mirror of
https://github.com/vimagick/dockerfiles
synced 2024-06-30 18:51:24 +00:00
3936 lines
1.7 MiB
3936 lines
1.7 MiB
# Copyright 2001-2020 Sourcefire, Inc. All Rights Reserved.
|
|
#
|
|
# This file contains rules that were created by Sourcefire, Inc. and other third parties
|
|
# (the "GPL Rules") that are distributed under the GNU General Public License (GPL),
|
|
# v2. The GPL Rules created by Sourcefire are owned by Sourcefire, Inc., and the GPL
|
|
# Rules not created by Sourcefire are owned by their respective owners. Please see
|
|
# the AUTHORS file included in the community package for a list of third party owners and their
|
|
# respective copyrights.
|
|
#
|
|
# This file does not contain any Sourcefire VRT Certified Rules; the VRT Certified
|
|
# Rules are distributed by Sourcefire separately under the VRT Certified Rules License
|
|
# Agreement (v 2.0)
|
|
#
|
|
#-----------------
|
|
# COMMUNITY RULES
|
|
#-----------------
|
|
|
|
# alert tcp $HOME_NET 2589 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR - Dagger_1.4.0"; flow:to_client,established; content:"2|00 00 00 06 00 00 00|Drives|24 00|"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:105; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"MALWARE-BACKDOOR QAZ Worm Client Login access"; flow:to_server,established; content:"qazwsx.hsq"; metadata:ruleset community; reference:mcafee,98775; classtype:misc-activity; sid:108; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"MALWARE-BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0D|"; metadata:ruleset community; classtype:trojan-activity; sid:110; rev:10;)
|
|
# alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection established"; flow:to_client,established; flowbits:isset,backdoor.netbus_2.connect; content:"BN|10 00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; metadata:ruleset community; classtype:trojan-activity; sid:115; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Infector.1.x"; flow:established,to_client; content:"WHATISIT"; depth:9; metadata:impact_flag red, ruleset community; reference:nessus,11157; classtype:misc-activity; sid:117; rev:17;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SatansBackdoor.2.0.Beta"; flow:to_client,established; content:"Remote|3A| "; depth:11; nocase; content:"You are connected to me.|0D 0A|Remote|3A| Ready for commands"; distance:0; nocase; metadata:ruleset community; reference:url,www.megasecurity.org/trojans/s/satanzbackdoor/SBD2.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=5260; classtype:trojan-activity; sid:118; rev:12;)
|
|
# alert tcp $HOME_NET 6789 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly 2.0 access"; flow:established,to_client; content:"Wtzup Use"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:119; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"MALWARE-BACKDOOR Infector 1.6 Client to Server Connection Request"; flow:to_server,established; content:"FC "; metadata:ruleset community; reference:nessus,11157; classtype:misc-activity; sid:121; rev:14;)
|
|
# alert tcp $HOME_NET 31785 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR HackAttack 1.20 Connect"; flow:established,to_client; content:"host"; metadata:ruleset community; classtype:misc-activity; sid:141; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:"w0rm"; distance:1; nocase; pcre:"/^USER\s+w0rm/smi"; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:144; rev:16;)
|
|
# alert tcp $HOME_NET 30100:30102 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR NetSphere access"; flow:established,to_client; content:"NetSphere"; metadata:ruleset community; classtype:trojan-activity; sid:146; rev:13;)
|
|
# alert tcp $HOME_NET 6969 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR GateCrasher"; flow:established,to_client; content:"GateCrasher"; depth:11; nocase; content:"Server"; distance:0; nocase; content:"On-Line..."; distance:0; nocase; pcre:"/^GateCrasher\s+v\d+\x2E\d+\x2C\s+Server\s+On-Line\x2E\x2E\x2E/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.spywareguide.com/product_show.php?id=973; classtype:trojan-activity; sid:147; rev:12;)
|
|
# alert tcp $HOME_NET 5401:5402 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Connection"; flow:established,to_client; content:"c|3A 5C|"; metadata:ruleset community; classtype:misc-activity; sid:152; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 666 (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Client FTP Open Request"; flow:to_server,established; content:"FTPON"; metadata:ruleset community; classtype:misc-activity; sid:157; rev:9;)
|
|
# alert tcp $HOME_NET 666 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR BackConstruction 2.1 Server FTP Open Reply"; flow:to_client,established; content:"FTP Port open"; metadata:ruleset community; classtype:misc-activity; sid:158; rev:10;)
|
|
# alert udp $EXTERNAL_NET 3344 -> $HOME_NET 3345 (msg:"MALWARE-BACKDOOR Matrix 2.0 Client connect"; flow:to_server; content:"activate"; metadata:ruleset community; classtype:misc-activity; sid:161; rev:10;)
|
|
# alert udp $EXTERNAL_NET 3345 -> $HOME_NET 3344 (msg:"MALWARE-BACKDOOR Matrix 2.0 Server access"; flow:to_server; content:"logged in"; metadata:ruleset community; classtype:misc-activity; sid:162; rev:10;)
|
|
# alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR WinCrash 1.0 Server Active"; flow:stateless; flags:SA,12; content:"|B4 B4|"; metadata:ruleset community; classtype:misc-activity; sid:163; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"MALWARE-BACKDOOR CDK"; flow:to_server,established; content:"ypi0ca"; depth:15; nocase; metadata:ruleset community; classtype:misc-activity; sid:185; rev:10;)
|
|
# alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:195; rev:14;)
|
|
# alert tcp $HOME_NET 555 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR PhaseZero Server Active on Network"; flow:established,to_client; content:"phAse zero server"; depth:17; nocase; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.megasecurity.org/trojans/p/phasezero/PhaseZero1.0b.html; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=4539; classtype:trojan-activity; sid:208; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR w00w00 attempt"; flow:to_server,established; content:"w00w00"; metadata:ruleset community; classtype:attempted-admin; sid:209; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR attempt"; flow:to_server,established; content:"backdoor"; nocase; metadata:ruleset community; classtype:attempted-admin; sid:210; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC r00t attempt"; flow:to_server,established; content:"r00t"; metadata:ruleset community; classtype:attempted-admin; sid:211; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC rewt attempt"; flow:to_server,established; content:"rewt"; metadata:ruleset community; classtype:attempted-admin; sid:212; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"wh00t!"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:213; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt lrkr0x"; flow:to_server,established; content:"lrkr0x"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:214; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit attempt"; flow:to_server,established; content:"d13hh["; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:215; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Linux rootkit satori attempt"; flow:to_server,established; content:"satori"; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1014; classtype:attempted-admin; sid:216; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC sm4ck attempt"; flow:to_server,established; content:"hax0r"; metadata:ruleset community; classtype:attempted-admin; sid:217; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR MISC Solaris 2.5 attempt"; flow:to_server,established; content:"friday"; metadata:ruleset community; classtype:attempted-user; sid:218; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HidePak backdoor attempt"; flow:to_server,established; content:"StoogR"; metadata:ruleset community; classtype:misc-activity; sid:219; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"MALWARE-BACKDOOR HideSource backdoor attempt"; flow:to_server,established; content:"wank"; metadata:ruleset community; classtype:misc-activity; sid:220; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN Probe"; icmp_id:678; itype:8; content:"1234"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:221; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP tfn2k icmp possible communication"; icmp_id:0; itype:0; content:"AAAAAAAAAA"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:222; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [31335,35555] (msg:"MALWARE-OTHER Trin00 Daemon to Master PONG message detected"; flow:to_server; content:"PONG"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:223; rev:13;)
|
|
# alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server spoof"; icmp_id:666; itype:0; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:224; rev:10;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht gag server response"; icmp_id:669; itype:0; content:"sicken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:225; rev:13;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Stacheldraht server response"; icmp_id:667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:226; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client spoofworks"; icmp_id:1000; itype:0; content:"spoofworks"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:227; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:228; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check skillz"; icmp_id:666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:229; rev:12;)
|
|
# alert tcp $HOME_NET 20432 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER shaft client login to handler"; flow:to_client,established; content:"login|3A|"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; reference:url,security.royans.net/info/posts/bugtraq_ddos3.shtml; classtype:attempted-dos; sid:230; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master message detected"; flow:to_server; content:"l44"; fast_pattern:only; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:231; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"MALWARE-OTHER Trin00 Daemon to Master *HELLO* message detected"; flow:to_server; content:"*HELLO*"; metadata:ruleset community; reference:cve,2000-0138; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:233; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default password"; flow:established,to_server; content:"gOrave"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:234; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"MALWARE-OTHER Trin00 Attacker to Master default mdie password"; flow:established,to_server; content:"killme"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:235; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht client check gag"; icmp_id:668; itype:0; content:"gesundheit!"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:236; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"MALWARE-OTHER Trin00 Master to Daemon default password attempt"; flow:to_server; content:"l44adsl"; metadata:ruleset community; reference:cve,2000-0138; reference:url,attack.mitre.org/techniques/T1078; classtype:attempted-dos; sid:237; rev:11;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP TFN server response"; icmp_id:123; itype:0; content:"shell bound"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:238; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 18753 (msg:"MALWARE-OTHER shaft handler to agent"; flow:to_server; content:"alive tijgu"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:239; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 20433 (msg:"MALWARE-OTHER shaft agent to handler"; flow:to_server; content:"alive"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:240; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 6838 (msg:"MALWARE-OTHER mstream agent to handler"; flow:to_server; content:"newserver"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:243; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler to agent"; flow:to_server; content:"stream/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:244; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream handler ping to agent"; flow:to_server; content:"ping"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:245; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10498 (msg:"MALWARE-OTHER mstream agent pong to handler"; flow:to_server; content:"pong"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:246; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 12754 (msg:"MALWARE-OTHER mstream client to handler"; flow:to_server,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:247; rev:8;)
|
|
# alert tcp $HOME_NET 12754 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:248; rev:8;)
|
|
# alert tcp $HOME_NET 15104 -> $EXTERNAL_NET any (msg:"MALWARE-OTHER mstream handler to client"; flow:to_client,established; content:">"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:250; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; pcre:"/^[0-9]{1,5}\x00/"; metadata:ruleset community; reference:cve,2000-0138; classtype:attempted-dos; sid:251; rev:11;)
|
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response PTR with TTL of 1 min. and no authority"; flow:to_client; content:"|85 80 00 01 00 01 00 00 00 00|"; content:"|C0 0C 00 0C 00 01 00 00 00|<|00 0F|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service dns; classtype:bad-unknown; sid:253; rev:15;)
|
