exec xx.*(\x25\x2E\x66)+.*"],
+		['ftp-password', "\x78\x78\x90\x1b\xc0\x0f\x82\x10\x20\x17\x91\xd0\x20\x08\xae\x10.*"],
+		['line', ".*\x90\x90\x31\xc0\x31\xdb\xb0\x17\xcd\x80\x31\xc0\xb0\x17\xcd\x80\x31\xc0\x31\xdb\xb0\x2e\xcd\x80\xeb\x4f\x31\xc0\x31\xc9\x5e\xb0\x27\x8d\x5e\x05\xfe\xc5\xb1\xed\xcd\x80\x31\xc0\x8d\x5e\x05\xb0\x3d\xcd\x80\x31\xc0\xbb\xd2\xd1\xd0\xff\xf7\xdb\x31\xc9\xb1\x10\x56\x01\xce\x89\x1e\x83\xc6\x03.*"],
+		['ftp-password', "h@ck\.er.*"],
+		['telnet-subnegotiation', ".*\x03\xff\xff\xff\xff\xcc\/bin\/.*"],
+		['telnet-subnegotiation', ".*\[ld_library_path\].*"],
+		['telnet-subnegotiation', ".*\[ld_preload\].*"],
+		['telnet-subnegotiation', ".*\[resolv_host_conf\].*"],
+		['telnet-subnegotiation', ".*_\[rld\].*"],
+		['telnet-subnegotiation', ".*\x27\x00\x00T\x02*T\x02*Y\x02*P\x02*R\x02*O\x02*M\x02*P\x02*T.*"],
+		['stream', ".*\x00\x00\x44\x49\x53\x50\x6c\x41\x59\x01\x6d\x61\x74\x74\x65\x72\x3a\x30\x2e\x30\xff\xf0\xff\xfd\x01\xff\xfc\x01(\x41)+.*"],
+		['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa5\xec.\x04\xb5\xec.\x04\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
+		['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa9\xec.\x04\xb9\xec.\x04\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
+		['stream', ".*\x53\x45\x54\x55\x50\x20\x2f\xa5\xec.\x03\xb5\xec.\x03\x8b\x7d\x08\x33\xc9\x33\x02\xb2\x1f\x80\xc2\x01\x66\x81\xc1\x9d\x02.*"],
+		['stream', "\x53\x45\x54\x55\x50\x20\x2f\x8b\xfa\x33\xc9\xb2\x35\x90\x90\x90.*"],
+		['irc-join-chan', "#(aaNIya827|ABIGAI285|abvGai68|abvGai689|AIdas865|alEKaN33|alEKaN33|ALexAn7|aMBEr552|AMEXaN544|aMFeR44|anDHeW9|AnDREA861|AnGnL2|AnyeLI5|aOEJaN329|AutoMN232|aUtumN790|BrIana628|BribNa146|bROOME564|BryXE955|CAlHeR44|cHASW30|ChrIsb80|cHRisT319|cqloE581|cvrLoS32|daKOGa641|dakOtA29|dakotz40|dAnirl638|dEsTyn4|dRSTIn5|eatHAN9|Elizrb738|eric259|etHam4|FAIxh452|GAbrie484|GacRIE6|gaRRut550|gaureT85|gaViN9|geBRiE88|GZBriE1|HAAEY40|HlexAN1|huNTwR79|iAN12|iSaBEL1|ISabeL37|IsNBEl41|jada6|jared8|jenfa2|JenNA9|jeRPMi18|JEsUS428|JGREmY1|JHCqUe2|joRdaN3|jOsCua832|JOSE737|jOsE90|JoSEoH51|jOsHPA863|jOSW89|jQHn659|jYsmIN17|KATher354|KATHrc6|KAtzER231).*"],
+		['irc-join-chan', "#(KenHET92|KeViN1|kevin678|LauRd150|lauva822|LESLie3|ligueL5|LoGEn1|MaCven441|MAdiSo236|MAIY78|MaMeLi144|marc7|maRISs8|maRy211|MEGaT33|merK4|MGRk176|MIchrL605|mIGUEl4|MjLLY10|MsRK9|mygaN504|nATalH0|NaThAv2|nIChoL12|noah420|paige300|PatrzC3|psAIaH333|Q8DarK|riCEAr797|robERt686|RtBeCC499|SEan31|SHelbY692|SihRrA2|SrIN809|sYDNEe3|TyleR607|vICoOR779|vICTor6|VIctTR7|WArOLi666|WILlIA779|xaVIEE9|xQvIEr151|yaDa61|zHCHar13|ZOE4|zoh3).*"],
+		['stream', ".*HKLM\\System\\CurrentControlSet\\Services\\NetDDE\\ImagePath.*"],
