Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 06:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
zeek/scripts/s2b/snort_rules2.2/scan.rules

36 lines
4.5 KiB
Text
Raw Blame History

# (C) Copyright 2001-2004, Martin Roesch, Brian Caswell, et al.
# All rights reserved.
# $Id: scan.rules 91 2004-07-15 08:13:57Z rwinslow $
#-----------
# SCAN RULES
#-----------
# These signatures are representitive of network scanners. These include
# port scanning, ip mapping, and various application scanners.
#
# NOTE: This does NOT include web scanners such as whisker. Those are
# in web*
#
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ack:0; flags:S; ttl:>220; flow:stateless; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; dsize:0; flags:SF12; flow:stateless; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:618; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; flow:stateless; classtype:attempted-recon; sid:620; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; flow:stateless; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; flow:stateless; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; ack:0; flags:0; seq:0; flow:stateless; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flags:SF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; flow:stateless; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; flow:stateless; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; flags:SF; id:39426; flow:stateless; reference:arachnids,441; classtype:attempted-recon; sid:630; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; flags:PA12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; ack:0; flags:SFU12; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"SCAN Amanda client version request"; content:"Amanda"; nocase; classtype:attempted-recon; sid:634; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"SCAN XTACACS logout"; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; reference:arachnids,408; classtype:bad-unknown; sid:635; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"SCAN cybercop udp bomb"; content:"cybercop"; reference:arachnids,363; classtype:bad-unknown; sid:636; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN Webtrends Scanner UDP Probe"; content:"|0A|help|0A|quite|0A|"; reference:arachnids,308; classtype:attempted-recon; sid:637; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; nocase; classtype:network-scan; sid:1638; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SCAN UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; classtype:network-scan; sid:1917; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; classtype:network-scan; sid:1918; rev:6;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; ack:0; flags:SFP; flow:stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:11;)
Reference in a new issue View git blame Copy permalink