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"PROTOCOL-DNS SPOOF query response with TTL of 1 min. and no authority"; flow:to_client; content:"|81 80|"; depth:4; offset:2; fast_pattern; byte_test:2,>,0,0,relative,big; byte_test:2,>,0,2,relative,big; content:"|00 00 00 00|"; within:4; distance:4; content:"|C0 0C 00 01 00 01|"; distance:0; byte_test:4,<,61,0,relative,big; byte_test:4,>,0,0,relative,big; metadata:policy max-detect-ips drop, ruleset community, service dns; classtype:bad-unknown; sid:254; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via TCP detected"; flow:to_server,established; content:"|00 01 00 00 00 00 00|"; depth:8; offset:6; byte_test:1,!&,0xF8,4; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:24;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:256; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server,established; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:257; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records"; flow:to_server,established; content:"../../../"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; fast_pattern:only; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow via NXT records named overflow ADMROCKS"; flow:to_server,established; content:"ADMROCKS"; metadata:ruleset community, service dns; reference:bugtraq,788; reference:cve,1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; classtype:attempted-admin; sid:260; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind named overflow attempt"; flow:to_server,established; content:"|CD 80 E8 D7 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service dns; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0|?1|DB B3 FF|1|C9 CD 80|1|C0|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:262; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt"; flow:to_server,established; content:"1|C0 B0 02 CD 80 85 C0|uL|EB|L^|B0|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:264; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-LINUX x86 Linux overflow attempt ADMv2"; flow:to_server,established; content:"|89 F7 29 C7 89 F3 89 F9 89 F2 AC|<|FE|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:265; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-OTHER x86 FreeBSD overflow attempt"; flow:to_server,established; content:"|EB|n^|C6 06 9A|1|C9 89|N|01 C6|F|05|"; metadata:ruleset community, service dns; classtype:attempted-admin; sid:266; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"OS-SOLARIS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1A C0 0F 90 02| |08 92 02| |0F D0 23 BF F8|"; fast_pattern:only; metadata:ruleset community, service dns; classtype:attempted-admin; sid:267; rev:13;)
|
|
# alert udp any 19 <> any 7 (msg:"SERVER-OTHER UDP echo+chargen bomb"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:12;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft WIndows IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:ruleset community; reference:bugtraq,514; reference:cve,1999-0918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-034; classtype:attempted-dos; sid:272; rev:16;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ath"; itype:8; content:"+++ath"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Audio Server denial of service attempt"; flow:to_server,established; content:"|FF F4 FF FD 06|"; fast_pattern:only; metadata:ruleset community; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER RealNetworks Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SERVER-OTHER Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"SERVER-OTHER Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:13;)
|
|
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"BROWSER-OTHER Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"^|0E|1|C0 B0 3B 8D|~|0E 89 FA 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 BSD overflow"; flow:to_server,established; content:"h]^|FF D5 FF D4 FF F5 8B F5 90|f1"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:287; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 Linux overflow"; flow:to_server,established; content:"|D8|@|CD 80 E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:288; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT x86 SCO overflow"; flow:to_server,established; content:"V|0E|1|C0 B0 3B 8D|~|12 89 F9 89 F9|"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,133; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP EXPLOIT qpopper overflow"; flow:to_server,established; content:"|E8 D9 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-LINUX x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; metadata:ruleset community; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"OS-SOLARIS Oracle Solaris npls x86 overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; metadata:ruleset community; reference:bugtraq,2319; reference:cve,1999-1588; classtype:attempted-admin; sid:300; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-LINUX Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; metadata:ruleset community; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01| |02|a"; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; reference:nessus,10605; classtype:attempted-admin; sid:303; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"SERVER-OTHER SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; metadata:ruleset community; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-OTHER delegate proxy overflow"; flow:to_server,established; isdataat:1000; content:"whois|3A|//"; nocase; metadata:ruleset community; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-OTHER VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; metadata:ruleset community; reference:bugtraq,1610; reference:cve,2000-0766; reference:nessus,10354; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"SERVER-OTHER CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; metadata:ruleset community; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"SERVER-OTHER NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; metadata:ruleset community, service ftp; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL sniffit overflow"; flow:to_server,established; isdataat:512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"BROWSER-OTHER Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; metadata:ruleset community; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"OS-LINUX ntalkd x86 Linux overflow"; flow:to_server; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"SERVER-OTHER Bind Buffer Overflow named tsig overflow attempt"; flow:to_server; content:"|80 00 07 00 00 00 00 00 01|?|00 01 02|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2302; reference:cve,2001-0010; classtype:attempted-admin; sid:314; rev:23;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"OS-LINUX x86 Linux mountd overflow"; flow:to_server; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cmd_rootsh backdoor attempt"; flow:to_server,established; content:"cmd_rootsh"; metadata:ruleset community; reference:nessus,10070; reference:url,www.sans.org/y2k/TFN_toolkit.htm; reference:url,www.sans.org/y2k/fingerd.htm; classtype:attempted-admin; sid:320; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER account enumeration attempt"; flow:to_server,established; content:"a b c d e f"; nocase; metadata:ruleset community; reference:nessus,10788; classtype:attempted-recon; sid:321; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER search query"; flow:to_server,established; content:"search"; metadata:ruleset community; reference:cve,1999-0259; classtype:attempted-recon; sid:322; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER root query"; flow:to_server,established; content:"root"; metadata:ruleset community; classtype:attempted-recon; sid:323; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER null request"; flow:to_server,established; content:"|00|"; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:324; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command execution attempt"; flow:to_server,established; content:"|3B|"; metadata:ruleset community; reference:bugtraq,974; reference:cve,1999-0150; classtype:attempted-user; sid:326; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER remote command pipe execution attempt"; flow:to_server,established; content:"|7C|"; metadata:ruleset community; reference:bugtraq,2220; reference:cve,1999-0152; classtype:attempted-user; sid:327; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER bomb attempt"; flow:to_server,established; content:"@@"; metadata:ruleset community; reference:cve,1999-0106; classtype:attempted-dos; sid:328; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER redirection attempt"; flow:to_server,established; content:"@"; metadata:ruleset community; reference:cve,1999-0105; reference:nessus,10073; classtype:attempted-recon; sid:330; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER cybercop query"; flow:to_server,established; content:"|0A| "; depth:10; metadata:ruleset community; reference:cve,1999-0612; classtype:attempted-recon; sid:331; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER 0 query"; flow:to_server,established; content:"0"; metadata:ruleset community; reference:cve,1999-0197; reference:nessus,10069; classtype:attempted-recon; sid:332; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER . query"; flow:to_server,established; content:"."; metadata:ruleset community; reference:cve,1999-0198; reference:nessus,10072; classtype:attempted-recon; sid:333; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .forward"; flow:to_server,established; content:".forward"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:334; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP .rhosts"; flow:to_server,established; content:".rhosts"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:suspicious-filename-detect; sid:335; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CEL overflow attempt"; flow:to_server,established; content:"CEL"; nocase; isdataat:100,relative; pcre:"/^CEL(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,679; reference:cve,1999-0789; reference:nessus,10009; classtype:attempted-admin; sid:337; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0A|"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:353; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:354; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:355; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:356; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; metadata:ruleset community, service ftp; reference:url,www.mines.edu/fs_home/dlarue/cc/baby-doe.html; classtype:suspicious-login; sid:357; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP saint scan"; flow:to_server,established; content:"pass -saint"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:358; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP satan scan"; flow:to_server,established; content:"pass -satan"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-login; sid:359; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP serv-u directory traversal"; flow:to_server,established; content:".%20."; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2052; reference:cve,2001-0054; reference:nessus,10565; classtype:bad-unknown; sid:360; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2241; reference:cve,1999-0080; reference:cve,1999-0955; classtype:bad-unknown; sid:361; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; metadata:ruleset community, service ftp; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:362; rev:20;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router advertisement"; itype:9; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IRDP router selection"; itype:10; metadata:ruleset community; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING undefined code"; icode:>0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:365; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Unix"; itype:8; content:"|10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:366; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BSDtype"; itype:8; content:"|08 09 0A 0B 0C 0D 0E 0F 10 11 12 13 14 15 16 17|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:368; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BayRS Router"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:369; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING BeOS4.x"; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 08 09 0A 0B|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:370; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Cisco Type.x"; itype:8; content:"|AB CD AB CD AB CD AB CD AB CD AB CD AB CD AB CD|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:371; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Delphi-Piette Windows"; itype:8; content:"Pinging from Del"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:372; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Flowpoint2200 or Network Management Software"; itype:8; content:"|01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:373; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING IP NetMonitor Macintosh"; itype:8; content:"|A9| Sustainable So"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:374; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; metadata:ruleset community; classtype:misc-activity; sid:375; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Microsoft Windows"; itype:8; content:"0123456789abcdefghijklmnop"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:376; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Network Toolbox 3 Windows"; itype:8; content:"================"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:377; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Ping-O-MeterWindows"; itype:8; content:"OMeterObeseArmad"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:378; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Pinger Windows"; itype:8; content:"Data|00 00 00 00 00 00 00 00 00 00 00 00|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:379; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Seer Windows"; itype:8; content:"|88 04| "; depth:32; metadata:ruleset community; classtype:misc-activity; sid:380; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Oracle Solaris"; dsize:8; itype:8; metadata:ruleset community; classtype:misc-activity; sid:381; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Windows"; itype:8; content:"abcdefghijklmnop"; depth:16; metadata:ruleset community; classtype:misc-activity; sid:382; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING"; icode:0; itype:8; metadata:ruleset community; classtype:misc-activity; sid:384; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP traceroute"; itype:8; ttl:1; metadata:ruleset community; classtype:attempted-recon; sid:385; rev:8;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Address Mask Reply"; icode:0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:386; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Reply undefined code"; icode:>0; itype:18; metadata:ruleset community; classtype:misc-activity; sid:387; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request"; icode:0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:388; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Address Mask Request undefined code"; icode:>0; itype:17; metadata:ruleset community; classtype:misc-activity; sid:389; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address"; icode:0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:390; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Alternate