Initial import of svn+ssh:://svn.icir.org/bro/trunk/bro as of r7088

This commit is contained in:
Robin Sommer 2010-09-27 20:42:30 -07:00
commit 61757ac78b
1383 changed files with 380824 additions and 0 deletions

150
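--- a/scripts/IP4.pm
+++ b/scripts/IP4.pm
@@ -0,0 +1,150 @@
+package IP4;
+use Exporter;
+@ISA = ('Exporter');
+@EXPORT = ( 'getIPFromString',
+'getStringFromIP',
+'getMaskFromPrefix',
+'getPrefixFromMask',
+'isPartOf',
+'aggregateSinglesTo'
+);
+use strict;
+my $DEBUG = 0;
+sub getIPFromString{
+my ($net) = @_;
+my @octets = split (/\./, $net);
+#check ip!
+foreach my $oct (@octets){
+if ($oct!~/\d+/ || $oct<0 || $oct > 255){return 0;}
+}
+my $ip=0;
+for (my $i = 0; $i < 4; $i++){
+$ip |= $octets[$i] << ((3-$i)*8);
+}
+return $ip;
+}
+sub getStringFromIP{
+my ($net) = @_;
+my @octets;
+my $bitmask=0xff;
+for (my $i = 0; $i<4; $i++){
+$octets[$i] = ($net & $bitmask);
+$net >>= 8;
+}
+return "$octets[3].$octets[2].$octets[1].$octets[0]";
+}
+sub getMaskFromPrefix{
+my ($pre) = @_;
+#check prefix!
+if ($pre!~/\d+/ || $pre < 0 || $pre > 32){return 0;}
+my $mask=0;
+for (my $i = 0; $i < $pre; $i++){
+$mask |= 1 << (31-$i);
+}
+return $mask;
+}
+sub getPrefixFromMask{
+my ($mask) = @_;
+if ($mask == 0){return 0}; #special case, we would loop forever with this:
+my $prefix;
+for ($prefix = 32; !($mask & 1); $prefix--){
+$mask >>= 1;
+}
+return $prefix;
+}
+sub isPartOf{
+my ($iip, $imask, $oip, $omask) = @_;
+if ($omask > $imask){return 0;}
+#if the net which should contain the other is
+#smaller we did something wrong!
+return ( (($oip ^ $iip) & $omask) == 0 );
+}
+sub aggregateSinglesTo{
+#paramters:
+#1. reference to array of addresses (will be changed!)
+#2. refernce to array of masks (will be deleted and changed)
+#3. max Bits to aggregate to.
+my ($addr, $masks, $bitlimit) = @_;
+$bitlimit = 32-$bitlimit; #the way it will be used we'll need the inverse
+@$addr = sort{$a<=>$b}(@$addr) or return 0;
+@$masks = ();
+my $fullmask = getMaskFromPrefix(32);
+foreach my $dummy (@$addr){push(@$masks, $fullmask);}
+if ($DEBUG){
+print STDERR "sorted list before aggregating\n";
+print STDERR join(" ", map(getStringFromIP($_), @$addr));
+print STDERR "\n";
+}
+for (my $i = 0;
+$i < (scalar(@$addr) - 1);
+$i ++)
+{
+my $lip = $addr->[$i];
+my $lmask = $masks->[$i];
+my $hip = $addr->[$i + 1];
+my $hmask = $masks->[$i + 1];
+if (isPartOf($hip, $hmask, $lip, $lmask)) { #parameter: (inner, outer)
+if ($DEBUG){
+printf STDERR ("removing %s/%s since it is contained in %s/%s ",
+getStringFromIP($hip), getPrefixFromMask($hmask),
+getStringFromIP($lip), getPrefixFromMask($lmask) );
+}
+splice(@$addr, $i + 1, 1);
+splice(@$masks, $i + 1, 1);
+-- $i;
+}else{
+my $nb = $lip;
+$nb ^= $hip; #look for first non-matching bit!
+my $firstdiff=0;
+while ($nb > 0){
+$firstdiff++;
+$nb >>= 1;
+}
+if ($firstdiff <= $bitlimit){
+if ($DEBUG){print STDERR "$firstdiff : ";}
+while($firstdiff>0){
+$firstdiff--;
+$nb <<= 1;
+$nb += 1;
+}
+my $nm = ~$nb; #negate to get the new (joint) mask
+my $na = $lip & $nm;
+$addr->[$i] = $na;
+$masks->[$i] = $nm;
+if ($DEBUG){
+printf STDERR ("%s to %s/%s (aggregating %s)\n",
+getStringFromIP($lip), getStringFromIP($addr->[$i]),
+getPrefixFromMask($masks->[$i]), getStringFromIP($hip));
+}
+splice(@$addr, $i + 1, 1);
+$i--; #do with the same address again. perhaps it collects even more
+}
+}
+}
+if ($DEBUG){
+print STDERR "sorted list after aggregation\n";
+print STDERR join(" ", map(getStringFromIP($_), @$addr));
+print STDERR "\n";
+}
+return 1;
+}
+1;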
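Review bot: getIPFromString's octet check `$oct!~/\d+/` is unanchored, so an octet such as `12abc` passes and is silently numified, and nothing verifies that exactly four octets were supplied (`$octets[3]` is undef for `10.0.0`); anchor it and check the count: `return 0 unless @octets == 4;` and `if ($oct !~ /\A\d{1,3}\z/ || $oct > 255){return 0;}`. Returning 0 on failure is also indistinguishable from a genuine 0.0.0.0, which the caller in localnetMAC.pl.in never checks. In aggregateSinglesTo the join branch splices only `@$addr` (`splice(@$addr, $i + 1, 1);`) while the containment branch splices both arrays, so `@$masks` outgrows `@$addr`; today that is harmless only because every not-yet-joined entry holds `$fullmask`, but a matching `splice(@$masks, $i + 1, 1);` would keep the two arrays aligned. On 64-bit perls `my $nm = ~$nb;` yields a mask wider than 32 bits, which makes isPartOf's `$omask > $imask` comparison against `getMaskFromPrefix(32)` build-dependent; masking with `& 0xFFFFFFFF` would make it portable.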

167
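--- a/scripts/Makefile.am
+++ b/scripts/Makefile.am
@@ -0,0 +1,167 @@
+## Process this file with automake to produce Makefile.in
+bro_bin = ${prefix}/bin
+bro_logs = ${prefix}/logs
+bro_etc = ${prefix}/etc
+bro_site = ${prefix}/site
+bro_scripts = ${prefix}/scripts
+bro_reports = ${prefix}/reports
+bro_perlmods = ${prefix}/perl
+# where to download signatures from.
+SIGHOST=www.bro-ids.org
+# whats our name ..
+brohost = @BROHOST@
+SUBDIRS = s2b
+# these files need to be in the distribution
+EXTRA_DIST = bro.cfg.example bro_config.in alert_scores bro.rc.in \
+bro.rc-hooks.sh bro_log_compress.sh install_cron.sh \
+local.site.bro.default localnetMAC.pl.in \
+mail_notice.sh mail_reports.sh \
+make-ftp-safe-vocabulary.awk IP4.pm signature_scores \
+perl local.lite.bro \
+alert_scores signature_scores \
+bro_log_compress.sh \
+frontend-mail-reports.sh frontend-site-report.sh push_logs.sh mail_notice.sh
+# this cleans up some genereated files
+MOSTLYCLEAN = bro.rc bro.cfg bro_config intern.bro bro_user_id bro_user_id.bak \
+localnetMAC.pl local.site.bro
+scoredir=$(prefix)/etc
+scriptsdir=$(prefix)/scripts
+# just update dist files, not the site file
+# and ask me no questions, I'll tell you no ..
+update:
+$(MAKE) install_default_files
+# install brolite
+install-brolite:
+- $(INSTALL) -d /usr/local/etc/rc.d/
+$(MAKE) create_dirs
+$(INSTALL) $(srcdir)/alert_scores $(scoredir)/alert_scores
+$(INSTALL) $(srcdir)/signature_scores $(scoredir)/signature_scores
+$(INSTALL) $(srcdir)/bro_log_compress.sh $(bro_scripts)/bro_log_compress.sh
+$(INSTALL) $(srcdir)/frontend-mail-reports.sh $(bro_scripts)/frontend-mail-reports.sh
+$(INSTALL) $(srcdir)/frontend-site-report.sh $(bro_scripts)/frontend-site-report.sh
+$(INSTALL) $(srcdir)/push_logs.sh $(bro_scripts)/push_logs.sh
+$(INSTALL) $(srcdir)/mail_notice.sh $(bro_scripts)/mail_notice.sh
+$(INSTALL) $(srcdir)/s2b/example_bro_files/signatures.sig $(prefix)/site
+$(INSTALL) $(srcdir)/s2b/bro-include/sig-addendum.sig $(datadir)/bro
+$(INSTALL) $(srcdir)/s2b/bro-include/sig-functions.bro $(datadir)/bro
+$(INSTALL) $(srcdir)/s2b/example_bro_files/sig-action.bro $(datadir)/bro
+# install perl libraries and executables
+install_perl_scripts:
+@if ! ${PERL} -e 'exit ($] >= 5.006001)' > /dev/null 2>&1; then \
+(cd perl && $(PERL) Makefile.PL INSTALLSCRIPT=$(bro_scripts) BROCONFIG=$(prefix)/etc/bro.cfg PREFIX=$(bro_perlmods); $(MAKE) ; $(MAKE) install) ; \
+else \
+echo "*************************************************" ; \
+echo "* Need newer version of perl to install reports *" ; \
+echo "* and other supporting perl based tools. *" ; \
+echo "*************************************************" ; \
+fi
+# clean up the mess we made
+uninstall-local:
+rm -f $(bro_scripts)/mail_reports.sh
+rm -f $(bro_scripts)/bro_log_compress.sh
+rm -f $(bro_scripts)/bro_config
+rm -f $(bro_etc)/bro.rc
+rm -f $(bro_etc)/bro.cfg
+rm -f $(bro_etc)/bro.cfg.example
+rm -f $(prefix)/etc/bro.rc-hooks.sh
+rm -f $(prefix)/site/local.site.bro
+rm -f $(prefix)/site/${brohost}.bro
+$(srcdir)/install_cron.sh uninstall
+-rm -f $(prefix)/etc/bro.rc-hooks.sh.new
+-rm -f /usr/local/etc/rc.d/bro.sh
+# install the stuff to do reports
+reports:
+$(INSTALL) -d $(bro_scripts)
+$(INSTALL) -d $(bro_etc)
+(cd s2b && $(MAKE) all)
+(cd s2b && $(MAKE) install)
+@./bro_config
+$(INSTALL_DATA) bro.cfg $(bro_etc)/bro.cfg
+$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
+$(INSTALL) $(srcdir)/bro_log_compress.sh $(bro_scripts)/bro_log_compress.sh
+$(INSTALL) $(srcdir)/frontend-mail-reports.sh $(bro_scripts)/frontend-mail-reports.sh
+$(INSTALL) $(srcdir)/frontend-site-report.sh $(bro_scripts)/frontend-site-report.sh
+$(INSTALL) $(srcdir)/push_logs.sh $(bro_scripts)/push_logs.sh
+$(MAKE) install_perl_scripts
+# update the signature file in $BROHOME/site, don't clobber it!
+update-sigs:
+@echo "Getting signature file from $(SIGHOST)"
+- wget http://$(SIGHOST)/download/signatures.sig -O signatures.sig.new -o /dev/null
+@if [ ! -s signatures.sig.new ] ; then \
+echo "Error in download. Try again later." ; \
+else \
+if [ ! -f $(prefix)/site/signatures.sig ] ; then \
+echo "No previous version, installing new version." ; \
+cp signatures.sig.new $(prefix)/site/signatures.sig ; \
+else \
+cp signatures.sig.new $(prefix)/site/signatures.sig.new ; \
+echo "***********************************************************" ; \
+echo "A new signature file (signatures.sig.new) has been placed in" ; \
+echo "$(prefix)/site. Please compare it to your current signatures.sig " ; \
+echo "and copy it over if there are no significant differences." ; \
+echo "***********************************************************" ; \
+fi \
+fi
+create_dirs:
+- $(INSTALL) -d $(bro_bin)
+$(INSTALL) -d $(bro_etc)
+$(INSTALL) -d $(bro_logs)
+$(INSTALL) -d $(bro_site)
+$(INSTALL) -d $(bro_scripts)
+$(INSTALL) -d $(bro_reports)
+# these are files that SHOULD NOT be updated and are site specific
+install_local_files:
+@if [ ! -f ${bro_site}/local.site.bro ] ; then \
+echo "Installing local.site.bro ..." ; \
+if [ ! -f local.site.bro ]; then \
+$(INSTALL_DATA) local.site.bro.default $(bro_site)/local.site.bro ; \
+else \
+$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro ; \
+fi \
+else \
+if [ -f local.site.bro ]; then \
+$(INSTALL_DATA) local.site.bro $(bro_site)/local.site.bro.new ; \
+fi \
+fi
+@if [ ! -f ${bro_site}/${brohost}.bro ] ; then \
+echo "Installing ${brohost}.bro ..." ; \
+$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro ; \
+else \
+$(INSTALL_DATA) $(srcdir)/local.lite.bro $(bro_site)/${brohost}.bro.new ; \
+fi
+@if [ ! -f $(prefix)/etc/bro.rc-hooks.sh ] ; then \
+$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh ; \
+else \
+$(INSTALL_DATA) $(srcdir)/bro.rc-hooks.sh $(prefix)/etc/bro.rc-hooks.sh.new ; \
+fi
+# Default files that can be installed/reinstalled, not site specific
+install_default_files:
+$(INSTALL) $(srcdir)/mail_reports.sh $(bro_scripts)/mail_reports.sh
+$(INSTALL) bro.rc $(prefix)/etc/bro.rc
+$(INSTALL) bro_config $(prefix)/scripts/bro_config
+-$(INSTALL_DATA) bro.cfg $(bro_etc)/bro.cfg
+$(INSTALL_DATA) $(srcdir)/bro.cfg.example $(bro_etc)/bro.cfg.example
+- $(INSTALL) bro.rc /usr/local/etc/rc.d/bro.sh
+(cd s2b ; $(MAKE) install)
+# install cron file
+install_cron:
+$(srcdir)/install_cron.sh install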
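Review bot: update-sigs fetches `http://$(SIGHOST)/download/signatures.sig` over plain HTTP and, when no previous copy exists, copies it straight into `$(prefix)/site/signatures.sig` after only the non-empty check `[ ! -s signatures.sig.new ]`, so a corrupted or substituted detection ruleset would be installed without any integrity check. A digest or detached signature published next to the file should be verified before the `cp`, and the transport should be authenticated. Separately, install-brolite and install_default_files write to the hard-coded `/usr/local/etc/rc.d/` regardless of `$(prefix)`, which silently does nothing (the `-` prefix) on systems without that directory; a comment stating that this step is FreeBSD-specific would help.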

29
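--- a/scripts/README
+++ b/scripts/README
@@ -0,0 +1,29 @@
+This directory contains scripts to help configure and run bro.
+bro.cfg.in This is the bro configuration file
+bro.cfg This is the bro configuration file with all runtime values set
+localnetMAC.pl Program to figure out your network topology based on a
+tcpdump input file.
+IP4.pm Helper perl module for localnetMac.
+brolite.bro This is the default policy file
+bro.rc This is the start/stop script, with all runtime values set
+bro.rc-hooks.sh User level interface into the start and stop events in bro.rc
+bro.rc.in This si the raw start stop script
+bro_config This is the script run at 'make install' that sets the
+values in bro.cfg
+bro_config.in Raw bro_config script, before pre-processing
+bro.cfg.example Example file of what bro.cfg should look like
+intern.bro.default
+This is an example of what intern.bro should look like.
+mail_reports.sh
+Shell script to email out reports
+make-ftp-safe-vocabulary.awk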

37
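--- a/scripts/alert_scores
+++ b/scripts/alert_scores
@@ -0,0 +1,37 @@
+# DESCRIPTION:
+#
+# This file is used by the report generator to assign scores to
+# certain types of alerts. Use this file to increase the likelyhood
+# that a certain type of alarm is successful. The scores listed
+# in this file will be added to any scores derived by the report
+# generator. The format is -> ALERT_TYPE<white space>SCORE
+#
+# The score derived by the report generator is influenced by certain
+# traffic patterns. If an alarm is generated and a connection is
+# seen coming from the victim host back to the suspect host this will
+# drive the score past the $ALARM_THRESHOLD. Also an alarm generated by
+# a host from the internal network will likely produce a score higher
+# than the $ALARM_THRESHOLD. This functionality only affects alarms
+# which produce an incident.
+#
+# EXAMPLE:
+# Lets assume you have created a custom alert type of
+# "Employee_Did_Something_Bad". Lets also assume that this alarm
+# is triggered only under certain conditions and you know the alarm is
+# always correct or of great interest. To make this always show up in
+# the report set the score to something equal to or higher than the
+# $ALARM_THRESHOLD (default: 100).
+#
+# NOTES:
+#
+# The only alert type that cannot be given a score is
+# "SensitiveSignature". Instead signatures are given their own
+# scores specified in their meta-data. (still in the works)
+#
+TRWAddressSca 40
+WeirdActivit 1
+PortScan 20
+PasswordGuessing 60
+MultipleSignature 20
+_DEFAULT_ 0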
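Review bot: The keys `TRWAddressSca` and `WeirdActivit` look truncated next to `PortScan` and `PasswordGuessing`; if the report generator matches alert-type names exactly (it is not visible in this hunk), these two scores would never apply, so the names should be confirmed against the notice types it actually emits. The header could also state whether matching is case-sensitive and whether `_DEFAULT_` applies to every type absent from the file, since that decides which alarms reach the report.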

161
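--- a/scripts/bro.cfg.example
+++ b/scripts/bro.cfg.example
@@ -0,0 +1,161 @@
+# Source file config for running bro
+# On a linux system this file will normally exist in /etc/sysconfig
+# and will have the same filename as the RC start script which calls it.
+# On a FreeBSD machine this file will normally reside in /usr/local/etc
+# and will have the same filename as the RC start script which calls it.
+# The following variables are exported and needed by Bro at runtime
+# These are mostly undocumented. arrrrrr!!!!!!
+# BROLOGS
+# BROHOME
+# BROPATH
+# host only format
+BRO_HOSTNAME=`hostname | awk -F. ' { print } '`
+# FQDN format
+# HOSTNAME=`hostname`
+# Directory containing Bro binaries
+BRO_BIN_DIR="${BROHOME}/bin"
+# Filename of the Bro start policy
+# START_POLICY="default.bro"
+BRO_START_POLICY="localhost.bro"
+# Directory containing Bro logs
+BROLOGS="${BROHOME}/logs"
+export BROLOGS
+# Log archive directory
+BRO_LOG_ARCHIVE="${BROHOME}/archive"
+# Directory containing Bro signature files
+BRO_SIG_DIR="${BROHOME}/site"
+# Bro policy paths
+BROPATH="${BROHOME}/share/bro/site:${BROHOME}/share/bro:${BROHOME}/share/bro/sigs:${BROHOME}/share/bro/time-machine"
+export BROPATH
+# Location of site specific policy and configurations
+BROSITE="${BROHOME}/site"
+# Location of host specific policy and configurations
+BROHOST="${BROHOME}/host"
+# A prefix to use when looking for local policy files to load.
+# BRO_PREFIX="local"
+# Location of the Bro executable
+BRO="${BRO_BIN_DIR}/bro"
+# Base command line options.
+BRO_ADD_OPTS=" -W"
+# Turn on Bro's Watchdog feature
+BRO_OPTS="${BRO_ADD_OPTS}"
+# Interface name to listen on. The default is to use the busiest one found.
+BRO_CAPTURE_INTERFACE=""
+# Multiple interface should be specified as a space delimited list.
+# Examples:
+# CAPTURE_INTERFACE="sk0 sk1 sk5"
+# CAPTURE_INTERFACE="eth0 eth3"
+# CAPTURE_INTERFACE="eth0"
+# If set to YES and there are any signature files ending with .bro in $SIG_DIR
+# then they will be started with bro. Set to NO to disable signatures
+# Set to YES to enable bro to run with 'signature matching' on (YES/NO)
+BRO_USE_SIGNATURES=YES
+# Shoud a trace (tcpdump) file be created in the log directory (YES/NO)
+BRO_CREATE_TRACE_FILE=NO
+# How long to wait during checkpointing after startin a new Bro process and
+# stopping the old one. This value is in seconds
+BRO_CHECKPOINT_OVERLAP_TIME=20
+# Starting time for a report run (0001 is 12:01 am and 1201 is 12:01pm)
+BRO_REPORT_START_TIME=0010
+# How often (in hours) to generate an activity report
+BRO_REPORT_INTERVAL=24
+# This is the how often to rotate the logs (in hours)
+BRO_LOG_ROTATE_INTERVAL=24
+# This is the how often to restart bro (in hours)
+BRO_CHECKPOINT_INTERVAL=24
+# The maximum time allowed for a Bro process to cleanup and exit
+# This value is in seconds
+BRO_MAX_SHUTDOWN_TIME=$(( 60 * 60 * 2 )) # 2 hours
+# Use this to enable the init script to autorestart Bro in the event of an
+# unexpected shutdown. The value should be YES or NO
+BRO_ENABLE_AUTORESTART="YES"
+# A value less than 1 means there will be no limit to the number of restarts
+# Maximum times to try to auto-restart Bro before giving up.
+BRO_MAX_RESTART_ATTEMPTS=-1
+# Location of the run-time variable directory. This is normally /var/run/bro
+# and contains the pidfile and other temporal data.
+BRO_RUNTIME_DIR=""
+# Email address for local reports to be mailed to
+BRO_EMAIL_LOCAL="bro@localhost"
+# Email address to send from
+BRO_EMAIL_FROM="bro@localhost"
+# Do you want to send external reports to a incident reporting org (e.g.: CERT, CIAC, etc)
+BRO_EMAIL_EXTERNAL="NO"
+# Email address for remote reports to be mailed to
+BRO_EMAIL_REMOTE="BRO-IDS@bro-ids.org"
+# User id to install and run Bro under
+BRO_USER_ID="bro"
+# Site name for reports (i.e. LBNL, FOO.COM, BAZ.ORG)
+BRO_SITE_NAME=""
+# Do you want to encrypt email reports (YES/NO)
+BRO_ENCRYPT_EMAIL="NO"
+# Location of GPG binary or encrypting email
+BRO_GPG_BIN="/usr/local/bin/gpg"
+# Default BPF buffer
+BRO_BPF_BUFSIZE=4194304
+# Do BPF bonding
+BRO_BPFBOND_ENABLE="NO"
+# Interfaces to bond
+BRO_BPFBOND_FLAGS="em0 em1"
+# diskspace management settings
+# Should I manage diskspace
+BRO_DISKSPACE_ENABLE="YES"
+# percent full to worry about
+BRO_DISKSPACE_PCT=90
+# account watching disk space
+BRO_DISKSPACE_WATCHER="root"
+# days before deleting old logs
+BRO_DAYS_2_DELETION=45
+# days before compressing logs
+BRO_DAYS_2_COMPRESSION=20
+# Bulk data capture settings
+# Buld data directory
+BRO_BULK_DIR="${BROHOME}/bulk-trace"
+# Capture filter for bulk data
+BRO_BULK_CAPTURE_FILTER=""
+# days before deleting bulk data
+BRO_BULK_DAYS_2_DELETION=4
+# days before compressing bulk data
+BRO_BULK_DAYS_2_COMPRESSION=2
+# location of sorted log files, needed by Brooery
+BROOERY_LOGS="${BROHOME}/sorted-logs"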
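Review bot: The `BRO_HOSTNAME` assignment runs `hostname | awk -F. ' { print } '`, and `print` with no field prints the whole line, so despite the `# host only format` comment the value is the full hostname as returned by `hostname`; `awk -F. '{ print $1 }'` yields the short name the comment promises. Every script in this commit sources this file with `.`, so whatever is written into it executes as the Bro user; a header comment should say that the installed copy must not be group- or world-writable. `BROHOME` is referenced throughout but never set here, so the header should also state that the caller has to export it before sourcing.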

57
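--- a/scripts/bro.rc-hooks.sh
+++ b/scripts/bro.rc-hooks.sh
@@ -0,0 +1,57 @@
+# $Id: bro.rc-hooks.sh 555 2004-10-22 07:48:30Z rwinslow $
+# This script is called by bro.rc at various points during the starting
+# and stopping of Bro. This is presented as an interface into the start
+# and stop process so that customizations can be made. Some simple
+# examples are given as defaults.
+# As these functions are within the same scope as bro.rc it is possible
+# to alter variables that bro.rc needs to run properly. It is HIGHLY
+# recommended that this not be done. If you do it don't ask why it broke
+# because you were already warned.
+# These functions should always return true so that bro.rc can complete
+# and exit normally. If these fail to always return unexpected results
+# may occur.
+# Variables which are intended to be available to this script.
+# These are in addition to normal variables in bro.cfg
+# LOG_SUFFIX="string"
+# PID="integer"
+# EXIT_CODE="POSIX exit codes"
+# ERROR_MESSAGE="string"
+# AUTO_RESTART="t|f"
+# START_TIME=`date`
+# END_TIME=`date`
+post_start_hook() {
+# Exit code should not be set at this point. If it is there's a problem.
+if [ "${EXIT_CODE}x" = 'x' ]; then
+# example of a successful start
+true
+else
+# example of a failed start
+false
+fi
+}
+post_exit_hook() {
+if [ "${EXIT_CODE}x" = 'x' ]; then
+# This was set to null on purpose when messages on exit relate to
+# operations encountered by bro.rc and not the bro process itself
+# An example may be notification that bro.rc was sent a TERM
+# so it therefore shutdown the Bro process it was monitoring
+true
+elif [ "${EXIT_CODE}" = '0' ]; then
+# Bro exited normally
+true
+else
+# Bro failed unexpectedly
+false
+fi
+}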
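Review bot: The header says these hooks should always return true so that bro.rc can complete, yet both example bodies return `false` on their failure branches (the `else` of post_start_hook and of post_exit_hook), so the shipped defaults violate the contract they document. Either make the failure branches report and still succeed, e.g. `echo "bro start failed: ${ERROR_MESSAGE}" >&2; true`, or reword the header to say that a false return is tolerated. A one-line comment noting that the file is sourced by bro.rc rather than executed (hence no shebang) would also help whoever customizes it.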

1098
scripts/bro.rc.in Executable file


1008
scripts/bro_config.in Executable file


88
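--- a/scripts/bro_log_compress.sh
+++ b/scripts/bro_log_compress.sh
@@ -0,0 +1,88 @@
+#!/bin/sh
+# very simple script to compress old files and remove older files
+# You will probably want to do something more sophisticated for
+# a production bro installation (e.g.: Integrate this into
+# your backup scripts)
+#
+# Note: might want to check current disk space and just exit
+# if there is lots of space
+#
+#set -x
+if [ $BROHOME ] ; then
+. $BROHOME/etc/bro.cfg
+else
+# if BROHOME is not set, try default location
+. /usr/local/bro/etc/bro.cfg
+fi
+#echo found BROLOGS in bro.cfg: $BROLOGS
+logdir=$BROLOGS/
+if [ ! -d $logdir ] ; then
+echo "Error: log file directory not found"
+exit
+fi
+Days2deletion=$BRO_DAYS_2_DELETION
+Days2compression=$BRO_DAYS_2_COMPRESSION
+echo "Deleting files older than $BRO_DAYS_2_DELETION days, and compressing files older than $BRO_DAYS_2_COMPRESSION days"
+echo "Checking directory: $BRO_LOG_ARCHIVE"
+# first delete old archives
+filelist=`find $BRO_LOG_ARCHIVE -type f -mtime +$Days2deletion -print `
+#echo list of files to delete: $filelist
+for file in $filelist
+do
+echo removing: $file
+rm -f $file
+done
+# next delete old sorted log files needed by Brooery
+if [ -d $BROOERY_LOGS ] ; then
+echo "Checking directory: $BROOERY_LOGS"
+filelist=`find $BROOERY_LOGS -type f -mtime +$Days2deletion -print `
+#echo list of files to delete: $filelist
+for file in $filelist
+do
+echo removing: $file
+rm -f $file
+done
+fi
+echo "Checking directory: $logdir"
+# also check for any old stuff in the main log dir (just in case)
+filelist=`find $logdir -type f -mtime +$Days2deletion -print `
+#echo list of files to delete: $filelist
+for file in $filelist
+do
+echo removing: $file
+rm -f $file
+done
+#delete core files that are more than 4 days old
+filelist=`find $logdir -name "*core*" -mtime +4 -print `
+for file in $filelist
+do
+echo removing: $file
+rm -f $file
+done
+filelist=`find $logdir -type f -mtime +$Days2compression -print `
+#echo list of files to compress: $filelist
+for file in $filelist
+do
+echo compressing: $file
+nice gzip $file
+done
+echo Moving compressed files to archive dir: $BRO_LOG_ARCHIVE
+mv $logdir/*.gz $BRO_LOG_ARCHIVE
+echo Done.
+exit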
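Review bot: `logdir=$BROLOGS/` becomes `/` when `BROLOGS` is unset or empty (for example when bro.cfg could not be read), which passes the `-d` test, and `find $logdir -type f -mtime +$Days2deletion` then hands every old file on the filesystem to `rm -f`; likewise an empty `BRO_LOG_ARCHIVE` turns the first find into `find -type f ...`, which GNU find runs against the current directory. Validate the inputs before any deletion, e.g. `: "${BROLOGS:?BROLOGS not set}" "${BRO_LOG_ARCHIVE:?BRO_LOG_ARCHIVE not set}" "${BRO_DAYS_2_DELETION:?}"`, and quote the paths. The `for file in $filelist` loops also word-split on whitespace in names; `find "$dir" -type f -mtime +"$Days2deletion" -exec rm -f {} +` avoids both the splitting and the empty-variable case.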

36
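--- a/scripts/diskspace.sh
+++ b/scripts/diskspace.sh
@@ -0,0 +1,36 @@
+#!/bin/sh
+# script to check disk space and send email if getting full.
+# constants are in BROHOME/etc/bro.cfg
+. $BROHOME/etc/bro.cfg
+if [ -n "$diskspace_enable" -a "x$diskspace_enable" != "xNO" ]; then
+prog="`basename $0 .sh`"
+t=/tmp/$prog.$$
+o=$prog.list
+df -kt ufs | sed -e '1d' -e 's/% / /' | \
+(while read filesys size used avail pct path ;do
+if [ "$pct" -ge "$diskspace_pct" ]; then
+echo "Filesystem $path ($filesys) getting full ($pct%)"
+fi
+done) > $t 2>&1
+if [ -s $t ]; then
+if [ -f $o ]; then
+diff $o $t > /dev/null 2>&1
+# remove temp file if no differences
+if [ $? = 0 ]; then
+rm $t
+else
+rm $o
+fi
+fi
+if [ -f $t ]; then
+mail -s "`hostname` disk space report" \
+"$diskspace_watcher" < $t
+/bin/cp $t $o
+fi
+else
+rm -f $o
+fi
+rm -f $t
+fi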
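Review bot: The script tests `$diskspace_enable`, `$diskspace_pct` and `$diskspace_watcher`, but the bro.cfg.example added in this same commit defines `BRO_DISKSPACE_ENABLE`, `BRO_DISKSPACE_PCT` and `BRO_DISKSPACE_WATCHER`, so unless the suppressed bro.rc.in or bro_config.in exports lowercase aliases the `-n` test is false and the check never runs. `t=/tmp/$prog.$$` is a predictable name in a shared directory and is written with a plain `> $t`, so an existing file or symlink at that path would be followed; `t=$(mktemp "/tmp/$prog.XXXXXX") || exit 1` avoids that. `o=$prog.list` is relative to whatever working directory cron supplies, which deserves an explicit path or a comment.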


@ -0,0 +1,29 @@
#!/bin/sh
#
# script to check if rsync of logs has finished, and runs site-report.pl
#
# usage: frontend-mail-report.sh BroConfigFile
#
# where are we located
base=`dirname $0`
#set up the environment
if [ $1 ] ; then
. $1
else
. $base/../etc/bro.cfg
fi
echo " "
echo "`date`: checking if reports are ready to mail:" $BROHOME/logs/MailReports.$BRO_HOSTNAME
# only run if file $BROHOME/logs/MailReports.$BRO_HOSTNAME
if [ -e $BROHOME/logs/MailReports.$BRO_HOSTNAME ] ; then
echo "Reports ready: Running mail reports script"
$BROHOME/scripts/mail_reports.sh $1
rm $BROHOME/logs/MailReports.$BRO_HOSTNAME
else
echo "Reports not ready"
fi
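Review bot: `if [ $1 ] ; then` followed by `. $1` sources whatever path is given as the first argument without quoting, so an argument containing spaces breaks the test and the source, and a value such as `-n` is parsed as a test operator; `if [ -n "$1" ]; then . "$1"` is the intended check. The same pattern recurs in the next hunk, in mail_notice.sh (`$3`) and in mail_reports.sh (`$1`). The header comment says the script runs site-report.pl, while the body runs `$BROHOME/scripts/mail_reports.sh $1`; the comment should name the script it actually invokes.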


@ -0,0 +1,32 @@
#!/bin/sh
#
# script to check if rsync of logs has finished, and runs site-report.pl
#
# usage: frontend-site-report.sh BroConfigFile
#
#set -x
# where are we located
base=`dirname $0`
#set up the environment
if [ $1 ] ; then
. $1
else
. $base/../etc/bro.cfg
fi
echo " "
echo "`date`: checking if reports are ready to generate:" $BROHOME/logs/DoReports.$BRO_HOSTNAME
# only run if file $BROHOME/logs/DoReports.$BROHOST
if [ -e $BROHOME/logs/DoReports.$BRO_HOSTNAME ] ; then
echo "rsync done: running site report script"
rm $BROHOME/logs/DoReports.$BRO_HOSTNAME
$BROHOME/scripts/site-report.pl --broconfig $1
# create file indicating report is finished
echo "creating file" $BROHOME/logs/MailReports.$BRO_HOSTNAME
touch $BROHOME/logs/MailReports.$BRO_HOSTNAME
else
echo "rsync not done"
fi

111
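--- a/scripts/install_cron.sh
+++ b/scripts/install_cron.sh
@@ -0,0 +1,111 @@
+#!/bin/sh
+#install bro into your crontab for checkpointing
+# source our cfg or guess at some defaults
+if [ -r ./bro.cfg ] ; then
+. ./bro.cfg
+else
+echo "Can't find bro.cfg, not installing crontab"
+#BRO_REPORT_START_TIME=0000
+#BROHOME="/usr/local/bro"
+#BRO_REPORT_INTERVAL=24
+#BRO_CHECKPOINT_INTERVAL=24
+fi
+RPT_MIN=`echo ${BRO_REPORT_START_TIME} | cut -c3-`
+RPT_HR=`echo ${BRO_REPORT_START_TIME} | cut -c1,2`
+RPT_INT=${BRO_REPORT_INTERVAL}
+CHK_INT=${BRO_CHECKPOINT_INTERVAL}
+if [ ${CHK_INT} -ge 24 ] ; then
+CHK_INT=24
+fi
+if [ ${RPT_INT} -ge 24 ] ; then
+RPT_INT=24
+fi
+create_cron()
+{
+echo "BROHOME=${BROHOME}" >> /tmp/bro.crontab
+echo "# checkpoint Bro once a week" >> /tmp/bro.crontab
+echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab
+#if [ ${CHK_INT} -eq 24 ] ; then
+# echo "0 0 * * 1 ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab
+#else
+# echo "0 0/${CHK_INT} * * * ${BROHOME}/etc/bro.rc --checkpoint" >> /tmp/bro.crontab
+#fi
+if [ ${RPT_INT} -eq 24 ] ; then
+echo "${RPT_MIN} ${RPT_HR} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab
+else
+echo "${RPT_MIN} ${RPT_HR}/${RPT_INT} * * * ( nice -n 19 ${BROHOME}/scripts/site-report.pl )" >> /tmp/bro.crontab
+fi
+echo "${RPT_MIN} $((${RPT_HR} + 3)) * * * (${BROHOME}/scripts/mail_reports.sh ${BROHOME}/etc/bro.cfg)" >> /tmp/bro.crontab
+echo "0 3 * * * (${BROHOME}/scripts/bro_log_compress.sh)" >> /tmp/bro.crontab
+# insert rsync stuff, commented out, as an example:
+echo "# If you are process logs on a front end host, add this: " >> /tmp/bro.crontab
+echo "#10 3 * * * (${BROHOME}/scripts/push_logs.sh FrontendHost)" >> /tmp/bro.crontab
+crontab /tmp/bro.crontab
+s=$?
+if [ $s -ne 0 ] ; then
+echo "Can NOT install crontab. Please see crontab.example"
+echo "for an example crontab to install"
+else
+echo ""
+echo "New crontab installed."
+echo ""
+fi
+rm /tmp/bro.crontab
+echo ""
+echo "New crontab installed."
+echo ""
+}
+install_cron ()
+{
+if [ -f /tmp/bro.crontab ] ; then
+rm /tmp/bro.crontab
+fi
+if crontab -l > /tmp/bro.crontab ; then
+if grep bro.rc /tmp/bro.crontab > /dev/null; then
+echo ""
+echo "Bro already installed in crontab!"
+echo "Not installing a new crontab"
+echo ""
+else
+create_cron
+fi
+else
+create_cron
+fi
+}
+uninstall_cron()
+{
+pid=$$
+crontab -l > /tmp/cron.orig.${pid} 2>&1
+echo "status = $?"
+if [ $? -eq 0 ] ; then
+cat /tmp/cron.orig.${pid} | sed -e '/^.*bro_log_compress.sh)$/d' -e '/^.*etc\/bro.cfg; .\/mail_reports.sh)$/d' -e '/^.*.\/site-report.pl)$/d' -e '/^.*bro.rc --checkpoint$/d' > /tmp/cron.new.${pid}
+else
+echo "crontab missing?"
+fi
+echo "yes" | crontab -r
+crontab /tmp/cron.new.${pid}
+echo "You can view your new crontab with a 'crontab -l'"
+echo "Your old crontab is in /tmp/cron.orig.${pid}"
+}
+case $1 in
+install)
+install_cron
+;;
+uninstall)
+uninstall_cron
+;;
+esac
+exit 0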
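Review bot: In uninstall_cron the `echo "status = $?"` line consumes the exit status of `crontab -l`, so the following `if [ $? -eq 0 ]` tests echo's status (always 0), the `crontab missing?` branch is unreachable, and `echo "yes" | crontab -r` then removes the current crontab unconditionally before `crontab /tmp/cron.new.${pid}` — a failed `crontab -l` leaves the user with no crontab at all. Capture the status first and only replace when a filtered copy exists: `crontab -l > /tmp/cron.orig.${pid} 2>&1; rc=$?`, `echo "status = $rc"`, `if [ $rc -eq 0 ] ; then`, with the `crontab -r` and the install moved inside that branch. create_cron also prints `New crontab installed.` after the if/else regardless of the outcome, and both functions build the new crontab under fixed names in /tmp (`/tmp/bro.crontab`, `/tmp/cron.orig.${pid}`) that another local user can pre-create before the `>>` writes; `mktemp` would close that window.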


@ -0,0 +1,15 @@
# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.
@load site
redef local_nets: set[subnet] = {
# example of a class C network
192.168.1.0/24,
# example of a class B network
10.1.0.0/16
};

30
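--- a/scripts/local.lite.bro
+++ b/scripts/local.lite.bro
@@ -0,0 +1,30 @@
+# $Id: local.lite.bro 1115 2005-03-20 06:51:11Z vern $
+# This file is intended for host-specific Bro policy.
+# What is host-specific? It can be anything that is not the default
+# after installation. This is the place to make tweaks and changes
+# to modify policy to suit your network environment and preferences.
+# The following causes Bro to load local.XXX.bro anytime you
+# "@load XXX" (along with first loading XXX.bro).
+#
+@prefixes = local
+@load brolite # root policy which loads all other default policies.
+# File generated by the network script for dynamic configuration of
+# the local network subnets.
+@load site
+# Make any changes to policy starting HERE:
+# To run signatures, uncomment the following line.
+# @load brolite-sigs
+@ifdef ( use_signatures )
+# Load Bro signatures. This is the default file containing Bro
+# signatures.
+redef signature_files += "signatures";
+@endif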


@ -0,0 +1,15 @@
# This file should describe your network configuration.
# If your local network is a class C, and its network
# address was 192.168.1.0 and a class B network
# with address space 10.1.0.0.
# Then you would put 192.168.1.0/24 and 10.1.0.0/16 into
# this file, telling bro what your local networks are.
@load site
redef local_nets: set[subnet] = {
# example of a class C network
192.168.1.0/24,
# example of a class B network
10.1.0.0/16
};

184
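--- a/scripts/localnetMAC.pl.in
+++ b/scripts/localnetMAC.pl.in
@@ -0,0 +1,184 @@
+#!@PERL@
+##This script assumes that there are a lot more external IP Adresses
+##than internal ones. It associates all IP adresses with a MAC Adress
+##and tracks what MAC adress communicates with what other MAC adress.
+use strict;
+use IP4;
+use Getopt::Std;
+my $usage="localnetMac.pl -r <dumpfile> or
+localnetMac.pl -t <ascii file>
+options:
+\t-a <aggregate up to bits>
+\t-b <output bro-syntax internal nets to file>
+\t-m do not ignore multicast IP addresses
+\t-v output debug info
+\nInput is taken either from plain or gzip compressed files.
+Input formats:
+\tlibpcap dump file containing ethernet packets
+\tasci file containing <LinkLayerAdr1 LinkLayerAdr2 IPAdr1 IPAdr2> per line
+\nNote: for libpcap inputs currently only ethernet is supported. Other link layer protocols should work if using ascii input.\n";
+my %args;
+getopts("a:b:mr:t:v", \%args);
+my $aggto=0;
+my $broout="";
+my $decomp;
+my $multicast = 0;
+my $MCASTMIN=224;
+my $MCASTMAX=239;
+my $debug = 0;
+if (!defined $args{r} and !defined $args{t}){die $usage;}
+if (defined $args{a}){$aggto = $args{a};}
+if (defined $args{b}){$broout=$args{b};}
+if (defined $args{m}){$multicast = 1;}
+if (defined $args{v}){$debug = 1;}
+if($args{r}=~/gz$/ or $args{t}=~/gz$/){
+$decomp = `which zcat`;
+chomp($decomp);
+if ($decomp eq ""){
+$decomp = `which gzcat`;
+chomp($decomp);
+}
+if ($decomp eq ""){
+die "You need zcat or gzcat in your \$PATH in order to process compressed files\n";
+}
+}
+my $fh;
+if ($args{r} and $args{r}=~/gz$/){
+open (IN, "$decomp $args{r} |../aux/adtrace/adtrace -|") or die "cannot execute $decomp $args{r} |../aux/adtrace/adtrace - : $!\n";
+$fh = *IN;
+}elsif($args{r}){
+open (IN, "../aux/adtrace/adtrace $args{r}|") or die "cannot execute ./adtrace/adtrace $args{r}: $!\n";
+$fh = *IN;
+}elsif($args{t} and $args{t}=~/gz$/){
+open (IN, "$decomp $args{t} |") or die "cannot execute $decomp $args{t} | : $!\n";
+$fh = *IN;
+}elsif($args{t} and $args{t} eq "-"){
+$fh = *STDIN;
+}else{
+open (IN, "$args{t}") or die "cannot open $args{t}: $!\n";
+$fh = *IN;
+}
+my %cMacs;
+my %macIP;
+#for statistics:
+my $ips=0;
+my $pkt=0;
+my $line;
+while ($line=<$fh>){
+chomp($line);
+$pkt++;
+my ($sMac, $dMac, $sIP, $dIP)=split(/ /, $line);
+if (!$multicast and $sIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
+if (!$multicast and $dIP=~/^(\d+)\./ and $1>=$MCASTMIN and $1<=$MCASTMAX){next;}
+$macIP{$sMac}->{count}++ if (!exists $macIP{$sMac}->{$sIP});
+$macIP{$sMac}->{$sIP}++;
+$macIP{$dMac}->{count}++ if (!exists $macIP{$dMac}->{$dIP});
+$macIP{$dMac}->{$dIP}++;
+$cMacs{join(" ", sort($sMac, $dMac))}++;
+}
+close ($fh);
+foreach my $mac (keys %macIP){
+$ips += $macIP{$mac}->{count};
+}
+printf ("observed %d MAC adresses\n", scalar(keys %macIP));
+print (join ("\n", keys %cMacs));
+print "\n";
+print "observed $pkt packets and $ips distinct IP adresses\nLocal IP addresses:\n";
+if ($broout){
+open (OUT, "> $broout") or die "cannot open $broout: $!\n";
+print OUT "### Local Networks automatically generated by localnetMAC.pl ###\n";
+if ($aggto){
+print OUT "### NOTE: Internal Networks have been aggregated up to /$aggto networks.\n";
+print OUT "### NOTE: Therefore it may happen that some external Networks\n";
+print OUT "### NOTE: are considered local\n";
+}
+print OUT "### file generated at ".localtime()." (local system-time)\n";
+printf OUT ("### observed %d MAC adresses:\n###\t", scalar(keys %macIP));
+print OUT (join ("\n###\t", keys %cMacs));
+print OUT "\n";
+print OUT "### observed $pkt packets and $ips distinct IP adresses\n";
+print OUT "\n\n";
+print OUT "\@load site\n\n";
+print OUT "redef local_nets: set[subnet] = {\n";
+}
+foreach my $macPair (keys %cMacs){
+my ($mac1, $mac2) = split(/ /, $macPair);
+my %record1;
+my %record2;
+my ($smallRec, $bigRec);
+$record1{mac} = $mac1;
+$record2{mac} = $mac2;
+$record1{hash} = $macIP{$mac1};
+$record2{hash} = $macIP{$mac2};
+$record1{count} = delete $record1{hash}->{count};
+$record2{count} = delete $record2{hash}->{count};
+$record1{masks} = [];
+$record2{masks} = [];
+if ($debug){
+print "*** $mac1 ($record1{count}) ***\n";
+print join("\n", sort keys %{$macIP{$mac1}});
+print "\n*** $mac1 ($record1{count}) end***\n";
+print "*** $mac2 ($record2{count}) ***\n";
+print join("\n", sort keys %{$macIP{$mac2}});
+print "\n*** $mac2 ($record2{count}) end***\n";
+}
+my @ips1 = map(getIPFromString($_), keys %{$record1{hash}});
+$record1{ips} = \@ips1;
+aggregateSinglesTo($record1{ips}, $record1{masks}, $aggto) if ($aggto);
+my @ips2 = map(getIPFromString($_), keys %{$record2{hash}} );
+$record2{ips} = \@ips2;
+aggregateSinglesTo($record2{ips}, $record2{masks}, $aggto) if ($aggto);
+if (scalar( @{$record1{ips}} ) < scalar( @{$record2{ips}} )){
+$smallRec = \%record1;
+$bigRec = \%record2;
+}else{
+$smallRec = \%record2;
+$bigRec = \%record1;
+}
+if ($broout){
+printf OUT ("\t# $smallRec->{mac}: %d(%d) IPs (considered local);\n\t# $bigRec->{mac}: %d(%d) IPs (considered extern)\n",
+scalar( @{$smallRec->{ips}} ),$smallRec->{count},
+scalar( @{$bigRec->{ips}} ), $bigRec->{count});
+}
+printf ("$smallRec->{mac}: %d(%d) IPs (considered local); $bigRec->{mac}: %d(%d) IPs (considered extern)\n",
+scalar( @{$smallRec->{ips}} ),$smallRec->{count},
+scalar( @{$bigRec->{ips}} ), $bigRec->{count});
+@{$smallRec->{ips}} = map( getStringFromIP($_), @{$smallRec->{ips}} );
+@{$smallRec->{masks}} = map( getPrefixFromMask($_), @{$smallRec->{masks}} );
+for(my $i = 0; $i <= $#{$smallRec->{ips}}; $i++){
+if ($smallRec->{masks}->[$i]){
+print "$smallRec->{ips}->[$i]/$smallRec->{masks}->[$i]\n";
+if ($broout){print OUT "\t $smallRec->{ips}->[$i]/$smallRec->{masks}->[$i],\n";}
+}else{
+print "$smallRec->{ips}->[$i]\n";
+if ($broout){print OUT "\t $smallRec->{ips}->[$i]/32,\n";}
+}
+}
+}
+if ($broout){
+print OUT "};\n";
+close(OUT);
+}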

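--- a/scripts/mail_notice.sh
+++ b/scripts/mail_notice.sh
@@ -0,0 +1,28 @@
+#!/bin/sh
+#
+# This is a sample script to provide basic email notification for
+# notices marked NOTICE_EMAIL .
+#
+# Usage: mail_notice "subject" recipient (optional config path)
+notice="/tmp/bro.notice.$$"
+# Clean up after ourselves.
+trap "rm -f $notice; exit" 1 2 15
+# Where are we located.
+base=`dirname $0`
+# Set up the environment.
+if [ $3 ] ; then
+. $3
+else
+. $base/../etc/bro.cfg
+fi
+echo "From:<$BRO_EMAIL_FROM>" > $notice
+echo "To:<$2>" >> $notice
+echo "Subject: Bro alarm: $1" >> $notice
+sendmail <$notice -oi -f $BRO_EMAIL_FROM $2
+rm -f $notice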
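Review bot: `notice="/tmp/bro.notice.$$"` is a predictable name in a world-writable directory, so the `>` redirect a few lines later can be steered by a file or symlink that another local user placed there beforehand; `notice=$(mktemp /tmp/bro.notice.XXXXXX) || exit 1` creates a fresh file with safe permissions instead. The same pattern appears as `tmp_file="/tmp/bro.report.$$"` in scripts/mail_reports.sh. Every expansion in the script is unquoted (`. $3`, `echo "To:<$2>"` is fine but `sendmail ... $2` and `. $base/../etc/bro.cfg` are not), so a recipient or path containing whitespace or glob characters is split; quote them as `"$2"`, `"$3"`, `"$base"`. `[ $3 ]` collapses to `[ ]` (false) when the argument is empty, which works by accident; `[ -n "$3" ]` states the intent.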

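--- a/scripts/mail_reports.sh
+++ b/scripts/mail_reports.sh
@@ -0,0 +1,81 @@
+#!/bin/sh
+#
+# Shell script to mail reports, should be called from
+# crontab
+# $Id: mail_reports.sh 1554 2005-10-24 22:20:26Z tierney $
+#
+# Usage: mail_reports.sh configFile (default config file = ../etc/bro.cfg)
+gpg_error=""
+sent_message=""
+tmp_file="/tmp/bro.report.$$"
+# Clean up after ourselves.
+trap "rm $tmp_file; exit" 1 2 15
+# Where are we located.
+base=`dirname $0`
+# Set up the environment.
+if [ $1 ] ; then
+. $1
+else
+. $base/../etc/bro.cfg
+fi
+for f in /usr/bin/sendmail /usr/sbin/sendmail /usr/lib/sendmail; do
+if [ -x ${f} ]; then
+d="`dirname ${f}`"
+PATH="${d}:${PATH}"
+export PATH
+fi
+done
+# find the newest report in the report directory
+report=`ls -1t $BRO_REPORT_DIR/$BRO_SITE_NAME*.rpt | head -1`
+report_interval=`grep Report $report | awk '{print $6,"-",$9}'`
+# set up temporary report with subject line embedded
+report_subject="Subject: $BRO_HOSTNAME Report: $report_interval"
+# and email it
+# if encrypted make sure we have a good (gpg) bin and keys
+if [ $BRO_ENCRYPT_EMAIL = "YES" ] ; then
+if [ -x $BRO_GPG_BIN ] ; then
+for recpt in $BRO_EMAIL_LOCAL ; do
+echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+echo "To: <$recpt>" >> $tmp_file
+echo "$report_subject" >> $tmp_file
+cat $report | $BRO_GPG_BIN --yes -ea -r $recpt >> $tmp_file
+# If the encryption fails, send it unencrypted
+if [ $? -ne 0 ] ; then
+echo "From:<$BRO_EMAIL_FROM>" > $tmp_file
+echo "To: <$recpt>" >> $tmp_file
+echo "$report_subject" >> $tmp_file
+cat $report >> $tmp_file
+fi
+cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
+done
+sent_message="1"
+rm $tmp_file
+else
+gpg_error="1"
+fi
+fi
+# if there was an error or we are sending unencrypted ...
+if [ -z $sent_message ] ; then
+for recpt in $BRO_EMAIL_LOCAL ; do
+echo "From: <$BRO_EMAIL_FROM>" > $tmp_file
+echo "To: <$recpt>" >> $tmp_file
+echo "$report_subject" >> $tmp_file
+cat $report >> $tmp_file
+if [ $gpg_error ] ; then
+echo "Invalid gpg bin $BRO_GPG_BIN" >> $tmp_file
+fi
+cat $tmp_file | sendmail -oi -f $BRO_EMAIL_FROM $recpt
+done
+rm $tmp_file
+fi
+exit 0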
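Review bot: The branch under `# If the encryption fails, send it unencrypted` silently downgrades a report the operator configured to be encrypted (`BRO_ENCRYPT_EMAIL = "YES"`) to cleartext, leaving no trace in the mail or on stderr; at minimum record the failure, e.g. `echo "gpg encryption failed for $recpt, sending unencrypted" >&2` before the fallback, and consider making the downgrade opt-in the way the missing-binary case already reports itself with `Invalid gpg bin`. `[ $BRO_ENCRYPT_EMAIL = "YES" ]` is a syntax error when the variable is unset because the left operand disappears; write `[ "$BRO_ENCRYPT_EMAIL" = "YES" ]`, and likewise `[ -z "$sent_message" ]`. `report=\`ls -1t ... | head -1\`` parses ls output and yields an empty `$report` when no file matches, after which `grep Report $report` reads stdin and the mail goes out with an empty body; test `[ -n "$report" ] && [ -r "$report" ]` before using it.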


@ -0,0 +1,19 @@
# Usage:
#
# grep "^word_in_reply" ftp-anon.log |
# grep -v "ty=ip" |
# sort -k 3 -k 2 -k 5 -n -r |
# awk -f make-ftp-safe-vocabulary.awk -
#
# grep "^word_in_reply" ftp-anon.log | grep -v "ty=ip" | awk -f make-ftp-safe-vocabulary.awk - | sort
BEGIN {
FS = ",";
print "redef safe_ftp_word += {"
}
{
printf("# \t%s, \t\t# %s, %s, %s\n", $2, $3, $4, $5);
}
END { print "};" }

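--- a/scripts/my-local.bro
+++ b/scripts/my-local.bro
@@ -0,0 +1,20 @@
+# $Id: my-local.bro 507 2004-10-12 11:43:19Z rwinslow $
+# This file is intended for host specific Bro policy.
+# What is host specific? It can be anything that is not the default
+# after installation. This is the place to make tweaks and changes
+# to modify policy to suite your network environment and preferences.
+@load brolite # root policy which loads all other default policies.
+@load intern # file generated by the network script for dynamic config
+# of the local network subnets.
+@load my-site # local policy file with site specific configurations.
+# Make any changes to policy starting here
+# Load Bro rules
+redef signature_files += "s2b-addendum-sigs";
+redef signature_files += "s2b";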

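--- a/scripts/my-site.bro
+++ b/scripts/my-site.bro
@@ -0,0 +1,17 @@
+# $Id: my-site.bro 506 2004-10-12 11:13:03Z rwinslow $
+# This file is intended for site specific Bro policy.
+# What is site specific? For instances in which there are multiple
+# Bro machines or instances running it may be useful to store common
+# configuration data among them.
+# Common data may be certain subnets to which attacks should be alerted
+# differently or perhaps certain addresses which you never care about
+# or want to change the notice actions.
+# This file is left blank as a place holder.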

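--- a/scripts/perl/MANIFEST
+++ b/scripts/perl/MANIFEST
@@ -0,0 +1,13 @@
+lib/Bro/Config.pm
+lib/Bro/Log.pm
+lib/Bro/Log/Alarm.pm
+lib/Bro/Log/Conn.pm
+lib/Bro/Report.pm
+lib/Bro/Report/Alarm.pm
+lib/Bro/Report/Conn.pm
+lib/Bro/Signature.pm
+Makefile.PL
+MANIFEST This list of files
+README
+script/edit-brorule.pl
+script/site-report.pl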

230
scripts/perl/Makefile.PL Normal file

@ -0,0 +1,230 @@
require 5.006_001;
use ExtUtils::MakeMaker;
use Cwd;
use strict;
# See lib/ExtUtils/MakeMaker.pm for details of how to influence
# the contents of the Makefile that is written.
my @args = @ARGV;
my @cleaned_args;
my $scripts_dir = './script';
my $scripts_list;
my $brohome = '';
my $broconfig = '';
my %extra_args = ( 'BROHOME' => \$brohome, 'BROCONFIG' => \$broconfig, );
# Look for any extra args that are not recognized by MakeMaker. Use and
# then omit from the array of the final args to pass to MakeMaker.
foreach my $arg( @args )
{
$arg =~ m/^(.+)=(.+)/;
my $key = $1;
my $val = $2;
if( exists( $extra_args{$key} ) )
{
${$extra_args{$key}} = $val;
}
else
{
push( @cleaned_args, $arg );
}
}
# If any extra args that are not recognized by MakeMaker existed they are removed
# by now.
@_ = @cleaned_args;
@ARGV = @cleaned_args;
if( ! $brohome )
{
if( exists( $ENV{BROHOME} ) )
{
$brohome = $ENV{BROHOME};
}
else
{
$brohome = '/usr/local/bro';
}
}
if( ! $broconfig )
{
$broconfig = "$brohome/etc/bro.cfg";
}
check_prereqs();
$scripts_list = get_exe_list();
foreach my $file( @{$scripts_list} )
{
setbroconfig( $broconfig, $file );
}
WriteMakefile(
'NAME' => 'Bro',
'DISTNAME' => 'Bro-Utilities',
'VERSION_FROM' => 'lib/Bro/Config.pm', # finds $VERSION
'PREREQ_PM' => { 'Config::General' => 2.27,
'Time::Local' => 0,
'Getopt::Long' => 0,
'Socket' => 0,
},
'EXE_FILES' => $scripts_list,
'dist' => {
'COMPRESS' => 'gzip',
'SUFFIX' => 'gz'
},
($] >= 5.005 ? ## Add these new keywords supported since 5.005
('AUTHOR' => 'Roger Winslow <rwinslow@lbl.gov>') : ()),
);
sub chk_version
{
no strict qw( refs vars );
my($pkg,$wanted,$msg) = @_;
local($|) = 1;
print "Checking for $pkg...";
eval { my $p; ($p = $pkg . ".pm") =~ s#::#/#g; require $p; };
print ${"${pkg}::VERSION"} ? "found v" . ${"${pkg}::VERSION"}
: "not found";
print "\n";
my $vnum = ${"${pkg}::VERSION"} || 0;
if( $vnum >= $wanted )
{
print "$pkg is installed\n";
return( 1 );
}
else
{
return();
}
use strict;
}
sub check_prereqs
{
my $failed_prereq = 0;
# Require perl version 5.6.1 or greater
eval { require 5.006_001; };
if( $@ )
{
die( "The minimum version of perl required is 5.6.1 (5.006_001). Please use a different perl binary to install this package.\n" );
}
if( chk_version( 'Config::General' => '2.27' ) )
{
# do nothing
}
else
{
my $orig_dir = cwd();
# Bypass the user prompt for this version
# my $confer = prompt( "Config::General is not installed. Would you like to install it now?",
# 'yes' );
my $confer = 'y';
if( $confer =~ m/yes|y/i )
{
chdir 'ext';
unpack_archive( 'Config-General-2.27.tar.gz' );
chdir 'Config-General-2.27';
print "Installing Config-General-2.27.\n";
sleep( 1 );
do 'Makefile.PL';
if( system( "make; make install" ) == 0 )
{
print "\n ........... done\n";
}
else
{
warn( "Failed to install perl package Config-General-2.27.\n" );
}
chdir "$orig_dir";
}
}
if( $failed_prereq )
{
warn( "Failed one or more prerequisite test, unable to continue.\n" );
exit( 1 );
}
print "\n";
}
sub unpack_archive
{
my $_archive = shift || return( undef );
system( "gzip -d < $_archive | tar xf -" );
}
sub get_exe_list
{
my @ret_list;
if( ! opendir( DIR, $scripts_dir ) )
{
warn( "Failed to open the scripts directory at $scripts_dir. Unable to continue.\n" );
exit( 1 );
}
while( my $file = readdir( DIR ) )
{
if( $file !~ m/^\./ and $file !~ m/^makefile.*/i and
-f "$scripts_dir/$file" )
{
push( @ret_list, "$scripts_dir/$file" );
}
}
closedir( DIR );
return( \@ret_list );
}
sub setbroconfig
{
my $sub_name = 'setbroconfig';
my $_broconfig = shift || return( undef );
my $_file = shift || return( undef );
if( ! open( INFILE, $_file ) )
{
warn( "$sub_name, Failed to open file $_file for reading.\n" );
return( undef );
}
if( ! open( OUTFILE, ">$_file.in" ) )
{
warn( "$sub_name, Failed to open file $_file.in for writing.\n" );
return( undef );
}
while( defined( my $line = <INFILE> ) )
{
$line =~ s/^([[:space:]]*\$DEFAULT_BRO_CONFIG_FILE[[:space:]]*=[[:space:]]*).+(\;.*)$/$1\'$_broconfig\'$2/;
$line =~ s/\$DEFAULT_BRO_HOME/$brohome/;
print OUTFILE $line;
}
close( OUTFILE );
close( INFILE );
system( "mv -f $_file.in $_file" );
return( 1 );
}
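Review bot: In the `foreach my $arg( @args )` loop the match `$arg =~ m/^(.+)=(.+)/;` is never tested, so `my $key = $1; my $val = $2;` read captures regardless of whether this argument matched, and the greedy `(.+)` also puts everything up to the last `=` into the key; bind the captures to the match instead: `my( $key, $val ) = $arg =~ m/^([^=]+)=(.*)$/;` followed by `if( defined( $key ) and exists( $extra_args{$key} ) )`. `system( "gzip -d < $_archive | tar xf -" )` in unpack_archive and `system( "mv -f $_file.in $_file" )` in setbroconfig pass file names through a shell; `rename( "$_file.in", $_file ) or warn( "$sub_name, rename failed: $!\n" );` needs no shell, and `system( 'tar', 'xzf', $_archive )` keeps the archive name out of one. check_prereqs runs `make install` for the bundled Config::General into the active perl with the confirmation prompt commented out, which a Makefile.PL is not expected to do silently; either restore the prompt or state it plainly in the README. The two-argument `open( INFILE, $_file )` and `open( OUTFILE, ">$_file.in" )` should be three-argument opens on lexical handles, and their `close` results are unchecked even though OUTFILE is a write handle.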

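--- a/scripts/perl/README
+++ b/scripts/perl/README
@@ -0,0 +1,64 @@
+This follows the same mantra as all other perl installers.
+PURPOSE:
+This will install perl modules, libraries, and scripts that are used
+for reports, editing signatures, and other useful utilities.
+DEFINITIONS:
+$(PERL) is the path to the perl binary which you wish to use.
+$(INSTALL_ROOT) is this directory which contains the Makefile.PL file.
+BROHOME is the variable found in bro.cfg and defines the start of all
+things Bro. (default: /usr/local/bro)
+BROCONFIG is the location of the bro.cfg file. (default:
+/usr/local/bro/etc/bro/cfg)
+REQUIREMENTS:
+The minimum version of perl required by this installer and it's libraries
+is 5.6.1 (5.006_001)
+The following perl modules are required:
+Socket
+Time::Local
+Config::General (included and will install if neccessary)
+Cwd
+Getopt::Long
+INSTALL:
+$(PERL) Makefile.PL (optional args)
+make
+make install
+INSTALLER NOTES:
+For those of you maintaining this installer and/or want to include
+additional packages to be installed here's how things are setup.
+$(INSTALL_ROOT)/lib contains perl modules (ending in .pm) and will be
+installed in the perl site directory.
+$(INSTALL_ROOT)/script contains executable perl scripts which will be
+installed in the directory defined by INSTALLSCRIPT. The bang paths
+will be automatically changed to the path of the perl binary that was
+used to run Makefile.PL. Files placed in here will also be scanned
+for the variable $DEFAULT_BRO_CONFIG_FILE. The value will automatically
+be changed to one of the following in the order listed:
+arguments passed to Makfile.PL:
+BROCONFIG (this is the path to bro.cfg)
+BROHOME (this is the path to BROHOME. etc/bro.cfg will be appended)
+Environment variable:
+$BROHOME (this is the path to BROHOME. etc/bro.cfg will be appended)
+$(INSTALL_ROOT)/ext contains gzipped perl modules which are included
+as a convenience. These are packages created by other developers and
+are usually found on cpan.org. It will be necessary to change Makefile.PL
+if additional packages are placed in here and they need to be installed.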

Binary file not shown.


@ -0,0 +1,120 @@
package Bro::Config;
use strict;
use Config::General;
require Exporter;
use vars qw( $VERSION
$DEBUG
@ISA
@EXPORT_OK
%DEFAULTS
$DEFAULT_CONFIG_FILE
$BRO_CONFIG );
# $Id: Config.pm 987 2005-01-08 01:04:43Z rwinslow $
$VERSION = 1.20;
$DEBUG = 0;
@ISA = ( 'Exporter' );
@EXPORT_OK = qw( $BRO_CONFIG );
%DEFAULTS = ( BROHOME => '/usr/local/bro',
BRO_POLICY_SUFFIX => '.bro',
BRO_SIG_SUFFIX => '.sig',
META_DATA_PREFIX => '.',
);
$DEFAULTS{CONFIG_FILE} = $DEFAULTS{BROHOME} . '/etc/bro.cfg';
sub parse
{
my $sub_name = 'parse';
my %args = @_;
my $config_file;
my $brohome;
my $conf;
my $ret_hash;
# Check for a config-path that may override the default
if( exists( $args{'File'} ) )
{
$config_file = $args{'File'};
}
else
{
$config_file = $DEFAULT_CONFIG_FILE;
}
# Check for the existance and readability of the config file
if( !( -f $config_file and -r $config_file ) )
{
warn( __PACKAGE__ . "::$sub_name, The Bro config file at $config_file is not readable\n" );
return( undef );
}
$conf = Config::General->new( -ConfigFile => $config_file,
-MergeDuplicateOptions => 1,
-AutoTrue => 1,
);
%{$ret_hash} = $conf->getall;
return( $ret_hash );
}
sub Configure
{
my $sub_name = 'Configure';
my %args = @_;
if( exists( $args{File} ) )
{
if( $args{File} !~ m/[\;\|\?\*\&\{\}]/ and $args{File} =~ m/^([[:print:]]+)$/ )
{
my $clean_name = $1;
if( -f $clean_name and -r $clean_name )
{
$DEFAULT_CONFIG_FILE = $clean_name;
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unable to read config file at $clean_name\n" );
return( undef );
}
}
else
{
warn( __PACKAGE__ . "::$sub_name, Filename contains invalid characters\n" );
return( undef );
}
}
$BRO_CONFIG = parse();
# Set other defaults that have been omitted or don't exist in the config file
setdefaults();
return( 1 );
}
sub setdefaults
{
my $sub_name = 'setdefaults';
my $override = $_[0] || 0;
my @variables_changed;
foreach my $key( keys( %DEFAULTS ) )
{
if( $override or !( exists( $BRO_CONFIG->{$key} ) ) )
{
$BRO_CONFIG->{$key} = $DEFAULTS{$key};
push( @variables_changed, $key )
}
}
return( @variables_changed );
}
1;
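Review bot: `$DEFAULT_CONFIG_FILE` is declared in the `use vars` list but never given a value, so `Configure()` called without a `File` argument reaches `parse()` with `$config_file` undef and fails the `-f`/`-r` test with an empty path in the warning; add `$DEFAULT_CONFIG_FILE = $DEFAULTS{CONFIG_FILE};` right after the `$DEFAULTS{CONFIG_FILE}` assignment, unless a caller is expected to set it from outside, which nothing in this file documents. Configure then still returns 1 when `parse()` returned undef, because `setdefaults()` autovivifies `$BRO_CONFIG` through `$BRO_CONFIG->{$key} = ...` and produces a hash of defaults; `return( undef ) unless defined( $BRO_CONFIG );` before the `setdefaults()` call keeps a missing config file visible to callers. The blacklist `m/[\;\|\?\*\&\{\}]/` rejects legitimate names without adding safety, since as far as this hunk shows the path only reaches `-f`/`-r` and `Config::General->new`; the `^([[:print:]]+)$` capture that untaints the value is the check worth keeping.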

295
scripts/perl/lib/Bro/Log.pm Normal file

@ -0,0 +1,295 @@
package Bro::Log;
require 5.006_001;
use strict;
use Bro::Config( '$BRO_CONFIG' );
use Time::Local;
use vars qw( $VERSION
$BROLOGS );
# $Id: Log.pm 2865 2006-04-27 19:09:18Z tierney $
$VERSION = 1.20;
# This is the bare minimum format in which the filename must conform
my $FILENAME_REGEX = qr/^[[:alnum:]]\.(?:log|[[:print:]]\.[[:print:]])/;
# filename produced by Bro running from a trace file
my $name_trace = qr/^([[:alnum:]]+)\.log$/;
# filename produced from a Bro running on live traffic and currently open
# or logs that are not rotated or post processed
my $name_running = qr/^([[:alnum:]]+) # log name
\. # seperator
([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*) # hostname
\. # seperator
([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
_ # time seperator
[[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2}) # time
$/x;
# filename produced after post processing for things like the GUI. The
# filename contains the log name, hostname, begin epoch time, and end
# epoch time.
my $name_epoch_range = qr/^([[:alnum:]]+) # log name
\. # seperator
([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*) # hostname
\. # seperator
([[:digit:]]{10}) # beginning epoch time
- # seperator
([[:digit:]]{10}) # ending epoch time
$/x;
my $name_rotate_log = qr/^([[:alnum:]]+) # log name
\. # seperator
([^-][[:alnum:]-]*(?:\.[^-][[:alnum:]-])*) # hostname
\. # seperator
([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
_ # time seperator
[[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2}) # time
- # second time seperator
([[:digit:]]{2}-[[:digit:]]{2}-[[:digit:]]{2} # date
_ # time seperator
[[:digit:]]{2}\.[[:digit:]]{2}\.[[:digit:]]{2}) # time
(\.log)?$/x;
sub activelog
{
my $sub_name = 'activelog';
my $log_dir = $BRO_CONFIG->{BROLOGS};
my $ret_str;
if( !( defined( $log_dir ) ) )
{
warn( "no log directory defined\n" );
return( undef );
}
if( -f "$log_dir/active_log" )
{
if( open( I_FILE, "$log_dir/active_log" ) )
{
if( defined( $ret_str = <I_FILE> ) )
{
# remove any trailing newlines
if( $ret_str !~ m/[[:space]]+$/ )
{
chomp( $ret_str );
}
else
{
return( 0 );
}
}
else
{
return( 0 );
}
}
else
{
warn( "Failed to read the active log file at $log_dir/active_log\n" );
}
close( I_FILE );
}
else
{
return( 0 );
}
return( $ret_str );
}
sub loglist
{
my $sub_name = 'log_list';
my $__log_type = $_[0] || return( undef );
my $brologs_dir = $BRO_CONFIG->{BROLOGS};
my @ret_list;
if( opendir( DIR, $brologs_dir ) )
{
while( defined( my $file_name = readdir( DIR ) ) )
{
if( my $log_type = ( filenametoepochtime( $file_name ) )[0] )
{
if( $log_type eq $__log_type )
{
push( @ret_list, "$brologs_dir/$file_name" );
}
}
}
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unable to open the BROLOGS directory\n" );
return( undef );
}
closedir( DIR );
if( wantarray )
{
return( @ret_list );
}
else
{
return( \@ret_list );
}
}
sub filenametoepochtime
{
my $sub_name = 'filenametoepochtime';
# returns the log name, hostname, start time, and end time
# log name will always return.
# If any of the other three are not available then return value
# will be undef.
my $filename = $_[0] || return( undef );
my $log_name;
my $host_name;
my $start_time;
my $end_time;
if( ! $filename =~ $FILENAME_REGEX )
{
print "$filename is bad!!\n";
return( undef );
}
# There are several ways in which the filename is formatted. This
# if tree attempts to parse each of those
# Log name but no hostname or times. This can occur when running Bro
# from a trace file.
if( $filename =~ $name_trace )
{
$log_name = $1;
}
# filename contains the log name, hostname, and start time. This usually
# occurs on filenames which are currently being written to or are not
# rotated.
elsif( my @file_parts = $filename =~ $name_running )
{
my $start_time_string;
( $log_name, $host_name, $start_time_string ) = ( @file_parts );
# split up the string so it can be passed to timetoepoch
my @parts = $start_time_string =~ m/^([[:digit:]]{2}) # year
- # seperator
([[:digit:]]{2}) # month
- # seperator
([[:digit:]]{2}) # day
_ # time seperator
([[:digit:]]{2}) # hour
\. # seperator
([[:digit:]]{2}) # minute
\. # seperator
([[:digit:]]{2}) # second
$/x;
if( @parts == 6 )
{
$start_time = timetoepoch( @parts );
}
else
{
return( undef );
}
}
# filename contains the log name, hostname, epoch start time, epoch end time
elsif( my @file_parts = $filename =~ $name_epoch_range )
{
( $log_name, $host_name, $start_time, $end_time ) = @file_parts;
}
# filename contains the log name, hostname, start time and end time as
# strings as put out by rotate logs.
# i.e weird.lite3.06-04-27_10.40.53-06-04-27_10.41.12
elsif( my @file_parts = $filename =~ $name_rotate_log )
{
my $start_time_string;
my $end_time_string;
( $log_name, $host_name, $start_time_string, $end_time_string ) = @file_parts;
#print "***** $filename: st: $start_time_string, et: $end_time_string\n";
# look at the start date
my @parts = $start_time_string =~ m/^([[:digit:]]{2}) # year
- # seperator
([[:digit:]]{2}) # month
- # seperator
([[:digit:]]{2}) # day
_ # time seperator
([[:digit:]]{2}) # hour
\. # seperator
([[:digit:]]{2}) # minute
\. # seperator
([[:digit:]]{2}) # second
$/x;
$start_time = timetoepoch( @parts );
# look at the start date
@parts = $end_time_string =~ m/^([[:digit:]]{2}) # year
- # seperator
([[:digit:]]{2}) # month
- # seperator
([[:digit:]]{2}) # day
_ # time seperator
([[:digit:]]{2}) # hour
\. # seperator
([[:digit:]]{2}) # minute
\. # seperator
([[:digit:]]{2}) # second
$/x;
$end_time = timetoepoch( @parts );
#print "***** st: $start_time, et: $end_time\n";
}
else
{
return( undef );
}
return( $log_name, $host_name, $start_time, $end_time );
}
sub timetoepoch
{
my $sub_name = 'timetoepoch';
# arguments are in the order
# year
# month
# day
# hour
# minutes
# seconds
my $epoch_time;
my( $year, $mon, $day, $hour, $min, $sec ) = @_;
# The month fed into timelocal is 0 based index
if( $mon > 0 )
{
--$mon;
}
if( $epoch_time = timelocal($sec,$min,$hour,$day,$mon,$year) )
{
return( $epoch_time );
}
else
{
return( undef );
}
}
1;
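Review bot: `if( ! $filename =~ $FILENAME_REGEX )` in filenametoepochtime never fires: `!` binds tighter than `=~`, so the match runs against `!$filename` (the empty string, since `$filename` is already known to be true), which `$FILENAME_REGEX` cannot match; write `if( $filename !~ $FILENAME_REGEX )`. In activelog, `m/[[:space]]+$/` is missing the closing colon of the POSIX class and so matches lines ending in `]` rather than trailing whitespace; note that fixing only the class would send every newline-terminated line read from `active_log` into the `return( 0 )` branch, so the whole if/else is better replaced by an unconditional `chomp( $ret_str );`. `open( I_FILE, "$log_dir/active_log" )` is a two-argument open on a configured path with a bareword handle; `open( my $active_fh, '<', "$log_dir/active_log" )` keeps leading mode characters in the path from being interpreted and scopes the handle, and the `close( I_FILE )` on the failed-open path should move inside the success branch.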


@ -0,0 +1,694 @@
package Bro::Log::Alarm;
use strict;
require 5.006_001;
use strict;
use vars qw( $VERSION
%DATA_MAP );
# $Id: Alarm.pm 987 2005-01-08 01:04:43Z rwinslow $
$VERSION = 1.20;
# Map data descriptions to subroutine names
%DATA_MAP = ( t => \&timestamp,
timestamp => \&timestamp,
notice => \&notice_type,
notice_type => \&notice_type,
notice_act => \&notice_action,
notice_action => \&notice_action,
event_src => \&event_source,
event_source => \&event_source,
source_addr => \&source_addr,
src_addr => \&source_addr,
srcip => \&source_addr,
source_ip => \&source_addr,
src_port => \&source_port,
source_port => \&source_port,
destination_addr => \&destination_addr,
dst_addr => \&destination_addr,
dstip => \&destination_addr,
destination_ip => \&destination_addr,
dst_port => \&destination_port,
destination_port => \&destination_port,
user => \&user,
filename => \&filename,
sigid => \&sigid,
method => \&method,
URL => \&url,
n => \&misc_integer,
count => \&misc_integer,
return_code => \&misc_integer,
msg => \&message,
message => \&message,
sub_msg => \&sub_message,
sub_message => \&sub_message,
);
sub new
{
my $sub_name = 'new';
# This is the parser for tag based alarm and notice files.
my $_log_line;
my @_args = @_;
my %alarm_parts;
if( @_args == 1 )
{
$_log_line = $_args[0];
}
else
{
return( undef );
}
# Order of data in array
# t = timestamp
# no = notice_type
# na = notice_action
# es = event_src, event_source
# sa = source_ip (source address)
# sp = source_port
# da = destination_ip (destination address)
# dp = destination_port
# user = user
# file = filename or sigid
# method = method
# url = URL
# num = count or number or return_code
# msg = message
# sub = sub_message
# tag = tag
# Is this a tag based log line delimited by spaces?
if( $_log_line =~ m/^t\=/ )
{
my $i = 0;
my $i2 = 0;
my $len = length( $_log_line );
my $p_idx = 0;
my $buff_pos = 0;
my $subtr_len = 0;
my @log_parts;
for( $i2 = 0; $i2 < $len; ++$i2 )
{
if( substr( $_log_line, $i2, 1 ) eq ' ' and
substr( $_log_line, $p_idx, 1 ) ne "\\" )
{
if( $subtr_len < 1 )
{
# Skip over this entry, probably just leading space.
# Regardless of what happened there is no useful data.
}
else
{
my $tag;
my $tag_data;
( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
if( exists( $alarm_parts{$tag} ) )
{
warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data. It will be ignored\n" );
}
else
{
$alarm_parts{$tag} = $tag_data;
}
}
$subtr_len = 0;
$p_idx = $i2 + 1;
$buff_pos = $i2 + 1;
++$i;
}
else
{
++$subtr_len;
$p_idx = $i2;
}
}
# Get the last piece of data
my $tag;
my $tag_data;
( $tag, $tag_data ) = extracttag( substr( $_log_line, $buff_pos, $subtr_len ) );
# Make sure this is not a duplicate tag.
if( exists( $alarm_parts{$tag} ) )
{
warn( __PACKAGE__ . "::$sub_name, Found duplicate tag '$tag', in data. It will be ignored\n" );
}
else
{
# Remove any trailing newlines
chomp( $tag_data );
$alarm_parts{$tag} = $tag_data;
}
}
# Is this a colon delimited log line?
elsif( $_log_line =~ m/^[[:digit:]]{10}\.[[:digit:]]{6}/ and $_log_line =~ m/\:/ )
{
my $i = 0;
my $i2 = 0;
my $len = length( $_log_line );
my $p_idx = 0;
my $buff_pos = 0;
my $subtr_len = 0;
my @log_parts;
for( $i2 = 0; $i2 < $len; ++$i2 )
{
if( substr( $_log_line, $i2, 1 ) eq ':' and
substr( $_log_line, $p_idx, 1 ) ne "\\" )
{
if( $subtr_len < 1 )
{
$log_parts[$i] = '';
}
else
{
$log_parts[$i] = substr( $_log_line, $buff_pos, $subtr_len );
$log_parts[$i] = unescape_colons( $log_parts[$i] );
}
$subtr_len = 0;
$p_idx = $i2 + 1;
$buff_pos = $i2 + 1;
++$i;
}
else
{
++$subtr_len;
$p_idx = $i2;
}
}
# Get the last piece of data
$log_parts[$i] = unescape_colons( substr( $_log_line, $buff_pos, $subtr_len ) );
# Remove any trailing newline that may have been left on
chomp( $log_parts[$i] );
$alarm_parts{t} = $log_parts[0];
$alarm_parts{no} = $log_parts[1];
$alarm_parts{na} = $log_parts[2];
$alarm_parts{es} = $log_parts[3];
$alarm_parts{sa} = $log_parts[4];
$alarm_parts{sp} = $log_parts[5];
$alarm_parts{da} = $log_parts[6];
$alarm_parts{dp} = $log_parts[7];
$alarm_parts{user} = $log_parts[8];
$alarm_parts{file} = $log_parts[9];
$alarm_parts{method} = $log_parts[10];
$alarm_parts{url} = $log_parts[11];
$alarm_parts{num} = $log_parts[12];
$alarm_parts{msg} = $log_parts[13];
$alarm_parts{sub} = $log_parts[14];
}
else
{
return( undef );
}
# Make sure that certain fields have values otherwise the data is invalid
if( exists( $alarm_parts{t} ) )
{
return( \%alarm_parts );
}
else
{
return( undef );
}
}
sub unescape
{
my $sub_name = 'unescape';
&unescape_spaces;
}
sub unescape_spaces
{
my $sub_name = 'unescape_spaces';
my $data = $_[0];
if( ! defined( $data ) )
{
return( undef );
}
else
{
$data =~ s/\\ / /g;
$data =~ s/\\\\/\\/g;
}
return( $data );
}
sub unescape_colons
{
my $sub_name = 'unescape_colons';
my $data = $_[0];
if( ! defined( $data ) )
{
return( undef );
}
else
{
$data =~ s/\\:/:/g;
$data =~ s/\\\\/\\/g;
}
return( $data );
}
sub extracttag
{
my $sub_name = 'extracttag';
# Seperate the tag from it's data and return them. If there is a problem
# this sub will return undef. If a tag has no data then a zero length
# string will be returned.
my $__data = $_[0];
my $ret_tag;
my $ret_data;
# Seperate out the tag from the data
( $ret_tag, $ret_data ) = split( /\=/, $__data, 2 );
if( length( $ret_tag ) > 0 )
{
if( defined( $ret_data ) )
{
$ret_data = unescape_spaces( $ret_data );
}
else
{
$ret_data = '';
}
return( $ret_tag, $ret_data );
}
else
{
return( undef );
}
}
sub timestamp
{
my $sub_name = 'timestamp';
my $data = $_[0];
my $format = $_[1]; # Maybe for future expansion. Just thinking out loud.
return( $data->{t} );
}
sub notice_type
{
my $sub_name = 'notice_type';
my $data = $_[0] || return( undef );
return( $data->{no} );
}
sub notice_action
{
my $sub_name = 'notice_action';
my $data = $_[0] || return( undef );
return( $data->{na} );
}
sub event_source
{
my $sub_name = 'event_source';
my $data = $_[0] || return( undef );
if( exists( $data->{es} ) )
{
return( $data->{es} );
}
else
{
return( undef );
}
}
sub source_addr
{
my $sub_name = 'source_addr';
my $data = $_[0] || return( undef );
if( exists( $data->{sa} ) )
{
return( $data->{sa} );
}
else
{
return( undef );
}
}
sub source_ip
{
# This is for backwards compatibility and will be removed in the future
&source_addr;
}
sub source_port
{
my $sub_name = 'source_port';
my $data = $_[0] || return( undef );
if( exists( $data->{sp} ) )
{
return( $data->{sp} );
}
else
{
return( undef );
}
}
sub destination_addr
{
my $sub_name = 'destination_addr';
my $data = $_[0] || return( undef );
return( $data->{da} );
}
sub destination_ip
{
# This is for backwards compatibility and will be removed in the future
&destination_addr;
}
sub destination_port
{
my $sub_name = 'destination_port';
my $data = $_[0] || return( undef );
if( exists( $data->{dp} ) )
{
return( $data->{dp} );
}
else
{
return( undef );
}
}
sub user
{
my $sub_name = 'user';
my $data = $_[0] || return( undef );
if( exists( $data->{user} ) )
{
return( $data->{user} );
}
else
{
return( undef );
}
}
sub filename
{
my $sub_name = 'filename';
my $data = $_[0] || return( undef );
if( exists( $data->{file} ) )
{
return( $data->{file} );
}
else
{
return( undef );
}
}
sub sigid
{
my $sub_name = 'sigid';
&filename;
}
sub method
{
my $sub_name = 'method';
my $data = $_[0] || return( undef );
if( exists( $data->{method} ) )
{
return( $data->{method} );
}
else
{
return( undef );
}
}
sub url
{
my $sub_name = 'url';
my $data = $_[0] || return( undef );
if( exists( $data->{url} ) )
{
return( $data->{url} );
}
else
{
return( undef );
}
}
sub misc_integer
{
my $sub_name = 'misc_integer';
my $data = $_[0] || return( undef );
if( exists( $data->{num} ) )
{
return( $data->{num} );
}
else
{
return( undef );
}
}
sub count
{
&misc_integer;
}
sub return_code
{
&misc_integer;
}
sub message
{
my $sub_name = 'message';
my $data = $_[0] || return( undef );
if( exists( $data->{msg} ) )
{
return( $data->{msg} );
}
else
{
return( undef );
}
}
sub sub_message
{
my $sub_name = 'sub_message';
my $data = $_[0] || return( undef );
if( exists( $data->{sub} ) )
{
return( $data->{sub} );
}
else
{
return( undef );
}
}
sub tag
{
my $sub_name = 'tag';
my $data = $_[0] || return( undef );
if( exists( $data->{tag} ) )
{
return( $data->{tag} );
}
else
{
return( undef );
}
}
sub timerange
{
my $sub_name = 'timerange';
# Find the most likely beginning and ending times covered by a given
# alarm file.
my $filename = $_[0];
my $start_time = 9999999999;
my $end_time = -1;
my $f_size = ( stat( $filename ) )[7];
if( open( INFILE, $filename ) )
{
my $s_idx = 0;
my $s_no_change = 0;
# Find the smallest timestamp in the first 1000 lines.
while( defined( my $ln = <INFILE> ) and
( $s_idx < 1000 ) and
( $s_no_change < 20 ) )
{
if( my $alarm_line = new( $ln ) )
{
my $w_timestamp = timestamp( $alarm_line );
if( $w_timestamp < $start_time )
{
$start_time = $w_timestamp;
$s_no_change = 0;
}
else
{
++$s_no_change;
}
}
++$s_idx;
}
close( INFILE );
# Find the largest timestamp in the last 1000 lines
# Each connection with a status of "SF" will be counted as one line
# Every line will be examined but the "SF" lines are the only ones
# that give a good picture as to the time state of the file.
if( sysopen( INFILE, $filename, 0 ) )
{
sysseek( INFILE, $f_size, 0 );
my $cur_pos = sysseek( INFILE, 0, 1 );
my $nl_pos = $cur_pos;
my $line_count = 0;
my $e_no_change = 0;
# Get last 1000 lines
while( $line_count < 1000 and $e_no_change < 20 )
{
my $new_line_found = 0;
my $buf;
sysread( INFILE, $buf, 1 );
if( $cur_pos > -1 )
{
if( $buf eq $/ )
{
$new_line_found = 1;
}
}
else
{
# Must have hit the beginning of the file
if( $nl_pos > 20 )
{
$cur_pos = 0;
sysseek( INFILE, 0, 0 );
$new_line_found = 1;
}
else
{
last;
}
}
if( $new_line_found )
{
my $cur_line = '';
sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
if( my $alarm_line = new( $cur_line ) )
{
my $w_timestamp = timestamp( $alarm_line );
if( $w_timestamp > $end_time )
{
$end_time = $w_timestamp;
}
else
{
++$e_no_change;
}
}
$nl_pos = $cur_pos;
++$line_count;
}
--$cur_pos;
if( $cur_pos < 0 )
{
last;
}
sysseek( INFILE, $cur_pos, 0 );
}
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
return( undef );
}
close( INFILE );
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
return( undef );
}
# Make sure that sane values were found for the start and end times
if( $start_time == 9999999999 or $end_time == -1 )
{
# warn( __PACKAGE__ . "::$sub_name, There was an error determining the start and end ranges.\n" );
# warn( "No valid values could be found.\n" );
return( undef );
}
return( $start_time, $end_time );
}
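Review bot: The escape test `substr( $_log_line, $p_idx, 1 ) ne "\\"` in the tag-based branch of new() only inspects the byte before the space, so a field value that ends in an escaped backslash (`\\`, which unescape_spaces later collapses to one backslash) makes the following separator look escaped and the next `tag=value` is merged into the previous field. The colon-delimited branch applies the same test against `':'` and has the same problem. Tracking whether the previous byte was an unescaped backslash fixes both; the rewrite of the tag-based loop below drops `$p_idx` entirely, and the colon loop changes the same way. This assumes backslashes are themselves written as `\\` in the log, which the `s/\\\\/\\/g` in unescape_spaces and unescape_colons suggests but this hunk does not prove.
```perl
my $escaped = 0;    # previous byte was a backslash that is itself unescaped
for( $i2 = 0; $i2 < $len; ++$i2 )
{
    my $ch = substr( $_log_line, $i2, 1 );
    if( $ch eq ' ' and !$escaped )
    {
        # … unchanged: skip empty field, or extracttag() + duplicate-tag check …
        $subtr_len = 0;
        $buff_pos = $i2 + 1;
        ++$i;
    }
    else
    {
        ++$subtr_len;
    }
    # a backslash escapes the next byte only when it is not escaped itself
    $escaped = ( $ch eq "\\" and !$escaped ) ? 1 : 0;
}
# … unchanged: last field handling …
```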


@ -0,0 +1,773 @@
package Bro::Log::Conn;
require 5.006_001;
use strict;
use vars qw( $VERSION
$NULL_VALUE
$DEBUG );
# $Id: Conn.pm 1426 2005-09-30 00:19:18Z rwinslow $
$VERSION = 1.20;
$NULL_VALUE = -1;
$DEBUG = 0;
my $CONN_SPLIT_PATT = ' ';
# my $CONN_SPLIT_PATT = qr/ /o;
# Map data descriptions to subroutine names
my %DATA_MAP = ( timestamp => \&timestamp,
duration => \&duration,
source_ip => \&srcip,
srcip => \&srcip,
destination_ip => \&dstip,
dstip => \&dstip,
service => \&service,
source_port => \&srcport,
srcport => \&srcport,
destination_port => \&dstport,
dstport => \&dstport,
protocol => \&protocol,
source_bytes => \&srcbytes,
srcbytes => \&srcbytes,
destination_bytes => \&srcbytes,
dstbytes => \&dstbytes,
connection_status => \&connstat,
connstat => \&connstat,
source_network => \&srcnetwork,
srcnetwork => \&srcnetwork,
other => \&other,
);
sub new
{
my $_log_line = $_[0] || return( undef ); # string ref
# Order of data in array
# 0 = timestamp
# 1 = duration
# 2 = source ip
# 3 = destination ip
# 4 = service
# 5 = source port
# 6 = destination port
# 7 = protocol
# 8 = source bytes
# 9 = destination bytes
# 10 = connection status
# 11 = source network
# 12 = other
my @log_parts = split( $CONN_SPLIT_PATT, $$_log_line, 13 );
if( defined( $log_parts[11] ) )
{
return( \@log_parts );
}
else
{
return( undef );
}
}
sub output
{
my $sub_name = 'output';
my $data = $_[0] || return undef;
my $format = $_[1] || '';
my @ret_data;
if( ref( $format ) ne 'ARRAY' )
{
$format = [ 'timestamp',
'duration',
'srcip',
'dstip',
'service',
'srcport',
'dstport',
'protocol',
'srcbytes',
'dstbytes',
'connstat',
'srcnetwork',
'other',
];
}
my $i = 0;
foreach my $key( @{$format} )
{
if( exists( $DATA_MAP{$key} ) )
{
$ret_data[$i] = &{$DATA_MAP{$key}}( $data );
++$i;
}
else
{
return( undef );
}
}
if( wantarray )
{
return( @ret_data );
}
else
{
return( join( ' ', @ret_data ) );
}
}
sub timestamp
{
my $sub_name = 'timestamp';
my $data = $_[0] || return( undef );
return( $data->[0] );
}
sub duration
{
my $sub_name = 'duration';
my $data = $_[0] || return undef;
my $arg1 = $_[1] || 0;
if( $arg1 eq 'raw' )
{
return( $data->[1] );
}
elsif( $data->[1] eq '?' and defined( $NULL_VALUE ) )
{
return( $NULL_VALUE );
}
else
{
return( $data->[1] );
}
}
sub source_ip
{
&srcip;
}
sub srcip
{
my $sub_name = 'srcip';
return( $_[0]->[2] );
}
sub destination_ip
{
&dstip;
}
sub dstip
{
my $sub_name = 'dstip';
return( $_[0]->[3] );
}
sub service
{
my $sub_name = 'service';
return( $_[0]->[4] );
}
sub source_port
{
&srcport;
}
sub srcport
{
my $sub_name = 'srcport';
return( $_[0]->[5] );
}
sub destination_port
{
&dstport
}
sub dstport
{
my $sub_name = 'dstport';
return( $_[0]->[6] );
}
sub protocol
{
my $sub_name = 'protocol';
return( $_[0]->[7] );
}
sub source_bytes
{
&srcbytes;
}
sub srcbytes
{
my $sub_name = 'srcbytes';
my $data = $_[0] || return undef;
my $arg1 = $_[1] || 0;
if( $arg1 eq 'raw' )
{
return( $data->[8] );
}
elsif( $data->[8] eq '?' and defined( $NULL_VALUE ) )
{
return( $NULL_VALUE );
}
elsif( $data->[10] eq 'SF')
{
# safest to only count sessions with normal termination
return( $data->[8] );
}
else
{
return( $NULL_VALUE );
}
}
sub destination_bytes
{
&dstbytes;
}
sub dstbytes
{
my $sub_name = 'dstbytes';
my $data = $_[0] || return undef;
my $arg1 = $_[1] || 0;
if( $arg1 eq 'raw' )
{
return( $data->[9] );
}
elsif( $data->[9] eq '?' and defined( $NULL_VALUE ) )
{
return( $NULL_VALUE );
}
elsif( $data->[10] eq 'SF' )
{
# safest to only count sessions with normal termination
return( $data->[9] );
}
else
{
return( $NULL_VALUE );
}
}
sub connstat
{
my $sub_name = 'connstat';
my $data = $_[0] || return undef;
return( $data->[10] );
}
sub source_network
{
&srcnetwork;
}
sub srcnetwork
{
my $sub_name = 'srcnetwork';
my $data = $_[0] || return undef;
chomp( $data->[11] );
return( $data->[11] );
}
sub tag
{
my $sub_name = 'tag';
my $data = $_[0] || return( undef );
my $other_field = $data->[12];
my @ret_tag_ids;
while( $other_field =~ s/(\@[[:digit:]]+)// )
{
push( @ret_tag_ids, $1 );
}
if( @ret_tag_ids > 0 )
{
if( wantarray )
{
return( @ret_tag_ids );
}
else
{
return( \@ret_tag_ids );
}
}
else
{
return( undef );
}
}
sub other
{
my $sub_name = 'other';
my $data = $_[0] || return undef;
# Remove any newline character at the end
chomp( $data->[12] );
return( $data->[12] );
}
sub timerange
{
my $sub_name = 'timerange';
# Find the most likely beginning and ending times covered by a given
# conn file.
my $filename = $_[0];
my $find_start_time = $_[1];
my $find_end_time = $_[2];
my $start_time = 9999999999;
my $end_time = -1;
my $max_start_lines = 10000;
my $max_end_lines = 10000;
my $max_line_length = 5000;
my $f_size = ( stat( $filename ) )[7] || 0;
my $default_start;
my $default_end;
if( $DEBUG > 2 )
{
warn( __PACKAGE__ . "::$sub_name, Filename: $filename\n" );
}
# If the file is zero size then don't even both continuing
if( $f_size < 1 )
{
if( $DEBUG > 2 )
{
warn( __PACKAGE__ . "::$sub_name, File is zero size, skipping\n" );
}
return( undef );
}
# If $find_start_time and $find_end_time are defined then the the first
# line that is greater than or equal to the timestamp in $find_start_time
# will be read by seek and then set into $start_pos.
# The last line that contains a timestamp less than or equal to
# $find_end_time will be read by seek and then set in $end_pos.
eval {
local $SIG{ALRM} = sub { die( "Alarm Timeout\n" ) };
alarm 90;
if( open( INFILE, $filename ) )
{
my $s_idx = 0; # start line counter
my $s_no_change = 0; # start no change counter
# Set the very first connection timestamp to $default_start
while( ! $default_start and defined( my $line = <INFILE> ) )
{
if( my $conn_line = new( \$line ) )
{
$default_start = timestamp( $conn_line );
}
}
# Find the smallest timestamp in the first 1000 lines where the
# connection is complete (SF) or (REJ) and the duration is less
# than .1 seconds
while( ( $s_idx < $max_start_lines ) and
( $s_no_change < 20 ) and
defined( my $ln = <INFILE> ) )
{
if( my $conn_line = new( \$ln ) )
{
if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
{
if( duration( $conn_line ) < 0.1 )
{
my $w_timestamp = timestamp( $conn_line );
if( $w_timestamp < $start_time )
{
$start_time = $w_timestamp;
$s_no_change = 0;
}
else
{
++$s_no_change;
}
}
}
}
++$s_idx;
}
close( INFILE );
# Find the largest timestamp in the last 20 lines
# Each connection with a status of "SF" or "REJ" will be counted as
# one line. Every line will be examined but the "SF" or "REJ"
# lines are the only ones that give a good picture as to the time
# state of the file.
if( sysopen( INFILE, $filename, 0 ) )
{
sysseek( INFILE, $f_size, 0 );
my $cur_pos = sysseek( INFILE, 0, 1 );
my $nl_pos = $cur_pos;
my $matched_count = 0;
my $line_count = 0;
# Get last 20 lines
while( $matched_count < 20 and
$line_count < $max_end_lines )
{
my $new_line_found = 0;
my $buf;
sysread( INFILE, $buf, 1 );
if( $cur_pos > -1 )
{
if( $buf eq $/ )
{
$new_line_found = 1;
}
}
else
{
# Must have hit the beginning of the file
if( $nl_pos > 20 ) # supress things like blank lines
{
sysseek( INFILE, 0, 0 );
$new_line_found = 1;
}
else
{
last;
}
}
if( $new_line_found )
{
my $cur_line = '';
++$line_count;
# Make sure that the line is not too large
# Fix for some funky rsync errors that may occur
if( $nl_pos - $cur_pos > $max_line_length )
{
# WAY too big, just mark new position and ignore
}
else
{
sysread( INFILE, $cur_line, $nl_pos - $cur_pos );
if( my $conn_line = new( \$cur_line ) )
{
if( ! $default_end )
{
$default_end = timestamp( $conn_line );
}
if( duration( $conn_line ) < 0.1 and duration( $conn_line ) >= 0 )
{
my $w_timestamp = timestamp( $conn_line );
if( $w_timestamp > $end_time )
{
$end_time = $w_timestamp;
}
}
if( connstat( $conn_line ) =~ m/^(?:SF)|(?:REJ)$/ )
{
++$matched_count;
}
}
}
$nl_pos = $cur_pos;
}
--$cur_pos;
if( $cur_pos < 0 )
{
last;
}
sysseek( INFILE, $cur_pos, 0 );
}
}
else
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename' with sysread.\n" );
}
return( undef );
}
close( INFILE );
}
else
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Unable to open file '$filename'.\n" );
}
return( undef );
}
close( INFILE );
};
alarm 0;
# Make sure that $start_time has something other than the filler value.
if( $start_time == 9999999999 )
{
if( $default_start )
{
$start_time = $default_start;
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, No start_time was found, setting to a default of $default_start\n" );
}
}
else
{
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, No start_time was found and no default_start time was found\n" );
}
}
}
# Make sure that $end_time has something other than the filler value.
if( $end_time == -1 )
{
if( $default_end )
{
$end_time = $default_end;
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, No end_time was found, setting to a default of $default_start\n" );
}
}
else
{
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, No end_time was found and no default_end time was found\n" );
}
}
}
if( $DEBUG > 2 )
{
warn( " " . __PACKAGE__ . "::$sub_name, Start time: $start_time\n" );
warn( " " . __PACKAGE__ . "::$sub_name, End time: $end_time\n" );
}
if( $@ )
{
if( $@ =~ m/Alarm Timeout/ )
{
if( !( $start_time and $end_time ) )
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Error occurred in trying to read the file $filename\n" );
}
return( undef );
}
else
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Timed out during file read. The first and last timestamps have been set as the range of time available\n" );
}
}
}
else
{
warn( $@ );
return( undef );
}
}
return( $start_time, $end_time );
}
sub containstag
{
my $sub_name = 'containstag';
my $data = shift || return( undef );
my @tags_to_match = @_;
my $conn_tags = tag( $data ) || return( 0 );
my $matched_tag = 0;
OUT_LOOP:
{
foreach my $tag_to_match( @tags_to_match )
{
foreach my $tag_id( @{$conn_tags} )
{
if( $tag_id eq $tag_to_match )
{
$matched_tag = $tag_id;
last OUT_LOOP;
}
}
}
} # end OUT_LOOP
return( $matched_tag );
}
sub startposition
{
my $sub_name = 'startposition';
# Find the first file position where $timestamp is greater than or equal to
# a timestamp in the file.
my $timestamp = $_[0];
}
sub endposition
{
my $sub_name = 'endposition';
# Find the last file position where $timestamp is less than or equal to
# a timestamp in a file.
my $timestamp = $_[0];
}
sub connectsucceed
{
my $sub_name = 'connectsucceed';
my $data = $_[0] || return( undef );
my $S_REGEX = qr/^S/o;
my $S123_REGEX = qr/^S[123]$/o;
my $connstat = connstat( $data );
if( $connstat =~ $S_REGEX )
{
if( $connstat eq 'SF' )
{
return( 1 );
}
elsif( $connstat =~ $S123_REGEX )
{
if( srcbytes( $data ) > 0 && dstbytes( $data ) > 0 )
{
return( 1 );
}
else
{
return( 0 );
}
}
}
else
{
# connection failed
return( 0 );
}
}
sub range
{
my $sub_name = 'range';
my $data = $_[0] || return( undef );
my $match_time = $_[1];
my $error_margin = $_[2];
my $start_time;
my $end_time;
my $duration;
# Make sure that the error margin is greater than zero
if( !( defined( $error_margin ) and $error_margin > 0 ) )
{
$error_margin = 0;
}
$start_time = timestamp( $data );
$duration = duration( $data );
if( $match_time )
{
if( $duration < 0 )
{
$duration = 10;
}
$end_time = $start_time + $duration + $error_margin;
$start_time = $start_time - $error_margin;
if( $match_time >= $start_time and
$match_time <= $end_time )
{
return( 1 );
}
else
{
return( 0 );
}
}
else
{
if( $duration > -1 )
{
$end_time = $start_time + $duration;
}
return( $start_time, $end_time );
}
}
1;
# The args to Bro::Log::Conn::output are the connection array ref returned by
# Bro::Log::Conn::new and an optional array ref of what order and fields
# should be printed.
# EXAMPLE:
# $array_ref = Bro::Log::Conn::new( $ln );
# @output_parts = Bro::Log::Conn::output( $array_ref, [ 'srcip', 'dstip', 'timestamp' ] )
#
# The available fields are as follows:
# timestamp
# duration
# srcip
# dstip
# service
# srcport
# dstport
# protocol
# srcbytes
# dstbytes
# connstat
# srcnetwork
# other
# For convenience any data that is represented by a ? will be replaced by a -1
# This occurs for duration, srcbytes, and dstbytes
# This is adjustable by changing $NULL_VALUE
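Review bot: Inside the `eval { … }` in timerange, the `return( undef )` in both open-failure branches only leaves the eval block, not the subroutine, so an unreadable file falls through with `$@` empty and timerange hands its caller the filler pair `( 9999999999, -1 )`; replacing those two returns with `die( "Unable to open file '$filename'\n" );` routes them through the existing `warn( $@ ); return( undef );` branch. The first pass also uses a bareword handle with the two-argument `open( INFILE, $filename )`, which lets a filename starting with `>` or ending in `|` change the open mode; `open( INFILE, '<', $filename )` pins it (the later `sysopen` is already explicit about its flags). In `%DATA_MAP`, `destination_bytes => \&srcbytes` returns the source byte count for the destination field and should read `destination_bytes => \&dstbytes`. The status test `m/^(?:SF)|(?:REJ)$/` is anchored per alternative (it means `^SF` or `REJ$`), so `m/^(?:SF|REJ)$/` states the intent; the same pattern recurs in the end-of-file pass. The debug message for the end-time default interpolates `$default_start` where `$default_end` was meant.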


@ -0,0 +1,714 @@
package Bro::Report;
use strict;
require 5.006_001;
require Exporter;
use Socket;
use vars qw( $VERSION
$DEBUG
@EXPORT_OK
@ISA
$USE_FLOCK
$INCIDENT_COUNT_FILE
$TEMP_DIR
@TEMP_FILES
$IPTONAME_TIMEOUT
$USE_IPTONAME_CACHE
%IPTONAME_CACHE );
@ISA = ( 'Exporter' );
# $Id: Report.pm 1419 2005-09-29 18:56:06Z rwinslow $
$VERSION = 1.20;
$DEBUG = 0;
@EXPORT_OK = qw( iptoname swrite trimhostname trimbytes time_mdhm time_hms date_md
date_ymd getincidentnumber standard_deviation mean_val tempfile
trimstring );
my %STEPS = ( 0 => '',
1 => 'K',
2 => 'M',
3 => 'G',
4 => 'T',
5 => 'P',
K => 1,
M => 2,
G => 3,
T => 4,
G => 5, );
# Check if flock can be used
eval {
flock( STDIN, 1 )
};
if( $@ )
{
$USE_FLOCK = 0;
}
else
{
$USE_FLOCK = 1;
}
# Default temp directorywhich to write to
$TEMP_DIR = '/tmp';
# Default timeout for dns reverse lookups
$IPTONAME_TIMEOUT = 3;
# Should ip to name reverse lookups be cached?
$USE_IPTONAME_CACHE = 1;
sub iptoname
{
my $sub_name = 'iptoname';
my $h_ip = $_[0] || return( undef );
my $resolved_hostname = undef;
my $ret_val;
if( exists( $IPTONAME_CACHE{$h_ip} ) )
{
return( $IPTONAME_CACHE{$h_ip} );
}
eval
{
local $SIG{ALRM} = sub { die( "Lookup Timeout\n" ) };
alarm( $IPTONAME_TIMEOUT);
$resolved_hostname = gethostbyaddr( inet_aton( $h_ip ), 2 );
alarm( 0 );
};
if( $resolved_hostname )
{
$ret_val = $resolved_hostname;
}
else
{
$ret_val = $h_ip;
}
if( $USE_IPTONAME_CACHE )
{
$IPTONAME_CACHE{$h_ip} = $ret_val;
}
return( $ret_val );
}
sub swrite
{
my $sub_name = 'swrite';
my $format = shift;
my @args = @_;
my $ret_val;
$^A = '';
formline( $format, @args );
$ret_val = $^A;
$^A = '';
return( $ret_val );
}
sub trimhostname
{
my $sub_name = 'trimhostname';
my $hostname = $_[0];
my $max_length = $_[1] || 35;
my $direction = $_[2] || '>';
my $ret_val = '';
my $len = length( $hostname );
if( $len > $max_length )
{
my $dif = $len - $max_length + 3;
if( $direction eq '>' )
{
$ret_val = "..." . substr( $hostname, $dif, $len);
}
else
{
$ret_val = substr( $hostname, 0, $len - $dif) . "...";
}
}
else
{
$ret_val = $hostname;
}
return( $ret_val );
}
sub trimbytes
{
my $sub_name = 'trimbytes';
my $arg1 = $_[0];
my $max_width = $_[1] || 6;
my $quantifiers = 'KMGTP';
my $step_count = 0;
my $bytes;
my $ret_val;
if( $arg1 =~ m/([[:digit:]]+)[[:space:]]*([$quantifiers])$/ )
{
$bytes = $1;
$step_count = $STEPS{$2};
}
else
{
$bytes = $arg1;
}
if( length( $bytes ) > $max_width )
{
$max_width -= 2;
my $ints = int( $bytes );
while( exists( $STEPS{$step_count} ) and length( $ints ) > $max_width )
{
$bytes = $bytes / 1024;
$ints = int( $bytes );
++$step_count;
}
my $float_length = $max_width - length( $ints ) - 1;
if( $float_length > 0 )
{
$bytes = sprintf( "%.$float_length" . 'f', $bytes );
}
else
{
$bytes = sprintf( "%d", $bytes );
}
}
if( $STEPS{$step_count} )
{
return( $bytes . " $STEPS{$step_count}" );
}
else
{
return( $bytes );
}
}
sub trimstring
{
my $sub_name = 'trimstring';
my $string = $_[0] || return( undef );
my $max_length = $_[1] || 73;
my $max_lines = $_[2];
my @ret_lines;
my $trunc_string = 0;
if( length( $string ) <= $max_length )
{
return( $string );
}
if( defined( $max_lines )
and $max_lines =~ /^[[:digit:]]+$/
and $max_lines > 0 )
{
# OK, looks good
}
else
{
$max_lines = 1;
}
while( length( $string ) > $max_length
and !( scalar( @ret_lines ) >= $max_lines ) )
{
my $cur_idx = $max_length - 1;
my $found_break_point = 0;
while( $cur_idx > 0 )
{
if( substr( $string, $cur_idx, 1 ) =~ m/[[:space:]]/ )
{
push( @ret_lines, substr( $string, 0, $cur_idx + 1 ) );
$string = substr( $string, $cur_idx );
$found_break_point = 1;
last;
}
else
{
--$cur_idx;
}
}
if( ! $found_break_point )
{
push( @ret_lines, substr( $string, 0, $max_length ) );
$string = substr( $string, $max_length );
}
}
# Check if anything is left in the string
if( length( $string ) > 0 )
{
$trunc_string = 1;
if( !( scalar( @ret_lines ) >= $max_lines ) )
{
push( @ret_lines, $string );
$trunc_string = 0;
}
elsif( length( $ret_lines[$#ret_lines] ) < $max_length )
{
$ret_lines[$#ret_lines] .= substr( $string, 0, $max_length - length( $ret_lines[$#ret_lines] ) );
}
if( $trunc_string )
{
$ret_lines[$#ret_lines] =~ s/.{4}$/\.\.\.>/;
}
}
return( @ret_lines );
}
sub time_mdhm
{
my $sub_name = 'time_mdhm';
# Convert time from epoch to MONTH/DAY HOUR:MINUTE
# 08/13 13:44
my $arg1 = $_[0];
my $ret_val;
if( my @tp = localtime( $arg1 ) )
{
my $mon = sprintf( "%02d", $tp[4] + 1 );
my $day = sprintf( "%02d", $tp[3] );
my $hour = sprintf( "%02d", $tp[2] );
my $min = sprintf( "%02d", $tp[1] );
$ret_val = "$mon/$day $hour:$min";
}
else
{
return( undef );
}
return( $ret_val );
}
sub time_hms
{
my $sub_name = 'time_hms';
# Convert epoch to to HH:MM:SS
my $arg1 = $_[0];
my $ret_val;
if( my @tp = localtime( $arg1 ) )
{
my $hour = sprintf( "%02d", $tp[2] );
my $min = sprintf( "%02d", $tp[1] );
my $sec = sprintf( "%02d", $tp[0] );
$ret_val = "$hour:$min:$sec";
}
else
{
return( undef );
}
return( $ret_val );
}
sub date_md
{
my $sub_name = 'date_md';
# Convert time from epoch to MONTH/DAY
my $arg1 = $_[0];
my $ret_val;
if( my @tp = localtime( $arg1 ) )
{
my $mon = sprintf( "%02d", $tp[4] + 1 );
my $day = sprintf( "%02d", $tp[3] );
$ret_val = "$mon/$day";
}
else
{
return( undef );
}
return( $ret_val );
}
sub date_ymd
{
my $sub_name = 'date_ymd';
# Convert time from epoch to YEAR/MONTH/DAY
my $arg1 = $_[0];
my $ret_val;
if( my @tp = localtime( $arg1 ) )
{
my $mon = sprintf( "%02d", $tp[4] + 1 );
my $day = sprintf( "%02d", $tp[3] );
my $year = $tp[5] + 1900;
$ret_val = "$year/$mon/$day";
}
else
{
return( undef );
}
return( $ret_val );
}
sub getincidentnumber
{
my $sub_name = 'getincidentnumber';
my $arg1 = $_[0];
my $failed = 0;
my $ret_count;
# Check if the $INCIDENT_COUNT_FILE has been set yet
if( ! $INCIDENT_COUNT_FILE )
{
setincidentcountfile();
}
# Make sure that the files exists
if( ! -f $INCIDENT_COUNT_FILE )
{
if( open( OUTFILE, ">$INCIDENT_COUNT_FILE" ) )
{
print OUTFILE "0\n";
}
else
{
warn( "Failed to create the incident count file at $INCIDENT_COUNT_FILE\n;" );
$failed = 1;
}
close( OUTFILE );
return( undef ) if $failed;
}
# If anything besides 0 or undef is passed in then this is true
# If true then don't get a new incident number but rather return the current.
if( open( RW_FILE, $INCIDENT_COUNT_FILE ) )
{
lock( *RW_FILE );
my $cur_count = <RW_FILE>;
chomp( $cur_count );
if( $arg1 )
{
$ret_count = $cur_count;
}
else
{
if( open( RW_FILE, ">$INCIDENT_COUNT_FILE" ) )
{
lock( *RW_FILE ) or print "FAILED TO RE-LOCK\n";
$ret_count = $cur_count + 1;;
print RW_FILE "$ret_count\n";
}
else
{
warn( "Failed to reopen incident count file $INCIDENT_COUNT_FILE for wirtting.\n" );
$failed = 1;
}
}
unlock( *RW_FILE );
close( RW_FILE );
}
else
{
warn( "Failed to open incident count file $INCIDENT_COUNT_FILE for reading.\n" );
$failed = 1;
}
return( $ret_count );
}
sub lock
{
my $sub_name = 'lock';
my $fh = $_[0];
if( $USE_FLOCK )
{
flock( $fh, 2 );
}
return( 1 );
}
sub unlock
{
my $sub_name = 'unlock';
my $fh = $_[0];
if( $USE_FLOCK )
{
flock( $fh, 8 );
}
return( 1 );
}
sub standard_deviation
{
my $sub_name = 'standard_deviation';
my $arg1 = $_[0]; # ref to array
my $mean;
my $dev_mean;
my $ret_val;
my $num_elements;
my $sum;
if( ref( $arg1 ) eq 'ARRAY' )
{
my $i = 0;
my $deviation_sum;
$num_elements = scalar( @{$arg1} );
$dev_mean = $arg1->[0] ** 2;
for( $i = 1; $i > $num_elements; ++$i )
{
$sum += $arg1->[$i];
$deviation_sum += $arg1->[$i] ** 2;
}
$dev_mean = $deviation_sum / $num_elements;
}
elsif( ref( $arg1 ) eq 'HASH' )
{
my $deviation_sum;
while( my( $num, $quan ) = each( %{$arg1} ) )
{
$sum += $num * $quan;
$num_elements += $quan;
$deviation_sum += ( $num ** 2 ) * $quan;
}
$dev_mean = $deviation_sum / $num_elements;
}
else
{
return( undef );
}
# There should be a minimum of 5 (five) values to produce a valid result
if( $num_elements < 5 )
{
return( undef );
}
$mean = $sum / $num_elements;
$ret_val = sqrt( $dev_mean - ( $mean ** 2 ) );
return( $ret_val );
}
sub mean_val
{
my $sub_name = 'mean_val';
my $arg1 = $_[0]; #ref to array
my $array_count;
my $sum = 0;
my $ret_val;
if( ref( $arg1 ) ne 'ARRAY' )
{
return( undef );
}
foreach my $num( @{$arg1} )
{
$sum += $num;
++$array_count;
}
if( $array_count > 0 )
{
$ret_val = $sum / $ret_val;
return( $ret_val );
}
else
{
return( undef );
}
}
sub tempfile
{
my $sub_name = 'tempfile';
my $action = shift || return( undef );;
my @args = @_;
if( $action =~ m/^add$/i )
{
addtempfile( @args );
}
elsif( $action =~ m/^delete|remove$/i )
{
removetempfile( @args );
}
elsif( $action =~ m/^delete all|remove all$/i )
{
removealltempfiles();
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unknown action of $action passed to function.\n" );
return( undef );
}
}
sub addtempfile
{
my $sub_name = 'addtempfile';
my $prefix = $_[0] || return( undef );
my $force = $_[1] || 0;
my $ret_file = "$TEMP_DIR/$prefix".$$.".tmp";
if( -f $ret_file )
{
if( ! $force )
{
warn( __PACKAGE__ . "::$sub_name, Temp file $ret_file already exists\n" );
return( undef );
}
}
if( open( OUTFILE, ">$ret_file" ) )
{
if( $DEBUG > 2 )
{
warn( __PACKAGE__ . "::$sub_name, Successfully created temp file $ret_file.\n" );
}
}
else
{
warn( __PACKAGE__ . "::$sub_name, Unable to open temp file $ret_file for writting.\n" );
}
close( OUTFILE );
push( @TEMP_FILES, $ret_file );
return( $ret_file );
}
sub removetempfile
{
my $sub_name = 'removetempfile';
my @file_names = @_;
my $num_removed = 0;
my @new_array;
if( ! defined( $file_names[0] ) )
{
return( undef );
}
foreach my $cur_file( @TEMP_FILES )
{
foreach my $file_to_remove( @file_names )
{
my $did_find = 0;
if( $cur_file eq $file_to_remove )
{
if( unlink $file_to_remove )
{
++$num_removed;
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, Removed temp file $file_to_remove\n" );
}
}
else
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Failed to remove temp file $file_to_remove\n" );
}
}
$did_find = 1;
last;
}
if( ! $did_find )
{
push( @new_array, $cur_file );
}
}
}
@TEMP_FILES = @new_array;
return( $num_removed );
}
sub removealltempfiles
{
my $sub_name = 'removealltempfiles';
my $num_removed = 0;
foreach my $file_name( @TEMP_FILES )
{
if( unlink( $file_name ) )
{
++$num_removed;
if( $DEBUG > 1 )
{
warn( __PACKAGE__ . "::$sub_name, Successfully deleted temp file $file_name\n" );
}
}
else
{
if( $DEBUG > 0 )
{
warn( __PACKAGE__ . "::$sub_name, Failed to delete temp file $file_name\n" );
}
}
}
@TEMP_FILES = ();
return( $num_removed );
}
sub setincidentcountfile
{
my $sub_name = 'setincidentcountfile';
my $brosite;
use Bro::Config( '$BRO_CONFIG' );
if($brosite = $BRO_CONFIG->{BROSITE} )
{
# Location of the file that holds the incident number counter
$INCIDENT_COUNT_FILE = "$brosite/incident_counter";
}
else
{
warn( "No value for \$BROHOME has been set in the Bro config file. Nothing much works without it.\n" );
return( undef );
}
}
1;
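Review bot: The counter update in getincidentnumber is not atomic: the read-only `open( RW_FILE, $INCIDENT_COUNT_FILE )` is followed by a second `open( RW_FILE, ">$INCIDENT_COUNT_FILE" )` on the same bareword handle, which closes the first handle (dropping its flock) and truncates the file before the new lock is taken, so two concurrent callers can read the same count and hand out duplicate incident numbers. Both opens are the two-argument form as well; opening once with `'+<'`, holding a single exclusive lock across the read, `seek`, `truncate` and write, and closing last removes the race (rewrite below). Note also that `lock` is a weak Perl keyword, so unless `sub lock` is declared before this call site it is presumably the builtin (a no-op on a non-threaded perl) that runs here rather than the package's flock wrapper — confirm, and either forward-declare the sub or call `flock` directly as below. Separately, `standard_deviation` loops with `$i > $num_elements` (never true, so `$sum` and `$deviation_sum` stay undef), `mean_val` divides by `$ret_val` instead of `$array_count`, and the `%STEPS` table repeats `G` where `P => 5` was meant. addtempfile builds a predictable name from `$prefix` and `$$` under `/tmp` and checks `-f` before opening it, which is a symlink race in a shared directory; core File::Temp with the same prefix is the safe replacement.
```perl
if( open( RW_FILE, '+<', $INCIDENT_COUNT_FILE ) )
{
    flock( RW_FILE, 2 ) if $USE_FLOCK;   # LOCK_EX, held for the whole read-modify-write
    my $cur_count = <RW_FILE>;
    chomp( $cur_count );
    if( $arg1 )
    {
        $ret_count = $cur_count;
    }
    else
    {
        $ret_count = $cur_count + 1;
        seek( RW_FILE, 0, 0 );
        truncate( RW_FILE, 0 );
        print RW_FILE "$ret_count\n";
    }
    close( RW_FILE );   # releases the lock after the write is flushed
}
# … unchanged: else branch warning that the file could not be opened …
```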



@ -0,0 +1,770 @@
package Bro::Report::Conn;
use strict;
require 5.006_001;
use Bro::Report qw( trimhostname iptoname swrite trimbytes );
use Bro::Log::Conn;
use vars qw( $VERSION
$MAX_LOCAL_SERVICE_USERS );
# $Id: Conn.pm 1418 2005-09-29 18:25:09Z tierney $
$VERSION = 1.20;
$MAX_LOCAL_SERVICE_USERS = 50;
my %REPORT_MAP = ( 'top_sources' => { input => __PACKAGE__ . '::sourcecount',
output => __PACKAGE__ . '::output_sourcecount' },
'top_destinations' => { input => __PACKAGE__ . '::destcount',
output => __PACKAGE__ . '::output_destcount' },
'top_services' => { input => __PACKAGE__ . '::servicecount',
output => __PACKAGE__ . '::output_servicecount', },
'top_local_service_users' => { input => __PACKAGE__ . '::localserviceusers',
output => __PACKAGE__ . '::output_localserviceusers', },
'success_fail_stats' => { input => __PACKAGE__ . '::successfailcount',
output => __PACKAGE__ . '::output_successfailcount', },
'byte_transfer_pairs' => { input => __PACKAGE__ . '::bytetransferpairs',
output => __PACKAGE__ . '::output_bytetransferpairs', },
);
# Memory used in this variable will be deleted by functions which output
# the values stored for it's respective counting function.
my $RPT_CACHE;
sub sourcecount
{
my $sub_name = 'sourcecount';
# [0] CONN_COUNT
# [1] BYTE_COUNT
my $_conn_struc = $_[0] || return( undef );
my $src_ip = Bro::Log::Conn::source_ip( $_conn_struc ) || return( undef );
if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
{
my $bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
++$RPT_CACHE->{$sub_name}->{$src_ip}->[0];
$RPT_CACHE->{$sub_name}->{$src_ip}->[1] += $bytes;
return( 1 );
}
else
{
return( 0 );
}
}
sub output_sourcecount
{
my $sub_name = 'output_sourcecount';
my $_max_output = $_[0] || 20;
my $top_format = $_[1];
my $format = $_[2];
my $conn_sum = 0;
my $cnt = 0;
my $avg = 0;
my $max_hostname_length = 31;
my @results;
my $ret_string;
my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
if( ! $top_format )
{
$top_format = <<'END'
@|||||||||||||||||||||||||||||| @|||||||||||||| @||||| @|||||||||||
------------------------------- --------------- ------ ------------
END
}
if( ! $format )
{
$format = <<'END'
@>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @<<<<<<<<<<<<<< @>>>>> @>>>>>>>>>>>
END
}
# Figure out what the average count is
foreach my $count_struc( values( %{$RPT_CACHE->{sourcecount}} ) )
{
$conn_sum += $count_struc->[0];
++$cnt
}
# If there are no connection counts then bail
if( $cnt < 1 )
{
return( undef );
}
$avg = $conn_sum / $cnt;
# remove anything which is way too small before sorting
my $smallest_count = 2;
my $percent_of_avg = .1;
my $max_sort_size = $_max_output * 2;
while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
{
while( my( $ip, $struc ) = each( %{$RPT_CACHE->{sourcecount}} ) and $cnt > $max_sort_size )
{
if( $struc->[0] < $smallest_count )
{
delete( $RPT_CACHE->{sourcecount}->{$ip} );
--$cnt;
}
$smallest_count = int( $avg * $percent_of_avg );
}
$percent_of_avg += .1;
}
# Put the remaining data into a temp hash for sorting
my %count_hash;
foreach my $ip( keys( %{$RPT_CACHE->{sourcecount}} ) )
{
# connection count = $RPT_CACHE->{sourcecount}->{$ip}->[0];
# byte count = $RPT_CACHE->{sourcecount}->{$ip}->[1];
push( @{$count_hash{$RPT_CACHE->{sourcecount}->{$ip}->[0]}},
[ $ip, $RPT_CACHE->{sourcecount}->{$ip}->[0], $RPT_CACHE->{sourcecount}->{$ip}->[1] ] );
}
my $output_cnt = 0;
foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
{
foreach my $struc( @{$count_hash{$num_conn}} )
{
++$output_cnt;
if( $output_cnt > $_max_output )
{
last;
}
else
{
push( @results, $struc );
}
}
if( $output_cnt > $_max_output )
{
last;
}
}
# clear out memory space
delete( $RPT_CACHE->{sourcecount} );
# Set the heading
$ret_string .= swrite( $top_format, @heading_names );
# Write the contents
foreach my $line( @results )
{
my $ip = $line->[0];
my $num_conn = $line->[1];
my $num_bytes = trimbytes( $line->[2], 5 );
my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
}
return( $ret_string );
}
sub destcount
{
my $sub_name = 'destcount';
my $_conn_struc = $_[0] || return( undef );
my $dst_ip = Bro::Log::Conn::destination_ip( $_conn_struc ) || return( undef );
if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
{
my $bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
++$RPT_CACHE->{$sub_name}->{$dst_ip}->[0];
$RPT_CACHE->{$sub_name}->{$dst_ip}->[1] += $bytes;
return( 1 );
}
else
{
return( 0 );
}
}
sub output_destcount
{
my $sub_name = 'output_destcount';
my $_max_output = $_[0] || 20;
my $top_format = $_[1];
my $format = $_[2];
my $conn_sum = 0;
my $cnt = 0;
my $avg = 0;
my $max_hostname_length = 31;
my @results;
my $ret_string;
my @heading_names = ( 'Host', 'IP', 'Bytes', 'Conn. Count' );
if( ! $top_format )
{
$top_format = <<'END'
@|||||||||||||||||||||||||||||| @|||||||||||||| @||||| @|||||||||||
------------------------------- --------------- ------ ------------
END
}
if( ! $format )
{
$format = <<'END'
@>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @<<<<<<<<<<<<<< @>>>>> @>>>>>>>>>>>
END
}
# Figure out what the average count is
foreach my $count_struc( values( %{$RPT_CACHE->{destcount}} ) )
{
$conn_sum += $count_struc->[0];
++$cnt
}
# If there are no connection counts then bail
if( $cnt < 1 )
{
return( undef );
}
$avg = $conn_sum / $cnt;
# remove anything which is way too small before sorting
my $smallest_count = 2;
my $percent_of_avg = .1;
my $max_sort_size = $_max_output * 2;
while( ( $cnt > $max_sort_size ) and ( $percent_of_avg < .3 ) )
{
while( my( $ip, $struc ) = each( %{$RPT_CACHE->{destcount}} ) and $cnt > $max_sort_size )
{
if( $struc->[0] < $smallest_count )
{
delete( $RPT_CACHE->{destcount}->{$ip} );
--$cnt;
}
$smallest_count = int( $avg * $percent_of_avg );
}
$percent_of_avg += .1;
}
# Put the remaining data into a temp hash for sorting
my %count_hash;
foreach my $ip( keys( %{$RPT_CACHE->{destcount}} ) )
{
# connection count = $RPT_CACHE->{destcount}->{$ip}->{CONN_COUNT};
# byte count = $RPT_CACHE->{destcount}->{$ip}->{BYTE_COUNT};
push( @{$count_hash{$RPT_CACHE->{destcount}->{$ip}->[0]}},
[ $ip, $RPT_CACHE->{destcount}->{$ip}->[0], $RPT_CACHE->{destcount}->{$ip}->[1] ] );
}
my $output_cnt = 0;
foreach my $num_conn( sort { $b <=> $a } keys( %count_hash ) )
{
foreach my $struc( @{$count_hash{$num_conn}} )
{
++$output_cnt;
if( $output_cnt > $_max_output )
{
last;
}
else
{
push( @results, $struc );
}
}
if( $output_cnt > $_max_output )
{
last;
}
}
# clear out memory space
delete( $RPT_CACHE->{destcount} );
# Set the heading
$ret_string .= swrite( $top_format, @heading_names );
# Write the contents
foreach my $line( @results )
{
my $ip = $line->[0];
my $num_conn = $line->[1];
my $num_bytes = trimbytes( $line->[2], 5 );
my $name = trimhostname( iptoname( $ip ), $max_hostname_length, '>' );
$ret_string .= swrite( $format, $name, $ip, $num_bytes, $num_conn );
}
return( $ret_string );
}
sub servicecount
{
my $sub_name = 'servicecount';
# [0] CONN_COUNT
# [1] BYTES_IN
# [2] BYTES_OUT
my $_conn_struc = $_[0] || return( undef );
my $service = Bro::Log::Conn::service( $_conn_struc ) || return( undef );
if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
{
my $src_bytes = Bro::Log::Conn::source_bytes( $_conn_struc );
my $dest_bytes = Bro::Log::Conn::destination_bytes( $_conn_struc );
++$RPT_CACHE->{$sub_name}->{$service}->[0];
if( Bro::Log::Conn::source_network( $_conn_struc ) eq 'L' )
{
$RPT_CACHE->{$sub_name}->{$service}->[1] += $dest_bytes;
$RPT_CACHE->{$sub_name}->{$service}->[2] += $src_bytes;
}
else
{
$RPT_CACHE->{$sub_name}->{$service}->[1] += $src_bytes;
$RPT_CACHE->{$sub_name}->{$service}->[2] += $dest_bytes;
}
return( 1 );
}
else
{
return( 0 );
}
}
sub output_servicecount
{
my $sub_name = 'output_servicecount';
my $_max_output_count = $_[0] || 20;
my $top_format;
my $format;
my @results;
my @heading_names = ( 'Service', 'Conn. Count', '% of Total', 'Bytes In', 'Bytes Out' );
my $ret_string;
if( ! $top_format )
{
$top_format = <<'END'
@<<<<<<<<<<< @>>>>>>>>>>> @>>>>>>>>> @>>>>>>>> @>>>>>>>>
------------ ------------ ---------- --------- ---------
END
}
if( ! $format )
{
$format = <<'END'
@<<<<<<<<<<< @>>>>>>>>>>> @>>>>>>>>> @>>>>>>>> @>>>>>>>>
END
}
my %count_hash;
my $total_count = 0;
while( my( $name, $struc ) = each( %{$RPT_CACHE->{servicecount}} ) )
{
$total_count += $struc->[0];
push( @{$count_hash{$struc->[0]}},
[ $name, $struc->[1], $struc->[2] ] );
}
my $ret_count = 0;
foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
{
if( $ret_count < $_max_output_count )
{
foreach my $struc( @{$count_hash{$num}} )
{
if( $ret_count < $_max_output_count )
{
my $avg_of_total = sprintf( "%.2f", $num / $total_count * 100 );
my $service = $struc->[0];
my $bytes_in = trimbytes( $struc->[1], 5 );
my $bytes_out = trimbytes( $struc->[2], 5 );
push( @results, [ $service, $num, $avg_of_total, $bytes_in, $bytes_out ] );
++$ret_count;
}
else
{
last;
}
}
}
else
{
last;
}
}
# Clean up some memory
delete( $RPT_CACHE->{servicecount} );
# Print the heading
$ret_string .= swrite( $top_format, @heading_names );
foreach my $line( @results )
{
$ret_string .= swrite( $format, @{$line} );
}
return( $ret_string );
}
sub localserviceusers
{
my $sub_name = 'localserviceusers';
my $_conn_struc = $_[0] || return( undef );
my $service_name = $_[1] || 'smtp';
my $service = Bro::Log::Conn::service( $_conn_struc );
if( $service eq $service_name )
{
my $src_net = Bro::Log::Conn::source_network( $_conn_struc );
if( $src_net eq 'L' and Bro::Log::Conn::connectsucceed( $_conn_struc ) )
{
my $source_ip = Bro::Log::Conn::source_ip( $_conn_struc );
++$RPT_CACHE->{$sub_name}->{$service_name}->{$source_ip};
}
}
return( 1 );
}
sub output_localserviceusers
{
my $sub_name = 'output_localserviceusers';
my $service_name = $_[0] || return( undef );
my $max_count = $_[1] || $MAX_LOCAL_SERVICE_USERS;
my $top_format;
my $format;
my @results;
my $ret_string;
my @heading_names = ( 'Hostname', 'IP', 'Conn. Count' );
my $total_count = keys( %{$RPT_CACHE->{localserviceusers}->{$service_name}} );
my $max_hostname_length = 39;
my $actual_count = 0;
if( ! $top_format )
{
$top_format = <<'END'
@|||||||||||||||||||||||||||||||||||||| @|||||||||||||| @>>>>>>>>>>>
--------------------------------------- --------------- ------------
END
}
if( ! $format )
{
$format = <<'END'
@>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> @<<<<<<<<<<<<<< @>>>>>>>>>>>
END
}
my %count_hash;
while( my( $key, $val ) = each( %{$RPT_CACHE->{localserviceusers}->{$service_name}} ) )
{
push( @{$count_hash{$val}}, $key );
}
foreach my $num( sort { $b <=> $a } keys( %count_hash ) )
{
foreach my $ip( @{$count_hash{$num}} )
{
if( $actual_count + 1 > $max_count )
{
last;
}
$results[$actual_count] = [ $ip, $num ];
++$actual_count;
}
}
# Clean up some memory usage
delete( $RPT_CACHE->{localserviceusers}->{$service_name} );
# Set the heading
$ret_string .= swrite( $top_format, @heading_names );
# Write the contents
foreach my $line( @results )
{
# my $ip = $line->[0];
# my $num_conn = $line->[1];
my $name = trimhostname( iptoname( $line->[0] ), $max_hostname_length, '>' );
$ret_string .= swrite( $format, $name, $line->[0], $line->[1] );
}
if( $actual_count > 0 )
{
if( $total_count > $max_count )
{
my $not_listed = $total_count - $max_count;
$ret_string .= <<"END";
A maximum of $max_count entries are show.
There are another $not_listed that are not displayed.
END
}
}
else
{
$ret_string = "\n No data to report for this section\n";
}
return( $ret_string );
}
sub successfailcount
{
my $sub_name = 'successfailcount';
my $_conn_struc = $_[0] || return( undef );
if( Bro::Log::Conn::connectsucceed( $_conn_struc ) )
{
++$RPT_CACHE->{$sub_name}->{SUCCESS};
}
else
{
# connection is failed
++$RPT_CACHE->{$sub_name}->{FAIL};
}
}
sub output_successfailcount
{
my $sub_name = 'output_successfailcount';
my $format = $_[0];
my $ret_string;
if( ! $format )
{
$format = <<'END'
Successful: @<<<<<<<<<<<<<<<
Unsuccessful: @<<<<<<<<<<<<<<<
Ratio: @<<<<<<
END
}
# Success and fail counts must be greater than zero
if( $RPT_CACHE->{successfailcount}->{FAIL} < 1 or
$RPT_CACHE->{successfailcount}->{SUCCESS} < 1 )
{
return( 'undef' );
}
my $ratio = $RPT_CACHE->{successfailcount}->{FAIL} / $RPT_CACHE->{successfailcount}->{SUCCESS};
$ret_string = swrite( $format,
$RPT_CACHE->{successfailcount}->{SUCCESS},
$RPT_CACHE->{successfailcount}->{FAIL},
"1:$ratio" );
return( $ret_string );
}
sub bytetransferpairs
{
my $sub_name = 'bytetransferpairs';
# This report can be very memory expensive. It can also be very processor
# intesive as the hash tables can get very large and take longer and
# longer to traverse.
my $conn_struc = $_[0] || return( undef );
my $local_host;
my $remote_host;
my $local_bytes;
my $remote_bytes;
if( Bro::Log::Conn::source_network( $conn_struc ) eq 'L' )
{
$local_host = Bro::Log::Conn::source_ip( $conn_struc );
$remote_host = Bro::Log::Conn::destination_ip( $conn_struc );
$local_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
$remote_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
}
else
{
$remote_host = Bro::Log::Conn::source_ip( $conn_struc );
$local_host = Bro::Log::Conn::destination_ip( $conn_struc );
$remote_bytes = Bro::Log::Conn::source_bytes( $conn_struc );
$local_bytes = Bro::Log::Conn::destination_bytes( $conn_struc );
}
if( $local_bytes > 0 and $remote_bytes > 0 )
{
$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes;
$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes;
++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
return( 1 );
}
elsif( exists( $RPT_CACHE->{bytetransferpairs}->{$local_host} ) and
exists( $RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host} ) )
{
$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{LOCAL_BYTES} += $local_bytes || 0;
$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{REMOTE_BYTES} += $remote_bytes || 0;
++$RPT_CACHE->{bytetransferpairs}->{$local_host}->{$remote_host}->{CONN_COUNT};
return( 1 );
}
else
{
return( 0 );
}
}
sub output_bytetransferpairs
{
my $sub_name = 'output_bytetransferpairs';
my $max_hostname_length = 22;
my $max_output = $_[0] || 20;
my $ret_string;
my $_base = $RPT_CACHE->{bytetransferpairs};
my %reversed_hash;
my @ordered_list;
my $top_format;
my $format;
$top_format = <<"END";
Hot Report - Top $max_output
Local Remote Conn.
Local Host Remote Host Bytes Bytes Count
----------------------- ----------------------- --------- --------- -------
END
$format = <<'END';
@<<<<<<<<<<<<<<<<<<<<<< @<<<<<<<<<<<<<<<<<<<<<< @>>>>>>>> @>>>>>>>> @<<<<<<<<
END
foreach my $l_host( keys( %{$_base} ) )
{
foreach my $r_host( keys( %{$_base->{$l_host}} ) )
{
my $big_bytes;
if( $_base->{$l_host}->{$r_host}->{LOCAL_BYTES} > $_base->{$l_host}->{$r_host}->{REMOTE_BYTES} )
{
$big_bytes = $_base->{$l_host}->{$r_host}->{LOCAL_BYTES};
}
else
{
$big_bytes = $_base->{$l_host}->{$r_host}->{REMOTE_BYTES};
}
push( @{$reversed_hash{$big_bytes}}, { REF => $_base->{$l_host}->{$r_host},
LOCAL_HOST => $l_host,
REMOTE_HOST => $r_host, } );
}
}
my @ordered_list = sort( { $b<=>$a } keys( %reversed_hash ) );
my $i = 0;
while( defined( my $key = shift( @ordered_list ) ) and $i < $max_output )
{
foreach my $data( @{$reversed_hash{$key}} )
{
my $local_bytes = trimbytes( $data->{REF}->{LOCAL_BYTES}, 6 );
my $remote_bytes = trimbytes( $data->{REF}->{REMOTE_BYTES}, 6 );
my $conn_count = $data->{REF}->{CONN_COUNT};
my $local_name = trimhostname( iptoname( $data->{LOCAL_HOST} ), $max_hostname_length, '>' );
my $remote_name = trimhostname( iptoname( $data->{REMOTE_HOST} ), $max_hostname_length, '>' );
$ret_string .= swrite( $format,
$local_name,
$remote_name,
$local_bytes,
$remote_bytes,
$conn_count );
++$i;
if( !( $i < $max_output ) )
{
last;
}
}
}
# Free up some memory
$_base = undef;
%reversed_hash = ();
delete( $RPT_CACHE->{bytetransferpairs} );
if( length( $ret_string ) < 32 )
{
$ret_string = $top_format . " No data to report\n";
}
else
{
$ret_string = $top_format . $ret_string . "\n";
}
return( $ret_string );
}
sub output_successcount
{
my $sub_name = 'output_successcount';
my $ret_val = $RPT_CACHE->{successfailcount}->{SUCCESS};
# Clean up some memory
delete( $RPT_CACHE->{successfailcount}->{SUCCESS} );
return( $ret_val );
}
sub output_failcount
{
my $sub_name = 'output_failcount';
my $ret_val = $RPT_CACHE->{successfailcount}->{FAIL};
# Clean up some memory
delete( $RPT_CACHE->{successfailcount}->{FAIL} );
return( $ret_val );
}
sub availablereports
{
my $sub_name = 'availablereports';
my @ret_list = keys( %REPORT_MAP );
return( @ret_list );
}
sub reportinputfunc
{
my $sub_name = 'reportinputfunc';
my $report_name = $_[0] || return( undef );
if( exists( $REPORT_MAP{$report_name} ) )
{
return( $REPORT_MAP{$report_name}->{'input'} );
}
else
{
return( undef );
}
}
sub reportoutputfunc
{
my $sub_name = 'reportoutputfunc';
my $report_name = $_[0] || return( undef );
if( exists( $REPORT_MAP{$report_name} ) )
{
return( $REPORT_MAP{$report_name}->{'output'} );
}
else
{
return( undef );
}
}
1;



1367
scripts/perl/script/site-report.pl Executable file


182
scripts/process_bro_logs.py Executable file

@ -0,0 +1,182 @@
#!/usr/bin/env python
import re
import os
import sys
import time
import string
import math
import getopt
rawlogs=None
processedlogs=None
# invoke a sed script to remove the last byte from the ips
def maskit(file):
cmd = "sed -f mask-addr.sed %s > %s.masked" % (file,file)
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
cmd = "rm %s" % file
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
cmd = "mv %s.masked %s" % (file, file)
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
def get_files(dir, myfilter='.*\.example$', includezero = False):
"""get all '*.example' files"""
SIZE = 6
flist=[]
files = os.listdir(dir)
test = re.compile(myfilter, re.IGNORECASE)
files = filter(test.search, files)
for f in files:
s = os.stat(dir + '/' + f)[SIZE]
if s > 0 or includezero:
flist.append(f)
return flist
def sort_conn(f):
# move to new file
cmd = "mv %s %s.sortme" % (f,f)
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
# sort it
cmd = "sort %s.sortme > %s" % (f, f)
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
# we can allow a one byte difference (probably newline)
if math.fabs(os.stat(f)[6] - size) >= 2:
print "Error sizes don't match! %d != %d (%s)" % ( os.stat(f)[6], size, f)
sys.exit(1)
# remove old file (now called .sortme)
cmd = "rm %s" % (f + ".sortme")
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
def move_it(f,fname):
# move it on over
cmd = "mv %s %s/%s" % ( f, processedlogs, fname )
ret = os.system(cmd)
if ret != 0:
print "error with %s" % cmd
def usage(msg=None):
if msg != None:
print msg
print """process_bro_logs.py -h -l logsdir -r rawlogsdir"""
print """ -h This help message"""
print """ -l logsdir Directory where the logs should end up"""
print """ -r rawlogsdir Directory where the raw logs reside"""
sys.exit(1)
####################################################
# This is the start of the script
try:
options,prog_args = getopt.getopt(sys.argv[1:],'hl:r:')
except getopt.GetoptError, E:
usage(E)
for opt,val in options:
if opt == '-l':
processedlogs = val
elif opt == '-r':
rawlogs = val
else:
usage()
if rawlogs == None or processedlogs == None:
usage()
# get to the right place
os.chdir(rawlogs)
# look for logs that have been split
fl1 = get_files(rawlogs,
myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})\.[0-9]+\.[0-9]+\.[0-9]+$')
for f in fl1:
print "Working on split file: ", f
# grab times before we mess with it
size,atime,mtime,ctime = os.stat(f)[6:10]
type,host = string.split(f,'.')[0:2]
broend = string.split(f, ".")[-2:-1][0]
# only sort conn files
if f[:4] == 'conn':
sort_conn(f)
cmd = 'sync'
ret = os.system(cmd)
#grab the 2nd timestamp
cmd = 'head -2 %s | tail -1' % f
if ret != 0:
print "error with %s" % cmd
fo=os.popen(cmd)
buf = fo.read()
fo.close()
brostart = buf.split('.')[:1]
# sanity check
if brostart[0] < 1090000000 or len(brostart[0]) != 10:
print "File error! Stopping"
sys.exit(1)
# construct new filenaem
fname = "%s.%s.%s-%s" % (type,host,brostart[0],broend)
# does a file with name already exist?
if os.access("%s/%s" % (processedlogs, fname), os.F_OK):
print "File %s already exists" % fname
print "Skipping %s" % fname
continue
move_it(f,fname)
os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
print "Done with %s" % f
# lets not run too fast
time.sleep(3)
continue
# look for files that haven't been split
fl2 = get_files(rawlogs,
myfilter='^(\w+)\.\w+\.(\d{2})-(\d{2})-(\d{2})[-_](\d{2})[:.](\d{2})[:.](\d{2})$')
for f in fl2:
print "Working on file: ", f
# grab times before we mess with it
size,atime,mtime,ctime = os.stat(f)[6:10]
type,host = string.split(f,'.')[0:2]
brostart = string.join(string.split(f, ".", 2)[2:])
foo = list(time.strptime(brostart, '%Y-%m-%d_%H.%M.%S'))
# toggle guessing of daylight savings, grrrr
foo[-1] = -1
bs = time.mktime(foo)
fname = "%s.%s.%d-%s" % (type,host,bs,mtime)
if os.access("%s/%s" % (processedlogs,fname), os.F_OK):
print "File %s already exists, skipping" % fname
continue
# sort conn files
if f[:4] == 'conn':
sort_conn(f)
move_it(f, fname)
os.utime("%s/%s" % (processedlogs,fname), (mtime,mtime))
print "Done with %s (%s)" % (fname,f)
# lets not overrun things
time.sleep(3)
continue
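Review bot: maskit, sort_conn and move_it hand filenames to os.system() through string interpolation (`cmd = "sort %s.sortme > %s" % (f, f)`), so a name in rawlogs containing shell metacharacters is executed by the shell; the anchored filters in get_files restrict fl1/fl2 to `\w`, digits and dots, which is the only thing between a crafted filename and command execution, and maskit has no such guard at all. The list form, e.g. `subprocess.call(['mv', f, f + '.sortme'])`, or at least `pipes.quote` on each name, removes that dependency on the regex. Separately, `if brostart[0] < 1090000000` compares a string with an int, which in Python 2 is always False, so only the `len(...) != 10` half of the sanity check ever fires; `int(brostart[0]) < 1090000000` is what was intended. sort_conn also reads the module-level `size` that the caller loop happens to set, and the `ret != 0` check placed after `cmd = 'head -2 %s | tail -1' % f` reports the head command when it was `sync` that failed.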

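--- a/scripts/push_logs.sh
+++ b/scripts/push_logs.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+#
+# script to push logs from a bro host to a front end host, including a file "DoReports.HOST" telling
+# the report generation script that the new days logs are ready to process
+#
+# usage: push_logs.sh hostname:path
+#
+# where are we located
+base=`dirname $0`
+#set the environment
+. $base/../etc/bro.cfg
+nice -n 20 /usr/local/bin/rsync -avzt $BROHOME/logs/ $1
+# create and copy file to trigger report generation
+touch /tmp/DoReports.$BRO_HOSTNAME
+/usr/local/bin/rsync -avzt /tmp/DoReports.$BRO_HOSTNAME $1
+# and if you need to sort the logs for Brooery, add this:
+#ssh $1 "/usr/local/bro/scripts/log2gui.py -r /usr/local/bro/logs -l /usr/local/bro/sorted-logs"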
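Review bot: The destination `$1` is used unquoted and unchecked on both rsync lines; with no argument rsync is given only the source directory and merely lists it, yet the DoReports trigger file is still created and "pushed", and a destination containing whitespace splits into extra arguments. A guard at the top, `[ $# -eq 1 ] || { echo "usage: $0 hostname:path" >&2; exit 1; }`, together with quoting `"$1"` and `. "$base/../etc/bro.cfg"` and a `set -e` so a failed log rsync does not go on to send the trigger, would make the script fail closed. The trigger file is also created with `touch` under the shared /tmp, where an existing symlink of that name is followed; a directory under $BROHOME would avoid that.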

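--- a/scripts/s2b/Makefile.am
+++ b/scripts/s2b/Makefile.am
@@ -0,0 +1,3 @@
+## Process this file with automake to produce Makefile.in
+SUBDIRS = bro-include example_bro_files etc bin pm snort_rules2.2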

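--- a/scripts/s2b/README
+++ b/scripts/s2b/README
@@ -0,0 +1,74 @@
+# quick README
+For the purpose of this readme file it is assumed that Bro is already
+installed and running and you are familiar with the general directory
+structure.
+REQUIREMENTS:
+PERL 5.6.1 or greater
+Python
+Copy all of the files in the bro-include directory that end in .bro
+or .sig to your $BROHOME/policy directory.
+If you are running multiple versions of PERL or Python and the required
+version is not running from the default place then you are going to need
+to change the bang path (example: #!/usr/bin/perl) to whatever is appropriate.
+All files created by s2b.pl that are used in a running Bro instance will end
+with either .bro or .sig. The recommended place to put these file is under
+the directory $BROHOME/policy/local as these files can change often and will
+be tuned to a specific site or network traffic type.
+Here are example entries to be added to the Bro policy start script so that
+the signature preqrequisites get loaded correctly.
+@load software
+@load signatures
+@load snort
+@load sig-functions.bro
+@load sig-action.bro
+On the command line which starts the running Bro process include the
+following. It is assumed that the frequently updated signatures.sig and
+sig-action.bro are put in the directories $BROHOME/site and
+$BROHOME/policy respectively. $BRO is the path to the bro binary in use.
+$BRO -s $BROHOME/policy/sig-addendum.sig -s $BROHOME/site/signatures.sig <other command line stuff>
+# These are just some quick examples
+# Since most of the programs control resides in the --configdir these
+# commands point to the relative config dir of 'etc/' which is included
+# in the tarball.
+# Change to bin/ and try the following commands
+# This PERL program requires PERL 5.6.1 minimum and module Config::General
+# which is included in directory pm/ or it can be downloaded from cpan.org
+# Create a new s2b-augment.cfg file
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --updateaugment --augmentconfig ../etc/s2b-augment.cfg
+# Create Bro s2b.sig and s2b-siagaction.bro files a remain completely silent outputting no errors if encountered
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 0
+# Create Bro s2b.sig and s2b-sigaction.bro files and print any errors to STDERR. (default debug level is 1)
+./s2b.pl --mainconfig ../etc/s2b.cfg --configdir ../etc --snortrulesetdir ../snort_rules2.2 --augmentconfig ../etc/s2b-augment.cfg --debug 1
+# Show some usage info
+./s2b.pl --help
+TODO:
+Need to update this readme after the directory structure of Bro has been
+finalized.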


@ -0,0 +1,8 @@
## Process this file with automake to produce Makefile.in
# include in the dist for now
EXTRA_DIST = s2b.pl snort2bro
# OR we can install them on a make install
#scriptsdir=$(prefix)/etc
#dist_scripts_SCRIPTS = s2b.pl snort2bro

2991
scripts/s2b/bin/s2b.pl Executable file


1036
scripts/s2b/bin/snort2bro Executable file



@ -0,0 +1,4 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = sig-addendum.sig sig-functions.bro


@ -0,0 +1,408 @@
# these are translations for pcre -> lex/bro
#
# \w AN and _ : [a-zA-Z_]
# \W not \w : [^a-zA-Z_]
# \s whitespace : [\x20\x09\x0b]
# \S not \s : [^\x20\x09\x0b]
# \d numeric : [0-9]
# \D not \d : [^0-9]
#
#
# the sig error also will hold for the 3xx and 5xx series also(?)
# 304 not modified may be a problem here
signature http_error {
ip-proto == tcp
src-port == http_ports
payload /.*HTTP\/1\.. *[3-5][0-9][0-9]/
tcp-state established
}
signature http_good {
ip-proto == tcp
src-port == http_ports
payload /.*HTTP\/1\.. *2[0-9][0-9]/
tcp-state established
}
signature http_shell_check {
ip-proto == tcp
src-port == http_ports
# this should filter out most typical references to the various shell commands
# from man pages and reference guides
payload /((ksh)|(rsh)|(zsh)|(csh)|(tcsh)|(sh)|(bash))[a-zA-Z0-9\x2d\x2e\x5f\x2f]/
tcp-state established
}
signature got_http_root {
# this is to get around the 'permission denied' == response
# == 200 reply problem for /etc/passwd checking
# just a sanity check to see if there is some suggestion of success
ip-proto == tcp
src-port == 80
payload /.*root:.*/
tcp-state established
}
# the following sigs should give some idea of the server software type and
# version. This assumes that the configuration has not been changed
signature http_apache_server {
ip-proto == tcp
src-port == http_ports
# this should catch *most* apache instances that are normal
# in behavior
payload /.*\x0aServer: Apache.*/
tcp-state established
}
signature http_apache1_server {
ip-proto == tcp
src-port == http_ports
# this should catch *most* apache instances that are normal
# in behavior
payload /.*\x0aServer: Apache\/1\..*/
tcp-state established
}
signature http_apache2_server {
ip-proto == tcp
src-port == http_ports
# this should catch *most* apache instances that are normal
# in behavior
payload /.*\x0aServer: Apache\/2\..*/
tcp-state established
}
signature http_iis_server {
ip-proto == tcp
src-port == http_ports
payload /.*\x0aServer: Microsoft-IIS.*/
tcp-state established
}
signature http_iis4_server {
ip-proto == tcp
src-port == http_ports
payload /.*\x0aServer: Microsoft-IIS\/4\.0.*/
tcp-state established
}
signature http_iis5_server {
ip-proto == tcp
src-port == http_ports
payload /.*\x0aServer: Microsoft-IIS\/\5\.0.*/
tcp-state established
}
signature http_iis6_server {
ip-proto == tcp
src-port == http_ports
payload /.*\x0aServer: Microsoft-IIS\/\6\.0.*/
tcp-state established
}
signature http_cool_dll {
ip-proto == tcp
dst-port == http_ports
payload /.*cool.dll*./
}
########################## client section #
#
# "User-Agent: "
# payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20/
#
#######
signature http_msie_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent:...... MSIE #"
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{5,30}MSIE\x20[1-9]*./
tcp-state established
}
signature http_real_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent:.RMA/1.0.(compatible;.RealMedia)"
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20\x52\x4d\x41\x2f\x31\x2e\x30\x20\x28\x63\x6f\x6d\x70\x61\x74\x69\x62\x6c\x65\x3b\x20\x52\x65\x61\x6c\x4d\x65\x64\x69\x61\x29*./
tcp-state established
}
signature http_opera_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: Opera/6.1"
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a.{3,50}\x4f\x70\x65\x72\x61\x2f.*/
tcp-state established
}
signature http_netscape_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... Netscape/A
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f[4-7].*/
tcp-state established
}
signature http_netscape_client4 {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... Netscape/A.B
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f4\x2e[0-9].*/
tcp-state established
}
signature http_netscape_client7 {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... Netscape/A.B - note that for Netscape/7 there is no .X subversion
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f7.*/
tcp-state established
}
signature http_netscape_client8 {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... Netscape/A.B
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,90}Netscape\x2f8\x2e[0-9].*/
tcp-state established
}
signature http_moz_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... rv:A.B ... Gecko/"
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f.*/
tcp-state established
}
signature http_old_gecko_client {
ip-proto == tcp
dst-port == http_ports
# "User-Agent: ... rv:A.B ... Gecko/"
payload /.*\x0a\x55\x73\x65\x72\x2d\x41\x67\x65\x6e\x74\x3a\x20.{10,70}rv\x3a[0-2]\x2e[0-9].{0,30}Gecko\x2f(2000|2001|2002).*/
tcp-state established
}
## end client sigs ##
## ftp based signatures ##
signature got_ftp_root {
ip-proto == tcp
src-port == 21
payload /.*root:.*/
tcp-state established
}
signature got_tftp_root {
# this checks to see if a tftp get /etc/passwd or /etc/shadow
# actually returns any data. we assume that root will always
# be in the file
ip-proto == udp
src-port == 69
payload /.*root:.*/
}
# smtp return code checking
signature smtp_server_ok {
ip-proto == tcp
src-port == 25
payload /. [2-3][0-9][0-9]../ # 2xx-3xx successful
tcp-state established
}
signature smtp_server_pending {
ip-proto == tcp
src-port == 25
payload /.4[0-9][0-9]../ # 4xx failure, ask sender to try later
tcp-state established
}
signature smtp_server_fail {
ip-proto == tcp
src-port == 25
payload /.5[0-9][0-9]../ # 5xx permanent failure
tcp-state established
}
# ftp server return code information. a few assumptions made here
# in theory '150' is a good return, but I skip it here for simplicity
signature ftp_server_ok {
ip-proto == tcp
src-port == 21
payload /.2[0-9][0-9]../ # 2xx ok
tcp-state established
}
signature ftp_server_error {
ip-proto == tcp
src-port == 21
payload /.5[0-9][0-9]../ # 5xx fail
tcp-state established
}
# snmp return checker - we ought to expect a non-trivial quantity of data for a
# successful snmp connection
signature snmp_userver_ok_return {
ip-proto == udp
src-port >= 161
src-port <= 162
payload-size > 10
}
signature snmp_tserver_ok_return {
ip-proto == tcp
src-port >= 161
src-port <= 162
payload-size > 10
tcp-state established
}
signature pop_return_ok {
ip-proto == tcp
src-port >= 109
src-port <= 110
payload /.\x2bOK/
tcp-state established
}
signature pop_return_error {
ip-proto == tcp
src-port >= 109
src-port <= 110
payload /.\x2dERR/
tcp-state established
}
# this series of sigs is provided by CIAC based on suckit rootkit
# backdoor traffic. the 'signature' has only been seen on port 22
# up till now.
signature sid-ciac-sk1 {
ip-proto == tcp
event "CIAC-1 suckit backdoor"
payload /.*\xd1\xe4\x22\x07\x57\xd3\xa9\x9a\x5a\xd5\xcc\xc7\x9d\xa1\xd5\xc5\xa6\xf1\x6d\x57/
}
signature sid-ciac-sk2 {
ip-proto == tcp
event "CIAC-2 suckit backdoor"
payload /.*\x7c\x83\x3b\x3f\x8a\x80\x59\xbf\x45\xbd\x5f\xf2\xa3\xc9\x36\x85\xa9\xd1\x15\xc3/
}
signature sid-ciac-sk3 {
ip-proto == tcp
event "CIAC-3 suckit backdoor"
payload /.*\x12\xc4\xf6\x62\x55\xe6\x36\xbd\xe4\x65\xbc\x24\xbe\xb0\x50\xac\xe0\xef\x9a\x4f/
}
signature sid-ciac-sk6 {
ip-proto == tcp
event "CIAC-6 suckit backdoor"
payload /.*\xd2\x9b\xec\xe0\x8c\x09\x28\xcb\x05\x60\x1b\xc5\x59\x34\xab\xbd\x56\xd6\x78\xaa/
}
signature sid-ciac-sk7 {
ip-proto == tcp
event "CIAC-7 suckit backdoor"
payload /.*\xdd\xbd\x4c\x7b\x35\x9a\x89\x88\xf0\x0d\xa8\xf1\x44\x67\x7b\xcd\x18\xf0\xe6\x70/
}
signature sid-ciac-sk10 {
ip-proto == tcp
event "CIAC-10 suckit backdoor"
payload /.*\xe7\xa7\x74\xb8\xb9\xfe\x9a\x6e\x6c\xe1\xd5\xde\x5f\x5c\xd5\x9d\x49\x69\x9a\xba/
}
signature sid-ciac-sk11 {
ip-proto == tcp
event "CIAC-11 suckit backdoor"
payload /.*\x4b\x56\xde\x0c\x47\xbf\x12\x9f\xc7\x24\x40\x64\x5c\xfd\xa8\x2b\xaf\x3f\x09\xc7/
}
signature sid-ciac-sk12 {
ip-proto == tcp
event "CIAC-12 suckit backdoor"
payload /\xe1\xac\x20\x5a\xda\x5a\xf7\x0c\x17\x24\x8e\xc2\x0e\xa0\x0b\xee\x7a\x77\xe0\x64/
}
signature sid-ciac-sk13 {
ip-proto == tcp
event "CIAC-13 suckit backdoor"
payload /\xc9\xe9\x36\xa1\xce\xae\x10\x3c\x32\x81\xac\x9b\x01\x81\x5a\x68\x01\x91\x82\xa4/
}
signature sid-ciac-sk14 {
ip-proto == tcp
event "CIAC-14 suckit backdoor"
payload /\x45\x2e\xe5\x01\x80\xb0\x0a\xca\xdb\x16\xa1\x8f\xc6\xcd\x97\x60\x92\x44\x93\x16/
}
signature sid-ciac-7 {
ip-proto == tcp
event "HXDEF 1.0-0.84 backdoor"
payload /.*\x01\x9A\x8C\x66\xAF\xC0\x4A\x11\x9E\x3F\x40\x88\x12\x2C\x3A\x4A\x84\x65\x38\xB0\xB4\x08\x0B\xAF\xDB\xCE\x02\x94\x34\x5F\x22\x00*./
}
signature sid-ciac-8 {
ip-proto == tcp
event "HXDEF 0.73 backdoor"
payload /.*\x01\xFE\x3C\x6C\x6A\xFF\x99\xA8\x34\x83\x38\x24\xA1\xA4\xF2\x11\x5A\xD3\x18\x8D\xBC\xC4\x3E\x40\x07\xA4\x28\xD4\x18\x48\xFE\x00*./
}
signature sid-ciac-modrootme-1 {
ip-proto == tcp
dst-port == http_ports
tcp-state established
requires-signature ! http_error
http /GET root .*/
}
## end payload
## misc sigs ##
signature dest_microsoft_address {
dst-ip == 207.46.0.0/16
}
signature src_microsoft_address {
src-ip == 207.46.0.0/16
}
# experimental phatbot sig
signature phatbot_sig {
ip-proto == tcp
dst-port == http_ports
http /POST \0x20{1,10}\/ HTTP\/1\.0.*/
http /Content-Length: 204800.*/
tcp-state established
requires-signature ! http_error
event "phatbot sig"
}
signature thinstall_trojan {
ip-proto == tcp
dst-port == http_ports
http /[pP][oO][sS][tT]\x20{1,}\/bi\/servlet\/ThinstallPre/
tcp-state established,originator
event "ThinstallPre Adware Trojan, personal and machine data theft, successful"
# reference: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_REVOP.F&VSect=T
}
signature bagle-bc {
ip-proto == tcp
dst-port == http_ports
src-ip == local_nets
tcp-state established
http /[\/][gG]\.[jJ][pP][gG]/
event "bagle.bc g.jpg download attempt"
}
## end misc ##
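Review bot: http_iis5_server and http_iis6_server write the version digit as `\/\5\.0` and `\/\6\.0`; in the flex-style syntax the header comment says these patterns are translated to, a backslash before a digit is an escape rather than the literal digit, so these two signatures most likely never match and should read `payload /.*\x0aServer: Microsoft-IIS\/5\.0.*/` and `payload /.*\x0aServer: Microsoft-IIS\/6\.0.*/`, as http_iis4_server already does with a bare `4`. The same slip appears in phatbot_sig, where `\0x20{1,10}` should be `\x20{1,10}`. http_cool_dll's `/.*cool.dll*./` also looks unintended: the `*` binds only to the preceding `l` and the unescaped dots match any byte, so `/.*cool\.dll.*/` is probably what was meant.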


@ -0,0 +1,278 @@
# series of functions to be used by the signatures
#
# we see *allot* of odd patch related traffic to and from M$
const MS_ADDR_RANGE: set[subnet] &redef;
redef MS_ADDR_RANGE = { 207.46.0.0/16 };
# the following are all based on the existance of software.bro
# being loaded
@ifdef ( software_table )
function isApache(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Apache" !in softset )
return F;
return T;
}
function isApacheLt12(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Apache" !in softset )
return F;
local safe_version: software_version =
[$major = +1, $minor = +2, $minor2 = +0, $addl = ""];
if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
return F;
return T;
}
function isApacheLt1322(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Apache" !in softset )
return F;
local safe_version: software_version =
[$major = +1, $minor = +3, $minor2 = -22, $addl = ""];
if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
return F;
return T;
}
function isApacheLt1325(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Apache" !in softset )
return F;
local safe_version: software_version =
[$major = +1, $minor = +3, $minor2 = -25, $addl = ""];
if ( software_cmp_version(softset["Apache"]$version, safe_version) >= 0 )
return F;
return T;
}
function isNotApache(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Apache" !in softset )
return T;
return F;
}
function isIIS(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "IIS" !in softset )
return F;
return T;
}
function isNotIIS(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "IIS" !in softset )
return T;
return F;
}
function isMSIE(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "MSIE" !in softset )
return F;
return T;
}
function isNotMSIE(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "MSIE" !in softset )
return T;
return F;
}
function isMozilla(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Mozilla" !in softset )
return F;
return T;
}
function isNotMozilla(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Mozilla" !in softset )
return T;
return F;
}
function isRealMedia(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
if ( ip !in software_table )
return F;
local softset = software_table[ip];
if ( "Mozilla" !in softset )
return F;
return T;
}
@endif
# end of the software.bro related functions
function dataSizeG50(state: signature_state): bool
{
local size = state$payload_size;
if ( size < 50 )
return F;
return T;
}
function dataSizeG100(state: signature_state): bool
{
local size = state$payload_size;
if ( size < 100 )
return F;
return T;
}
function dataSizeG150(state: signature_state): bool
{
local size = state$payload_size;
if ( size < 150 )
return F;
return T;
}
function dataSizeG200(state: signature_state): bool
{
local size = state$payload_size;
if ( size < 200 )
return F;
return T;
}
function respInMsNet(state: signature_state): bool
{
local ip = state$conn$id$resp_h;
return ip in MS_ADDR_RANGE;
}
function origInMsNet(state: signature_state): bool
{
local ip = state$conn$id$orig_h;
return ip in MS_ADDR_RANGE;
}
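Review bot: isRealMedia tests `"Mozilla" !in softset`, which makes it behave exactly like isMozilla; it presumably should test whatever name software.bro records for RealMedia clients, e.g. `if ( "RealMedia" !in softset )` — verify the key against the entries software_table actually holds. It would also help to document that isNotApache, isNotIIS, isNotMSIE and isNotMozilla return F when the host has no software_table entry, so `isNot*` is not the negation of `is*` and a signature gated on them is silently suppressed for unknown hosts; a comment above the `@ifdef` block such as `# isNot* return F (not T) for hosts with no software entry: unknown is not treated as "not X"` would make that explicit.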


@ -0,0 +1,8 @@
## Process this file with automake to produce Makefile.in
# include in the dist for now
EXTRA_DIST = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg
# OR we can install them on a make install
#scriptsdir=$(prefix)/etc
#dist_scripts_SCRIPTS = s2b-augment.cfg s2b-ruleset-augment.cfg s2b-sigmap.cfg s2b.cfg



@ -0,0 +1,157 @@
<attack-responses.rules>
</attack-responses.rules>
<backdoor.rules>
</backdoor.rules>
<bad-traffic.rules>
</bad-traffic.rules>
<chat.rules>
</chat.rules>
<ddos.rules>
</ddos.rules>
<deleted.rules>
</deleted.rules>
<dns.rules>
</dns.rules>
<dos.rules>
</dos.rules>
<experimental.rules>
</experimental.rules>
<exploit.rules>
</exploit.rules>
<finger.rules>
</finger.rules>
<ftp.rules>
requires-reverse-signature ! ftp_server_error
</ftp.rules>
<icmp.rules>
</icmp.rules>
<imap.rules>
</imap.rules>
<info.rules>
</info.rules>
<local.rules>
</local.rules>
<misc.rules>
</misc.rules>
<multimedia.rules>
</multimedia.rules>
<mysql.rules>
</mysql.rules>
<netbios.notes>
</netbios.notes>
<netbios.rules>
</netbios.rules>
<nntp.rules>
</nntp.rules>
<oracle.rules>
</oracle.rules>
<other-ids.rules>
</other-ids.rules>
<p2p.rules>
</p2p.rules>
<policy.rules>
</policy.rules>
<pop2.rules>
requires-reverse-signature ! pop_return_error
</pop2.rules>
<pop3.rules>
requires-reverse-signature ! pop_return_error
</pop3.rules>
<porn.rules>
</porn.rules>
<rpc.rules>
</rpc.rules>
<rservices.rules>
</rservices.rules>
<scan.rules>
</scan.rules>
<shellcode.rules>
</shellcode.rules>
<smtp.rules>
requires-reverse-signature ! smtp_server_fail
</smtp.rules>
<snmp.rules>
</snmp.rules>
<sql.rules>
</sql.rules>
<telnet.rules>
</telnet.rules>
<tftp.rules>
</tftp.rules>
<virus.rules>
</virus.rules>
<web-attacks.rules>
requires-reverse-signature ! http_error
</web-attacks.rules>
<web-cgi.rules>
requires-reverse-signature ! http_error
</web-cgi.rules>
<web-client.rules>
</web-client.rules>
<web-coldfusion.rules>
requires-reverse-signature ! http_error
</web-coldfusion.rules>
<web-frontpage.rules>
requires-reverse-signature ! http_error
eval isIIS
</web-frontpage.rules>
<web-iis.rules>
requires-reverse-signature ! http_error
eval isIIS
</web-iis.rules>
<web-misc.rules>
requires-reverse-signature ! http_error
</web-misc.rules>
<web-php.rules>
requires-reverse-signature ! http_error
</web-php.rules>
<x11.rules>
</x11.rules>
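Review bot: `eval isIIS` on the web-frontpage.rules and web-iis.rules entries makes every signature in those rulesets depend on software_table already holding an entry for the responding host; if isIIS is built like the isMSIE/isMozilla helpers visible earlier on this page, it returns F for any server whose software has not yet been recorded, so those signatures stay silent against unprofiled servers instead of falling back to the plain content match. Those helpers also sit inside a conditional block closed by the `@endif` that follows them, so the `eval isIIS` reference is presumably unresolved when software.bro is not loaded; a header comment should state both conditions, e.g. `# eval isIIS needs software.bro loaded and only matches hosts already present in software_table`. The file otherwise carries no comment explaining its syntax; s2b.cfg refers readers to s2b-augment.cfg for that, and a one-line pointer here would save the lookup.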


@ -0,0 +1,38 @@
# this table is used to generate the automatic sid-to-sig action table that bro imports
# the fields here are used as a table translation between snort and bro
# currently there is no sound reason not to change any of this
# *do not* make any comment line the same as any snort alert type!!
attempted-admin SIG_LOG
attempted-user SIG_LOG
shellcode-detect SIG_FILE
successful-admin SIG_LOG
successful-user SIG_LOG
trojan-activity SIG_LOG
unsuccessful-user SIG_FILE
web-application-attack SIG_LOG
attempted-dos SIG_FILE
attempted-recon SIG_FILE
bad-unknown SIG_FILE
denial-of-service SIG_FILE
misc-attack SIG_LOG
non-standard-protocol SIG_FILE
rpc-portmap-decode SIG_FILE
successful-dos SIG_LOG
successful-recon-largescale SIG_LOG
successful-recon-limited SIG_LOG
suspicious-filename-detect SIG_LOG
suspicious-login SIG_LOG
system-call-detect SIG_LOG
unusual-client-port-connection SIG_LOG
web-application-activity SIG_LOG
icmp-event SIG_FILE
misc-activity SIG_LOG
network-scan SIG_FILE
not-suspicious SIG_QUIET
protocol-command-decode SIG_FILE
string-detect SIG_LOG
unknown SIG_FILE
policy-violation SIG_QUIET
kickass-porn SIG_QUIET
default-login-attempt SIG_LOG
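Review bot: The classtype list appears incomplete: Snort's stock classification.config (shipped by the snort-rules Makefile.am elsewhere in this commit) also defines `tcp-connection`, and there is no entry for it here, so whatever the converter does with an unmapped classtype — presumably the `defaultsigaction` from s2b.cfg — applies silently. A header comment stating that fallback, e.g. `# classtypes not listed here fall back to defaultsigaction in s2b.cfg`, would make any omission deliberate rather than accidental. The warning that no comment line may equal an alert classtype suggests the parser matches before stripping `#` comments; that is better fixed in the parser than documented as a constraint, but the parser is not in this section.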

113
scripts/s2b/etc/s2b.cfg Normal file

@ -0,0 +1,113 @@
# Snort2Bro
# Bro Signature ID prefix
# May only contain alphanumberic and dash characters
#
# sigprefix s2b-
##
# Configuration directory
#
# configdir /usr/local/etc/bro/s2b
##
#configdir /home/rwinslow/projects/s2b
configdir ./
# Augment Configuration filename
#
# augmentconfig s2b-augment.cfg
##
# Ruleset Augment Configuration filename
# This file contains Bro signature options and contexts which are included
# into rules based on the ruleset filenames from which they come. The syntax
# rules for this file are the same as s2b-augment.cfg
# This file is used during augment building only.
#
# rulesetaugmentconfig s2b-ruleset-augment.cfg
##
# User Augment Configuration filename
# This is the user level augment config file which should be the location in
# which behavior for individual signatures is controlled.
#
# useraugmentconfig s2b-user-augment.cfg
##
# Bro signature output filename
# This should probably be a full path name otherwise it will write
# to the present working directory
#
# brosignaturedest s2b.sig
##
# Bro sigaction output filename
# This should probably be a full path name otherwise it will write to the
# present working directory.
# This file contains mappings of signature id to SigActions which
# will be included into a running Bro instance. These mappings are created
# for any Bro signature which uses anything but the default SigAction.
#
# sigactiondest s2b-sigaction.bro
##
# Debug level
#
# debug 0
##
# sid prefix
#
# sigprefix s2b-
##
# Mappings for Snort alert classtype to Bro SigAction.
#
# sigmapconfig s2b-sigmap.cfg
##
# Snort ruleset directory
# All files ending in .rules are considered during parsing by default
#
# snortrulesetdir './'
##
# Snort rule sets to exclude from conversion
# Any filename specified here will not even be read by the program
# There are two different ways to specify the list. Both are listed but only
# one style may be used.
#
#<ignoresnortrulesets>
# porn.rules
# icmp.rules
# experimental.rules
# deleted.rules
# policy.rules
# bad-traffic.rules
# info.rules
#</ignoresnortrulesets>
##
ignoresnortruleset porn.rules
#ignoresnortruleset icmp.rules
ignoresnortruleset experimental.rules
ignoresnortruleset deleted.rules
ignoresnortruleset policy.rules
ignoresnortruleset bad-traffic.rules
#ignoresnortruleset info.rules
# Default Bro SigAction that will be used for creating the Bro signature
# s2b.sig and the Bro SigAction file s2b-sigaction.bro
#
# defaultsigaction SIG_LOG
##
# This option will apply a signature to traffic flowing in either direction.
# Snort defines two networks, $HOME_NET and $EXTERNAL_NET, for a source
# and destination pairing. These two variables will be ignored and not
# converted if this option is set to true. The default is set to true.
# There is one exception. If the destination or source is a subnet or ip
# address then it will remain intact.
#
# ignorehostdirection true
##
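Review bot: `configdir ./` is the only active setting in this file, and together with the commented-out `#configdir /home/rwinslow/projects/s2b` just above it the file reads like a developer's working copy rather than the shipped default: with a relative configdir the augment, sigmap and ruleset files are resolved against whatever directory s2b.pl happens to be run from, while the documented install location is /usr/local/etc/bro/s2b. Either ship the absolute path or add a comment saying the relative path is intentional for in-tree use, and drop the personal home-directory line. The `sigprefix` option is also documented twice (once near the top, once after `debug`); one copy should go.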


@ -0,0 +1,4 @@
## Process this file with automake to produce Makefile.in
EXTRA_DIST = sig-action.bro signatures.sig


@ -0,0 +1,626 @@
# This file was created by s2b.pl on Wed Sep 15 18:34:41 2004.
# This file is dynamically generated each time s2b.pl is run and therefore any
# changes done manually will be overwritten.
# $Id: sig-action.bro 840 2004-11-30 22:33:48Z jason $
redef signature_actions += {
["s2b-1186-6"] = SIG_FILE,
["s2b-1790-4"] = SIG_FILE,
["s2b-2000-1"] = SIG_FILE,
["s2b-2005-10"] = SIG_FILE,
["s2b-253-4"] = SIG_FILE,
["s2b-2016-6"] = SIG_FILE,
["s2b-581-9"] = SIG_FILE,
["s2b-650-8"] = SIG_FILE,
["s2b-498-6"] = SIG_FILE,
["s2b-333-8"] = SIG_FILE,
["s2b-1143-5"] = SIG_FILE,
["s2b-2314-1"] = SIG_FILE,
["s2b-1126-6"] = SIG_FILE,
["s2b-907-5"] = SIG_FILE,
["s2b-223-3"] = SIG_FILE,
["s2b-818-10"] = SIG_FILE,
["s2b-2177-4"] = SIG_FILE,
["s2b-1482-4"] = SIG_FILE,
["s2b-616-4"] = SIG_FILE,
["s2b-2383-9"] = SIG_FILE,
["s2b-2104-3"] = SIG_FILE,
["s2b-1697-3"] = SIG_FILE,
["s2b-2533-5"] = SIG_FILE,
["s2b-243-2"] = SIG_FILE,
["s2b-1309-9"] = SIG_FILE,
["s2b-472-4"] = SIG_FILE,
["s2b-879-7"] = SIG_FILE,
["s2b-1733-9"] = SIG_FILE,
["s2b-2470-3"] = SIG_FILE,
["s2b-321-5"] = SIG_FILE,
["s2b-1113-5"] = SIG_FILE,
["s2b-893-7"] = SIG_FILE,
["s2b-2050-5"] = SIG_FILE,
["s2b-1776-2"] = SIG_FILE,
["s2b-1868-5"] = SIG_FILE,
["s2b-693-5"] = SIG_FILE,
["s2b-603-5"] = SIG_FILE,
["s2b-2084-8"] = SIG_FILE,
["s2b-1729-5"] = SIG_ALARM,
["s2b-1145-7"] = SIG_FILE,
["s2b-1280-9"] = SIG_FILE,
["s2b-2385-9"] = SIG_FILE,
["s2b-1448-10"] = SIG_FILE,
["s2b-1181-8"] = SIG_FILE,
["s2b-1481-4"] = SIG_FILE,
["s2b-870-5"] = SIG_FILE,
["s2b-1960-7"] = SIG_FILE,
["s2b-2125-8"] = SIG_FILE,
["s2b-843-7"] = SIG_FILE,
["s2b-1922-6"] = SIG_FILE,
["s2b-516-3"] = SIG_FILE,
["s2b-1191-6"] = SIG_FILE,
["s2b-1413-10"] = SIG_FILE,
["s2b-582-8"] = SIG_FILE,
["s2b-331-10"] = SIG_FILE,
["s2b-2081-9"] = SIG_FILE,
["s2b-911-7"] = SIG_FILE,
["s2b-1231-8"] = SIG_FILE,
["s2b-1577-4"] = SIG_FILE,
["s2b-1454-6"] = SIG_FILE,
["s2b-471-3"] = SIG_FILE,
["s2b-1216-5"] = SIG_FILE,
["s2b-595-16"] = SIG_FILE,
["s2b-1473-5"] = SIG_FILE,
["s2b-2026-9"] = SIG_FILE,
["s2b-534-6"] = SIG_FILE,
["s2b-1392-10"] = SIG_FILE,
["s2b-491-8"] = SIG_FILE,
["s2b-1453-5"] = SIG_FILE,
["s2b-324-5"] = SIG_FILE,
["s2b-246-2"] = SIG_FILE,
["s2b-1197-6"] = SIG_FILE,
["s2b-881-5"] = SIG_FILE,
["s2b-589-8"] = SIG_FILE,
["s2b-533-8"] = SIG_FILE,
["s2b-2530-3"] = SIG_FILE,
["s2b-829-9"] = SIG_FILE,
["s2b-1108-10"] = SIG_FILE,
["s2b-1461-5"] = SIG_FILE,
["s2b-867-9"] = SIG_FILE,
["s2b-330-9"] = SIG_FILE,
["s2b-1175-10"] = SIG_FILE,
["s2b-847-7"] = SIG_FILE,
["s2b-1132-6"] = SIG_FILE,
["s2b-1268-12"] = SIG_FILE,
["s2b-2534-3"] = SIG_FILE,
["s2b-2504-6"] = SIG_FILE,
["s2b-227-6"] = SIG_FILE,
["s2b-1648-7"] = SIG_FILE,
["s2b-1447-11"] = SIG_FILE,
["s2b-236-6"] = SIG_FILE,
["s2b-1629-6"] = SIG_FILE,
["s2b-1497-6"] = SIG_FILE,
["s2b-1147-7"] = SIG_FILE,
["s2b-2019-4"] = SIG_FILE,
["s2b-1778-4"] = SIG_FILE,
["s2b-1293-10"] = SIG_FILE,
["s2b-1179-7"] = SIG_FILE,
["s2b-1190-6"] = SIG_FILE,
["s2b-1446-6"] = SIG_FILE,
["s2b-1459-5"] = SIG_FILE,
["s2b-2014-5"] = SIG_FILE,
["s2b-1119-7"] = SIG_FILE,
["s2b-2384-8"] = SIG_FILE,
["s2b-2032-5"] = SIG_FILE,
["s2b-2475-3"] = SIG_FILE,
["s2b-361-12"] = SIG_FILE,
["s2b-1267-11"] = SIG_FILE,
["s2b-586-8"] = SIG_FILE,
["s2b-2520-5"] = SIG_FILE,
["s2b-520-5"] = SIG_FILE,
["s2b-878-6"] = SIG_FILE,
["s2b-268-4"] = SIG_FILE,
["s2b-854-7"] = SIG_FILE,
["s2b-1864-7"] = SIG_FILE,
["s2b-1452-5"] = SIG_FILE,
["s2b-931-6"] = SIG_FILE,
["s2b-251-3"] = SIG_FILE,
["s2b-840-7"] = SIG_FILE,
["s2b-1264-13"] = SIG_FILE,
["s2b-933-7"] = SIG_FILE,
["s2b-512-4"] = SIG_FILE,
["s2b-1348-5"] = SIG_QUIET,
["s2b-1688-3"] = SIG_FILE,
["s2b-902-7"] = SIG_FILE,
["s2b-1134-7"] = SIG_FILE,
["s2b-889-7"] = SIG_FILE,
["s2b-234-2"] = SIG_FILE,
["s2b-915-5"] = SIG_FILE,
["s2b-637-3"] = SIG_FILE,
["s2b-836-7"] = SIG_FILE,
["s2b-2473-3"] = SIG_FILE,
["s2b-2033-8"] = SIG_FILE,
["s2b-1151-5"] = SIG_FILE,
["s2b-835-9"] = SIG_FILE,
["s2b-1955-6"] = SIG_FILE,
["s2b-660-7"] = SIG_FILE,
["s2b-904-7"] = SIG_FILE,
["s2b-826-7"] = SIG_FILE,
["s2b-833-8"] = SIG_FILE,
["s2b-883-5"] = SIG_FILE,
["s2b-1930-3"] = SIG_FILE,
["s2b-887-6"] = SIG_FILE,
["s2b-859-7"] = SIG_FILE,
["s2b-588-17"] = SIG_FILE,
["s2b-1682-3"] = SIG_FILE,
["s2b-230-5"] = SIG_FILE,
["s2b-1952-5"] = SIG_FILE,
["s2b-1173-5"] = SIG_FILE,
["s2b-583-9"] = SIG_FILE,
["s2b-880-8"] = SIG_FILE,
["s2b-1104-9"] = SIG_FILE,
["s2b-1146-5"] = SIG_FILE,
["s2b-837-8"] = SIG_FILE,
["s2b-1694-3"] = SIG_FILE,
["s2b-362-12"] = SIG_FILE,
["s2b-536-7"] = SIG_FILE,
["s2b-1161-9"] = SIG_FILE,
["s2b-648-7"] = SIG_FILE,
["s2b-2468-3"] = SIG_FILE,
["s2b-1301-11"] = SIG_FILE,
["s2b-2348-6"] = SIG_FILE,
["s2b-1259-5"] = SIG_FILE,
["s2b-2370-2"] = SIG_QUIET,
["s2b-1464-3"] = SIG_FILE,
["s2b-1721-4"] = SIG_FILE,
["s2b-1696-3"] = SIG_FILE,
["s2b-2477-3"] = SIG_FILE,
["s2b-1168-5"] = SIG_FILE,
["s2b-1680-3"] = SIG_FILE,
["s2b-848-9"] = SIG_FILE,
["s2b-1366-5"] = SIG_FILE,
["s2b-1167-7"] = SIG_FILE,
["s2b-1202-5"] = SIG_FILE,
["s2b-530-10"] = SIG_FILE,
["s2b-2466-3"] = SIG_FILE,
["s2b-1410-9"] = SIG_FILE,
["s2b-1579-4"] = SIG_FILE,
["s2b-2018-4"] = SIG_FILE,
["s2b-1691-3"] = SIG_FILE,
["s2b-718-7"] = SIG_FILE,
["s2b-2034-7"] = SIG_FILE,
["s2b-538-10"] = SIG_FILE,
["s2b-1189-6"] = SIG_FILE,
["s2b-1308-5"] = SIG_FILE,
["s2b-2029-5"] = SIG_FILE,
["s2b-865-8"] = SIG_FILE,
["s2b-2022-4"] = SIG_FILE,
["s2b-841-7"] = SIG_FILE,
["s2b-2021-4"] = SIG_FILE,
["s2b-1164-10"] = SIG_FILE,
["s2b-1275-10"] = SIG_FILE,
["s2b-1954-5"] = SIG_FILE,
["s2b-323-5"] = SIG_FILE,
["s2b-903-7"] = SIG_FILE,
["s2b-638-5"] = SIG_FILE,
["s2b-274-5"] = SIG_FILE,
["s2b-1156-6"] = SIG_FILE,
["s2b-823-6"] = SIG_FILE,
["s2b-1217-7"] = SIG_FILE,
["s2b-2176-4"] = SIG_FILE,
["s2b-1586-4"] = SIG_FILE,
["s2b-640-6"] = SIG_FILE,
["s2b-1411-10"] = SIG_FILE,
["s2b-275-10"] = SIG_FILE,
["s2b-1239-5"] = SIG_FILE,
["s2b-852-8"] = SIG_FILE,
["s2b-1950-5"] = SIG_FILE,
["s2b-1130-5"] = SIG_FILE,
["s2b-864-7"] = SIG_FILE,
["s2b-2386-6"] = SIG_FILE,
["s2b-1118-5"] = SIG_FILE,
["s2b-891-5"] = SIG_FILE,
["s2b-2570-6"] = SIG_FILE,
["s2b-691-5"] = SIG_FILE,
["s2b-272-7"] = SIG_FILE,
["s2b-910-5"] = SIG_FILE,
["s2b-1414-11"] = SIG_FILE,
["s2b-1867-1"] = SIG_FILE,
["s2b-1962-7"] = SIG_FILE,
["s2b-2025-9"] = SIG_FILE,
["s2b-532-8"] = SIG_FILE,
["s2b-1199-11"] = SIG_FILE,
["s2b-2536-3"] = SIG_FILE,
["s2b-1693-4"] = SIG_FILE,
["s2b-1365-5"] = SIG_FILE,
["s2b-1576-4"] = SIG_FILE,
["s2b-1541-4"] = SIG_FILE,
["s2b-1666-5"] = SIG_FILE,
["s2b-832-11"] = SIG_FILE,
["s2b-2502-7"] = SIG_FILE,
["s2b-646-5"] = SIG_FILE,
["s2b-1575-4"] = SIG_FILE,
["s2b-1142-5"] = SIG_FILE,
["s2b-222-2"] = SIG_FILE,
["s2b-1435-6"] = SIG_FILE,
["s2b-535-6"] = SIG_FILE,
["s2b-1451-6"] = SIG_FILE,
["s2b-1273-10"] = SIG_FILE,
["s2b-2565-1"] = SIG_FILE,
["s2b-858-7"] = SIG_FILE,
["s2b-626-7"] = SIG_FILE,
["s2b-1232-8"] = SIG_FILE,
["s2b-593-18"] = SIG_FILE,
["s2b-672-6"] = SIG_FILE,
["s2b-1624-5"] = SIG_FILE,
["s2b-2480-3"] = SIG_FILE,
["s2b-897-10"] = SIG_FILE,
["s2b-1158-10"] = SIG_FILE,
["s2b-877-8"] = SIG_FILE,
["s2b-585-7"] = SIG_FILE,
["s2b-1271-14"] = SIG_FILE,
["s2b-1115-7"] = SIG_FILE,
["s2b-630-5"] = SIG_FILE,
["s2b-2505-7"] = SIG_FILE,
["s2b-1684-3"] = SIG_FILE,
["s2b-1470-5"] = SIG_FILE,
["s2b-1924-6"] = SIG_FILE,
["s2b-1641-5"] = SIG_FILE,
["s2b-2500-4"] = SIG_FILE,
["s2b-245-3"] = SIG_FILE,
["s2b-2080-6"] = SIG_FILE,
["s2b-233-3"] = SIG_FILE,
["s2b-478-3"] = SIG_FILE,
["s2b-651-8"] = SIG_FILE,
["s2b-2486-5"] = SIG_FILE,
["s2b-861-12"] = SIG_FILE,
["s2b-1476-5"] = SIG_FILE,
["s2b-1614-8"] = SIG_FILE,
["s2b-1898-8"] = SIG_FILE,
["s2b-1165-9"] = SIG_FILE,
["s2b-1869-5"] = SIG_FILE,
["s2b-1480-9"] = SIG_FILE,
["s2b-2193-9"] = SIG_FILE,
["s2b-1162-7"] = SIG_FILE,
["s2b-576-8"] = SIG_FILE,
["s2b-254-4"] = SIG_FILE,
["s2b-611-7"] = SIG_FILE,
["s2b-241-7"] = SIG_FILE,
["s2b-928-5"] = SIG_FILE,
["s2b-2313-2"] = SIG_FILE,
["s2b-2465-3"] = SIG_FILE,
["s2b-1160-11"] = SIG_FILE,
["s2b-1129-5"] = SIG_FILE,
["s2b-1155-5"] = SIG_FILE,
["s2b-1228-6"] = SIG_FILE,
["s2b-489-7"] = SIG_FILE,
["s2b-1460-5"] = SIG_FILE,
["s2b-1896-8"] = SIG_FILE,
["s2b-932-7"] = SIG_FILE,
["s2b-838-9"] = SIG_FILE,
["s2b-500-4"] = SIG_FILE,
["s2b-2478-3"] = SIG_FILE,
["s2b-1971-4"] = SIG_FILE,
["s2b-465-3"] = SIG_FILE,
["s2b-276-5"] = SIG_FILE,
["s2b-1599-7"] = SIG_FILE,
["s2b-1105-5"] = SIG_FILE,
["s2b-2192-8"] = SIG_FILE,
["s2b-590-12"] = SIG_FILE,
["s2b-1926-6"] = SIG_FILE,
["s2b-834-7"] = SIG_FILE,
["s2b-1662-5"] = SIG_FILE,
["s2b-1356-5"] = SIG_FILE,
["s2b-598-12"] = SIG_FILE,
["s2b-1144-5"] = SIG_FILE,
["s2b-1689-3"] = SIG_FILE,
["s2b-846-8"] = SIG_FILE,
["s2b-1110-7"] = SIG_FILE,
["s2b-2476-3"] = SIG_FILE,
["s2b-1813-5"] = SIG_FILE,
["s2b-2339-2"] = SIG_FILE,
["s2b-503-6"] = SIG_FILE,
["s2b-2471-3"] = SIG_FILE,
["s2b-1159-10"] = SIG_FILE,
["s2b-868-9"] = SIG_FILE,
["s2b-619-5"] = SIG_FILE,
["s2b-529-7"] = SIG_FILE,
["s2b-1732-9"] = SIG_FILE,
["s2b-1176-5"] = SIG_FILE,
["s2b-1117-6"] = SIG_FILE,
["s2b-659-6"] = SIG_FILE,
["s2b-2027-5"] = SIG_FILE,
["s2b-850-5"] = SIG_FILE,
["s2b-866-8"] = SIG_FILE,
["s2b-871-7"] = SIG_FILE,
["s2b-1408-8"] = SIG_FILE,
["s2b-1638-5"] = SIG_FILE,
["s2b-1133-11"] = SIG_FILE,
["s2b-2038-5"] = SIG_FILE,
["s2b-1136-5"] = SIG_FILE,
["s2b-1125-8"] = SIG_FILE,
["s2b-612-6"] = SIG_FILE,
["s2b-1131-5"] = SIG_FILE,
["s2b-228-3"] = SIG_FILE,
["s2b-1469-5"] = SIG_FILE,
["s2b-1177-6"] = SIG_FILE,
["s2b-869-8"] = SIG_FILE,
["s2b-1251-6"] = SIG_FILE,
["s2b-1137-9"] = SIG_FILE,
["s2b-239-2"] = SIG_FILE,
["s2b-1953-5"] = SIG_FILE,
["s2b-1188-6"] = SIG_FILE,
["s2b-1895-8"] = SIG_FILE,
["s2b-250-4"] = SIG_FILE,
["s2b-2079-6"] = SIG_FILE,
["s2b-1218-5"] = SIG_FILE,
["s2b-652-9"] = SIG_FILE,
["s2b-1458-6"] = SIG_FILE,
["s2b-892-8"] = SIG_FILE,
["s2b-627-7"] = SIG_FILE,
["s2b-1277-9"] = SIG_FILE,
["s2b-1235-8"] = SIG_FILE,
["s2b-2023-4"] = SIG_FILE,
["s2b-1580-4"] = SIG_FILE,
["s2b-2493-5"] = SIG_FILE,
["s2b-1572-7"] = SIG_FILE,
["s2b-1326-6"] = SIG_FILE,
["s2b-328-8"] = SIG_FILE,
["s2b-2537-3"] = SIG_FILE,
["s2b-1777-4"] = SIG_FILE,
["s2b-862-9"] = SIG_FILE,
["s2b-580-9"] = SIG_FILE,
["s2b-1948-4"] = SIG_FILE,
["s2b-537-11"] = SIG_FILE,
["s2b-1746-11"] = SIG_FILE,
["s2b-601-6"] = SIG_FILE,
["s2b-2418-3"] = SIG_FILE,
["s2b-653-8"] = SIG_FILE,
["s2b-658-5"] = SIG_FILE,
["s2b-221-3"] = SIG_FILE,
["s2b-1959-7"] = SIG_FILE,
["s2b-1674-5"] = SIG_FILE,
["s2b-914-5"] = SIG_FILE,
["s2b-322-10"] = SIG_FILE,
["s2b-1140-11"] = SIG_FILE,
["s2b-146-5"] = SIG_FILE,
["s2b-2191-3"] = SIG_FILE,
["s2b-1692-3"] = SIG_FILE,
["s2b-2566-1"] = SIG_FILE,
["s2b-2037-5"] = SIG_FILE,
["s2b-634-2"] = SIG_FILE,
["s2b-1882-10"] = SIG_FILE,
["s2b-901-10"] = SIG_FILE,
["s2b-279-3"] = SIG_FILE,
["s2b-1412-13"] = SIG_FILE,
["s2b-579-8"] = SIG_FILE,
["s2b-2190-3"] = SIG_FILE,
["s2b-1992-5"] = SIG_FILE,
["s2b-513-10"] = SIG_FILE,
["s2b-578-8"] = SIG_FILE,
["s2b-2524-7"] = SIG_FILE,
["s2b-332-8"] = SIG_FILE,
["s2b-575-8"] = SIG_FILE,
["s2b-502-2"] = SIG_FILE,
["s2b-692-6"] = SIG_FILE,
["s2b-851-7"] = SIG_FILE,
["s2b-599-11"] = SIG_FILE,
["s2b-2174-4"] = SIG_FILE,
["s2b-635-3"] = SIG_FILE,
["s2b-475-3"] = SIG_FILE,
["s2b-1265-9"] = SIG_FILE,
["s2b-235-2"] = SIG_FILE,
["s2b-270-6"] = SIG_FILE,
["s2b-1659-3"] = SIG_FILE,
["s2b-1695-3"] = SIG_FILE,
["s2b-1681-3"] = SIG_FILE,
["s2b-1949-5"] = SIG_FILE,
["s2b-1184-6"] = SIG_FILE,
["s2b-1581-4"] = SIG_FILE,
["s2b-1150-6"] = SIG_FILE,
["s2b-1123-9"] = SIG_FILE,
["s2b-1292-8"] = SIG_FILE,
["s2b-584-11"] = SIG_FILE,
["s2b-591-10"] = SIG_FILE,
["s2b-1360-5"] = SIG_FILE,
["s2b-622-6"] = SIG_FILE,
["s2b-518-6"] = SIG_FILE,
["s2b-860-8"] = SIG_FILE,
["s2b-908-8"] = SIG_FILE,
["s2b-249-7"] = SIG_FILE,
["s2b-1180-12"] = SIG_FILE,
["s2b-2472-3"] = SIG_FILE,
["s2b-1154-5"] = SIG_FILE,
["s2b-1070-7"] = SIG_FILE,
["s2b-574-8"] = SIG_FILE,
["s2b-1478-3"] = SIG_FILE,
["s2b-514-5"] = SIG_FILE,
["s2b-2006-10"] = SIG_FILE,
["s2b-2159-8"] = SIG_FILE,
["s2b-224-3"] = SIG_FILE,
["s2b-1961-7"] = SIG_FILE,
["s2b-247-4"] = SIG_FILE,
["s2b-2335-2"] = SIG_FILE,
["s2b-495-7"] = SIG_FILE,
["s2b-552-7"] = SIG_QUIET,
["s2b-636-1"] = SIG_FILE,
["s2b-863-7"] = SIG_FILE,
["s2b-1685-4"] = SIG_FILE,
["s2b-1367-5"] = SIG_FILE,
["s2b-806-11"] = SIG_FILE,
["s2b-1120-8"] = SIG_FILE,
["s2b-2450-3"] = SIG_FILE,
["s2b-1302-7"] = SIG_FILE,
["s2b-1421-11"] = SIG_FILE,
["s2b-875-9"] = SIG_FILE,
["s2b-913-5"] = SIG_FILE,
["s2b-2020-4"] = SIG_FILE,
["s2b-1418-11"] = SIG_FILE,
["s2b-2230-5"] = SIG_FILE,
["s2b-1183-8"] = SIG_FILE,
["s2b-1672-10"] = SIG_FILE,
["s2b-717-6"] = SIG_FILE,
["s2b-856-5"] = SIG_FILE,
["s2b-1324-6"] = SIG_FILE,
["s2b-1270-11"] = SIG_FILE,
["s2b-632-5"] = SIG_FILE,
["s2b-1444-3"] = SIG_FILE,
["s2b-1582-4"] = SIG_FILE,
["s2b-1127-7"] = SIG_FILE,
["s2b-1100-7"] = SIG_QUIET,
["s2b-614-7"] = SIG_FILE,
["s2b-898-9"] = SIG_FILE,
["s2b-1229-7"] = SIG_FILE,
["s2b-2030-6"] = SIG_FILE,
["s2b-2382-8"] = SIG_FILE,
["s2b-256-5"] = SIG_FILE,
["s2b-1855-7"] = SIG_FILE,
["s2b-894-8"] = SIG_FILE,
["s2b-1209-5"] = SIG_FILE,
["s2b-1148-5"] = SIG_FILE,
["s2b-1230-8"] = SIG_FILE,
["s2b-1212-5"] = SIG_FILE,
["s2b-905-7"] = SIG_FILE,
["s2b-2474-3"] = SIG_FILE,
["s2b-642-6"] = SIG_FILE,
["s2b-1585-4"] = SIG_FILE,
["s2b-872-9"] = SIG_FILE,
["s2b-1894-8"] = SIG_FILE,
["s2b-1294-10"] = SIG_FILE,
["s2b-2028-5"] = SIG_FILE,
["s2b-255-11"] = SIG_FILE,
["s2b-1274-17"] = SIG_FILE,
["s2b-925-5"] = SIG_FILE,
["s2b-237-2"] = SIG_FILE,
["s2b-845-7"] = SIG_FILE,
["s2b-1899-8"] = SIG_FILE,
["s2b-906-7"] = SIG_FILE,
["s2b-1683-3"] = SIG_FILE,
["s2b-1686-3"] = SIG_FILE,
["s2b-311-11"] = SIG_FILE,
["s2b-1951-5"] = SIG_FILE,
["s2b-1226-4"] = SIG_FILE,
["s2b-605-6"] = SIG_FILE,
["s2b-1649-7"] = SIG_FILE,
["s2b-2497-6"] = SIG_FILE,
["s2b-240-2"] = SIG_FILE,
["s2b-278-5"] = SIG_FILE,
["s2b-888-5"] = SIG_FILE,
["s2b-1213-5"] = SIG_FILE,
["s2b-1276-14"] = SIG_FILE,
["s2b-1475-4"] = SIG_FILE,
["s2b-2151-4"] = SIG_QUIET,
["s2b-1676-3"] = SIG_FILE,
["s2b-1415-9"] = SIG_FILE,
["s2b-1272-10"] = SIG_FILE,
["s2b-1153-5"] = SIG_FILE,
["s2b-1152-5"] = SIG_FILE,
["s2b-1640-6"] = SIG_ALARM,
["s2b-1687-3"] = SIG_FILE,
["s2b-1623-6"] = SIG_FILE,
["s2b-2083-8"] = SIG_FILE,
["s2b-1430-7"] = SIG_FILE,
["s2b-1263-11"] = SIG_FILE,
["s2b-2017-12"] = SIG_FILE,
["s2b-1462-5"] = SIG_FILE,
["s2b-1257-8"] = SIG_FILE,
["s2b-497-8"] = SIG_FILE,
["s2b-936-5"] = SIG_FILE,
["s2b-505-5"] = SIG_FILE,
["s2b-1111-5"] = SIG_FILE,
["s2b-1923-6"] = SIG_FILE,
["s2b-1390-5"] = SIG_FILE,
["s2b-467-3"] = SIG_FILE,
["s2b-1266-10"] = SIG_FILE,
["s2b-2469-3"] = SIG_FILE,
["s2b-827-7"] = SIG_FILE,
["s2b-226-6"] = SIG_FILE,
["s2b-1192-6"] = SIG_FILE,
["s2b-688-6"] = SIG_FILE,
["s2b-890-10"] = SIG_FILE,
["s2b-1109-8"] = SIG_FILE,
["s2b-501-4"] = SIG_FILE,
["s2b-231-3"] = SIG_FILE,
["s2b-1584-4"] = SIG_FILE,
["s2b-587-8"] = SIG_FILE,
["s2b-476-4"] = SIG_FILE,
["s2b-1897-8"] = SIG_FILE,
["s2b-336-10"] = SIG_FILE,
["s2b-830-7"] = SIG_FILE,
["s2b-2101-9"] = SIG_FILE,
["s2b-232-5"] = SIG_FILE,
["s2b-828-5"] = SIG_FILE,
["s2b-2031-5"] = SIG_FILE,
["s2b-1471-5"] = SIG_FILE,
["s2b-2036-6"] = SIG_FILE,
["s2b-1856-7"] = SIG_FILE,
["s2b-810-11"] = SIG_FILE,
["s2b-1224-10"] = SIG_FILE,
["s2b-853-9"] = SIG_FILE,
["s2b-257-8"] = SIG_FILE,
["s2b-1269-10"] = SIG_FILE,
["s2b-2312-2"] = SIG_FILE,
["s2b-1166-8"] = SIG_FILE,
["s2b-641-6"] = SIG_FILE,
["s2b-1394-5"] = SIG_FILE,
["s2b-1583-4"] = SIG_FILE,
["s2b-2082-9"] = SIG_FILE,
["s2b-1775-2"] = SIG_FILE,
["s2b-1279-14"] = SIG_FILE,
["s2b-1416-9"] = SIG_FILE,
["s2b-273-7"] = SIG_FILE,
["s2b-1747-11"] = SIG_FILE,
["s2b-644-5"] = SIG_FILE,
["s2b-930-5"] = SIG_FILE,
["s2b-1375-6"] = SIG_FILE,
["s2b-1690-3"] = SIG_FILE,
["s2b-1424-6"] = SIG_FILE,
["s2b-1420-11"] = SIG_FILE,
["s2b-1260-10"] = SIG_FILE,
["s2b-508-7"] = SIG_FILE,
["s2b-282-7"] = SIG_QUIET,
["s2b-2015-5"] = SIG_FILE,
["s2b-1891-8"] = SIG_FILE,
["s2b-360-7"] = SIG_FILE,
["s2b-519-6"] = SIG_FILE,
["s2b-504-6"] = SIG_FILE,
["s2b-1344-5"] = SIG_FILE,
["s2b-1178-6"] = SIG_FILE,
["s2b-1220-5"] = SIG_FILE,
["s2b-1792-8"] = SIG_FILE,
["s2b-1419-9"] = SIG_FILE,
["s2b-1854-7"] = SIG_FILE,
["s2b-2481-3"] = SIG_FILE,
["s2b-2467-3"] = SIG_FILE,
["s2b-1001-7"] = SIG_FILE,
["s2b-1116-6"] = SIG_FILE,
["s2b-271-4"] = SIG_FILE,
["s2b-281-5"] = SIG_FILE,
["s2b-2035-6"] = SIG_FILE,
["s2b-1281-7"] = SIG_FILE,
["s2b-1234-8"] = SIG_FILE,
["s2b-1381-5"] = SIG_FILE,
["s2b-1860-4"] = SIG_FILE,
["s2b-522-2"] = SIG_FILE,
["s2b-912-5"] = SIG_FILE,
["s2b-1128-5"] = SIG_FILE,
["s2b-1677-3"] = SIG_FILE,
["s2b-639-5"] = SIG_FILE,
["s2b-1303-7"] = SIG_FILE,
["s2b-1457-6"] = SIG_FILE,
["s2b-1122-5"] = SIG_FILE,
["s2b-1678-5"] = SIG_FILE,
["s2b-1139-7"] = SIG_FILE,
["s2b-645-5"] = SIG_FILE,
["s2b-631-6"] = SIG_FILE,
["s2b-2257-5"] = SIG_FILE,
["s2b-244-3"] = SIG_FILE,
["s2b-1295-9"] = SIG_FILE,
["s2b-225-6"] = SIG_FILE,
["s2b-1327-7"] = SIG_FILE,
["s2b-844-7"] = SIG_FILE,
["s2b-229-5"] = SIG_FILE,
["s2b-2093-5"] = SIG_FILE,
["s2b-1087-8"] = SIG_FILE,
["s2b-517-1"] = SIG_FILE,
["s2b-1252-13"] = SIG_FILE,
["s2b-842-7"] = SIG_FILE,
["s2b-2175-5"] = SIG_FILE,
};




@ -0,0 +1,4 @@
## Process this file with automake to produce Makefile.in
# include in the dist
EXTRA_DIST = Config-General-2.26.tar.gz
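Review bot: Config-General-2.26.tar.gz is a vendored CPAN tarball with nothing in the tree recording where it came from or what its expected checksum is, so a later build cannot tell a refreshed upstream archive from a tampered one. A comment next to the EXTRA_DIST line naming the upstream source and the archive's digest would supply that provenance, e.g. `# Config::General 2.26 from CPAN; sha256: <DIGEST-PLACEHOLDER>`.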


@ -0,0 +1,15 @@
## Process this file with automake to produce Makefile.in
# include in the dist
EXTRA_DIST = attack-responses.rules backdoor.rules bad-traffic.rules \
cgi-bin.list chat.rules classification.config ddos.rules deleted.rules \
dns.rules dos.rules experimental.rules exploit.rules finger.rules \
ftp.rules gen-msg.map generators icmp-info.rules icmp.rules imap.rules \
info.rules local.rules misc.rules multimedia.rules mysql.rules \
netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules
policy.rules pop2.rules pop3.rules porn.rules reference.config rpc.rules \
rservices.rules scan.rules shellcode.rules sid sid-msg.map smtp.rules \
snmp.rules snort.conf sql.rules telnet.rules tftp.rules threshold.conf \
unicode.map virus.rules web-attacks.rules web-cgi.rules web-client.rules \
web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules \
web-php.rules x11.rules
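Review bot: The `netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules` line is missing the trailing backslash that every other continuation line in the EXTRA_DIST assignment carries, so the assignment ends there and the next line beginning with `policy.rules` is left standing on its own; automake is likely to reject it or, at best, silently drop policy.rules through x11.rules from the distribution. The fix is `netbios.rules nntp.rules oracle.rules other-ids.rules p2p.rules \`. The rendering may have dropped blank lines from this section, but the missing backslash is visible regardless.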


@ -0,0 +1,29 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: attack-responses.rules 91 2004-07-15 08:13:57Z rwinslow $
# ----------------
# ATTACK RESPONSES
# ----------------
# These signatures are those when they happen, its usually because a machine
# has been compromised. These should not false that often and almost always
# mean a compromise.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command completed"; flow:from_server,established; content:"Command completed"; nocase; classtype:bad-unknown; sid:494; rev:7;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES command error"; flow:from_server,established; content:"Bad command or filename"; nocase; classtype:bad-unknown; sid:495; rev:7;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES file copied ok"; flow:from_server,established; content:"1 file|28|s|29| copied"; nocase; classtype:bad-unknown; sid:497; rev:8;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; flow:from_server,established; content:"Invalid URL"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:10;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; nocase; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;)
alert ip any any -> any any (msg:"ATTACK-RESPONSES id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:498; rev:6;)
alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:1882; rev:10;)
alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES oracle one hour install"; flow:from_server,established; content:"Oracle Applications One-Hour Install"; classtype:bad-unknown; sid:1464; rev:3;)
alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:10;)
alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful kadmind buffer overflow attempt"; flow:established,from_server; content:"*GOBBLE*"; depth:8; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:10;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit GOBBLE"; flow:from_server,established; content:"*GOBBLE*"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:successful-admin; sid:1810; rev:9;)
alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful gobbles ssh exploit uname"; flow:from_server,established; content:"uname"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1811; rev:8;)
alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; classtype:unsuccessful-user; sid:2104; rev:3;)
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; classtype:successful-user; sid:2412; rev:3;)


@ -0,0 +1,87 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: backdoor.rules 91 2004-07-15 08:13:57Z rwinslow $
#---------------
# BACKDOOR RULES
#---------------
#
alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0D 0A|[RPL]002|0D 0A|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:7;)
alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)
alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:109; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;)
alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:to_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:115; rev:5;)
# 3150, 4120
alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; classtype:misc-activity; sid:1980; rev:1;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:195; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; classtype:misc-activity; sid:1981; rev:1;)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1982; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; classtype:misc-activity; sid:1983; rev:1;)
alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1984; rev:1;)
alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"BACKDOOR Doly 2.0 access"; flow:established,from_server; content:"Wtzup Use"; depth:32; reference:arachnids,312; classtype:misc-activity; sid:119; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1094 (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:1;)
alert tcp $EXTERNAL_NET 1024: -> $HOME_NET 2589 (msg:"BACKDOOR - Dagger_1.4.0_client_connect"; flow:to_server,established; content:"|0B 00 00 00 07 00 00 00|Connect"; depth:16; reference:arachnids,483; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:104; rev:7;)
alert tcp $HOME_NET 2589 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR - Dagger_1.4.0"; flow:from_server,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; reference:arachnids,484; reference:url,www.tlsecurity.net/backdoor/Dagger.1.4.html; classtype:misc-activity; sid:105; rev:7;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; ack:101058054; flags:A,12; seq:101058054; flow:stateless; reference:arachnids,445; classtype:misc-activity; sid:106; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:108; rev:6;)
alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR Infector.1.x"; flow:established,from_server; content:"WHATISIT"; reference:arachnids,315; classtype:misc-activity; sid:117; rev:6;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; flow:established,from_server; content:"Remote|3A| You are connected to me."; reference:arachnids,316; classtype:misc-activity; sid:118; rev:5;)
alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; flow:established,from_server; content:"WHATISIT"; classtype:misc-activity; sid:120; rev:5;)
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; classtype:misc-activity; sid:121; rev:5;)
alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"BACKDOOR HackAttack 1.20 Connect"; flow:established,from_server; content:"host"; classtype:misc-activity; sid:141; rev:5;)
alert tcp $EXTERNAL_NET !80 -> $HOME_NET 21554 (msg:"BACKDOOR GirlFriendaccess"; flow:to_server,established; content:"Girl"; reference:arachnids,98; classtype:misc-activity; sid:145; rev:5;)
alert tcp $HOME_NET 30100 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere access"; flow:established,from_server; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:146; rev:5;)
alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"BACKDOOR GateCrasher"; flow:established,from_server; content:"GateCrasher"; reference:arachnids,99; classtype:misc-activity; sid:147; rev:5;)
alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Connection"; flow:established,from_server; content:"c|3A 5C|"; classtype:misc-activity; sid:152; rev:6;)
alert tcp $HOME_NET 23476 -> $EXTERNAL_NET any (msg:"BACKDOOR DonaldDick 1.53 Traffic"; flow:from_server,established; content:"pINg"; classtype:misc-activity; sid:153; rev:5;)
alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"BACKDOOR NetSphere 1.31.337 access"; flow:from_server,established; content:"NetSphere"; reference:arachnids,76; classtype:misc-activity; sid:155; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; classtype:misc-activity; sid:157; rev:5;)
alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:from_server,established; content:"FTP Port open"; classtype:misc-activity; sid:158; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR NetMetro File List"; flow:to_server,established; content:"--"; reference:arachnids,79; classtype:misc-activity; sid:159; rev:6;)
# alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags:A+; flow:stateless; reference:arachnids,79; classtype:misc-activity; sid:160; rev:5;)
alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"BACKDOOR Matrix 2.0 Client connect"; content:"activate"; reference:arachnids,83; classtype:misc-activity; sid:161; rev:4;)
alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"BACKDOOR Matrix 2.0 Server access"; content:"logged in"; reference:arachnids,83; classtype:misc-activity; sid:162; rev:4;)
alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active"; flags:SA,12; flow:stateless; content:"|B4 B4|"; reference:arachnids,36; classtype:misc-activity; sid:163; rev:8;)
alert icmp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR SIGNATURE - Q ICMP"; dsize:>1; itype:0; reference:arachnids,202; classtype:misc-activity; sid:183; rev:4;)
alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; dsize:>1; flags:A+; flow:stateless; reference:arachnids,203; classtype:misc-activity; sid:184; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; reference:arachnids,263; classtype:misc-activity; sid:185; rev:5;)
alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"BACKDOOR PhaseZero Server Active on Network"; flow:established,from_server; content:"phAse"; classtype:misc-activity; sid:208; rev:5;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; reference:arachnids,510; classtype:attempted-admin; sid:209; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; classtype:attempted-admin; sid:210; rev:3;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; classtype:attempted-admin; sid:211; rev:3;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; classtype:attempted-admin; sid:212; rev:3;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; classtype:attempted-admin; sid:213; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; classtype:attempted-admin; sid:214; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; classtype:attempted-admin; sid:215; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; reference:arachnids,516; classtype:attempted-admin; sid:216; rev:6;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; classtype:attempted-admin; sid:217; rev:3;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; classtype:attempted-user; sid:218; rev:4;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; classtype:misc-activity; sid:219; rev:6;)
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; classtype:misc-activity; sid:220; rev:6;)
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; flags:A+; flow:stateless; content:"A"; depth:1; reference:arachnids,314; classtype:attempted-recon; sid:614; rev:7;)
alert ip any any -> 216.80.99.202 any (msg:"BACKDOOR fragroute trojan connection attempt"; reference:bugtraq,4898; classtype:trojan-activity; sid:1791; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"BACKDOOR win-trin00 connection attempt"; content:"png []..Ks l44"; depth:14; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:6;)
# NOTES: this string should be within the first 3 bytes of the connection
alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:6;)
alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; flow:stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR SubSeven 2.1 Gold server connection response"; flow:from_server,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; classtype:misc-activity; sid:2100; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"BACKDOOR Remote PC Access connection attempt"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; flow:stateless; classtype:trojan-activity; sid:2182; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"BACKDOOR DoomJuice file upload attempt"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:3;)


@ -0,0 +1,26 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: bad-traffic.rules 91 2004-07-15 08:13:57Z rwinslow $
#------------------
# BAD TRAFFIC RULES
#------------------
# These signatures are representitive of traffic that should never be seen on
# any network. None of these signatures include datagram content checking
# and are extremely quick signatures
#
alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; dsize:>6; flags:S,12; flow:stateless; reference:url,www.cert.org/incident_notes/IN-99-07.html; classtype:misc-activity; sid:526; rev:9;)
alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
alert ip any any -> any any (msg:"BAD-TRAFFIC same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:527; rev:8;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
# linux happens. Blah
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; classtype:misc-activity; sid:1322; rev:7;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; flow:stateless; classtype:bad-unknown; sid:1431; rev:8;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2186; rev:3;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2187; rev:3;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2188; rev:3;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; classtype:non-standard-protocol; sid:2189; rev:3;)


@ -0,0 +1,16 @@
# (C) Copyright 2001,2002 Brian Caswell, et al. All rights reserved.
# $Id: cgi-bin.list 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# cgi-bin list
#--------------
# if content-list actually worked, this would be our content-list for
# the different CGI bin directories we would check for.
"/cgi-bin/"
"/cgi/"
"/cgi-local/"
"/perl/"
"/mod_perl/"
"/scripts/"
"/comps/"
"/cgi-bin-sdb/"


@ -0,0 +1,48 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: chat.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# CHAT RULES
#-------------
# These signatures look for people using various types of chat programs (for
# example: AIM, ICQ, and IRC) which may be against corporate policy
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CHAT ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; classtype:policy-violation; sid:541; rev:9;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"CHAT ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; nocase; content:"[ICQ User]"; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:7;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:540; rev:11;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; distance:0; nocase; content:"text/x-msmsgsinvite"; distance:0; nocase; content:"Application-Name|3A|"; content:"File Transfer"; distance:0; nocase; classtype:policy-violation; sid:1986; rev:4;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:3;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command|3A|"; content:"CANCEL"; distance:0; content:"Cancel-Code|3A|"; nocase; content:"REJECT"; distance:0; nocase; classtype:policy-violation; sid:1989; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC nick change"; flow:to_server,established; content:"NICK "; offset:0; classtype:policy-violation; sid:542; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC SEND"; nocase; classtype:policy-violation; sid:1639; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; offset:0; nocase; content:" |3A|.DCC CHAT chat"; nocase; classtype:policy-violation; sid:1640; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC channel join"; flow:to_server,established; content:"JOIN |3A| |23|"; offset:0; nocase; classtype:policy-violation; sid:1729; rev:5;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC message"; flow:established; content:"PRIVMSG "; nocase; classtype:policy-violation; sid:1463; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CHAT IRC dns request"; flow:to_server,established; content:"USERHOST "; offset:0; nocase; classtype:policy-violation; sid:1789; rev:3;)
alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CHAT IRC dns response"; flow:to_client,established; content:"|3A|"; offset:0; content:" 302 "; content:"=+"; classtype:policy-violation; sid:1790; rev:4;)
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login"; flow:to_server,established; content:"*|01|"; depth:2; classtype:policy-violation; sid:1631; rev:6;)
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM send message"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; depth:4; offset:6; classtype:policy-violation; sid:1632; rev:6;)
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"CHAT AIM receive message"; flow:to_client; content:"*|02|"; depth:2; content:"|00 04 00 07|"; depth:4; offset:6; classtype:policy-violation; sid:1633; rev:6;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;)
alert tcp any any -> any 5050 (msg:"CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; depth:4; nocase; content:"|00|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:3;)
alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; classtype:policy-violation; sid:2457; rev:2;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM webcam offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM webcam request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:3;)
alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM webcam watch"; flow:from_server,established; content:"|0D 00 05 00|"; depth:4; classtype:policy-violation; sid:2461; rev:3;)


@ -0,0 +1,66 @@
# $Id: classification.config 91 2004-07-15 08:13:57Z rwinslow $
# The following includes information for prioritizing rules
#
# Each classification includes a shortname, a description, and a default
# priority for that classification.
#
# This allows alerts to be classified and prioritized. You can specify
# what priority each classification has. Any rule can override the default
# priority for that rule.
#
# Here are a few example rules:
#
# alert TCP any any -> any 80 (msg: "EXPLOIT ntpdx overflow";
# dsize: > 128; classtype:attempted-admin; priority:10;
#
# alert TCP any any -> any 25 (msg:"SMTP expn root"; flags:A+; \
# content:"expn root"; nocase; classtype:attempted-recon;)
#
# The first rule will set its type to "attempted-admin" and override
# the default priority for that type to 10.
#
# The second rule set its type to "attempted-recon" and set its
# priority to the default for that type.
#
#
# config classification:shortname,short description,priority
#
config classification: not-suspicious,Not Suspicious Traffic,3
config classification: unknown,Unknown Traffic,3
config classification: bad-unknown,Potentially Bad Traffic, 2
config classification: attempted-recon,Attempted Information Leak,2
config classification: successful-recon-limited,Information Leak,2
config classification: successful-recon-largescale,Large Scale Information Leak,2
config classification: attempted-dos,Attempted Denial of Service,2
config classification: successful-dos,Denial of Service,2
config classification: attempted-user,Attempted User Privilege Gain,1
config classification: unsuccessful-user,Unsuccessful User Privilege Gain,1
config classification: successful-user,Successful User Privilege Gain,1
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: successful-admin,Successful Administrator Privilege Gain,1
# NEW CLASSIFICATIONS
config classification: rpc-portmap-decode,Decode of an RPC Query,2
config classification: shellcode-detect,Executable code was detected,1
config classification: string-detect,A suspicious string was detected,3
config classification: suspicious-filename-detect,A suspicious filename was detected,2
config classification: suspicious-login,An attempted login using a suspicious username was detected,2
config classification: system-call-detect,A system call was detected,2
config classification: tcp-connection,A TCP connection was detected,4
config classification: trojan-activity,A Network Trojan was detected, 1
config classification: unusual-client-port-connection,A client was using an unusual port,2
config classification: network-scan,Detection of a Network Scan,3
config classification: denial-of-service,Detection of a Denial of Service Attack,2
config classification: non-standard-protocol,Detection of a non-standard protocol or event,2
config classification: protocol-command-decode,Generic Protocol Command Decode,3
config classification: web-application-activity,access to a potentially vulnerable web application,2
config classification: web-application-attack,Web Application Attack,1
config classification: misc-activity,Misc activity,3
config classification: misc-attack,Misc Attack,2
config classification: icmp-event,Generic ICMP event,3
config classification: kickass-porn,SCORE! Get the lotion!,1
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: default-login-attempt,Attempt to login by a default username and password,2


@ -0,0 +1,51 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: ddos.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# DDOS RULES
#-----------
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe"; id:678; itype:8; content:"1234"; reference:arachnids,443; classtype:attempted-recon; sid:221; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; reference:arachnids,425; classtype:attempted-dos; sid:222; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG"; reference:arachnids,187; classtype:attempted-recon; sid:223; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"DDOS shaft client login to handler"; flow:from_server,established; content:"login|3A|"; reference:arachnids,254; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"DDOS shaft handler to agent"; content:"alive tijgu"; reference:arachnids,255; classtype:attempted-dos; sid:239; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"DDOS shaft agent to handler"; content:"alive"; reference:arachnids,256; classtype:attempted-dos; sid:240; rev:2;)
alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags:S,12; seq:674711609; flow:stateless; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44"; reference:arachnids,186; classtype:attempted-dos; sid:231; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; classtype:attempted-dos; sid:234; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; classtype:bad-unknown; sid:235; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN server response"; icmp_id:123; icmp_seq:0; itype:0; content:"shell bound to port"; reference:arachnids,182; classtype:attempted-dos; sid:238; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"DDOS mstream agent to handler"; content:"newserver"; classtype:attempted-dos; sid:243; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler to agent"; content:"stream/"; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream handler ping to agent"; content:"ping"; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"DDOS mstream agent pong to handler"; content:"pong"; classtype:attempted-dos; sid:246; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"DDOS mstream client to handler"; flow:to_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:4;)
alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:to_client,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags:S,12; flow:stateless; reference:arachnids,111; reference:cve,2000-0138; classtype:attempted-dos; sid:249; rev:7;)
alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"DDOS mstream handler to client"; flow:from_server,established; content:">"; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; reference:arachnids,195; classtype:attempted-dos; sid:225; rev:6;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; reference:arachnids,191; classtype:attempted-dos; sid:226; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; reference:arachnids,192; classtype:attempted-dos; sid:227; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; reference:arachnids,194; classtype:attempted-dos; sid:236; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; reference:arachnids,190; classtype:attempted-dos; sid:229; rev:5;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:7;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:7;)
alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"DDOS Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:7;)


@ -0,0 +1,399 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: deleted.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# DELETED RULES
#-------------
# These signatures have been deleted for various reasons, but we are keeping
# them here for historical purposes.
# Duplicate to 332
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER probe 0 attempt"; flow:to_server,established; content:"0"; reference:arachnids,378; classtype:attempted-recon; sid:325; rev:4;)
# Duplicate of 512
alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:511; rev:5;)
# Duplicate of 514
alert tcp $EXTERNAL_NET any -> $HOME_NET 27374 (msg:"MISC ramen worm incoming"; flow:established; content:"GET "; depth:8; nocase; reference:arachnids,460; classtype:bad-unknown; sid:506; rev:4;)
# Duplicate of 557
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
# Duplicate of 559
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;)
# Duplicate of 844
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC O'Reilly args.bat access"; flow:to_server,established; uricontent:"/cgi-dos/args.bat"; nocase; classtype:attempted-recon; sid:1121; rev:5;)
# Yeah, so the one site that was vulnerable to edit.pl aint no more.
# http://packetstorm.widexs.nl/new-exploits/freestats-cgi.txt
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-CGI edit.pl access"; flow:to_server,established; uricontent:"/edit.pl"; nocase; reference:bugtraq,2713; classtype:attempted-recon; sid:855; rev:6;)
# duplicate of 987
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .htr request"; flow:to_server,established; uricontent:".htr"; nocase; reference:bugtraq,4474; reference:cve,2002-0071; reference:nessus,10932; classtype:web-application-activity; sid:1619; rev:8;)
# webmasters suck, so this happens ever so often. Its really not that bad,
# so lets disable it.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC prefix-get //"; flow:to_server,established; uricontent:"get //"; nocase; classtype:attempted-recon; sid:1114; rev:6;)
# dup of 1660
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"EXPERIMENTAL WEB-IIS .NET trace.axd access"; flow:to_server,established; uricontent:"/traace.axd"; nocase; classtype:web-application-attack; sid:1749; rev:4;)
# dup
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC iPlanet ../../ DOS attempt"; flow:to_server,established; content:"GET "; depth:4; uricontent:"/../../../../../../../../../../../"; reference:bugtraq,2282; reference:cve,2001-0252; classtype:web-application-attack; sid:1049; rev:11;)
# Falses WAAAYYY too often.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES directory listing"; flow:from_server,established; content:"Directory of"; nocase; classtype:unknown; sid:496; rev:8;)
# Replaced with 1801,1802,1803,1804
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS header field buffer overflow attempt"; flow:to_server,established; content:"|3A|"; content:"|0A|"; content:"|00|"; reference:bugtraq,4476; reference:cve,2002-0150; classtype:web-application-attack; sid:1768; rev:7;)
# duplicate of sid:1673
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:1698; rev:4;)
# Port based only sigs suck, this is why stream4 has flow logs
alert tcp $EXTERNAL_NET 6000:6005 -> $HOME_NET any (msg:"X11 outbound client connection detected"; flow:established; reference:arachnids,126; classtype:misc-activity; sid:1227; rev:5;)
# basically duplicate of 330
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop redirection"; dsize:11; flow:to_server,established; content:"@localhost|0A|"; reference:arachnids,11; classtype:attempted-recon; sid:329; rev:8;)
# duplicate of 1478
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI swc attempt"; flow:to_server,established; uricontent:"/swc"; nocase; classtype:attempted-recon; sid:1477; rev:5;)
# duplicate of 1248
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>258; flow:to_server,established; uricontent:"/fp30reg.dll"; nocase; reference:arachnids,555; reference:bugtraq,2906; reference:cve,2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; classtype:web-application-attack; sid:1246; rev:14;)
# duplicate of 1249
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; dsize:>259; flow:to_server,established; uricontent:"/fp4areg.dll"; nocase; reference:bugtraq,2906; reference:cve,2001-0341; classtype:web-application-attack; sid:1247; rev:11;)
# duplicate of 1755
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1780; rev:9;)
# duplicate of 1538
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;)
# This rule looks for the exploit for w3-msql, but very badly
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86 access"; flow:to_server,established; uricontent:"/bin/shA-cA/usr/openwin"; nocase; reference:arachnids,211; reference:cve,1999-0276; classtype:attempted-recon; sid:874; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"echo netrjs stre"; reference:bugtraq,324; reference:cve,1999-0914; classtype:attempted-admin; sid:318; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"A90|C0 A8 01 01|/bin/sh|00|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;)
# duplicate of 109
alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags:A+; flow:established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity; sid:114; rev:5;)
# duplicate of 110
alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:5;)
# we have a backorifice preprocessor
alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags:A+; flow:established; content:"server|3A| BO/"; reference:arachnids,400; classtype:misc-activity; sid:112; rev:6;)
# we have a backorifice preprocessor
alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content:"|CE|c|D1 D2 16 E7 13 CF|9|A5 A5 86|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;)
alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; classtype:misc-activity; sid:164; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:165; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; classtype:misc-activity; sid:166; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32"; reference:arachnids,106; classtype:misc-activity; sid:167; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33"; reference:arachnids,106; classtype:misc-activity; sid:168; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; classtype:misc-activity; sid:169; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110"; reference:arachnids,106; classtype:misc-activity; sid:170; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35"; reference:arachnids,106; classtype:misc-activity; sid:171; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; classtype:misc-activity; sid:172; rev:6;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; classtype:misc-activity; sid:173; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31"; reference:arachnids,106; classtype:misc-activity; sid:174; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; classtype:misc-activity; sid:175; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04"; reference:arachnids,106; classtype:misc-activity; sid:176; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down"; reference:arachnids,106; classtype:misc-activity; sid:177; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21"; reference:arachnids,106; classtype:misc-activity; sid:179; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64"; reference:arachnids,106; classtype:misc-activity; sid:180; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; classtype:misc-activity; sid:181; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; classtype:misc-activity; sid:182; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; classtype:misc-activity; sid:122; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; classtype:misc-activity; sid:124; rev:5;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving"; reference:arachnids,106; classtype:misc-activity; sid:125; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12"; reference:arachnids,106; classtype:misc-activity; sid:126; rev:5;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; classtype:misc-activity; sid:127; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; classtype:misc-activity; sid:128; rev:5;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - "; reference:arachnids,106; classtype:misc-activity; sid:129; rev:5;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; classtype:misc-activity; sid:130; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130"; reference:arachnids,106; classtype:misc-activity; sid:131; rev:5;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; classtype:misc-activity; sid:132; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; classtype:misc-activity; sid:133; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17"; reference:arachnids,106; classtype:misc-activity; sid:134; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; classtype:misc-activity; sid:135; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; classtype:misc-activity; sid:136; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911"; reference:arachnids,106; classtype:misc-activity; sid:137; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; classtype:misc-activity; sid:138; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88"; reference:arachnids,106; classtype:misc-activity; sid:140; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content:"40"; reference:arachnids,106; classtype:misc-activity; sid:142; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; classtype:misc-activity; sid:143; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:149; rev:5;)
alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; classtype:misc-activity; sid:150; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; reference:arachnids,106; classtype:misc-activity; sid:151; rev:5;)
alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; classtype:misc-activity; sid:154; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; classtype:misc-activity; sid:156; rev:5;)
alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content:"--Ahhhhhhhhhh"; reference:arachnids,405; classtype:misc-activity; sid:113; rev:6;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07"; reference:arachnids,106; classtype:misc-activity; sid:186; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; classtype:misc-activity; sid:187; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38"; reference:arachnids,106; classtype:misc-activity; sid:188; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23"; reference:arachnids,106; classtype:misc-activity; sid:189; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24"; reference:arachnids,106; classtype:misc-activity; sid:190; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; classtype:misc-activity; sid:191; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26"; reference:arachnids,106; classtype:misc-activity; sid:192; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; classtype:misc-activity; sid:193; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; classtype:misc-activity; sid:194; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30"; reference:arachnids,106; classtype:misc-activity; sid:196; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; classtype:misc-activity; sid:197; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; classtype:misc-activity; sid:198; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; classtype:misc-activity; sid:199; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; classtype:misc-activity; sid:200; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15"; reference:arachnids,106; classtype:misc-activity; sid:201; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100"; reference:arachnids,106; classtype:misc-activity; sid:202; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117"; reference:arachnids,106; classtype:misc-activity; sid:203; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118"; reference:arachnids,106; classtype:misc-activity; sid:204; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199"; reference:arachnids,106; classtype:misc-activity; sid:205; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; classtype:misc-activity; sid:206; rev:5;)
alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; classtype:misc-activity; sid:207; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content:"|09 80 00 00 00 01 00 00 00 00|"; depth:16; offset:2; reference:arachnids,277; reference:bugtraq,134; reference:cve,1999-0009; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:7;)
alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; classtype:misc-activity; sid:148; rev:5;)
# The following ftp rules look for specific exploits, which are not needed now
# that initial protocol decoding is available.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)
# duplicate of 475
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)
# not needed thanks to 1964 and 1965
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)
# dup of 589
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)
# dup of 1275
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)
# dup of 1280
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)
# dup of 1281
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)
# this has been replaced with sid 1905 and 1906
alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)
# these have been replaced by 1915, 1916, 1914, and 1913
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)
# duplicate of 1088
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)
# these are obsolete
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)
# what is this rule? we have no idea...
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)
# These have been replaced by better rules (1915,1916,1913,1914)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2102; rev:8;)
# specific example for sid:1549
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)
# this is properly caught by sid:527
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)
# duplicate of 1546
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)
# these are obsoleted by cleaning up 663
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)
# dup of 588
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)
# dup of 1274
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)
# these virus rules suck.
alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"ble bla"; nocase; classtype:misc-activity; sid:725; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"I Love You"; classtype:misc-activity; sid:726; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Sorry... Hey you !"; classtype:misc-activity; sid:727; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"my picture from shake-beer"; classtype:misc-activity; sid:728; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible QAZ Worm"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:731; rev:7;)
alert tcp any any -> any 25 (msg:"Virus - Possible QAZ Worm Calling Home"; flow:established; content:"nongmin_cn"; reference:MCAFEE,98775; classtype:misc-activity; sid:733; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible Matrix worm"; flow:established; content:"Software provide by [MATRiX]"; nocase; classtype:misc-activity; sid:734; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"Matrix has you..."; classtype:misc-activity; sid:735; rev:6;)
alert tcp any any -> any 25 (msg:"Virus - Successful eurocalculator execution"; flags:PA; flow:established; content:"funguscrack@hotmail.com"; nocase; classtype:misc-activity; sid:736; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible eurocalculator.exe file"; flow:established; content:"filename="; content:"eurocalculator.exe"; nocase; classtype:misc-activity; sid:737; rev:6;)
alert tcp any any -> any 110 (msg:"Virus - Possible Pikachu Pokemon Virus"; flags:PA; flow:established; content:"Pikachu Pokemon"; reference:MCAFEE,98696; classtype:misc-activity; sid:738; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Triplesix Worm"; flow:established; content:"filename=|22|666TEST.VBS|22|"; nocase; reference:MCAFEE,10389; classtype:misc-activity; sid:739; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Tune.vbs"; flow:established; content:"filename=|22|tune.vbs|22|"; nocase; reference:MCAFEE,10497; classtype:misc-activity; sid:740; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Market share tipoff"; reference:MCAFEE,10109; classtype:misc-activity; sid:741; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"name =|22|WWIII!"; reference:MCAFEE,10109; classtype:misc-activity; sid:742; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"New Developments"; reference:MCAFEE,10109; classtype:misc-activity; sid:743; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NAIL Worm"; flow:established; content:"Good Times"; reference:MCAFEE,10109; classtype:misc-activity; sid:744; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Papa Worm"; flow:established; content:"filename=|22|XPASS.XLS|22|"; nocase; reference:MCAFEE,10145; classtype:misc-activity; sid:745; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Freelink Worm"; flow:established; content:"LINKS.VBS"; reference:MCAFEE,10225; classtype:misc-activity; sid:746; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Simbiosis Worm"; flow:established; content:"filename=|22|SETUP.EXE|22|"; nocase; classtype:misc-activity; sid:747; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible BADASS Worm"; flow:established; content:"name =|22|BADASS.EXE|22|"; reference:MCAFEE,10388; classtype:misc-activity; sid:748; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible ExploreZip.B Worm"; flow:established; content:"name =|22|File_zippati.exe|22|"; reference:MCAFEE,10471; classtype:misc-activity; sid:749; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible wscript.KakWorm"; flow:established; content:"filename=|22|KAK.HTA|22|"; nocase; reference:MCAFEE,10509; classtype:misc-activity; sid:751; rev:7;)
alert tcp any 110 -> any any (msg:"Virus Possible Suppl Worm"; flow:established; content:"filename=|22|Suppl.doc|22|"; nocase; reference:MCAFEE,10361; classtype:misc-activity; sid:752; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - theobbq.exe"; flow:established; content:"filename=|22|THEOBBQ.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:753; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|MONEY.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:754; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible IROK Worm"; flow:established; content:"filename=|22|irok.exe|22|"; nocase; reference:MCAFEE,98552; classtype:misc-activity; sid:755; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Fix2001 Worm"; flow:established; content:"filename=|22|Fix2001.exe|22|"; nocase; reference:MCAFEE,10355; classtype:misc-activity; sid:756; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Y2K Zelu Trojan"; flow:established; content:"filename=|22|Y2K.EXE|22|"; nocase; reference:MCAFEE,10505; classtype:misc-activity; sid:757; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible The_Fly Trojan"; flow:established; content:"filename=|22|THE_FLY.CHM|22|"; nocase; reference:MCAFEE,10478; classtype:misc-activity; sid:758; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Word Macro - VALE"; flow:established; content:"filename=|22|DINHEIRO.DOC|22|"; nocase; reference:MCAFEE,10502; classtype:misc-activity; sid:759; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Passion Worm"; flow:established; content:"filename=|22|ICQ_GREETINGS.EXE|22|"; nocase; reference:MCAFEE,10467; classtype:misc-activity; sid:760; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler3.exe"; flow:established; content:"filename=|22|COOLER3.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:761; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - party.exe"; flow:established; content:"filename=|22|PARTY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:762; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - hog.exe"; flow:established; content:"filename=|22|HOG.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:763; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal1.exe"; flow:established; content:"filename=|22|GOAL1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:764; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - pirate.exe"; flow:established; content:"filename=|22|PIRATE.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:765; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - video.exe"; flow:established; content:"filename=|22|VIDEO.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:766; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - baby.exe"; flow:established; content:"filename=|22|BABY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:767; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cooler1.exe"; flow:established; content:"filename=|22|COOLER1.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:768; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - boss.exe"; flow:established; content:"filename=|22|BOSS.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:769; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - g-zilla.exe"; flow:established; content:"filename=|22|G-ZILLA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:770; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible ToadieE-mail Trojan"; flow:established; content:"filename=|22|Toadie.exe|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:771; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible PrettyPark Trojan"; flow:established; content:"|5C|CoolProgs|5C|"; depth:750; offset:300; reference:MCAFEE,10175; classtype:misc-activity; sid:772; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Happy99 Virus"; flow:established; content:"X-Spanska|3A|Yes"; reference:MCAFEE,10144; classtype:misc-activity; sid:773; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible CheckThis Trojan"; flow:established; content:"name =|22|links.vbs|22|"; classtype:misc-activity; sid:774; rev:5;)
alert tcp any 110 -> any any (msg:"Virus - Possible Bubbleboy Worm"; flow:established; content:"BubbleBoy is back!"; reference:MCAFEE,10418; classtype:misc-activity; sid:775; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - copier.exe"; flow:established; content:"filename=|22|COPIER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:776; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible MyPics Worm"; flow:established; content:"name =|22|pics4you.exe|22|"; reference:MCAFEE,10467; classtype:misc-activity; sid:777; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Babylonia - X-MAS.exe"; flow:established; content:"name =|22|X-MAS.EXE|22|"; reference:MCAFEE,10461; classtype:misc-activity; sid:778; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - gadget.exe"; flow:established; content:"filename=|22|GADGET.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:779; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - irnglant.exe"; flow:established; content:"filename=|22|IRNGLANT.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:780; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - casper.exe"; flow:established; content:"filename=|22|CASPER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:781; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - fborfw.exe"; flow:established; content:"filename=|22|FBORFW.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:782; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - saddam.exe"; flow:established; content:"filename=|22|SADDAM.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:783; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - bboy.exe"; flow:established; content:"filename=|22|BBOY.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:784; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - monica.exe"; flow:established; content:"filename=|22|MONICA.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:785; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - goal.exe"; flow:established; content:"filename=|22|GOAL.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:786; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - panther.exe"; flow:established; content:"filename=|22|PANTHER.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:787; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - chestburst.exe"; flow:established; content:"filename=|22|CHESTBURST.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:788; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Common Sense Worm"; flow:established; content:"name =|22|THE_FLY.CHM|22|"; classtype:misc-activity; sid:790; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - cupid2.exe"; flow:established; content:"filename=|22|CUPID2.EXE|22|"; nocase; reference:MCAFEE,10540; classtype:misc-activity; sid:791; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|RESUME1.DOC|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:792; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|Explorer.doc|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:794; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - txt.vbs file"; flow:established; content:"filename="; content:".txt.vbs"; nocase; classtype:misc-activity; sid:795; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - xls.vbs file"; flow:established; content:"filename="; content:".xls.vbs"; nocase; classtype:misc-activity; sid:796; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - jpg.vbs file"; flow:established; content:"filename="; content:".jpg.vbs"; nocase; classtype:misc-activity; sid:797; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - gif.vbs file"; flow:established; content:"filename="; content:".gif.vbs"; nocase; classtype:misc-activity; sid:798; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible Timofonica Worm"; flow:established; content:"filename=|22|TIMOFONICA.TXT.vbs|22|"; nocase; reference:MCAFEE,98674; classtype:misc-activity; sid:799; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Resume Worm"; flow:established; content:"filename=|22|NORMAL.DOT|22|"; nocase; reference:MCAFEE,98661; classtype:misc-activity; sid:800; rev:7;)
alert tcp any 110 -> any any (msg:"Virus - Possible Worm - doc.vbs file"; flow:established; content:"filename="; content:".doc.vbs"; nocase; classtype:misc-activity; sid:801; rev:6;)
alert tcp any 110 -> any any (msg:"Virus - Possible NewApt.Worm - farter.exe"; flow:established; content:"filename=|22|FARTER.EXE|22|"; nocase; reference:MCAFEE,1054; classtype:misc-activity; sid:789; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"VIRUS Klez Incoming"; dsize:>120; flow:to_server,established; content:"MIME"; content:"VGhpcyBwcm9"; classtype:misc-activity; sid:1800; rev:4;)
# pcre makes this not needed
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
# historical reference... this used to be here...
alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; flow:established; content:"name =|22|Zipped_Files.EXE|22|"; reference:MCAFEE,10450; classtype:misc-activity; sid:802; rev:7;)
# taken care of by http_inspect now
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS multiple decode attempt"; flow:to_server,established; uricontent:"%5c"; uricontent:".."; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-attack; sid:970; rev:10;)
# better rule for 1054 caused these rules to not be needed
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".js%2570"; nocase; classtype:attempted-recon; sid:1236; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".j%2573p"; nocase; classtype:attempted-recon; sid:1237; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat sourecode view"; flow:to_server,established; uricontent:".%256Asp"; nocase; classtype:attempted-recon; sid:1238; rev:6;)
# these rules are dumb. sid:857 looks for the access, and thats all we can do
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey attempt full path"; flow:to_server,established; uricontent:"/faxsurvey?/"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1647; rev:9;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI faxsurvey arbitrary file read attempt"; flow:to_server,established; uricontent:"/faxsurvey?cat%20"; nocase; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-attack; sid:1609; rev:7;)
# dup of 2061
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Tomcat directory traversal attempt"; flow:to_server,established; uricontent:"|00|.jsp"; reference:bugtraq,2518; classtype:web-application-attack; sid:1055; rev:9;)
# squash all of the virus rules into one rule. go PCRE!
alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content:"qazwsx.hsq"; reference:MCAFEE,98775; classtype:misc-activity; sid:732; rev:8;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .shs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".shs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:730; rev:7;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .exe file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".exe|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2160; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .doc file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".doc|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2161; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vbs file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vbs|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:793; rev:7;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hta file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hta|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2162; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .chm file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".chm|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2163; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .reg file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".reg|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2164; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .ini file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".ini|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2165; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .bat file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".bat|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2166; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .diz file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".diz|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2167; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .cpp file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".cpp|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2168; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .dll file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".dll|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2169; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .vxd file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".vxd|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2170; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .sys file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".sys|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2171; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .com file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".com|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2172; rev:4;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .scr file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".scr|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:729; rev:7;)
alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND .hsq file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:"filename=|22|"; within:30; content:".hsq|22|"; within:30; nocase; classtype:suspicious-filename-detect; sid:2173; rev:4;)
# uh, yeah this happens quite a bit.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
# dup of 1485
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665; rev:6;)
# dup of 2339
alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2336; rev:3;)
# these happen. more research = more better rules
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:7;)
#nmap is no longer as dumb as it once was...
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;)
# dup of 553
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp|0D 0A|"; nocase; classtype:misc-activity; sid:1449; rev:7;)
# dup of 2417, which is a better rule anyways
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:6;)


@ -0,0 +1,35 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: dns.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# DNS RULES
#----------
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content:"|00 00 FC|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:255; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content:"|00 00 FC|"; offset:14; reference:arachnids,212; reference:cve,1999-0532; classtype:attempted-recon; sid:1948; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; offset:12; nocase; content:"|04|bind"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:6;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; classtype:bad-unknown; sid:253; rev:4;)
alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 01 00 01 00 00 00|<|00 04|"; classtype:bad-unknown; sid:254; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; reference:arachnids,482; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:303; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; reference:bugtraq,2303; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; classtype:attempted-admin; sid:262; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; classtype:attempted-admin; sid:264; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; classtype:attempted-admin; sid:265; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; classtype:attempted-admin; sid:266; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; classtype:attempted-admin; sid:267; rev:5;)


@ -0,0 +1,28 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: dos.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# DOS RULES
#----------
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;)
alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:4;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|02 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:272; rev:7;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; content:"|00 00|"; depth:2; reference:bugtraq,514; reference:cve,1999-0918; classtype:attempted-dos; sid:273; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:5;)
alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; id:413; seq:6060842; flow:stateless; reference:bugtraq,2022; reference:cve,2000-1039; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; reference:arachnids,411; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:276; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:277; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; dsize:>1445; flow:to_server,established; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flags:U+; flow:stateless; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; dsize:>1023; flow:to_server,established; reference:bugtraq,4006; reference:cve,2002-0224; classtype:attempted-dos; sid:1408; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; reference:bugtraq,6844; reference:cve,1999-1566; classtype:misc-attack; sid:1605; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; dsize:1; flow:to_server,established; classtype:denial-of-service; sid:1641; rev:5;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; dsize:1; flow:to_server,established; content:"|13|"; classtype:web-application-attack; sid:1545; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; content:"|05|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flags:RSF*; flow:established; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:6;)


@ -0,0 +1,12 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: experimental.rules 91 2004-07-15 08:13:57Z rwinslow $
# ---------------
# EXPERIMENTAL RULES
# ---------------
# These signatures are experimental, new and may trigger way too often.
#
# Be forwarned, this is our testing ground. We put new signatures here for
# testing before incorporating them into the default signature set. This is
# for bleeding edge stuff only.
#


@ -0,0 +1,78 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: exploit.rules 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# EXPLOIT RULES
#--------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; classtype:attempted-admin; sid:302; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; dsize:>1000; flow:to_server,established; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; dsize:>512; flags:A+; flow:stateless; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; dsize:>1000; flow:to_server,established; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; dsize:>720; flow:to_server,established; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; classtype:misc-attack; sid:1751; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:bugtraq,CAN-2004-0164; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:7;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2,>,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
alert udp any 4000 -> any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER email overflow attempt"; content:"|05 00|"; depth:2; byte_jump:2,0,relative,little; byte_test:2,>,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:4;)
alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:6;)
alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:6;)
alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve, CAN-2004-0367; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; within:1054; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2551; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2552; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2553; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2554; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2555; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2556; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2557; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2558; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2559; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; classtype:attempted-admin; sid:2560; rev:2;)


@ -0,0 +1,21 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: finger.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# FINGER RULES
#-------------
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; reference:cve,1999-0660; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER search query"; flow:to_server,established; content:"search"; reference:arachnids,375; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER root query"; flow:to_server,established; content:"root"; reference:arachnids,376; classtype:attempted-recon; sid:323; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER null request"; flow:to_server,established; content:"|00|"; reference:arachnids,377; classtype:attempted-recon; sid:324; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; reference:arachnids,379; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; reference:arachnids,380; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER bomb attempt"; flow:to_server,established; content:"@@"; reference:arachnids,381; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER redirection attempt"; flow:to_server,established; content:"@"; reference:arachnids,251; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; reference:arachnids,132; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER 0 query"; flow:to_server,established; content:"0"; reference:arachnids,131; reference:arachnids,378; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER . query"; flow:to_server,established; content:"."; reference:arachnids,130; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER version query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:1541; rev:4;)


@ -0,0 +1,100 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: ftp.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# FTP RULES
#----------
# protocol verification
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; classtype:attempted-admin; sid:2546; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; classtype:attempted-admin; sid:2373; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; classtype:attempted-admin; sid:2374; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:100,relative; pcre:"/^APPE\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2391; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2392; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; classtype:attempted-admin; sid:2343; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL\s[^\n]{100}/smi"; reference:arachnids,257; reference:bugtraq,679; reference:cve,1999-0789; classtype:attempted-admin; sid:337; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:100,relative; pcre:"/^CWD\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,7950; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2002-0126; classtype:attempted-admin; sid:1919; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1621; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; reference:bugtraq,2120; reference:cve,2001-0065; classtype:attempted-admin; sid:1562; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER\s[^\n]{100}/smi"; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,1690; reference:bugtraq,4638; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0943; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; classtype:attempted-admin; sid:1734; rev:16;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,2000-1035; reference:cve,2002-0126; classtype:attempted-admin; sid:1972; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:1942; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:100,relative; pcre:"/^MKD\s[^\n]{100}/smi"; reference:bugtraq,612; reference:bugtraq,9872; reference:cve,1999-0911; classtype:attempted-admin; sid:1973; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1974; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1975; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:1976; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE"; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:1623; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; dsize:10; flow:to_server,established; content:"PWD"; nocase; classtype:protocol-command-decode; sid:1624; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; dsize:10; flow:to_server,established; content:"SYST"; nocase; classtype:protocol-command-decode; sid:1625; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD Root directory transversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:8;)
# bad ftp commands
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; reference:arachnids,317; reference:bugtraq,2241; reference:cve,1999-0080; classtype:bad-unknown; sid:361; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"*"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1777; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; nocase; content:"?"; distance:1; reference:bugtraq,4482; reference:cve,2002-0073; classtype:attempted-dos; sid:1778; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:12;)
# bad directories
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:10;)
# dup of 1672
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~|0D 0A|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:1728; rev:6;)
# dup of 1229
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:2;)
# vulnerabilities against specific implementations of ftp
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content:".%20."; nocase; reference:bugtraq,2052; reference:cve,2001-0054; classtype:bad-unknown; sid:360; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt ["; flow:to_server,established; content:"~"; content:"["; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:1; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; dsize:>100; flow:to_server,established,no_stream; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:5;)
# BAD FILES
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; flow:to_server,established; content:".forward"; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; classtype:suspicious-filename-detect; sid:1927; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; classtype:suspicious-filename-detect; sid:1928; rev:3;)
# suspicious login attempts
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; reference:arachnids,01; classtype:suspicious-login; sid:144; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; reference:arachnids,332; classtype:suspicious-login; sid:353; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; classtype:misc-attack; sid:2178; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; classtype:misc-attack; sid:2179; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; reference:bugtraq,10181; reference:bugtraq,8486; reference:bugtraq,9675; classtype:misc-attack; sid:2338; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2272; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; reference:bugtraq,9072; classtype:suspicious-login; sid:2334; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; classtype:attempted-admin; sid:2416; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%"; pcre:"/\s+.*?%.*?%/smi"; classtype:string-detect; sid:2417; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2574; rev:1;)


@ -0,0 +1,131 @@
# $Id: gen-msg.map 91 2004-07-15 08:13:57Z rwinslow $
# GENERATORS -> msg map
# Format: generatorid || alertid || MSG
1 || 1 || snort general alert
2 || 1 || tag: Tagged Packet
100 || 1 || spp_portscan: Portscan Detected
100 || 2 || spp_portscan: Portscan Status
100 || 3 || spp_portscan: Portscan Ended
101 || 1 || spp_minfrag: minfrag alert
102 || 1 || http_decode: Unicode Attack
102 || 2 || http_decode: CGI NULL Byte Attack
102 || 3 || http_decode: large method attempted
102 || 4 || http_decode: missing uri
102 || 5 || http_decode: double encoding detected
102 || 6 || http_decode: illegal hex values detected
102 || 7 || http_decode: overlong character detected
103 || 1 || spp_defrag: Fragmentation Overflow Detected
103 || 2 || spp_defrag: Stale Fragments Discarded
104 || 1 || spp_anomsensor: SPADE Anomaly Threshold Exceeded
104 || 2 || spp_anomsensor: SPADE Anomaly Threshold Adjusted
105 || 1 || spp_bo: Back Orifice Traffic Detected
106 || 1 || spp_rpc_decode: Fragmented RPC Records
106 || 2 || spp_rpc_decode: Multiple Records in one packet
106 || 3 || spp_rpc_decode: Large RPC Record Fragment
106 || 4 || spp_rpc_decode: Incomplete RPC segment
110 || 1 || spp_unidecode: CGI NULL Attack
110 || 2 || spp_unidecode: Directory Traversal
110 || 3 || spp_unidecode: Unknown Mapping
110 || 4 || spp_unidecode: Invalid Mapping
111 || 1 || spp_stream4: Stealth Activity Detected
111 || 2 || spp_stream4: Evasive Reset Packet
111 || 3 || spp_stream4: Retransmission
111 || 4 || spp_stream4: Window Violation
111 || 5 || spp_stream4: Data on SYN Packet
111 || 6 || spp_stream4: Full XMAS Stealth Scan
111 || 7 || spp_stream4: SAPU Stealth Scan
111 || 8 || spp_stream4: FIN Stealth Scan
111 || 9 || spp_stream4: NULL Stealth Scan
111 || 10 || spp_stream4: NMAP XMAS Stealth Scan
111 || 11 || spp_stream4: VECNA Stealth Scan
111 || 12 || spp_stream4: NMAP Fingerprint Stateful Detection
111 || 13 || spp_stream4: SYN FIN Stealth Scan
111 || 14 || spp_stream4: TCP forward overlap detected
111 || 15 || spp_stream4: TTL Evasion attempt
111 || 16 || spp_stream4: Evasive retransmitited data attempt
111 || 17 || spp_stream4: Evasive retransmitited data with the data split attempt
111 || 18 || spp_stream4: Multiple acked
111 || 19 || spp_stream4: Shifting to Emegency Session Mode
111 || 20 || spp_stream4: Shifting to Suspend Mode
112 || 1 || spp_arpspoof: Directed ARP Request
112 || 2 || spp_arpspoof: Etherframe ARP Mismatch SRC
112 || 3 || spp_arpspoof: Etherframe ARP Mismatch DST
112 || 4 || spp_arpspoof: ARP Cache Overwrite Attack
113 || 1 || spp_frag2: Oversized Frag
113 || 2 || spp_frag2: Teardrop/Fragmentation Overlap Attack
113 || 3 || spp_frag2: TTL evasion detected
113 || 4 || spp_frag2: overlap detected
113 || 5 || spp_frag2: Duplicate first fragments
113 || 6 || spp_frag2: memcap exceeded
113 || 7 || spp_frag2: Out of order fragments
113 || 8 || spp_frag2: IP Options on Fragmented Packet
113 || 9 || spp_frag2: Shifting to Emegency Session Mode
113 || 10 || spp_frag2: Shifting to Suspend Mode
114 || 1 || spp_fnord: Possible Mutated GENERIC NOP Sled detected
114 || 2 || spp_fnord: Possible Mutated IA32 NOP Sled detected
114 || 3 || spp_fnord: Possible Mutated HPPA NOP Sled detected
114 || 4 || spp_fnord: Possible Mutated SPARC NOP Sled detected
115 || 1 || spp_asn1: Indefinite ASN.1 length encoding
115 || 2 || spp_asn1: Invalid ASN.1 length encoding
115 || 3 || spp_asn1: ASN.1 oversized item, possible overflow
115 || 4 || spp_asn1: ASN.1 spec violation, possible overflow
115 || 5 || spp_asn1: ASN.1 Attack: Datum length > packet length
116 || 1 || snort_decoder: Not IPv4 datagram!
116 || 2 || snort_decoder: WARNING: Not IPv4 datagram!
116 || 3 || snort_decoder: WARNING: hlen < IP_HEADER_LEN!
116 || 4 || snort_decoder: Bad IPv4 Options
116 || 5 || snort_decoder: Truncated IPv4 Options
116 || 45 || snort_decoder: TCP packet len is smaller than 20 bytes!
116 || 46 || snort_decoder: TCP Data Offset is less than 5!
116 || 47 || snort_decoder: TCP Data Offset is longer than payload!
116 || 54 || snort_decoder: Tcp Options found with bad lengths
116 || 55 || snort_decoder: Truncated Tcp Options
116 || 56 || snort_decoder: T/TCP Detected
116 || 57 || snort_decoder: Obsolete TCP options
116 || 58 || snort_decoder: Experimental TCP options
116 || 95 || snort_decoder: Truncated UDP Header!
116 || 96 || snort_decoder: Invalid UDP header, length field < 8
116 || 97 || snort_decoder: Short UDP packet, length field > payload length
116 || 105 || snort_decoder: ICMP Header Truncated!
116 || 106 || snort_decoder: ICMP Timestamp Header Truncated!
116 || 107 || snort_decoder: ICMP Address Header Truncated!
116 || 108 || snort_decoder: Unknown Datagram decoding problem!
116 || 109 || snort_decoder: Unknown Datagram decoding problem!
116 || 110 || snort_decoder: Truncated EAP Header!
116 || 111 || snort_decoder: EAP Key Truncated!
116 || 112 || snort_decoder: EAP Header Truncated!
116 || 120 || snort_decoder: WARNING: Bad PPPOE frame detected!
116 || 130 || snort_decoder: WARNING: Bad VLAN Frame!
116 || 131 || snort_decoder: WARNING: Bad LLC header!
116 || 132 || snort_decoder: WARNING: Bad Extra LLC Info!
116 || 133 || snort_decoder: WARNING: Bad 802.11 LLC header!
116 || 134 || snort_decoder: WARNING: Bad 802.11 Extra LLC Info!
116 || 140 || snort_decoder: WARNING: Bad Token Ring Header!
116 || 141 || snort_decoder: WARNING: Bad Token Ring ETHLLC Header!
116 || 142 || snort_decoder: WARNING: Bad Token Ring MRLEN Header!
116 || 143 || snort_decoder: WARNING: Bad Token Ring MR Header!
117 || 1 || spp_portscan2: Portscan detected!
118 || 1 || spp_conversation: Bad IP protocol!
119 || 1 || http_inspect: ASCII ENCODING
119 || 2 || http_inspect: DOUBLE DECODING ATTACK
119 || 3 || http_inspect: U ENCODING
119 || 4 || http_inspect: BARE BYTE UNICODE ENCODING
119 || 5 || http_inspect: BASE36 ENCODING
119 || 6 || http_inspect: UTF-8 ENCODING
119 || 7 || http_inspect: IIS UNICODE CODEPOINT ENCODING
119 || 8 || http_inspect: MULTI_SLASH ENCODING
119 || 9 || http_inspect: IIS BACKSLASH EVASION
119 || 10 || http_inspect: SELF DIRECTORY TRAVERSAL
119 || 11 || http_inspect: DIRECTORY TRAVERSAL
119 || 12 || http_inspect: APACHE WHITESPACE (TAB)
119 || 13 || http_inspect: NON-RFC HTTP DELIMITER
119 || 14 || http_inspect: NON-RFC DEFINED CHAR
119 || 15 || http_inspect: OVERSIZE REQUEST-URI DIRECTORY
119 || 16 || http_inspect: OVERSIZE CHUNK ENCODING
119 || 17 || http_inspect: UNAUTHORIZED PROXY USE DETECTED
120 || 1 || http_inspect: ANOMALOUS HTTP SERVER ON UNDEFINED HTTP PORT
121 || 1 || flow-portscan: Fixed Scale Scanner Limit Exceeded
121 || 2 || flow-portscan: Sliding Scale Scanner Limit Exceeded
121 || 3 || flow-portscan: Fixed Scale Talker Limit Exceeded
121 || 4 || flow-portscan: Sliding Scale Talker Limit Exceeded


@ -0,0 +1,37 @@
# Master Registry of Snort Generator Ids
#
#
# This file is used to maintain unique generator ids for files even if
# the default snort configuration doesn't include some patch that is
# required for a specific preprocessor to work
#
#
#
# Maintainer: Chris Green <cmg@sourcefire.com>
#
# Contact cmg@sourcefire.com for an assignment
rules_subsystem 1 # Snort Rules Engine
tag_subsystem 2 # Tagging Subsystem
portscan 100 # Portscan1
minfrag 101 # Minfrag [ removed ]
http_decode 102 # HTTP decode 1/2
defrag 103 # First defragmenter [ removed ]
spade 104 # SPADE [ not included anymore ]
bo 105 # Back Orifice
rpc_decode 106 # RPC Preprocessor
stream2 107 # 2nd stream preprocessor [removed]
stream3 108 # 3rd stream preprocessor (AVL nightmare) [ removed ]
telnet_neg 109 # telnet option decoder
unidecode 110 # unicode decoder
stream4 111 # Stream4 preprocessor
arpspoof 112 # Arp Spoof detector
frag2 113 # 2nd fragment preprocessor
fnord 114 # NOP detector [ removed ]
asn1 115 # ASN.1 Validator [ removed ]
decode 116 # Snort Internal Decoder
scan2 117 # portscan2
conversation 118 # conversation
reserved 119 # TBA
reserved 120 # TBA
snmp 121 # Andrew Baker's newer SNMP decoder
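Review bot: Generator id 121 is registered here as `snmp` ("Andrew Baker's newer SNMP decoder"), but the gen-msg.map imported in the same commit maps generator 121 to the four `flow-portscan` messages (the `121 || 1..4` entries). Both files appear to be copied verbatim from an upstream Snort release, so this is an upstream inconsistency rather than something introduced here, but anything that labels alerts by generator id from these two files will disagree on what 121 means. If the registry is only kept for reference, a one-line comment at the top of this file saying so, e.g. `# NOTE: ids here may lag gen-msg.map; treat gen-msg.map as authoritative for alert labelling`, would save the next reader the cross-check.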


@ -0,0 +1,107 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: icmp-info.rules 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# ICMP-INFO
#--------------
#
# Description:
# These rules are standard ICMP traffic. They include OS pings, as well
# as normal routing done by ICMP. There are a number of "catch all" rules
# that will alert on unknown ICMP types.
#
# Potentially "BAD" ICMP rules are included in icmp.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING *NIX"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; classtype:misc-activity; sid:366; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; reference:arachnids,152; classtype:misc-activity; sid:368; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; reference:arachnids,438; reference:arachnids,444; classtype:misc-activity; sid:369; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; reference:arachnids,151; classtype:misc-activity; sid:370; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; reference:arachnids,153; classtype:misc-activity; sid:371; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; reference:arachnids,155; classtype:misc-activity; sid:372; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; reference:arachnids,156; classtype:misc-activity; sid:373; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; reference:arachnids,157; classtype:misc-activity; sid:374; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; reference:arachnids,159; classtype:misc-activity; sid:376; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; reference:arachnids,161; classtype:misc-activity; sid:377; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; reference:arachnids,164; classtype:misc-activity; sid:378; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; reference:arachnids,163; classtype:misc-activity; sid:379; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; reference:arachnids,166; classtype:misc-activity; sid:380; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; reference:arachnids,169; classtype:misc-activity; sid:382; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)


@ -0,0 +1,35 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: icmp.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# ICMP RULES
#-----------
#
# Description:
# These rules are potentially bad ICMP traffic. They include most of the
# ICMP scanning tools and other "BAD" ICMP traffic (Such as redirect host)
#
# Other ICMP rules are included in icmp-info.rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; reference:arachnids,158; classtype:attempted-recon; sid:465; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; reference:arachnids,311; classtype:attempted-recon; sid:466; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-recon; sid:467; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; classtype:attempted-recon; sid:474; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; reference:arachnids,307; classtype:attempted-recon; sid:476; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; classtype:misc-activity; sid:480; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; reference:arachnids,167; classtype:misc-activity; sid:481; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; reference:arachnids,168; classtype:misc-activity; sid:482; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; reference:arachnids,154; classtype:misc-activity; sid:483; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; classtype:misc-activity; sid:484; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; classtype:misc-activity; sid:1813; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:499; rev:4;)


@ -0,0 +1,41 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: imap.rules 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# IMAP RULES
#--------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:cve,1999-0005; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:9;)
# auth is an imap2 function and only accepts literal usage
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:1930; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:8;)
# FIND does not accept a literal command
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:1755; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2046; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2107; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login brute force attempt"; flow:to_server,established; content:"LOGIN"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2273; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:3;)
alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:3;)


@ -0,0 +1,14 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: info.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# INFO RULES
#-----------
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP no password"; flow:from_client,established; content:"PASS"; nocase; pcre:"/^PASS\s*\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INFO battle-mail traffic"; flow:to_server,established; content:"BattleMail"; classtype:unknown; sid:490; rev:6;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"INFO FTP Bad login"; flow:from_server,established; content:"530 "; pcre:"/^530\s+(Login|User)/smi"; classtype:bad-unknown; sid:491; rev:8;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login failed"; nocase; classtype:bad-unknown; sid:492; rev:8;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"INFO TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; nocase; classtype:bad-unknown; sid:1251; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flow:from_server,established; content:"Welcome!psyBNC@lam3rz.de"; classtype:bad-unknown; sid:493; rev:5;)


@ -0,0 +1,6 @@
# $Id: local.rules 91 2004-07-15 08:13:57Z rwinslow $
# ----------------
# LOCAL RULES
# ----------------
# This file intentionally does not come with signatures. Put your local
# additions here.


@ -0,0 +1,94 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: misc.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# MISC RULES
#-----------
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:500; rev:4;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; classtype:bad-unknown; sid:501; rev:4;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flags:S,12; flow:stateless; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:6;)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flags:S,12; flow:stateless; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"MISC Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; reference:arachnids,229; classtype:bad-unknown; sid:505; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"MISC PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"MISC gopher proxy"; flow:to_server,established; content:"ftp|3A|"; nocase; content:"@/"; reference:arachnids,409; classtype:bad-unknown; sid:508; rev:7;)
alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"MISC PCAnywhere Failed Login"; flow:from_server,established; content:"Invalid login"; depth:16; reference:arachnids,240; classtype:unsuccessful-user; sid:512; rev:4;)
alert tcp $HOME_NET 7161 -> $EXTERNAL_NET any (msg:"MISC Cisco Catalyst Remote Access"; flags:SA,12; flow:stateless; reference:arachnids,129; reference:bugtraq,705; reference:cve,1999-0430; classtype:bad-unknown; sid:513; rev:10;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"MISC ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; reference:arachnids,461; classtype:bad-unknown; sid:514; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"MISC SNMP NT UserList"; content:"+|06 10|@|14 D1 02 19|"; classtype:attempted-recon; sid:516; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp query"; content:"|00 01 00 03 00 01 00|"; reference:arachnids,476; classtype:attempted-recon; sid:517; rev:1;)
# once we get response, check for content:"|00 01 00|"; offset:0; depth:3;
alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"MISC xdmcp info query"; content:"|00 01 00 02 00 01 00|"; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:1;)
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Large UDP Packet"; dsize:>4000; reference:arachnids,247; classtype:bad-unknown; sid:521; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments"; dsize:< 25; fragbits:M; classtype:bad-unknown; sid:522; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC UPnP Location overflow"; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;)
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddGame attempt"; flow:to_client,established; content:"aim|3A|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;)
alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"MISC AIM AddExternalApp attempt"; flow:to_client,established; content:"aim|3A|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1752; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"MISC AFS access"; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"MISC Xtramail Username overflow attempt"; dsize:>500; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; reference:bugtraq,791; reference:cve,1999-1511; classtype:attempted-admin; sid:1636; rev:8;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"MISC OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; nocase; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:3;)
alert udp $EXTERNAL_NET 2002 -> $HTTP_SERVERS 2002 (msg:"MISC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:5;)
# once we get response, check for content:"|03|"; offset:0; depth:1;
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request RDP"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1447; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal server request"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; reference:bugtraq,3099; reference:cve,2001-0540; classtype:protocol-command-decode; sid:1448; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"MISC Alcatel PABX 4400 connection attempt"; flow:established,to_server; content:"|00 01|C"; depth:3; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hardware address length overflow"; content:"|01|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp invalid hardware type"; content:"|01|"; depth:1; byte_test:1,>,7,1; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"MISC bootp hostname format string attempt"; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; reference:bugtraq,4701; reference:cve,2002-0702; classtype:misc-attack; sid:2039; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Disclosure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; dsize:>512; flow:to_server,established; content:"B|00 02|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:6;)
alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"MISC xtacacs failed login response"; content:"|80 02|"; depth:2; content:"|02|"; distance:4; classtype:misc-activity; sid:2041; rev:2;)
alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"MISC isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; classtype:misc-activity; sid:2043; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; classtype:misc-activity; sid:2047; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; classtype:misc-activity; sid:2048; rev:2;)
# This rule needs some work since you don't have to pass BEGIN and END
# anywhere near each other.
#
#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
#! msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
#! content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
#! within:255; classtype:misc-attack;)
# normally Idon't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2010; rev:4;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2011; rev:4;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:2;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2317; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2318; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; dsize:>156; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; classtype:attempted-admin; sid:2126; rev:6;)
# this rule is specificly not looking for flow, since tcpdump handles lengths wrong
alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:5;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; classtype:bad-unknown; sid:2159; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2532; rev:3;)
alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2533; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9978; classtype:web-application-activity; sid:2547; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; classtype:web-application-activity; sid:2548; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; classtype:string-detect; sid:2561; rev:2;)


@ -0,0 +1,20 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: multimedia.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# MULTIMEDIA RULES
#-------------
# These signatures look for people using streaming multimedia technologies.
# Using streaming media may be a violation of corporate policies.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MULTIMEDIA Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; classtype:policy-violation; sid:1436; rev:4;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media audio download"; flow:from_server,established; content:"Content-type|3A| audio/x-ms-wma"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1437; rev:5;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Windows Media Video download"; flow:from_server,established; content:"Content-type|3A| video/x-ms-asf"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1438; rev:6;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Shoutcast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-scpls"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1439; rev:5;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MULTIMEDIA Icecast playlist redirection"; flow:from_server,established; content:"Content-type|3A| audio/x-mpegurl"; nocase; content:"|0A|"; within:2; classtype:policy-violation; sid:1440; rev:5;)
alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; classtype:misc-activity; sid:1428; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .ram playlist download attempt"; flow:to_server,established; uricontent:".ram"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2419; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rmp playlist download attempt"; flow:to_server,established; uricontent:".rmp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2420; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .smi playlist download attempt"; flow:to_server,established; uricontent:".smi"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2421; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rt playlist download attempt"; flow:to_server,established; uricontent:".rt"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2422; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MULTIMEDIA realplayer .rp playlist download attempt"; flow:to_server,established; uricontent:".rp"; flowbits:set,realplayer.playlist; flowbits:noalert; classtype:misc-activity; sid:2423; rev:2;)


@ -0,0 +1,15 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: mysql.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# MYSQL RULES
#----------
#
# These signatures detect unusual and potentially malicious mysql traffic.
#
# These signatures are not enabled by default as they may generate false
# positive alarms on networks that do mysql development.
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; classtype:protocol-command-decode; sid:1775; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; classtype:protocol-command-decode; sid:1776; rev:2;)


@ -0,0 +1,150 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: netbios.rules 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# NETBIOS RULES
#--------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:536; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2467; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2468; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2469; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:532; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2473; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2474; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBu"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2475; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2174; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2175; rev:5;)
# where did these come from? I don't know. lets disable them for real for now
# and deal with it later...
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C|winreg|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
### alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS winreg unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00|"; offset:85; nocase; classtype:attempted-recon; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C|winreg|00|"; within:8; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2476; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Create AndX Request winreg unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|A2|"; depth:5; offset:4; byte_test:1,>,127,6,relative; content:"|5C 00|w|00|i|00|n|00|r|00|e|00|g|00 00 00|"; within:16; distance:79; nocase; flowbits:set,smb.winreg.create; classtype:protocol-command-decode; sid:2477; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|pipe|5C 00 05 00 0B|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2478; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC bind winreg unicode attempt"; flow:to_server,established; flowbits:set,smb.dce.bind.winreg; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|01 D0 8C|3D|22 F1|1|AA AA 90 00|8|00 10 03|"; within:16; distance:29; flowbits:isset,smb.winreg.create; classtype:protocol-command-decode; sid:2479; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2480; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown unicode little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,>,127,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 00|"; within:17; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2481; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,&,16,1,relative; content:"|18 00|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2482; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC shutdown little endian attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:5; nocase; byte_test:1,<,16,1,relative; content:"|00 18|"; within:2; distance:19; flowbits:isset,smb.dce.bind.winreg; classtype:protocol-command-decode; sid:2483; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DOS RFPoison"; flow:to_server,established; content:"|5C 00 5C 00|*|00|S|00|M|00|B|00|S|00|E|00|R|00|V|00|E|00|R|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00|"; reference:arachnids,454; classtype:attempted-dos; sid:529; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; reference:arachnids,204; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; classtype:attempted-recon; sid:1239; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; reference:arachnids,338; classtype:attempted-recon; sid:534; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; reference:arachnids,337; classtype:attempted-recon; sid:535; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS Samba clientaccess"; flow:to_server,established; content:"|00|Unix|00|Samba"; reference:arachnids,341; classtype:not-suspicious; sid:539; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00 00 00|"; depth:4; offset:43; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; sid:2101; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 14|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2103; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2190; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; classtype:attempted-dos; sid:2191; rev:3;)
alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; within:1; content:"|0C|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00 00|"; within:2; distance:33; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2350; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,&,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,little,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2351; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; within:1; byte_test:1,<,16,3,relative; content:"|5C 00 5C 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2352; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2192; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2193; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2492; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2493; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2251; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2252; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2257; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2258; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0B|"; depth:3; byte_test:1,&,16,1,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|98 D0 FF|k|12 A1 10|6|98|3F|C3 F8|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 00 00 05 00 0B|"; within:17; distance:5; byte_test:1,&,16,1,relative; content:"xV4|12|4|12 CD AB EF 00 01 23|Eg|89 AB|"; within:16; distance:29; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; distance:1; content:"|00|"; within:1; distance:1; byte_test:1,&,3,0,relative; content:"|00 00|"; within:2; distance:19; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2382; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|06 06|+|06 01 05 05 02|"; within:8; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; classtype:attempted-dos; sid:2383; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2384; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"|00 00 00|b|06 83 00 00 06|+|06 01 05 05 02|"; within:15; distance:1; content:"|06 0A|+|06 01 04 01 82|7|02 02 0A|"; distance:0; content:"|A3|>0<|A0|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; classtype:attempted-dos; sid:2385; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"|00|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2403; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|FF|SMBs"; depth:5; offset:4; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2404; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2495; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|05|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; within:1; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; flowbits:isset,netbios.lsass.bind.attempt; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; content:"|0B|"; within:1; distance:1; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00 05 00 0B|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"j|28 19|9|0C B1 D0 11 9B A8 00 C0|O|D9|.|F5|"; within:16; distance:29; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; depth:4; offset:4; nocase; content:"|05|"; distance:59; content:"|00|"; within:1; distance:1; content:"|09 00|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:7;)
alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:4;)
alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,>,127,2; content:"|00 01|"; depth:2; offset:6; reference:bugtraq,10334; reference:bugtraq,10335; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:4;)


@ -0,0 +1,18 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: nntp.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# NNTP RULES
#----------
alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return code buffer overflow attempt"; flow:to_server,established,no_stream; content:"200"; isdataat:64,relative; pcre:"/^200\s[^\n]{64}/smi"; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:1538; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2424; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2425; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2426; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2427; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2428; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2429; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2430; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-00045; classtype:attempted-admin; sid:2431; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:2;)
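Review bot: sid 1792 at the top of the section pairs a server-to-client header (`$EXTERNAL_NET 119 -> $HOME_NET any`, matching a `200` return code) with `flow:to_server,established`, so no stream direction satisfies both and the rule cannot fire; `flow:from_server,established,no_stream` is what the message describes. The `reference:cve,2004-00045` shared by sids 2424 through 2431 has five digits after the year, which is not a valid CVE id form for that period; it reads like a typo and should be checked against the bugtraq 9382 advisory before being corrected rather than guessed at.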


@ -0,0 +1,44 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: oracle.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# ORACLE RULES
#----------
#
# These signatures detect unusual and potentially malicious oracle traffic.
# These signatures are based from signatures written by Hank Leininger
# <hlein@progressive-comp.com> for Enterasys's Dragon IDS that he released
# publicly.
#
# These signatures are not enabled by default as they may generate false
# positive alarms on networks that do oracle development. If you use an
# Oracle based web application, you should set the destination port to
# 80 to catch attackers attempting to exploit your web application.
#
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:system-call-detect; sid:1673; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; classtype:protocol-command-decode; sid:1674; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE misparsed login response"; flow:from_server,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; classtype:suspicious-login; sid:1675; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; classtype:protocol-command-decode; sid:1676; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; classtype:protocol-command-decode; sid:1677; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; classtype:protocol-command-decode; sid:1678; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; classtype:protocol-command-decode; sid:1679; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; classtype:protocol-command-decode; sid:1680; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; classtype:protocol-command-decode; sid:1681; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; classtype:protocol-command-decode; sid:1682; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; classtype:protocol-command-decode; sid:1683; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; classtype:protocol-command-decode; sid:1684; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; classtype:protocol-command-decode; sid:1685; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; classtype:protocol-command-decode; sid:1686; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; classtype:protocol-command-decode; sid:1687; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; classtype:protocol-command-decode; sid:1688; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; classtype:protocol-command-decode; sid:1689; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; classtype:protocol-command-decode; sid:1690; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; classtype:protocol-command-decode; sid:1691; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1692; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; classtype:protocol-command-decode; sid:1694; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; classtype:protocol-command-decode; sid:1695; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; classtype:protocol-command-decode; sid:1696; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; classtype:protocol-command-decode; sid:1697; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE generate_replication_support prefix overflow attempt"; flow:to_server,established; content:"generate_replication_support"; nocase; pcre:"/(package|procedure)_prefix[\s\r\n]*=>[\s\r\n]*('[^']{1000,}|"[^"]{1000,})/Rsmi"; classtype:attempted-user; sid:2576; rev:2;)
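Review bot: The pcre in sid 2576 on the last line embeds a bare `"` inside the double-quoted option (`|"[^"]{1000,}`), which can terminate the option string early in a parser that ends the string at the next unescaped quote; `\x22` is the usual spelling for a quote inside a Snort pcre and removes the ambiguity. Every rule in the section depends on `$SQL_SERVERS` and `$ORACLE_PORTS`, which are not defined anywhere on this page; since the header comment already explains that the rules are off by default, it should also name the variables that must be set for them to load.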


@ -0,0 +1,22 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: other-ids.rules 91 2004-07-15 08:13:57Z rwinslow $
# ---------------
# OTHER-IDS RULES
# ---------------
# These signatures look for uses of other IDSs.
#
# These signatures serve two purposes.
# 1) If you are "IDS GUY" for a company, and someone else sets up an IDS
# without letting you know, thats bad.
# 2) If you are "pen-tester", this is a good way to find out what IDS
# systems your target is using after you have gained access to their
# network.
#
alert tcp $HOME_NET 902 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 event collector connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1760; rev:3;)
alert tcp $HOME_NET 2998 -> $EXTERNAL_NET any (msg:"OTHER-IDS ISS RealSecure 6 daemon connection attempt"; flow:from_server,established; content:"6ISS ECNRA Built-In Provider, Strong Encryption"; depth:70; offset:30; nocase; classtype:successful-recon-limited; sid:1761; rev:3;)
# To limit false positives, limit to the default port of 975
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OTHER-IDS SecureNetPro traffic"; flow:established; content:"|00|g|00 01 00 03|"; depth:6; classtype:bad-unknown; sid:1629; rev:6;)
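Review bot: The comment on the line above sid 1629 says the rule is limited to the default port 975 to reduce false positives, but the rule header is `$EXTERNAL_NET any -> $HOME_NET any`, so either the comment is stale or the restriction was dropped; with a six-byte content match and no port, this fires on unrelated binary traffic. Either change the header to `$HOME_NET 975` as the comment describes, or rewrite the comment to say the port is deliberately left unrestricted.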


@ -0,0 +1,25 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: p2p.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# P2P RULES
#-------------
# These signatures look for usage of P2P protocols, which are usually
# against corporate policy
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster login"; flow:to_server,established; content:"|00 02 00|"; depth:3; offset:1; classtype:policy-violation; sid:549; rev:8;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8888 (msg:"P2P napster new user login"; flow:to_server,established; content:"|00 06 00|"; depth:3; offset:1; classtype:policy-violation; sid:550; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"P2P napster download attempt"; flow:to_server,established; content:"|00 CB 00|"; depth:3; offset:1; classtype:policy-violation; sid:551; rev:7;)
alert tcp $EXTERNAL_NET 8888 -> $HOME_NET any (msg:"P2P napster upload request"; flow:from_server,established; content:"|00|_|02|"; depth:3; offset:1; classtype:policy-violation; sid:552; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6699 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:561; rev:6;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 7777 (msg:"P2P Napster Client Data"; flow:to_server,established; content:".mp3"; nocase; classtype:policy-violation; sid:562; rev:5;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 6666 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:563; rev:6;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 5555 (msg:"P2P Napster Client Data"; flow:established; content:".mp3"; nocase; classtype:policy-violation; sid:564; rev:7;)
alert tcp $HOME_NET any <> $EXTERNAL_NET 8875 (msg:"P2P Napster Server Login"; flow:established; content:"anon@napster.com"; classtype:policy-violation; sid:565; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1214 (msg:"P2P Fastrack kazaa/morpheus GET request"; flow:to_server,established; content:"GET "; depth:4; reference:url,www.kazaa.com; reference:url,www.musiccity.com/technology.htm; classtype:policy-violation; sid:1383; rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET"; depth:3; content:"UserAgent|3A| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:1699; rev:7;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"P2P BitTorrent announce request"; flow:to_server,established; content:"GET"; depth:4; content:"/announce"; distance:1; content:"info_hash="; offset:4; content:"event=started"; offset:4; classtype:policy-violation; sid:2180; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6881:6889 (msg:"P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; classtype:policy-violation; sid:2181; rev:2;)
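Review bot: sid 1432 (`content:"GNUTELLA"; depth:8`) is a strict prefix of sids 556 and 557 on the two lines after it, so every Gnutella handshake raises two alerts, and 1432 and 557 carry the identical message `P2P GNUTella client request`, which makes them indistinguishable in output. Among the Napster data rules, sid 562 is the only one with `flow:to_server,established` on a bidirectional `<>` header while its siblings 561, 563 and 564 use `flow:established`; if the asymmetry is intended it deserves a comment, otherwise align it with the others.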


@ -0,0 +1,40 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: policy.rules 91 2004-07-15 08:13:57Z rwinslow $
#-------------
# POLICY RULES
#-------------
#
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s+(anonymous|ftp)/smi"; classtype:misc-activity; sid:553; rev:7;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY WinGate telnet server response"; flow:from_server,established; content:"WinGate>"; reference:arachnids,366; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:8;)
# we have started to see multiple versions of this beyond 003.003, so we have
# expanded this signature to take that into account.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"POLICY PCAnywhere server response"; content:"ST"; depth:2; reference:arachnids,239; classtype:misc-activity; sid:566; rev:4;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"POLICY SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; reference:arachnids,302; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:8;)
alert ip 63.251.224.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:2;)
# NOTES: This signature would be better off using uricontent, and having the
# http decoder looking at 5800 and 5802, but that is on by default
alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:543; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; classtype:misc-activity; sid:544; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:546; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD ' possible warez site"; flow:to_Server,established; content:"MKD "; depth:5; nocase; classtype:misc-activity; sid:547; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:548; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:545; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; classtype:attempted-admin; sid:2044; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY xtacacs login attempt"; content:"|80 01|"; depth:2; content:"|00|"; distance:4; classtype:misc-activity; sid:2040; rev:3;)
alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY xtacacs accepted login response"; content:"|80 02|"; depth:2; content:"|01|"; distance:4; classtype:misc-activity; sid:2042; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY IPSec PGPNet connection attempt"; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; classtype:protocol-command-decode; sid:1771; rev:6;)
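Review bot: sid 547 (the `MKD ` warez rule) spells the flow keyword `to_Server` with a capital S, unlike every other rule in the file; if the consumer's flow parser compares case-sensitively the rule is rejected or the whole file fails to load, so it should read `flow:to_server,established` in any case. sid 1429 hard-codes a single address (`63.251.224.177`) in the rule header for a hosted service; such addresses change without notice, so a comment recording when it was last verified, or a variable in place of the literal, would keep the rule maintainable.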


@ -0,0 +1,11 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: pop2.rules 91 2004-07-15 08:13:57Z rwinslow $
#--------------
# POP2 RULES
#--------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD overflow attempt"; flow:established,to_server; isdataat:256,relative; content:"FOLD"; pcre:"/^FOLD\s[^\n]{256}/smi"; reference:bugtraq,283; reference:cve,1999-0920; classtype:attempted-admin; sid:1934; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 FOLD arbitrary file attempt"; flow:established,to_server; pcre:"/^FOLD\s+\//smi"; content:"FOLD"; classtype:misc-attack; sid:1935; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|EB|,[|89 D9 80 C1 06|9|D9 7C 07 80 01|"; classtype:attempted-admin; sid:284; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"POP2 x86 Linux overflow"; flow:established,to_server; content:"|FF FF FF|/BIN/SH|00|"; classtype:attempted-admin; sid:285; rev:6;)
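Review bot: sid 1934 places `isdataat:256,relative` before its `content:"FOLD"` match, so the relative offset has no preceding match to be relative to and the check is evaluated from the start of the payload or ignored, depending on the parser, whereas the POP3 rules at the end of this chunk put `isdataat` after the content. Reordering to `content:"FOLD"; isdataat:256,relative; pcre:"/^FOLD\s[^\n]{256}/smi";` makes the length check and the regex agree on their anchor. sids 284 and 285 share the message `POP2 x86 Linux overflow` and differ only in the bytes they match, so giving them distinct messages would help triage.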


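--- /dev/null
+++ b/pop3.rules
@@ -0,0 +1,42 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+# All rights reserved.
+# $Id: pop3.rules 91 2004-07-15 08:13:57Z rwinslow $
+#--------------
+# POP3 RULES
+#--------------
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; classtype:misc-attack; sid:2121; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; reference:bugtraq,6053; reference:cve,2002-1539; classtype:misc-attack; sid:2122; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:50,relative; pcre:"/^USER\s[^\n]{50,}/smi"; reference:bugtraq,789; reference:cve,1999-0494; reference:nessus,10311; classtype:attempted-admin; sid:1866; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2108; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2109; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2110; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2111; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2112; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1936; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; classtype:attempted-admin; sid:1937; rev:5;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; classtype:attempted-admin; sid:1938; rev:4;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; reference:cve,1999-1511; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:13;)
+# bsd-qpopper.c
+# overflow in the reading of a line in qpopper
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; reference:bugtraq,133; reference:cve,1999-0006; classtype:attempted-admin; sid:286; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; classtype:attempted-admin; sid:287; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:288; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; classtype:attempted-admin; sid:289; rev:6;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; classtype:attempted-admin; sid:290; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; reference:bugtraq,7667; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:1;)
+# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 login brute force attempt"; flow:to_server,established; content:"USER"; nocase; threshold:type threshold, track by_dst, count 30, seconds 30; classtype:suspicious-login; sid:2274; rev:2;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; reference:bugtraq,9794; classtype:attempted-admin; sid:2409; rev:1;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; byte_test:4,>,2147483647,5,relative; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:8;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:7;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"PO3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:3;)
+alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:3;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:3;)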
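Review bot: sid 2537 on the last line looks dead as written: it requires `flowbits:isset,sslv3.server_hello.request`, but within this file that bit is only set by sid 2536 on `$HOME_NET 995` flows, and flowbits are tracked per flow, so a connection to port 993 can never carry it; unless another rules file sets the same bit for 993 traffic, the port should read `$HOME_NET 995` to pair with sids 2535/2536 (993 is the IMAPS port and belongs in the IMAP set). Separately, the ten-byte thresholds in sids 2108–2112 (`isdataat:10,relative; pcre:"/^TOP\s[^\n]{10}/smi"` and siblings) treat any CAPA/TOP/STAT/DELE/RSET argument of ten or more characters as an overflow; a legitimate `TOP 12345 10000` already exceeds that, so expect false positives on busy servers and consider raising the length or adding references that justify it. Cosmetic but user-facing: `arguement` in sids 2121/2122 and `PO3` in sid 2518 are typos in the msg strings.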


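--- /dev/null
+++ b/porn.rules
@@ -0,0 +1,36 @@
+# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
+# All rights reserved.
+# $Id: porn.rules 91 2004-07-15 08:13:57Z rwinslow $
+#-------------
+# PORN RULES
+#-------------
+#
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.erotica"; flow:to_client,established; content:"alt.binaries.pictures.erotica"; nocase; classtype:kickass-porn; sid:1836; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN alt.binaries.pictures.tinygirls"; flow:to_client,established; content:"alt.binaries.pictures.tinygirls"; nocase; classtype:kickass-porn; sid:1837; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN free XXX"; content:"FREE XXX"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1310; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore anal"; content:"hardcore anal"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1311; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude cheerleader"; content:"nude cheerleader"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1312; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN up skirt"; content:"up skirt"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1313; rev:5;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN young teen"; content:"young teen"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1314; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hot young sex"; content:"hot young sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1315; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck fuck fuck"; content:"fuck fuck fuck"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1316; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN anal sex"; content:"anal sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1317; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN hardcore rape"; content:"hardcore rape"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1318; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN real snuff"; content:"real snuff"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1319; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fuck movies"; content:"fuck movies"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1320; rev:5;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN dildo"; content:"dildo"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1781; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nipple clamp"; content:"nipple"; nocase; content:"clamp"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1782; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN oral sex"; content:"oral sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1783; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN nude celeb"; content:"nude celeb"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1784; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN voyeur"; content:"voyeur"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1785; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN raw sex"; content:"raw sex"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1786; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fetish"; content:"fetish"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1793; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN masturbation"; content:"masturbat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1794; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN ejaculation"; content:"ejaculat"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1795; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN virgin"; content:"virgin "; nocase; flow:to_client,established; classtype:kickass-porn; sid:1796; rev:2;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN BDSM"; content:"BDSM"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1797; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN erotica"; content:"erotic"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1798; rev:1;)
+# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN fisting"; content:"fisting"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1799; rev:1;)
+alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"PORN naked lesbians"; content:"naked lesbians"; nocase; flow:to_client,established; classtype:kickass-porn; sid:1833; rev:1;)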
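Review bot: These rules are plain keyword matches on raw `$HTTP_PORTS -> $HOME_NET` payload with no HTTP-body anchoring, so they fire only on uncompressed cleartext responses — gzip/deflate-encoded bodies and any TLS traffic are invisible to them (presumably no decompression preprocessor is assumed at this vintage), while short `nocase` tokens such as `dildo`, `BDSM` or `masturbat` will also hit inside unrelated text, binary or base64 runs. Sid 1782 additionally checks `content:"nipple"` and `content:"clamp"` with no `distance`/`within`, so the two words may be anywhere in the packet. If this category stays enabled, the header comment should say what these are so they are not mistaken for security detections, e.g. `# Keyword heuristics on cleartext HTTP responses only; content-policy, not attack detection; expect false positives.`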


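--- /dev/null
+++ b/reference.config
@@ -0,0 +1,14 @@
+# $Id: reference.config 91 2004-07-15 08:13:57Z rwinslow $
+# The following defines URLs for the references found in the rules
+#
+# config reference: system URL
+config reference: bugtraq http://www.securityfocus.com/bid/
+config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
+config reference: arachNIDS http://www.whitehats.com/info/IDS
+# Note, this one needs a suffix as well.... lets add that in a bit.
+config reference: McAfee http://vil.nai.com/vil/content/v_
+config reference: nessus http://cgi.nessus.org/plugins/dump.php3?id=
+config reference: url http://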
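Review bot: The McAfee entry is left with an unresolved TODO (`# Note, this one needs a suffix as well.... lets add that in a bit.`), so any `reference:McAfee,<id>` in the rule set renders as a URL that cannot resolve; either document the limitation plainly or drop the entry until the suffix handling exists, e.g. `# McAfee: prefix only; the required ".htm" style suffix is not appended, so these links are incomplete.` As far as I can tell the bugtraq, arachNIDS and cgi.nessus.org hosts are long defunct, so analysts following alert references will hit dead links — a comment marking these bases as historical (the IDs remain useful for lookup elsewhere) would save triage time. Note also that every base is `http://`, and the `url` type prepends `http://` to whatever the rule supplies, so HTTPS-only targets cannot be expressed.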


@ -0,0 +1,219 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: rpc.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------
# RPC RULES
#----------
# portmap specific stuff.
## bleck. Not happy about this. because of the non-rule ordering foo, I'm
## checking the first byte in the version, which should always be 0. When we
## alert multiple times on a packet, I'll put these rules back to:
## content:"|0a 01 86 a0|"; offset:16; depth:4; content:"|00 00 00 05|";
## distance:4; within:4;
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2093; rev:5;)
# this rule makes me not happy as well. see above.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy integer overflow attempt UDP"; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2092; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1922; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap proxy attempt UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1923; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1949; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1950; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UNSET attempt UDP 111"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2015; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1746; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:1747; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1732; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1733; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,19; classtype:rpc-portmap-decode; sid:1263; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:1264; rev:13;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:1267; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:1268; rev:12;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:1269; rev:10;)
# rusers
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:14;)
# XXX - Need to find out if rusers exists on TCP and if so, implement one of
# these for TCP...
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2016; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap snmpXdmi request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt UDP"; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1890; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:1891; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap mountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount path overflow attempt"; content:"|00 01 86 A5 00|"; depth:5; offset:12; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2185; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:1951; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:1952; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2018; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP dump request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2019; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2020; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmount request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2021; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:attempted-recon; sid:2022; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP unmountall request"; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:attempted-recon; sid:2023; rev:4;)
# amd
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1953; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1954; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1955; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1956; rev:5;)
# cmsd
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1907; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2094; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2095; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:10;)
# sadmind
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:1272; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap sadmind request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:5;)
# statd
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,10; classtype:rpc-portmap-decode; sid:1270; rev:11;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1913; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1914; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1915; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:1916; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:misc-attack; sid:2088; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:misc-attack; sid:2089; rev:5;)
# NFS
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1959; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1960; rev:7;)
# rquota
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:1961; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:1962; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1964; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:1965; rev:8;)
# not sure what this rule is looking for, other than the procedure 15
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; reference:arachnids,241; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2027; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2028; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2025; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2026; rev:9;)
# XXX - These need re-verified
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2029; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2030; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update UDP"; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2031; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2032; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request UDP"; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2033; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:Cve,CAN-2002-1232; reference:bugtraq,5914; reference:bugtraq,6016; classtype:rpc-portmap-decode; sid:2034; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2035; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2036; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request UDP"; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2037; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; classtype:rpc-portmap-decode; sid:2038; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2079; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2080; rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt UDP"; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2255; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; classtype:misc-attack; sid:2256; rev:3;)


@ -0,0 +1,20 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: rservices.rules 91 2004-07-15 08:13:57Z rwinslow $
#----------------
# RSERVICES RULES
#----------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; classtype:bad-unknown; sid:601; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"|01|rlogind|3A| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;)
alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"RSERVICES rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"RSERVICES rsh root"; flow:to_server,established; content:"root|00|root|00|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
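Review bot: Two different rules in this file, sid 611 (matching the `|01|rlogind|3A| Permission denied.` banner) and sid 605 (matching `login incorrect`), carry the identical msg `RSERVICES rlogin login failure`, so alert output names them the same and an analyst has to fall back on the sid to tell which server response fired. Distinct msg strings such as `RSERVICES rlogin login failure - permission denied` and `RSERVICES rlogin login failure - login incorrect` would keep the two alerts unambiguous. Since this looks like an upstream Snort rule set copied in verbatim, the rename is best recorded as a local revision (rev bump) rather than a silent edit.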


@ -0,0 +1,36 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: scan.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners. These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker. Those are
# in web*
#
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ack:0; flags:S; ttl:>220; flow:stateless; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; dsize:0; flags:SF12; flow:stateless; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; flow:stateless; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; flow:stateless; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; ack:0; flags:0; seq:0; flow:stateless; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; flow:stateless; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; flow:stateless; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; flow:stateless; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flags:PA12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; ack:0; flags:SFU12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; ack:0; flags:SFP; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:11;)


@ -0,0 +1,36 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: shellcode.rules 91 2004-07-15 08:13:57Z rwinslow $
# ---------------
# SHELLCODE RULES
# ---------------
# These signatures are based on shellcode that is common ammong multiple
# publicly available exploits.
#
# Because these signatures check ALL traffic for shellcode, these signatures
# are disabled by default. There is a LARGE performance hit by enabling
# these signatures.
#
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:6;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:8;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:8;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; classtype:shellcode-detect; sid:640; rev:6;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:6;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:6;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:7;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 stealth NOOP"; content:"|EB 02 EB 02 EB 02|"; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:8;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 unicode NOOP"; content:"|90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:653; rev:8;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:9;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; classtype:shellcode-detect; sid:1390; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 NOOP"; content:"aaaaaaaaaaaaaaaaaaaaa"; classtype:shellcode-detect; sid:1394; rev:5;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0xEB0C NOOP"; content:"|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C|"; classtype:shellcode-detect; sid:1424; rev:6;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP"; content:"q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|q|FB|{|AB|"; classtype:shellcode-detect; sid:2312; rev:2;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|q|00 FB 00|{|00 AB 00|"; classtype:shellcode-detect; sid:2313; rev:2;)
alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"SHELLCODE x86 0x90 NOOP unicode"; content:"|90 00 90 00 90 00 90 00 90 00 90 00 90 00 90 00|"; classtype:shellcode-detect; sid:2314; rev:1;)
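Review bot: The header comment says these signatures are disabled by default, yet every rule in the file is an active `alert` line and none is commented out, so the disabling can only come from the file not being included by the configuration, which is not part of this commit. The comment should state that mechanism so a reader does not assume the rules are inert once the file is loaded, e.g. `# Disabled by default: this file is not included by the default Snort configuration; include it explicitly to enable.`. The performance warning in the same header is presumably the reason, but the rule file itself cannot enforce it.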


@ -0,0 +1,2 @@
# $Id: sid 91 2004-07-15 08:13:57Z rwinslow $
2577



@ -0,0 +1,68 @@
# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: smtp.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# SMTP RULES
#-----------
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:12;)
alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; classtype:attempted-dos; sid:658; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; reference:arachnids,143; reference:cve,1999-0208; classtype:attempted-admin; sid:661; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; reference:arachnids,119; classtype:attempted-admin; sid:662; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s+[|\x3b]/smi"; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s+decode/smi"; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:13;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; reference:arachnids,123; classtype:attempted-user; sid:667; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; reference:arachnids,124; classtype:attempted-user; sid:668; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:16;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; reference:bugtraq,1297; reference:cve,2000-0490; classtype:attempted-admin; sid:1550; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding|3A|"; isdataat:100,relative; content:!"|0A|"; within:100; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2261; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2262; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2264; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:misc-attack; sid:2266; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2268; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,2003-0161; classtype:attempted-admin; sid:2270; rev:4;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2487; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow:to_server, established; content:"Content-Type|3A|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype:attempted-user; sid:2488; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP Client_Hello overflow attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:3;)
alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0D 0A|"; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; content:!"|03|"; depth:1; offset:9; reference:bugtraq,10115; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,6; byte_test:2,!,0,8; byte_test:2,!,16,8; byte_test:2,>,20,10; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2542; rev:3;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; depth:1; offset:5; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; depth:1; offset:5; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:3;)

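--- a/snmp.rules
+++ b/snmp.rules
@@ -0,0 +1,24 @@
+# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
+# All rights reserved.
+# $Id: snmp.rules 91 2004-07-15 08:13:57Z rwinslow $
+# ---------------
+# SNMP RULES
+# ---------------
+#
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP missing community string attempt"; content:"|04 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:4;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:6;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt"; content:"|02 01 00 04 82 01 00|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"SNMP community string buffer overflow attempt with evasion"; content:" |04 82 01 00|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access udp"; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:10;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;)
+alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
+alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
+alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:5;)
+alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:4;)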


@ -0,0 +1,617 @@
#--------------------------------------------------
# http://www.snort.org Snort 2.1.0 Ruleset
# Contact: snort-sigs@lists.sourceforge.net
#--------------------------------------------------
# $Id: snort.conf 91 2004-07-15 08:13:57Z rwinslow $
#
###################################################
# This file contains a sample snort configuration.
# You can take the following steps to create your own custom configuration:
#
# 1) Set the network variables for your network
# 2) Configure preprocessors
# 3) Configure output plugins
# 4) Customize your rule set
#
###################################################
# Step #1: Set the network variables:
#
# You must change the following variables to reflect your local network. The
# variable is currently setup for an RFC 1918 address space.
#
# You can specify it explicitly as:
#
# var HOME_NET 10.1.1.0/24
#
# or use global variable $<interfacename>_ADDRESS which will be always
# initialized to IP address and netmask of the network interface which you run
# snort at. Under Windows, this must be specified as
# $(<interfacename>_ADDRESS), such as:
# $(\Device\Packet_{12345678-90AB-CDEF-1234567890AB}_ADDRESS)
#
# var HOME_NET $eth0_ADDRESS
#
# You can specify lists of IP addresses for HOME_NET
# by separating the IPs with commas like this:
#
# var HOME_NET [10.1.1.0/24,192.168.1.0/24]
#
# MAKE SURE YOU DON'T PLACE ANY SPACES IN YOUR LIST!
#
# or you can specify the variable to be any IP address
# like this:
var HOME_NET any
# Set up the external network addresses as well. A good start may be "any"
var EXTERNAL_NET any
# Configure your server lists. This allows snort to only look for attacks to
# systems that have a service up. Why look for HTTP attacks if you are not
# running a web server? This allows quick filtering based on IP addresses
# These configurations MUST follow the same configuration scheme as defined
# above for $HOME_NET.
# List of DNS servers on your network
var DNS_SERVERS $HOME_NET
# List of SMTP servers on your network
var SMTP_SERVERS $HOME_NET
# List of web servers on your network
var HTTP_SERVERS $HOME_NET
# List of sql servers on your network
var SQL_SERVERS $HOME_NET
# List of telnet servers on your network
var TELNET_SERVERS $HOME_NET
# List of snmp servers on your network
var SNMP_SERVERS $HOME_NET
# Configure your service ports. This allows snort to look for attacks destined
# to a specific application only on the ports that application runs on. For
# example, if you run a web server on port 8081, set your HTTP_PORTS variable
# like this:
#
# var HTTP_PORTS 8081
#
# Port lists must either be continuous [eg 80:8080], or a single port [eg 80].
# We will adding support for a real list of ports in the future.
# Ports you run web servers on
#
# Please note: [80,8080] does not work.
# If you wish to define multiple HTTP ports,
#
## var HTTP_PORTS 80
## include somefile.rules
## var HTTP_PORTS 8080
## include somefile.rules
var HTTP_PORTS 80
# Ports you want to look for SHELLCODE on.
var SHELLCODE_PORTS !80
# Ports you do oracle attacks on
var ORACLE_PORTS 1521
# other variables
#
# AIM servers. AOL has a habit of adding new AIM servers, so instead of
# modifying the signatures when they do, we add them to this list of servers.
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24,64.12.26.14/24,64.12.28.0/24,64.12.29.0/24,64.12.161.0/24,64.12.163.0/24,205.188.5.0/24,205.188.9.0/24]
# Path to your rules files (this can be a relative path)
var RULE_PATH ../rules
# Configure the snort decoder
# ============================
#
# Snort's decoder will alert on lots of things such as header
# truncation or options of unusual length or infrequently used tcp options
#
#
# Stop generic decode events:
#
# config disable_decode_alerts
#
# Stop Alerts on experimental TCP options
#
# config disable_tcpopt_experimental_alerts
#
# Stop Alerts on obsolete TCP options
#
# config disable_tcpopt_obsolete_alerts
#
# Stop Alerts on T/TCP alerts
#
# In snort 2.0.1 and above, this only alerts when a TCP option is detected
# that shows T/TCP being actively used on the network. If this is normal
# behavior for your network, disable the next option.
#
# config disable_tcpopt_ttcp_alerts
#
# Stop Alerts on all other TCPOption type events:
#
# config disable_tcpopt_alerts
#
# Stop Alerts on invalid ip options
#
# config disable_ipopt_alerts
# Configure the detection engine
# ===============================
#
# Use a different pattern matcher in case you have a machine with very limited
# resources:
#
# config detection: search-method lowmem
###################################################
# Step #2: Configure preprocessors
#
# General configuration for preprocessors is of
# the form
# preprocessor <name_of_processor>: <configuration_options>
# Configure Flow tracking module
# -------------------------------
#
# The Flow tracking module is meant to start unifying the state keeping
# mechanisms of snort into a single place. Right now, only a portscan detector
# is implemented but in the long term, many of the stateful subsystems of
# snort will be migrated over to becoming flow plugins. This must be enabled
# for flow-portscan to work correctly.
#
# See README.flow for additional information
#
preprocessor flow: stats_interval 0 hash 2
# frag2: IP defragmentation support
# -------------------------------
# This preprocessor performs IP defragmentation. This plugin will also detect
# people launching fragmentation attacks (usually DoS) against hosts. No
# arguments loads the default configuration of the preprocessor, which is a 60
# second timeout and a 4MB fragment buffer.
# The following (comma delimited) options are available for frag2
# timeout [seconds] - sets the number of [seconds] that an unfinished
# fragment will be kept around waiting for completion,
# if this time expires the fragment will be flushed
# memcap [bytes] - limit frag2 memory usage to [number] bytes
# (default: 4194304)
#
# min_ttl [number] - minimum ttl to accept
#
# ttl_limit [number] - difference of ttl to accept without alerting
# will cause false positves with router flap
#
# Frag2 uses Generator ID 113 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Oversized fragment (reassembled frag > 64k bytes)
# 2 Teardrop-type attack
preprocessor frag2
# stream4: stateful inspection/stream reassembly for Snort
#----------------------------------------------------------------------
# Use in concert with the -z [all|est] command line switch to defeat stick/snot
# against TCP rules. Also performs full TCP stream reassembly, stateful
# inspection of TCP streams, etc. Can statefully detect various portscan
# types, fingerprinting, ECN, etc.
# stateful inspection directive
# no arguments loads the defaults (timeout 30, memcap 8388608)
# options (options are comma delimited):
# detect_scans - stream4 will detect stealth portscans and generate alerts
# when it sees them when this option is set
# detect_state_problems - detect TCP state problems, this tends to be very
# noisy because there are a lot of crappy ip stack
# implementations out there
#
# disable_evasion_alerts - turn off the possibly noisy mitigation of
# overlapping sequences.
#
#
# min_ttl [number] - set a minium ttl that snort will accept to
# stream reassembly
#
# ttl_limit [number] - differential of the initial ttl on a session versus
# the normal that someone may be playing games.
# Routing flap may cause lots of false positives.
#
# keepstats [machine|binary] - keep session statistics, add "machine" to
# get them in a flat format for machine reading, add
# "binary" to get them in a unified binary output
# format
# noinspect - turn off stateful inspection only
# timeout [number] - set the session timeout counter to [number] seconds,
# default is 30 seconds
# memcap [number] - limit stream4 memory usage to [number] bytes
# log_flushed_streams - if an event is detected on a stream this option will
# cause all packets that are stored in the stream4
# packet buffers to be flushed to disk. This only
# works when logging in pcap mode!
#
# Stream4 uses Generator ID 111 and uses the following SIDS
# for that GID:
# SID Event description
# ----- -------------------
# 1 Stealth activity
# 2 Evasive RST packet
# 3 Evasive TCP packet retransmission
# 4 TCP Window violation
# 5 Data on SYN packet
# 6 Stealth scan: full XMAS
# 7 Stealth scan: SYN-ACK-PSH-URG
# 8 Stealth scan: FIN scan
# 9 Stealth scan: NULL scan
# 10 Stealth scan: NMAP XMAS scan
# 11 Stealth scan: Vecna scan
# 12 Stealth scan: NMAP fingerprint scan stateful detect
# 13 Stealth scan: SYN-FIN scan
# 14 TCP forward overlap
preprocessor stream4: disable_evasion_alerts
# tcp stream reassembly directive
# no arguments loads the default configuration
# Only reassemble the client,
# Only reassemble the default list of ports (See below),
# Give alerts for "bad" streams
#
# Available options (comma delimited):
# clientonly - reassemble traffic for the client side of a connection only
# serveronly - reassemble traffic for the server side of a connection only
# both - reassemble both sides of a session
# noalerts - turn off alerts from the stream reassembly stage of stream4
# ports [list] - use the space separated list of ports in [list], "all"
# will turn on reassembly for all ports, "default" will turn
# on reassembly for ports 21, 23, 25, 53, 80, 143, 110, 111
# and 513
preprocessor stream4_reassemble
# http_inspect: normalize and detect HTTP traffic and protocol anomalies
#
# lots of options available here. See doc/README.http_inspect.
# unicode.map should be wherever your snort.conf lives, or given
# a full path to where snort can find it.
preprocessor http_inspect: global \
iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default \
profile all ports { 80 8080 8180 } oversize_dir_length 500
#
# Example unqiue server configuration
#
#preprocessor http_inspect_server: server 1.1.1.1 \
# ports { 80 3128 8080 } \
# flow_depth 0 \
# ascii no \
# double_decode yes \
# non_rfc_char { 0x00 } \
# chunk_length 500000 \
# non_strict \
# oversize_dir_length 300 \
# no_alerts
# rpc_decode: normalize RPC traffic
# ---------------------------------
# RPC may be sent in alternate encodings besides the usual 4-byte encoding
# that is used by default. This plugin takes the port numbers that RPC
# services are running on as arguments - it is assumed that the given ports
# are actually running this type of service. If not, change the ports or turn
# it off.
# The RPC decode preprocessor uses generator ID 106
#
# arguments: space separated list
# alert_fragments - alert on any rpc fragmented TCP data
# no_alert_multiple_requests - don't alert when >1 rpc query is in a packet
# no_alert_large_fragments - don't alert when the fragmented
# sizes exceed the current packet size
# no_alert_incomplete - don't alert when a single segment
# exceeds the current packet size
preprocessor rpc_decode: 111 32771
# bo: Back Orifice detector
# -------------------------
# Detects Back Orifice traffic on the network. Takes no arguments in 2.0.
#
# The Back Orifice detector uses Generator ID 105 and uses the
# following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Back Orifice traffic detected
preprocessor bo
# telnet_decode: Telnet negotiation string normalizer
# ---------------------------------------------------
# This preprocessor "normalizes" telnet negotiation strings from telnet and ftp
# traffic. It works in much the same way as the http_decode preprocessor,
# searching for traffic that breaks up the normal data stream of a protocol and
# replacing it with a normalized representation of that traffic so that the
# "content" pattern matching keyword can work without requiring modifications.
# This preprocessor requires no arguments.
# Portscan uses Generator ID 109 and does not generate any SID currently.
preprocessor telnet_decode
# Flow-Portscan: detect a variety of portscans
# ---------------------------------------
# Note: The Flow preprocessor (above) must first be enabled for Flow-Portscan to
# work.
#
# This module detects portscans based off of flow creation in the flow
# preprocessors. The goal is to catch catch one->many hosts and one->many
# ports scans.
#
# Flow-Portscan has numerous options available, please read
# README.flow-portscan for help configuring this option.
# Flow-Portscan uses Generator ID 121 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 flow-portscan: Fixed Scale Scanner Limit Exceeded
# 2 flow-portscan: Sliding Scale Scanner Limit Exceeded
# 3 flow-portscan: Fixed Scale Talker Limit Exceeded
# 4 flow-portscan: Sliding Scale Talker Limit Exceeded
# preprocessor flow-portscan: \
# talker-sliding-scale-factor 0.50 \
# talker-fixed-threshold 30 \
# talker-sliding-threshold 30 \
# talker-sliding-window 20 \
# talker-fixed-window 30 \
# scoreboard-rows-talker 30000 \
# server-watchnet [10.2.0.0/30] \
# server-ignore-limit 200 \
# server-rows 65535 \
# server-learning-time 14400 \
# server-scanner-limit 4 \
# scanner-sliding-window 20 \
# scanner-sliding-scale-factor 0.50 \
# scanner-fixed-threshold 15 \
# scanner-sliding-threshold 40 \
# scanner-fixed-window 15 \
# scoreboard-rows-scanner 30000 \
# src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
# dst-ignore-net [10.0.0.0/30] \
# alert-mode once \
# output-mode msg \
# tcp-penalties on
# arpspoof
#----------------------------------------
# Experimental ARP detection code from Jeff Nathan, detects ARP attacks,
# unicast ARP requests, and specific ARP mapping monitoring. To make use of
# this preprocessor you must specify the IP and hardware address of hosts on
# the same layer 2 segment as you. Specify one host IP MAC combo per line.
# Also takes a "-unicast" option to turn on unicast ARP request detection.
# Arpspoof uses Generator ID 112 and uses the following SIDS for that GID:
# SID Event description
# ----- -------------------
# 1 Unicast ARP request
# 2 Etherframe ARP mismatch (src)
# 3 Etherframe ARP mismatch (dst)
# 4 ARP cache overwrite attack
#preprocessor arpspoof
#preprocessor arpspoof_detect_host: 192.168.40.1 f0:0f:00:f0:0f:00
# Performance Statistics
# ----------------------
# Documentation for this is provided in the Snort Manual. You should read it.
# It is included in the release distribution as doc/snort_manual.pdf
#
# preprocessor perfmonitor: time 300 file /var/snort/snort.stats pktcnt 10000
####################################################################
# Step #3: Configure output plugins
#
# Uncomment and configure the output plugins you decide to use. General
# configuration for output plugins is of the form:
#
# output <name_of_plugin>: <configuration_options>
#
# alert_syslog: log alerts to syslog
# ----------------------------------
# Use one or more syslog facilities as arguments. Win32 can also optionally
# specify a particular hostname/port. Under Win32, the default hostname is
# '127.0.0.1', and the default port is 514.
#
# [Unix flavours should use this format...]
# output alert_syslog: LOG_AUTH LOG_ALERT
#
# [Win32 can use any of these formats...]
# output alert_syslog: LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname, LOG_AUTH LOG_ALERT
# output alert_syslog: host=hostname:port, LOG_AUTH LOG_ALERT
# log_tcpdump: log packets in binary tcpdump format
# -------------------------------------------------
# The only argument is the output file name.
#
# output log_tcpdump: tcpdump.log
# database: log to a variety of databases
# ---------------------------------------
# See the README.database file for more information about configuring
# and using this plugin.
#
# output database: log, mysql, user=root password=test dbname=db host=localhost
# output database: alert, postgresql, user=snort dbname=snort
# output database: log, odbc, user=snort dbname=snort
# output database: log, mssql, dbname=snort user=snort password=test
# output database: log, oracle, dbname=snort user=snort password=test
# unified: Snort unified binary format alerting and logging
# -------------------------------------------------------------
# The unified output plugin provides two new formats for logging and generating
# alerts from Snort, the "unified" format. The unified format is a straight
# binary format for logging data out of Snort that is designed to be fast and
# efficient. Used with barnyard (the new alert/log processor), most of the
# overhead for logging and alerting to various slow storage mechanisms such as
# databases or the network can now be avoided.
#
# Check out the spo_unified.h file for the data formats.
#
# Two arguments are supported.
# filename - base filename to write to (current time_t is appended)
# limit - maximum size of spool file in MB (default: 128)
#
# output alert_unified: filename snort.alert, limit 128
# output log_unified: filename snort.log, limit 128
# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
# type log
# output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)
#
# This example will create a rule type that will log to syslog and a mysql
# database:
# ruletype redalert
# {
# type alert
# output alert_syslog: LOG_AUTH LOG_ALERT
# output database: log, mysql, user=snort dbname=snort host=localhost
# }
#
# EXAMPLE RULE FOR REDALERT RULETYPE:
# redalert tcp $HOME_NET any -> $EXTERNAL_NET 31337 \
# (msg:"Someone is being LEET"; flags:A+;)
#
# Include classification & priority settings
#
include classification.config
#
# Include reference systems
#
include reference.config
####################################################################
# Step #4: Customize your rule set
#
# Up to date snort rules are available at http://www.snort.org
#
# The snort web site has documentation about how to write your own custom snort
# rules.
#
# The rules included with this distribution generate alerts based on on
# suspicious activity. Depending on your network environment, your security
# policies, and what you consider to be suspicious, some of these rules may
# either generate false positives ore may be detecting activity you consider to
# be acceptable; therefore, you are encouraged to comment out rules that are
# not applicable in your environment.
#
# The following individuals contributed many of rules in this distribution.
#
# Credits:
# Ron Gula <rgula@securitywizards.com> of Network Security Wizards
# Max Vision <vision@whitehats.com>
# Martin Markgraf <martin@mail.du.gtn.com>
# Fyodor Yarochkin <fygrave@tigerteam.net>
# Nick Rogness <nick@rapidnet.com>
# Jim Forster <jforster@rapidnet.com>
# Scott McIntyre <scott@whoi.edu>
# Tom Vandepoel <Tom.Vandepoel@ubizen.com>
# Brian Caswell <bmc@snort.org>
# Zeno <admin@cgisecurity.com>
# Ryan Russell <ryan@securityfocus.com>
#=========================================
# Include all relevant rulesets here
#
# The following rulesets are disabled by default:
#
# web-attacks, backdoor, shellcode, policy, porn, info, icmp-info, virus,
# chat, multimedia, and p2p
#
# These rules are either site policy specific or require tuning in order to not
# generate false positive alerts in most enviornments.
#
# Please read the specific include file for more information and
# README.alert_order for how rule ordering affects how alerts are triggered.
#=========================================
include $RULE_PATH/local.rules
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
include $RULE_PATH/scan.rules
include $RULE_PATH/finger.rules
include $RULE_PATH/ftp.rules
include $RULE_PATH/telnet.rules
include $RULE_PATH/rpc.rules
include $RULE_PATH/rservices.rules
include $RULE_PATH/dos.rules
include $RULE_PATH/ddos.rules
include $RULE_PATH/dns.rules
include $RULE_PATH/tftp.rules
include $RULE_PATH/web-cgi.rules
include $RULE_PATH/web-coldfusion.rules
include $RULE_PATH/web-iis.rules
include $RULE_PATH/web-frontpage.rules
include $RULE_PATH/web-misc.rules
include $RULE_PATH/web-client.rules
include $RULE_PATH/web-php.rules
include $RULE_PATH/sql.rules
include $RULE_PATH/x11.rules
include $RULE_PATH/icmp.rules
include $RULE_PATH/netbios.rules
include $RULE_PATH/misc.rules
include $RULE_PATH/attack-responses.rules
include $RULE_PATH/oracle.rules
include $RULE_PATH/mysql.rules
include $RULE_PATH/snmp.rules
include $RULE_PATH/smtp.rules
include $RULE_PATH/imap.rules
include $RULE_PATH/pop2.rules
include $RULE_PATH/pop3.rules
include $RULE_PATH/nntp.rules
include $RULE_PATH/other-ids.rules
# include $RULE_PATH/web-attacks.rules
# include $RULE_PATH/backdoor.rules
# include $RULE_PATH/shellcode.rules
# include $RULE_PATH/policy.rules
# include $RULE_PATH/porn.rules
# include $RULE_PATH/info.rules
# include $RULE_PATH/icmp-info.rules
include $RULE_PATH/virus.rules
# include $RULE_PATH/chat.rules
# include $RULE_PATH/multimedia.rules
# include $RULE_PATH/p2p.rules
include $RULE_PATH/experimental.rules
# Include any thresholding or suppression commands. See threshold.conf in the
# <snort src>/etc directory for details. Commands don't necessarily need to be
# contained in this conf, but a separate conf makes it easier to maintain them.
# Uncomment if needed.
# include threshold.conf