+		['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['http-url-parsed', "\/(images|0)\/cinik\.c.*"],
+		['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['packet', "\x00\x00\x00\x00........\x70\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"],
+		['smb-open-filename', ".*\0134\000?(\[d\00?v\00?l\00?d\00?r\x00?3\x00?2\00?\.\00?e\00?x\00?e\00?\]|\[i\00?n\00?s\00?t\00?\.\00?e\00?x\00?e\]).*"],
+		['stream', ".*\x59\x49\x39\xE0\xC3\x1D\xD3\x4D\xD8\xF2\x61\x73\x73\x6B\x47\x69\xDA\xB5\xBC\x05\x3A\xF0\xE4\xC7\x98\x76\xCB\xB4\x37\xA4\x39\x4A.*"],
+		['stream', ".*PONG :aux4\.suckit\.com.*"],
+		['smb-connect-path', "\x5c\x00\x5c\x00\x31\x00\x32\x00\x2e\x00\x33\x00\x34\x00\x2e\x00\x35\x00\x36\x00\x2e\x00\x37\x00\x38\x00\x5c\x00\x49\x00\x50\x00\x43\x00\x24\x00"],
+		['stream', ".*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x31\xc9\x66\xb9\x86\x06\x80\x73.*"],
+		['stream', ".*\[update user set password\]='90909090.*"],
+		['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[eurocalculator\.exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[file_zippati\.exe\]\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[fix2001\.exe\]\".*"],
+		['line', ".*\[Software provided by \X5B\XMATRiX\X5D\X\].*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"readme.exe\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[xpass\.xls\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[icq_greeting\](s)*\.\[exe\]*\".*"],
+		['line', "\[Subject\]: Pikachu Pokemon.*"],
+		['line', "Subject: C:\\CoolProgs\\Pretty Park\.exe.*"],
+		['stream', ".*qazwsx\.hsq.*SOFTWARE\Microsoft\Windows\Current Version\Run.*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[suppl\.doc\]*\".*"],
+		['line', "( |\x09)*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[timofonica\.txt\.vbs\]\".*"],
+		['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[y2k\.exe\]\".*"],
+		['line', ".*(\[file\])?\[name\]( |\x09)*=( |\x09)*\"\[Zipped_Files.EXE\]\".*"],
+		['smtp-mime-content-filename', "\[x-mas\.exe\]"],
+		['smtp-mime-content-filename', "\[eurocalculator\.exe\]"],
+		['smtp-mime-content-filename', "\[fix2001\.exe\]"],
+		['smtp-header-subject', "\[C:\\\\CoolProgs\\\\Pretty Park\.exe\].*"],
+		['smtp-data-line', ".*\[qazwsx\.hsq\].*\[SOFTWARE\Microsoft\Windows\Current Version\Run\].*"],
+		['smtp-mime-content-filename', "\[suppl\.doc\]"],
+		['smtp-mime-content-filename', "\[timofonica\.txt\.vbs\]"],
+		['smtp-mime-content-filename', "\[toadie\.exe\]"],
+		['smtp-mime-content-filename', "begin.*\.\[vbs\].*"],
+		['smtp-mime-content-filename', "\[wtc\.exe\]"],
+		['smtp-mime-content-filename', "\[y2k\.exe\]"],