Host Address undefined code"; icode:>0; itype:6; metadata:ruleset community; classtype:misc-activity; sid:391; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error"; icode:0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:392; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; metadata:ruleset community; classtype:misc-activity; sid:393; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; metadata:ruleset community; classtype:misc-activity; sid:394; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; metadata:ruleset community; classtype:misc-activity; sid:395; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; reference:cve,2015-7759; classtype:misc-activity; sid:396; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; metadata:ruleset community; classtype:misc-activity; sid:397; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; metadata:ruleset community; classtype:misc-activity; sid:398; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; metadata:ruleset community; classtype:misc-activity; sid:399; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; metadata:ruleset community; classtype:misc-activity; sid:400; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; metadata:ruleset community; classtype:misc-activity; sid:401; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP destination unreachable port unreachable packet detected"; icode:3; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:402; rev:16;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:403; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0790; reference:cve,2005-0068; classtype:misc-activity; sid:404; rev:14;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; metadata:ruleset community; classtype:misc-activity; sid:405; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; metadata:ruleset community; classtype:misc-activity; sid:406; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; metadata:ruleset community; classtype:misc-activity; sid:407; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply"; icode:0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:408; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Echo Reply undefined code"; icode:>0; itype:0; metadata:ruleset community; classtype:misc-activity; sid:409; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:410; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here"; icode:0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:411; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; metadata:ruleset community; classtype:misc-activity; sid:412; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You"; icode:0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:413; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; metadata:ruleset community; classtype:misc-activity; sid:414; rev:10;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply"; icode:0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:415; rev:8;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Information Reply undefined code"; icode:>0; itype:16; metadata:ruleset community; classtype:misc-activity; sid:416; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request"; icode:0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:417; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Information Request undefined code"; icode:>0; itype:15; metadata:ruleset community; classtype:misc-activity; sid:418; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect"; icode:0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:419; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; metadata:ruleset community; classtype:misc-activity; sid:420; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply"; icode:0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:421; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; metadata:ruleset community; classtype:misc-activity; sid:422; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request"; icode:0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:423; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; metadata:ruleset community; classtype:misc-activity; sid:424; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Bad Length"; icode:2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:425; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; metadata:ruleset community; classtype:misc-activity; sid:426; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; metadata:ruleset community; classtype:misc-activity; sid:427; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Parameter Problem undefined Code"; icode:>2; itype:12; metadata:ruleset community; classtype:misc-activity; sid:428; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Reserved"; icode:0; itype:40; metadata:ruleset community; classtype:misc-activity; sid:429; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; metadata:ruleset community; classtype:misc-activity; sid:430; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; metadata:ruleset community; classtype:misc-activity; sid:431; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:432; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Photuris undefined code!"; icode:>3; itype:40; metadata:ruleset community; classtype:misc-activity; sid:433; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Host"; icode:3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:436; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect for TOS and Network"; icode:2; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:437; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Redirect undefined code"; icode:>3; itype:5; metadata:ruleset community; reference:cve,1999-0265; classtype:misc-activity; sid:438; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19"; icode:0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:439; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; metadata:ruleset community; classtype:misc-activity; sid:440; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Advertisement"; icode:0; itype:9; metadata:ruleset community; classtype:misc-activity; sid:441; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Router Selection"; icode:0; itype:10; metadata:ruleset community; classtype:misc-activity; sid:443; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP"; icode:0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:445; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SKIP undefined code"; icode:>0; itype:39; metadata:ruleset community; classtype:misc-activity; sid:446; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Source Quench undefined code"; icode:>0; itype:4; metadata:ruleset community; classtype:misc-activity; sid:448; rev:10;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; metadata:ruleset community; classtype:misc-activity; sid:449; rev:9;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; metadata:ruleset community; classtype:misc-activity; sid:450; rev:11;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply"; icode:0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:451; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Reply undefined code"; icode:>0; itype:14; metadata:ruleset community; classtype:misc-activity; sid:452; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request"; icode:0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:453; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Timestamp Request undefined code"; icode:>0; itype:13; metadata:ruleset community; classtype:misc-activity; sid:454; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute"; icode:0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:456; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Traceroute undefined code"; icode:>0; itype:30; metadata:ruleset community; classtype:misc-activity; sid:457; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1"; icode:0; itype:1; metadata:ruleset community; classtype:misc-activity; sid:458; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 1 undefined code"; itype:1; metadata:ruleset community; classtype:misc-activity; sid:459; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2"; icode:0; itype:2; metadata:ruleset community; classtype:misc-activity; sid:460; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 2 undefined code"; itype:2; metadata:ruleset community; classtype:misc-activity; sid:461; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7"; icode:0; itype:7; metadata:ruleset community; classtype:misc-activity; sid:462; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP unassigned type 7 undefined code"; itype:7; metadata:ruleset community; reference:cve,1999-0454; classtype:misc-activity; sid:463; rev:14;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP ISS Pinger"; itype:8; content:"ISSPNGRQ"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:465; rev:8;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP L3retriever Ping"; icode:0; itype:8; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:ruleset community; classtype:attempted-recon; sid:466; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP Nemesis v1.1 Echo"; dsize:20; icmp_id:0; icmp_seq:0; itype:8; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:467; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP superscan echo"; dsize:8; itype:8; content:"|00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:474; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP webtrends scanner"; icode:0; itype:8; content:"|00 00 00 00|EEEEEEEEEEEE"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:476; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING speedera"; itype:8; content:"89|3A 3B|<=>?"; depth:100; metadata:ruleset community; classtype:misc-activity; sid:480; rev:9;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP TJPingPro1.1Build 2 Windows"; itype:8; content:"TJPingPro by Jim"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:481; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING WhatsupGold Windows"; itype:8; content:"WhatsUp - A Netw"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:482; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING CyberKit 2.2 Windows"; itype:8; content:"|AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA|"; depth:32; metadata:ruleset community; classtype:misc-activity; sid:483; rev:10;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"Cinco Network, Inc."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:484; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP no password"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s*\n/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; classtype:unknown; sid:489; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL battle-mail traffic"; flow:to_server,established; content:"BattleMail"; metadata:ruleset community, service smtp; classtype:policy-violation; sid:490; rev:12;)
|
|
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"PROTOCOL-FTP Bad login"; flow:to_client,established; content:"530 "; fast_pattern:only; pcre:"/^530\s+(Login|User)/smi"; metadata:ruleset community, service ftp; classtype:bad-unknown; sid:491; rev:15;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login failed"; flow:to_client,established; content:"Login failed"; nocase; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:492; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"APP-DETECT psyBNC access"; flow:to_client,established; content:"Welcome!psyBNC@lam3rz.de"; fast_pattern:only; metadata:ruleset community; classtype:bad-unknown; sid:493; rev:11;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command completed"; flow:established; content:"Command completed"; fast_pattern:only; pcre:"/^Command\s+?completed\b/sm"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-078; classtype:bad-unknown; sid:494; rev:21;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE command error"; flow:established; content:"Bad command or filename"; nocase; metadata:ruleset community, service http; classtype:bad-unknown; sid:495; rev:14;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE file copied ok"; flow:to_client,established; file_data; content:"1 file|28|s|29| copied"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1806; reference:cve,2000-0884; classtype:bad-unknown; sid:497; rev:21;)
|
|
# alert ip any any -> any any (msg:"INDICATOR-COMPROMISE id check returned root"; content:"uid=0|28|root|29|"; metadata:ruleset community; classtype:bad-unknown; sid:498; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1417 (msg:"SERVER-OTHER Insecure TIMBUKTU Password"; flow:to_server,established; content:"|05 00|>"; depth:16; metadata:ruleset community; classtype:bad-unknown; sid:505; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"PUA-OTHER PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; metadata:ruleset community; classtype:attempted-admin; sid:507; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 70 (msg:"SERVER-OTHER gopher proxy"; flow:to_server,established; content:"ftp|3A|"; fast_pattern:only; content:"@/"; metadata:ruleset community; classtype:bad-unknown; sid:508; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PCCS mysql database admin tool access"; flow:to_server,established; content:"pccsmysqladm/incs/dbconnect.inc"; depth:36; nocase; metadata:ruleset community, service http; reference:bugtraq,1557; reference:cve,2000-0707; reference:nessus,10783; classtype:web-application-attack; sid:509; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:510; rev:12;)
|
|
