cmp rule alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS
+Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; classtype:attempted-r
+econ; sid:465; rev:6;)
p2p rule alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"PHISHING-SP
+AM younglaugh.ru known spam email attempt"; flow:to_server, establish
+ed; content:"younglaugh.ru"; nocase; classtype:policy-violation; sid:
+17003; rev:3;)
...
web cgi rules alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
+ (msg:"WEB-CGI HyperSeek hsx.cgi directory traversal attempt"; flow:t
+o_server,established; content:"/hsx.cgi"; http_uri; content:"../../";
+ content:"%00"; distance:1; reference:bugtraq,2314; reference:cve,200
+1-0253; reference:nessus,10602; classtype:web-application-attack; sid
+:803; rev:17;)
specific threats rules alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HO
+ME_NET any (msg:"SPECIFIC-THREATS Microsoft Windows GDI+ TIFF file pa
+rsing heap overflow attempt"; flow:to_client,established; flowbits:is
+set,file.tiff; file_data; content:"|01 00 01 00 01 00 01 00|"; within
+:8; distance:266; content:"|02 01 03 00 04 00 00 00 0A 01 00 00|"; co
+ntent:"|06 01 03 00 01 00 00 00 05 00 00 00|"; distance:0; metadata:p
+olicy balanced-ips drop, policy security-ips drop, service http; refe
+rence:cve,2009-2502; reference:url,technet.microsoft.com/en-us/securi
+ty/bulletin/MS09-062; classtype:attempted-user; sid:16184; rev:7;)
SQL rules alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp
+_start_job - program execution"; flow:to_server,established; content:
+"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth
+:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:8;)