+		['smtp-mime-content-filename', "\[Zipped_Files\.EXE\]"],
+		['stream', ".*\xeb\x31\x5e\x89\x76\xac|\xeb\x35\x5e\x89\x76\x18.*"],
+		['stream', ".*\x23\x0D\xF6\xD2\x00\x00\x00\x00\x00\x00\x00\x02\x00\x01\x86\xA0\x00\x00\x00\x02\x00\x00\x00\x05\x00\x00\x00\x01\x00\x00\x00\x20\x3D\xD2\xC9\x9F\x00\x00\x00\x09\x6C\x6F\x63\x61\x6C\x68\x6F\x73\x74\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x86\xa0\x00\x00\x00\x02\x00\x00\x00\x04\xFF\xFF\xFF\xFF.*"],
+		['packet', ".*\xeb\x4b\x5e\x89\x76\xac\x83\xee\x20\x8d\x5e\x28\x83\xc6\x20\x89\x5e\xb0\x83\xee\x20\x8d\x5e\x2e\x83\xc6\x20\x83\xc3\x20\x83\xeb\x23\x89\x5e\xb4\x31\xc0\x83\xee\x20\x88\x46\x27\x88\x46\x2a\x83\xc6\x20\x88\x46\xab\x89\x46\xb8\xb0\x2b\x2c\x20\x89\xf3\x8d\x4e.*"],
+		['packet', ".*\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x32\x33\x36\x78\x25\x6e\x25\x31\x33\x37\x78\x25\x6e\x25\x31\x30\x78\x25\x6e\x25\x31\x39\x32\x78\x25\x6e.*"],
+		['packet', ".*\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x38\x78\x25\x32\x33\x36\x78\x25\x6e\x25\x31\x33\x37\x78\x25\x6e\x25\x31\x30\x78\x25.*"],
+		['stream', "(.*\Xff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f ff ff ff c0 00 00 00 00 00 00 00 0d 00 00 00 6f\X.*|\x20\xbf\xff\xff\x20\xbf\xff\xff)"],
+		['packet', ".*(\xc0\x0f\x80\x1b\xc0\x0f\x80\x1b\xc0\x0f\x80\x1b\xc0\x0f\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x5c\x92\x22\x20\x10\x94\x1b\xc0\x0f\xec\x02\x3f\xf0\xac\x22\x80\x16\xae\x02|\x90\x90\xeb\x45\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb7\x88\x46\xbc\x31\xc0\x50).*"],
+		['packet', ".*ADM_METHOD\x00\x00\x00\x00\x00\x09\x00\x00\x00\x16\x00\x00\x00\x15\.\.\/\.\.\/\.\.\/\.\.\/\.\.\/bin\/sh.*"],
+		['stream', ".*\x90\x90\x31\xdb\x89\xe7\x8d\x77\x10\x89\x77\x04\x8d\x4f\x20\x89\x4f\x08\xb3\x10\x89\x19\x31\xc9\xb1\xff\x89\x0f\x51\x31\xc0\xb0.*"],
+		['stream', ".*(uname|\/bin\/|export).*"],
+		['stream', ".*\xa0\x0e\x30\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a\xa1\x05\x23\x03\x03\x01[\001-\007].*"],
+		['stream', ".*\x05\xe0\xe3\x1c\x0b\x03\xb8\xd7\xe0\xe8\x09\xfa\x89\xf9.*"],
+		['stream', ".*\x68\x5d\x5e\xff\xd5\xff\xd4\xff\xf5\x8b\xf5\x90\x66\x31.*"],
+		['pop3-command-line', ".*.\xff\xff\xff\/bin\/.*"],
+		['stream', ".*\x56\x0e\x31\xc0\xb0\x3b\x8d\x7e\x12\x89\xf9\x89\xf9.*"],
+		['line', "AUTH.*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
+		['line', "LIST 1 .*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
+		['line', "XTND .*\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff\xff\xff.*"],
+		['line', "AUTH .*\xeb\x1b\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x29\xc0\xaa\x89\xf9\x89\xf0\xab\x89\xfa\x29\xc0\xab\xb0\x08\x04\x03\xcd\x80\xe8\xe0\xff\xff\xff.*"],