# alert tcp $HOME_NET 5631:5632 -> $EXTERNAL_NET any (msg:"PUA-OTHER PCAnywhere Failed Login"; flow:to_client,established; content:"Invalid login"; depth:16; metadata:ruleset community; classtype:unsuccessful-user; sid:512; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 27374 (msg:"SERVER-OTHER ramen worm"; flow:to_server,established; content:"GET "; depth:8; nocase; metadata:ruleset community; classtype:bad-unknown; sid:514; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP NT UserList"; flow:to_server; content:"+|06 10|@|14 D1 02 19|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp query"; flow:to_server; content:"|00 01 00 03 00 01 00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-recon; sid:517; rev:7;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Put"; flow:to_server; content:"|00 02|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; reference:url,github.com/rapid7/metasploit-framework/blob/unstable/unstable-modules/auxiliary/d20tftpbd.rb; classtype:bad-unknown; sid:518; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP parent directory"; flow:to_server; content:".."; offset:2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; reference:cve,2002-1209; reference:cve,2011-4722; classtype:bad-unknown; sid:519; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP root directory"; flow:to_server; content:"|00 01|/"; depth:3; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0183; classtype:bad-unknown; sid:520; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"NETBIOS DCERPC NCACN-IP-TCP srvsvc NetrShareEnum null policy handle attempt"; flow:established,to_server; dce_iface:4b324fc8-1670-01d3-1278-5a47bf6ee188; dce_opnum:15; dce_stub_data; pcre:"/^.{4}(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; content:"|00 00 00 00|"; within:4; distance:8; metadata:ruleset community; classtype:protocol-command-decode; sid:529; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS NT NULL session"; flow:to_server,established; content:"|00 00 00 00|W|00|i|00|n|00|d|00|o|00|w|00|s|00| |00|N|00|T|00| |00|1|00|3|00|8|00|1"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:530; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD.."; flow:to_server,established; content:"|5C|../|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:534; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB CD..."; flow:to_server,established; content:"|5C|...|00 00 00|"; metadata:ruleset community; classtype:attempted-recon; sid:535; rev:9;)
|
|
# alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A|"; nocase; content:"text/plain"; distance:1; metadata:ruleset community; classtype:policy-violation; sid:540; rev:17;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-SOCIAL ICQ access"; flow:to_server,established; content:"User-Agent|3A|ICQ"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:541; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC nick change"; flow:to_server,established; isdataat:!139; content:"NICK "; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:542; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:543; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:544; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:545; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:546; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD ' possible warez site"; flow:to_server,established; content:"MKD "; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:547; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; metadata:ruleset community, service ftp; classtype:misc-activity; sid:548; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY-OTHER FTP anonymous login attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+(anonymous|ftp)[^\w]*[\r\n]/smi"; metadata:ruleset community, service ftp; classtype:misc-activity; sid:553; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; metadata:ruleset community, service ftp; classtype:misc-activity; sid:554; rev:10;)
|
|
# alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"POLICY-OTHER WinGate telnet server response"; flow:to_client,established; content:"WinGate>"; metadata:ruleset community; reference:cve,1999-0657; classtype:misc-activity; sid:555; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:556; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; metadata:ruleset community; classtype:policy-violation; sid:557; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"APP-DETECT VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; metadata:ruleset community; classtype:misc-activity; sid:560; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"APP-DETECT PCAnywhere server response"; content:"ST"; depth:2; metadata:ruleset community; classtype:misc-activity; sid:566; rev:10;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL SMTP relaying denied"; flow:established,to_client; content:"550 5.7.1"; depth:70; metadata:ruleset community, service smtp; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY-OTHER HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; metadata:ruleset community; reference:bugtraq,2245; classtype:misc-activity; sid:568; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"|00 01 87 99|"; depth:4; offset:16; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC DOS ttdbserv Solaris"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; depth:32; offset:16; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-dos; sid:572; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:574; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:575; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:576; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:577; rev:23;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:578; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap mountd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:579; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:cve,1999-0008; classtype:rpc-portmap-decode; sid:580; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:581; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:582; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:583; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:20;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC Solaris UDP portmap sadmin port query request attempt"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,8615; reference:cve,2003-0722; classtype:rpc-portmap-decode; sid:585; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,8; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:586; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:587; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:27;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:589; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:591; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:31;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:598; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:599; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin LinuxNIS"; flow:to_server,established; content:"|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:601; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-user; sid:602; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin echo++"; flow:to_server,established; content:"echo |22| + + |22|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:603; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES Unix rlogin froot parameter root access attempt"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,458; reference:cve,1999-0113; classtype:attempted-admin; sid:604; rev:14;)
|
|
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"login incorrect"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unsuccessful-user; sid:605; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"PROTOCOL-SERVICES rlogin root"; flow:to_server,established; content:"root|00|root|00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:606; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh bin"; flow:to_server,established; content:"bin|00|bin|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:607; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh echo + +"; flow:to_server,established; content:"echo |22|+ +|22|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:608; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-admin; sid:609; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"PROTOCOL-SERVICES rsh root"; flow:to_server,established; content:"|00|root|00|"; fast_pattern:only; pcre:"/^(\d{1,5})?\x00?[^\x00]+?\x00root\x00/i"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,57221; reference:cve,2012-6392; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130109-lms; classtype:attempted-admin; sid:610; rev:16;)
|
|
# alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"PROTOCOL-SERVICES rlogin login failure"; flow:to_client,established; content:"|01|rlogind|3A| Permission denied."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unsuccessful-user; sid:611; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rusers query UDP"; content:"|00 01 86 A2|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"INDICATOR-SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:613; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"MALWARE-BACKDOOR hack-a-tack attempt"; flow:stateless; flags:A+; content:"A"; depth:1; metadata:ruleset community; classtype:attempted-recon; sid:614; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"INDICATOR-SCAN ident version request"; flow:to_server,established; content:"VERSION|0A|"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:616; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; isdataat:!0; flags:SF12; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:619; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN ipEye SYN scan"; flow:stateless; flags:S; seq:1958810375; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:622; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:626; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:627; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN synscan portscan"; flow:stateless; flags:SF; id:39426; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:630; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:631; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; fast_pattern:only; metadata:ruleset community, service smtp; classtype:protocol-command-decode; sid:632; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 10080:10081 (msg:"INDICATOR-SCAN Amanda client-version request"; flow:to_server; content:"Amanda"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:634; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"INDICATOR-SCAN XTACACS logout"; flow:to_server; content:"|80 07 00 00 07 00 00 04 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:635; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 7 (msg:"INDICATOR-SCAN cybercop udp bomb"; flow:to_server; content:"cybercop"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:bad-unknown; sid:636; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SCAN Webtrends Scanner UDP Probe"; flow:to_server; content:"|0A|help|0A|quite|0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,www.netiq.com/products/vsm/default.asp; classtype:attempted-recon; sid:637; rev:13;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%|03 E0 F8|%"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:638; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE SGI NOOP"; content:"|24 0F 12|4|24 0F 12|4|24 0F 12|4|24 0F 12|4"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:639; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE AIX NOOP"; content:"O|FF FB 82|O|FF FB 82|O|FF FB 82|O|FF FB 82|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:640; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Digital UNIX NOOP"; content:"G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|G|FF 04 1F|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:641; rev:12;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|08|!|02 80 08|!|02 80 08|!|02 80 08|!|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:642; rev:12;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE HP-UX NOOP"; content:"|0B|9|02 80 0B|9|02 80 0B|9|02 80 0B|9|02 80|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:643; rev:13;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:644; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|80 1C|@|11 80 1C|@|11 80 1C|@|11 80 1C|@|11|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:645; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE sparc NOOP"; content:"|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13|"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:646; rev:11;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Oracle sparc setuid 0"; content:"|82 10| |17 91 D0| |08|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:647; rev:15;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 NOOP"; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:648; rev:18;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setgid 0"; content:"|B0 B5 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:649; rev:15;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 setuid 0"; content:"|B0 17 CD 80|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:system-call-detect; sid:650; rev:15;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE Linux shellcode"; content:"|90 90 90 E8 C0 FF FF FF|/bin/sh"; fast_pattern:only; metadata:ruleset community; classtype:shellcode-detect; sid:652; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:256,relative; pcre:"/^RCPT TO\x3a\s*\x3c?[^\n\x3e]{256}/im"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,2283; reference:bugtraq,43182; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2003-0694; reference:cve,2008-0394; reference:cve,2009-0410; reference:cve,2010-2580; classtype:attempted-admin; sid:654; rev:28;)
|
|
# alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Netmanager chameleon SMTPd buffer overflow attempt"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:ruleset community, service smtp; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Microsoft Windows Exchange Server 5.5 mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:ruleset community, service smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-082; classtype:attempted-dos; sid:658; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; fast_pattern:only; pcre:"/^expn\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern:only; pcre:"/^expn\s+root/smi"; metadata:ruleset community, service smtp; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; fast_pattern:only; metadata:ruleset community, service smtp; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; fast_pattern:only; pcre:"/^rcpt\s+to\:\s*[\x7c\x3b]/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; fast_pattern:only; metadata:ruleset community, service smtp; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:ruleset community, service smtp; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:673; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_start_job - program execution"; flow:to_server,established; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:676; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_password password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:677; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:678; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL sp_adduser database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; depth:32; offset:32; nocase; metadata:ruleset community; classtype:attempted-user; sid:679; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_cmdshell program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:681; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_password - password change"; flow:to_server,established; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:683; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:684; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_adduser - database user creation"; flow:to_server,established; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:685; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_reg* - registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_cmdshell - program execution"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:687; rev:10;)
|
|
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:to_client,established; content:"Login failed for user 'sa'"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_reg* registry access"; flow:to_server,established; content:"x|00|p|00|_|00|r|00|e|00|g|00|"; depth:32; offset:32; nocase; metadata:ruleset community; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:691; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"9 |D0 00 92 01 C2 00|R|00|U|00|9 |EC 00|"; metadata:ruleset community; classtype:shellcode-detect; sid:692; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:shellcode-detect; sid:693; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"INDICATOR-SHELLCODE shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; metadata:ruleset community; classtype:attempted-user; sid:694; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,1204; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:695; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SERVER-MSSQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:704; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; metadata:ruleset community, service telnet; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; fast_pattern:only; content:"bin/sh"; metadata:ruleset community, service telnet; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:15;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET Attempted SU from wrong group"; flow:to_client,established; content:"to su root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:attempted-admin; sid:715; rev:14;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET not on console"; flow:to_client,established; content:"not on system console"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:717; rev:15;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET login incorrect"; flow:to_client,established; content:"Login incorrect"; metadata:ruleset community, service telnet; classtype:bad-unknown; sid:718; rev:16;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET root login"; flow:to_client,established; content:"login|3A| root"; fast_pattern:only; metadata:ruleset community, service telnet; classtype:suspicious-login; sid:719; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi directory traversal attempt"; flow:to_server,established; content:"/hsx.cgi"; http_uri; content:"../../"; http_raw_uri; content:"%00"; distance:1; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-attack; sid:803; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWSoft ASPSeek Overflow attempt"; flow:to_server,established; content:"/s.cgi"; fast_pattern; nocase; http_uri; content:"tmpl="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2492; reference:cve,2001-0476; classtype:web-application-attack; sid:804; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Progress webspeed access"; flow:to_server,established; content:"/wsisa.dll/WService="; fast_pattern; nocase; http_uri; content:"WSMadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,969; reference:cve,2000-0127; reference:nessus,10304; classtype:attempted-user; sid:805; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb directory traversal attempt"; flow:to_server,established; content:"/YaBB"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:806; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /wwwboard/passwd.txt access"; flow:to_server,established; content:"/wwwboard/passwd.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,649; reference:cve,1999-0953; reference:cve,1999-0954; reference:nessus,10321; classtype:attempted-recon; sid:807; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdriver access"; flow:to_server,established; content:"/webdriver"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2166; reference:nessus,10592; classtype:attempted-recon; sid:808; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whois_raw.cgi?"; http_uri; content:"|0A|"; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; reference:url,attack.mitre.org/techniques/T1065; classtype:web-application-attack; sid:809; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whois_raw.cgi access"; flow:to_server,established; content:"/whois_raw.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,304; reference:cve,1999-1063; reference:nessus,10306; classtype:attempted-recon; sid:810; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websitepro path access"; flow:to_server,established; content:" /HTTP/1."; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,932; reference:cve,2000-0066; reference:nessus,10303; classtype:attempted-recon; sid:811; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus version access"; flow:to_server,established; content:"/webplus?about"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; classtype:attempted-recon; sid:812; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus directory traversal"; flow:to_server,established; content:"/webplus?script"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1102; reference:cve,2000-0282; reference:nessus,10367; classtype:web-application-attack; sid:813; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP websendmail access"; flow:to_server,established; content:"/websendmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2077; reference:cve,1999-0196; reference:nessus,10301; classtype:attempted-recon; sid:815; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi invalid user addition attempt"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; content:"command=register"; content:"%7cadmin"; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:web-application-attack; sid:817; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi access"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:818; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mmstdod.cgi access"; flow:to_server,established; content:"/mmstdod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2063; reference:cve,2001-0021; reference:nessus,10566; classtype:attempted-recon; sid:819; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anaconda directory traversal attempt"; flow:to_server,established; content:"/apexec.pl"; http_uri; content:"template=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2338; reference:bugtraq,2388; reference:cve,2000-0975; reference:cve,2001-0308; reference:nessus,10536; classtype:web-application-attack; sid:820; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe overflow attempt"; flow:to_server,established; content:"/imagemap.exe?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-attack; sid:821; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb.cgi access"; flow:to_server,established; content:"/cvsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1469; reference:cve,2000-0670; reference:nessus,10465; classtype:attempted-recon; sid:823; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.cgi access"; flow:to_server,established; content:"/php.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0058; reference:cve,1999-0238; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:27;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP glimpse access"; flow:to_server,established; content:"/glimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:825; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript access"; flow:to_server,established; content:"/htmlscript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:attempted-recon; sid:826; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP info2www access"; flow:to_server,established; content:"/info2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1995; reference:cve,1999-0266; reference:nessus,10127; classtype:attempted-recon; sid:827; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP maillist.pl access"; flow:to_server,established; content:"/maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:828; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-test-cgi access"; flow:to_server,established; content:"/nph-test-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,686; reference:cve,1999-0045; reference:nessus,10165; classtype:attempted-recon; sid:829; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe access"; flow:to_server,established; content:"/perl.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:832; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rguest.exe access"; flow:to_server,established; content:"/rguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; classtype:attempted-recon; sid:833; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rwwwshell.pl access"; flow:to_server,established; content:"/rwwwshell.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.itsecurity.com/papers/p37.htm; classtype:attempted-recon; sid:834; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi access"; flow:to_server,established; content:"/test-cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:attempted-recon; sid:835; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP textcounter.pl access"; flow:to_server,established; content:"/textcounter.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2265; reference:cve,1999-1479; reference:nessus,11451; classtype:attempted-recon; sid:836; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP uploader.exe access"; flow:to_server,established; content:"/uploader.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1611; reference:cve,1999-0177; reference:cve,2000-0769; reference:nessus,10291; classtype:attempted-recon; sid:837; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webgais access"; flow:to_server,established; content:"/webgais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2058; reference:cve,1999-0176; reference:nessus,10300; classtype:attempted-recon; sid:838; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP finger access"; flow:to_server,established; content:"/finger"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0612; reference:nessus,10071; classtype:attempted-recon; sid:839; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perlshop.cgi access"; flow:to_server,established; content:"/perlshop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1374; classtype:attempted-recon; sid:840; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP aglimpse access"; flow:to_server,established; content:"/aglimpse"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2026; reference:cve,1999-0147; reference:nessus,10095; classtype:attempted-recon; sid:842; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP anform2 access"; flow:to_server,established; content:"/AnForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; classtype:attempted-recon; sid:843; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.bat access"; flow:to_server,established; content:"/args.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:844; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-admin.cgi access"; flow:to_server,established; content:"/AT-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:845; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bnbform.cgi access"; flow:to_server,established; content:"/bnbform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2147; reference:cve,1999-0937; classtype:attempted-recon; sid:846; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas access"; flow:to_server,established; content:"/campas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:attempted-recon; sid:847; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source directory traversal"; flow:to_server,established; content:"/view-source"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:web-application-attack; sid:848; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view-source access"; flow:to_server,established; content:"/view-source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:bugtraq,8883; reference:cve,1999-0174; classtype:attempted-recon; sid:849; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wais.pl access"; flow:to_server,established; content:"/wais.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:850; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.pl access"; flow:to_server,established; content:"/files.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1081; classtype:attempted-recon; sid:851; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wguest.exe access"; flow:to_server,established; content:"/wguest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,1999-0467; classtype:attempted-recon; sid:852; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wrap access"; flow:to_server,established; content:"/wrap"; http_uri; metadata:ruleset community, service http; reference:bugtraq,373; reference:cve,1999-0149; reference:nessus,10317; classtype:attempted-recon; sid:853; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP classifieds.cgi access"; flow:to_server,established; content:"/classifieds.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2020; reference:cve,1999-0934; classtype:attempted-recon; sid:854; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.cgi access"; flow:to_server,established; content:"/environ.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:856; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faxsurvey access"; flow:to_server,established; content:"/faxsurvey"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2056; reference:cve,1999-0262; reference:nessus,10067; classtype:web-application-activity; sid:857; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; classtype:attempted-recon; sid:858; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP man.sh access"; flow:to_server,established; content:"/man.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2276; reference:cve,1999-1179; classtype:attempted-recon; sid:859; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snork.bat access"; flow:to_server,established; content:"/snork.