+		['stream', ".*(\x41)+\xf0\x00\x00\x00\x58\x55\x89\xe5\x81\xec\x2c\x00\x00\x00\x89\x45\xd4\xc7\x45\xfc\x00\x00\xe7\x77\x8b\x45\xfc\x66\x81\x38\x4d\x5a\x75\x7c\x05\x3c\x00\x00\x00\x8b\x18\x03\x5d\xfc\x66\x81\x3b.*"],
+		['ssh-header', "SSH-2\.0-G+O+B+L+E+S+.*"],
+		['ssh-header', ".*http:\/\/anti\.security\.is.*"],
+		['stream', ".*\*GOBBLE\*.*"],
+		['packet', ".*\xb1\x06\x51\xb1\x01\x51\xb1\x02\x51\x89\xe1\xb3\x01\xb0\x66\xcd\x80\x89\xc1\x31\xc0\x31\xdb\x50\x50\x50\x66\x68..\xb3\x02\x66\x53\x89\xe2\xb3\x10\x53\xb3\x02\x52\x51.*"],
+		['packet', "..........[\061-\071][\060-\071][\060-\071]([\060-\071]|\x62|\x64).*"],
+		['stream', "\[A+BBBB\].*"],
+		['stream', "\[DATE\] A+.*"],
+		['packet', ".*(\x90)+\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd.*"],
+		['stream', ".*\x01\x00\x00\x00\x64\x00\x00\x00\x00\xd0\x07\x0c\x00\xd0\x07\x0c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xd0\x07\x43\x00\x0c\x00\x14\x08\x01.*"],
+		['stream', ".*\[FLATLINE'S( )+KWAADWAAR\].*"],
+		['packet', ".*\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14\x14.*"],
+		['stream', ".*\x08\x00\x5c\x00\x50\x00\x49\x00\x50\x00\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00\x00\x03\x10\x00\x00\x00.\x08\x00\x00\x01\x00\x00\x00.\x08\x00\x00\x00\x00(\x1b\x00|\x19\x00).*\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90.*"],
+		['stream', ".*\x5c\x00\x5c\x00\x46\x00\x58\x00\x4e\x00\x42\x00\x46\x00\x58\x00\x46\x00\x58\x00.*\xcc\xe0\xfd\x7f.*"],
+		['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*\x31\x00\x32\x00\x37\x00\x2e\x00\x30\x00\x2e\x00\x30\x00\x2e\x00.*"],
+		['stream', ".*\xa0\x01\x00\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46.*(\\\x00\\\x00l\x00o\x00c\x00a\x00l\x00h\x00o\x00s\x00t|\\\x00\\\x001\x002\x007\x00\.\x000\x00\.\x000\x00\.\x001).*"],
+		['stream', ".*\x5c\x00\x6c\x00\x73\x00\x61\x00\x72\x00\x70\x00\x63\x00.*\x6a\x28\x19\x39\x0c\xb1\xd0\x11\x9b\xa8\x00\xc0\x4f\xd9\x2e\xf5.*"],
+		['packet', "gstsearch"],
+		['smtp-rcpt', ".*ixltd@postone.com.*"],
+		['smtp-command-line', ".*\[(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to)\]:([^\012]|[^\015])*(<><><><>|\(\)>\(\)>\(\)>).*"],
+		['smtp-header-line', ".*\[(from|resent-sender|resent-from|resent-reply-to|sender|reply-to|errors-to)\]:([^\012]|[^\015])*(<><><><>|\(\)>\(\)>\(\)>).*"],
+		['smtp-data-text-plain', ".*g0YIG4lGDIhGF4hGGohGRVBW\/zawO1CQ.*"],
+		['smtp-command-line', ".*\[XEXCH50\][ ]+([1-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]+|-[0-9]+).*"],
+		['smtp-command-line', "( |\x09)*\[debug\].*"],
+		['smtp-command-line', "( |\x09)*\[wiz\]( |\x09)*"],
+['stream', ".*R( )*<( )*\"( )*\|( )*\/bin\/.*"]
+
+	]	
+
 end
 end