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:cve,1999-0233; classtype:attempted-recon; sid:860; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3-msql access"; flow:to_server,established; content:"/w3-msql/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,591; reference:bugtraq,898; reference:cve,1999-0276; reference:cve,1999-0753; reference:cve,2000-0012; reference:nessus,10296; classtype:attempted-recon; sid:861; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csh access"; flow:to_server,established; content:"/csh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:862; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datacopier.cgi access"; flow:to_server,established; content:"/day5datacopier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:863; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP day5datanotifier.cgi access"; flow:to_server,established; content:"/day5datanotifier.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1232; classtype:attempted-recon; sid:864; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ksh access"; flow:to_server,established; content:"/ksh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:865; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP post-query access"; flow:to_server,established; content:"/post-query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6752; reference:cve,2001-0291; classtype:attempted-recon; sid:866; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP visadmin.exe access"; flow:to_server,established; content:"/visadmin.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1808; reference:cve,1999-0970; reference:nessus,10295; classtype:attempted-recon; sid:867; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rsh access"; flow:to_server,established; content:"/rsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:868; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dumpenv.pl access"; flow:to_server,established; content:"/dumpenv.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1178; reference:nessus,10060; classtype:attempted-recon; sid:869; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP snorkerz.cmd access"; flow:to_server,established; content:"/snorkerz.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:870; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP survey.cgi access"; flow:to_server,established; content:"/survey.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1817; reference:cve,1999-0936; classtype:attempted-recon; sid:871; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tcsh access"; flow:to_server,established; content:"/tcsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:872; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP win-c-sample.exe access"; flow:to_server,established; content:"/win-c-sample.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2078; reference:cve,1999-0178; reference:nessus,10008; classtype:attempted-recon; sid:875; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rksh access"; flow:to_server,established; content:"/rksh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:877; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP w3tvars.pm access"; flow:to_server,established; content:"/w3tvars.pm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:878; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.pl access"; flow:to_server,established; content:"/admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3839; reference:cve,2002-1748; reference:url,online.securityfocus.com/archive/1/249355; classtype:attempted-recon; sid:879; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP LWGate access"; flow:to_server,established; content:"/LWGate"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.netspace.org/~dwb/lwgate/lwgate-history.html; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:880; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP archie access"; flow:to_server,established; content:"/archie"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:881; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar access"; flow:to_server,established; content:"/calendar"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:882; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP flexform access"; flow:to_server,established; content:"/flexform"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/p/doc.asp/i2/d6.htm; classtype:attempted-recon; sid:883; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bash access"; flow:to_server,established; content:"/bash"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:web-application-activity; sid:885; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf access"; flow:to_server,established; content:"/phf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-activity; sid:886; rev:28;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP www-sql access"; flow:to_server,established; content:"/www-sql"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=88704258804054&w=2; classtype:attempted-recon; sid:887; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwadmin.pl access"; flow:to_server,established; content:"/wwwadmin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:888; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ppdscgi.exe access"; flow:to_server,established; content:"/ppdscgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,491; reference:nessus,10187; reference:url,online.securityfocus.com/archive/1/16878; classtype:attempted-recon; sid:889; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendform.cgi access"; flow:to_server,established; content:"/sendform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5286; reference:cve,2002-0710; reference:url,www.scn.org/help/sendform.txt; classtype:attempted-recon; sid:890; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.pl access"; flow:to_server,established; content:"/upload.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:891; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AnyForm2 access"; flow:to_server,established; content:"/AnyForm2"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,719; reference:cve,1999-0066; reference:nessus,10277; classtype:attempted-recon; sid:892; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh access"; flow:to_server,established; content:"/bb-hist.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:894; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect access"; flow:to_server,established; content:"/redirect"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1179; reference:cve,2000-0382; classtype:attempted-recon; sid:895; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board access"; flow:to_server,established; content:"/way-board"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-activity; sid:896; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi access"; flow:to_server,established; content:"/pals-cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0216; reference:cve,2001-0217; reference:nessus,10611; classtype:attempted-recon; sid:897; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi access"; flow:to_server,established; content:"/commerce.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:898; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl directory traversal attempt"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; content:"templ="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; reference:nessus,10614; classtype:web-application-attack; sid:899; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi directory traversal attempt"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern; nocase; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:web-application-attack; sid:900; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webspirs.cgi access"; flow:to_server,established; content:"/webspirs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2362; reference:cve,2001-0211; reference:nessus,10616; classtype:attempted-recon; sid:901; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tstisapi.dll access"; flow:to_server,established; content:"tstisapi.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2381; reference:cve,2001-0302; classtype:attempted-recon; sid:902; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfcache.map access"; flow:to_server,established; content:"/cfcache.map"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,917; reference:cve,2000-0057; classtype:attempted-recon; sid:903; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp application.cfm"; flow:to_server,established; content:"/cfdocs/exampleapp/email/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:904; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1021; reference:cve,2000-0189; reference:cve,2001-0535; classtype:attempted-recon; sid:905; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getfile.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/email/getfile.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,229; reference:cve,1999-0800; reference:cve,2001-0535; classtype:attempted-recon; sid:906; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion addcontent.cfm access"; flow:to_server,established; content:"/cfdocs/exampleapp/publish/admin/addcontent.cfm"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:907; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion administrator access"; flow:to_server,established; content:"/cfide/administrator/index.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1314; reference:cve,2000-0538; reference:nessus,10581; classtype:attempted-recon; sid:908; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:909; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion fileexists.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/fileexists.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:910; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exprcalc access"; flow:to_server,established; content:"/cfdocs/expeval/exprcalc.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,115; reference:bugtraq,550; reference:cve,1999-0455; reference:cve,1999-0760; classtype:attempted-recon; sid:911; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion parks access"; flow:to_server,established; content:"/cfdocs/examples/parks/detail.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:912; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfappman access"; flow:to_server,established; content:"/cfappman/index.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:913; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion beaninfo access"; flow:to_server,established; content:"/cfdocs/examples/cvbeans/beaninfo.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:914; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:915; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcdsn access"; flow:to_server,established; content:"CFUSION_GETODBCDSN|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:916; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion db connections flush attempt"; flow:to_server,established; content:"CFUSION_DBCONNECTIONS_FLUSH|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:917; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion expeval access"; flow:to_server,established; content:"/cfdocs/expeval/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0477; reference:cve,1999-0760; classtype:attempted-user; sid:918; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource passwordattempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:919; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:920; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin encrypt attempt"; flow:to_server,established; content:"CFUSION_ENCRYPT|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:921; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion displayfile access"; flow:to_server,established; content:"/cfdocs/expeval/displayopenedfile.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:922; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:923; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion admin decrypt attempt"; flow:to_server,established; content:"CFUSION_DECRYPT|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:924; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion mainframeset access"; flow:to_server,established; content:"/cfdocs/examples/mainframeset.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:925; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion set odbc ini attempt"; flow:to_server,established; content:"CFUSION_SETODBCINI|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:926; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion settings refresh attempt"; flow:to_server,established; content:"CFUSION_SETTINGS_REFRESH|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:web-application-attack; sid:927; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion exampleapp access"; flow:to_server,established; content:"/cfdocs/exampleapp/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2001-0535; classtype:attempted-recon; sid:928; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion CFUSION_VERIFYMAIL access"; flow:to_server,established; content:"CFUSION_VERIFYMAIL|28 29|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-user; sid:929; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion snippets attempt"; flow:to_server,established; content:"/cfdocs/snippets/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:930; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion cfmlsyntaxcheck.cfm access"; flow:to_server,established; content:"/cfdocs/cfmlsyntaxcheck.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:931; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion application.cfm access"; flow:to_server,established; content:"/application.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:932; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion onrequestend.cfm access"; flow:to_server,established; content:"/onrequestend.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; reference:cve,2000-0189; classtype:attempted-recon; sid:933; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion startstop DOS access"; flow:to_server,established; content:"/cfide/administrator/startstop.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,247; reference:cve,1999-0756; classtype:web-application-attack; sid:935; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion gettempdirectory.cfm access "; flow:to_server,established; content:"/cfdocs/snippets/gettempdirectory.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,550; reference:cve,1999-0760; classtype:attempted-recon; sid:936; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage posting"; flow:to_server,established; content:"POST"; content:"/author.dll"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-100; classtype:web-application-activity; sid:939; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.dll access"; flow:to_server,established; content:"/_vti_bin/shtml.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0413; reference:cve,2000-0746; reference:nessus,11395; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-060; classtype:web-application-activity; sid:940; rev:29;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage contents.htm access"; flow:to_server,established; content:"/admcgi/contents.htm"; fast_pattern; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:941; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.htm access"; flow:to_server,established; content:"/_private/orders.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:942; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpsrvadm.exe access"; flow:to_server,established; content:"/fpsrvadm.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:943; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpremadm.exe access"; flow:to_server,established; content:"/fpremadm.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:944; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmin.htm access"; flow:to_server,established; content:"/admisapi/fpadmin.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:945; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage fpadmcgi.exe access"; flow:to_server,established; content:"/scripts/Fpadmcgi.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:946; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage orders.txt access"; flow:to_server,established; content:"/_private/orders.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:947; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results access"; flow:to_server,established; content:"/_private/form_results.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:948; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.htm access"; flow:to_server,established; content:"/_private/registrations.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:949; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage cfgwiz.exe access"; flow:to_server,established; content:"/cfgwiz.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:950; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:952; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1205; reference:cve,2002-1717; classtype:web-application-activity; sid:953; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage form_results.htm access"; flow:to_server,established; content:"/_private/form_results.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-1052; classtype:web-application-activity; sid:954; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage access.cnf access"; flow:to_server,established; content:"/_vti_pvt/access.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:955; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.txt access"; flow:to_server,established; content:"/_private/register.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:956; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage registrations.txt access"; flow:to_server,established; content:"/_private/registrations.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:957; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.pwd"; flow:to_server,established; content:"/service.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage service.stp access"; flow:to_server,established; content:"/_vti_pvt/service.stp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:960; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage shtml.exe access"; flow:to_server,established; content:"/_vti_bin/shtml.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1608; reference:bugtraq,5804; reference:cve,2000-0413; reference:cve,2000-0709; reference:cve,2002-0692; reference:nessus,10405; reference:nessus,11311; classtype:web-application-activity; sid:962; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage svcacl.cnf access"; flow:to_server,established; content:"/_vti_pvt/svcacl.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:963; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage users.pwd access"; flow:to_server,established; content:"/users.pwd"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:964; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage .... request"; flow:to_server,established; content:"..../"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,989; reference:cve,1999-0386; reference:cve,2000-0153; reference:nessus,10142; classtype:web-application-attack; sid:966; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage dvwssr.dll access"; flow:to_server,established; content:"/dvwssr.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1108; reference:bugtraq,1109; reference:cve,2000-0260; reference:nessus,10369; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-025; classtype:web-application-activity; sid:967; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage register.htm access"; flow:to_server,established; content:"/_private/register.htm"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; classtype:web-application-activity; sid:968; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WebDAV file lock attempt"; flow:to_server,established; content:"LOCK "; depth:5; metadata:ruleset community, service http; reference:bugtraq,2736; reference:nessus,10732; classtype:web-application-activity; sid:969; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .printer access"; flow:to_server,established; content:".printer"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-023; classtype:web-application-activity; sid:971; rev:28;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS *.idc attempt"; flow:to_server,established; content:"/*.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1448; reference:cve,1999-0874; reference:cve,2000-0661; classtype:web-application-attack; sid:973; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Windows IIS directory traversal attempt"; flow:to_server,established; content:"..|5C|.."; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2218; reference:cve,1999-0229; classtype:web-application-attack; sid:974; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp|3A 3A 24|DATA"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q188806; classtype:web-application-attack; sid:975; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bat? access"; flow:to_server,established; content:".bat?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2023; reference:bugtraq,4335; reference:cve,1999-0233; reference:cve,2002-0061; reference:cve,2019-0232; reference:url,support.microsoft.com/support/kb/articles/Q148/1/88.asp; reference:url,support.microsoft.com/support/kb/articles/Q155/0/56.asp; classtype:web-application-activity; sid:976; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4078; reference:cve,2002-1717; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:"%20"; content:"&CiRestriction=none"; nocase; content:"&CiHiliteType=Full"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1084; reference:cve,2000-0302; reference:nessus,10356; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:978; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ASP contents view"; flow:to_server,established; content:".htw?CiWebHitsFile"; fast_pattern; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1861; reference:cve,2000-0942; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-006; classtype:web-application-attack; sid:979; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CGImail.exe access"; flow:to_server,established; content:"/scripts/CGImail.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:980; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/ctguestb.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-activity; sid:984; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS JET VBA access"; flow:to_server,established; content:"/scripts/samples/details.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; classtype:web-application-activity; sid:985; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MSProxy access"; flow:to_server,established; content:"/scripts/proxy/w3proxy.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:url,support.microsoft.com/?kbid=331066; classtype:web-application-activity; sid:986; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY .htr access file download request"; flow:to_server,established; content:".htr"; fast_pattern:only; http_uri; pcre:"/\x2ehtr([\?\x5c\x2f]|$)/smiU"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:misc-activity; sid:987; rev:32;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"MALWARE-CNC sensepost.exe command shell"; flow:to_server,established; content:"/sensepost.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage _vti_inf.html access"; flow:to_server,established; content:"/_vti_inf.html"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; reference:nessus,11455; classtype:web-application-activity; sid:990; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS achg.htr access"; flow:to_server,established; content:"/iisadmpwd/achg.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:991; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS adctest.asp access"; flow:to_server,established; content:"/msadc/samples/adctest.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:992; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:994; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll access"; flow:to_server,established; content:"/scripts/iisadmin/ism.dll?http/dir"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,189; reference:cve,1999-1538; reference:cve,2000-0630; classtype:web-application-attack; sid:995; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS anot.htr access"; flow:to_server,established; content:"/iisadmpwd/anot"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-activity; sid:996; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-dot attempt"; flow:to_server,established; content:".asp."; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1814; reference:nessus,10363; classtype:web-application-attack; sid:997; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS asp-srch attempt"; flow:to_server,established; content:"|23|filename=*.asp"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:998; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir access"; flow:to_server,established; content:"/scripts/iisadmin/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; classtype:web-application-activity; sid:999; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS bdir.htr access"; flow:to_server,established; content:"/bdir.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2280; reference:nessus,10577; classtype:web-application-activity; sid:1000; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP carbo.dll access"; flow:to_server,established; content:"/carbo.dll"; http_uri; content:"icatcommand="; nocase; metadata:ruleset community, service http; reference:bugtraq,2126; reference:cve,1999-1069; classtype:attempted-recon; sid:1001; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:1002; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd? access"; flow:to_server,established; content:".cmd?&"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1003; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser Exair access"; flow:to_server,established; content:"/iissamples/exair/howitworks/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0499; reference:cve,1999-0815; classtype:web-application-activity; sid:1004; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS codebrowser SDK access"; flow:to_server,established; content:"/iissamples/sdk/asp/docs/codebrws.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; classtype:web-application-activity; sid:1005; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_JScript.asp access"; flow:to_server,established; content:"/Form_JScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-028; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1007; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS del attempt"; flow:to_server,established; content:"&del+/s+c|3A 5C|*.*"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1008; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10573; classtype:web-application-attack; sid:1009; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS encoding access"; flow:to_server,established; content:"%1u"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,886; reference:cve,2000-0024; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-061; classtype:web-application-activity; sid:1010; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS exec-src access"; flow:to_server,established; content:"|23|filename=*.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1011; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount attempt"; flow:to_server,established; content:"/fpcount.exe"; fast_pattern; nocase; http_uri; content:"Digits="; nocase; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-attack; sid:1012; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS getdrvs.exe access"; flow:to_server,established; content:"/scripts/tools/getdrvs.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1015; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS global.asa access"; flow:to_server,established; content:"/global.asa"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2000-0778; reference:cve,2001-0004; reference:nessus,10491; reference:nessus,10991; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004; classtype:web-application-activity; sid:1016; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS idc-srch attempt"; flow:to_server,established; content:"|23|filename=*.idc"; fast_pattern:only; metadata:ruleset community, service http; reference:cve,1999-0874; classtype:web-application-attack; sid:1017; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; reference:nessus,10371; classtype:web-application-attack; sid:1018; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Malformed Hit-Highlighting Argument File Access Attempt"; flow:to_server,established; content:"CiWebHitsFile="; nocase; http_uri; pcre:"/CiWebHitsFile=\/?([^\r\n\x3b\&]*\.\.\/)?/i"; content:"CiRestriction=none"; fast_pattern; nocase; http_uri; content:"ciHiliteType=Full"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-006; reference:url,www.securityfocus.com/archive/1/43762; classtype:web-application-attack; sid:1019; rev:30;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS isc$data attempt"; flow:to_server,established; content:".idc|3A 3A 24|data"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,307; reference:cve,1999-0874; reference:nessus,10116; classtype:web-application-attack; sid:1020; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ism.dll attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; pcre:"/\s{230,}\.htr/U"; metadata:ruleset community, service http; reference:bugtraq,1193; reference:cve,2000-0457; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-031; classtype:web-application-attack; sid:1021; rev:29;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS jet vba access"; flow:to_server,established; content:"/advworks/equipment/catalog_type.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,286; reference:cve,1999-0874; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-030; classtype:web-application-activity; sid:1022; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-025; classtype:web-application-activity; sid:1023; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS newdsn.exe access"; flow:to_server,established; content:"/scripts/tools/newdsn.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1818; reference:cve,1999-0191; reference:nessus,10360; classtype:web-application-activity; sid:1024; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl access"; flow:to_server,established; content:"/scripts/perl"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1025; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse newline attempt"; flow:to_server,established; content:"|0A|.pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1026; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS perl-browse space attempt"; flow:to_server,established; content:" .pl"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,6833; reference:cve,2003-1365; classtype:web-application-attack; sid:1027; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS query.asp access"; flow:to_server,established; content:"/issamples/query.asp"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; classtype:web-application-activity; sid:1028; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS scripts-browse access"; flow:to_server,established; content:"/scripts/ "; fast_pattern:only; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1029; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS search97.vts access"; flow:to_server,established; content:"/search97.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:web-application-activity; sid:1030; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /SiteServer/Publishing/viewcode.asp access"; flow:to_server,established; content:"/SiteServer/Publishing/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10576; classtype:web-application-activity; sid:1031; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspired/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1032; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1033; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Membership/Inspiredtutorial/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1034; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Push/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1035; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode access"; flow:to_server,established; content:"/Sites/Samples/Knowledge/Search/ViewCode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; reference:url,technet.microsoft.com/en-us/security/bulletin/ms99-013; classtype:web-application-activity; sid:1036; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS showcode.asp access"; flow:to_server,established; content:"/showcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,10007; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-013; classtype:web-application-activity; sid:1037; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site server config access"; flow:to_server,established; content:"/adsamples/config/site.csc"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,256; reference:cve,1999-1520; classtype:web-application-activity; sid:1038; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srch.htm access"; flow:to_server,established; content:"/samples/isapi/srch.htm"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1039; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS srchadm access"; flow:to_server,established; content:"/srchadm"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1040; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS uploadn.asp access"; flow:to_server,established; content:"/scripts/uploadn.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1041; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS view source via translate header"; flow:to_server,established; content:"Translate|3A| F"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,14764; reference:bugtraq,1578; reference:cve,2000-0778; reference:nessus,10491; classtype:web-application-activity; sid:1042; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS viewcode.asp access"; flow:to_server,established; content:"/viewcode.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0737; reference:nessus,10576; classtype:web-application-activity; sid:1043; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS webhits access"; flow:to_server,established; content:".htw"; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1044; rev:17;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"SERVER-IIS Unauthorized IP Access Attempt"; flow:to_client,established; content:"403"; content:"Forbidden|3A|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1045; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise DOS"; flow:to_server,established; content:"REVLOG / "; depth:9; metadata:ruleset community, service http; reference:bugtraq,2294; reference:cve,2001-0251; classtype:web-application-attack; sid:1047; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise directory listing attempt"; flow:to_server,established; content:"INDEX "; depth:6; metadata:ruleset community, service http; reference:bugtraq,2285; reference:cve,2001-0250; reference:nessus,10691; classtype:web-application-attack; sid:1048; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet GETPROPERTIES attempt"; flow:to_server,established; content:"GETPROPERTIES"; depth:13; metadata:ruleset community, service http; reference:bugtraq,2732; reference:cve,2001-0746; classtype:web-application-attack; sid:1050; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-OTHER technote main.cgi file directory traversal attempt"; flow:to_server,established; content:"/technote/main.cgi"; fast_pattern; nocase; http_uri; content:"filename="; nocase; content:"../../"; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1051; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP technote print.cgi directory traversal attempt"; flow:to_server,established; content:"/technote/print.cgi"; fast_pattern; nocase; http_uri; content:"board="; nocase; content:"../../"; http_raw_uri; content:"%00"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2156; reference:cve,2001-0075; reference:nessus,10584; classtype:web-application-attack; sid:1052; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ads.cgi command execution attempt"; flow:to_server,established; content:"/ads.cgi"; fast_pattern; nocase; http_uri; content:"file="; nocase; content:"../../"; http_raw_uri; content:"|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-attack; sid:1053; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP weblogic/tomcat .jsp view source attempt"; flow:to_server,established; content:".jsp"; nocase; http_uri; pcre:!"/^\w+\s+[^\n\s\?]*\.jsp/smi"; metadata:ruleset community, service http; reference:bugtraq,2527; classtype:web-application-attack; sid:1054; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat view source attempt"; flow:to_server,established; content:"%252ejsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2527; reference:cve,2001-0590; classtype:web-application-attack; sid:1056; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL ftp attempt"; flow:to_server,established; content:"ftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1057; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1058; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1059; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1060; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,5309; classtype:web-application-attack; sid:1061; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nc.exe attempt"; flow:to_server,established; content:"nc.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1062; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wsh attempt"; flow:to_server,established; content:"wsh.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1064; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rcmd attempt"; flow:to_server,established; content:"rcmd.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1065; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP telnet attempt"; flow:to_server,established; content:"telnet.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1066; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP net attempt"; flow:to_server,established; content:"net.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1067; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tftp attempt"; flow:to_server,established; content:"tftp.exe"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1068; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL xp_regread attempt"; flow:to_server,established; content:"xp_regread"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1069; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebDAV search access"; flow:to_server,established; content:"SEARCH "; depth:8; nocase; metadata:ruleset community, service http; reference:bugtraq,1756; reference:cve,2000-0951; classtype:web-application-activity; sid:1070; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htpasswd access"; flow:to_server,established; content:".htpasswd"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:1071; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Domino directory traversal"; flow:to_server,established; content:".nsf/"; http_uri; content:"../"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2173; reference:cve,2001-0009; reference:nessus,12248; classtype:web-application-attack; sid:1072; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webhits.exe access"; flow:to_server,established; content:"/scripts/samples/search/webhits.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,950; reference:cve,2000-0097; classtype:web-application-activity; sid:1073; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS postinfo.asp access"; flow:to_server,established; content:"/scripts/postinfo.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:cve,1999-0360; classtype:web-application-activity; sid:1075; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS repost.asp access"; flow:to_server,established; content:"/scripts/repost.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10372; classtype:web-application-activity; sid:1076; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL queryhit.htm access"; flow:to_server,established; content:"/samples/search/queryhit.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-activity; sid:1077; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQL counter.exe access"; flow:to_server,established; content:"/counter.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,267; reference:cve,1999-1030; classtype:web-application-activity; sid:1078; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS Microsoft Windows WebDAV propfind access"; flow:to_server,established; content:"propfind"; nocase; pcre:"/<a\x3a\s*propfind.*?xmlns\x3a\s*a=[\x21\x22]?DAV[\x21\x22]?/iR"; metadata:ruleset community, service http; reference:bugtraq,1656; reference:cve,2000-0869; reference:cve,2003-0718; reference:nessus,10505; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-030; classtype:web-application-activity; sid:1079; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec upload"; flow:to_server,established; content:"/servlet/com.unify.servletexec.UploadServlet"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:bugtraq,1876; reference:cve,2000-1024; reference:cve,2000-1025; reference:nessus,10570; classtype:web-application-attack; sid:1080; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Servers suite DOS"; flow:to_server,established; content:"/dsgw/bin/search?context="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-attack; sid:1081; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP amazon 1-click cookie theft"; flow:to_server,established; content:"ref%3Cscript%20language%3D%22Javascript"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1194; reference:cve,2000-0439; classtype:web-application-attack; sid:1082; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP unify eWave ServletExec DOS"; flow:to_server,established; content:"/servlet/ServletExec"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1868; reference:cve,2000-1025; classtype:web-application-activity; sid:1083; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire JRUN DOS attempt"; flow:to_server,established; content:"servlet/......."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2337; reference:cve,2000-1049; classtype:web-application-attack; sid:1084; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"|BA|I|FE FF FF F7 D2 B9 BF FF FF FF F7 D1|"; metadata:ruleset community, service http; reference:bugtraq,802; classtype:web-application-attack; sid:1085; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP strings overflow"; flow:to_server,established; content:"?STRENGUR"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1786; reference:cve,2000-0967; classtype:web-application-attack; sid:1086; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore directory traversal"; flow:to_server,established; content:"/web_store.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-attack; sid:1088; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart directory traversal"; flow:to_server,established; content:"/shop.cgi"; http_uri; content:"page=../"; metadata:ruleset community, service http; reference:bugtraq,1777; reference:cve,2000-0921; classtype:web-application-attack; sid:1089; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Allaire Pro Web Shell attempt"; flow:to_server,established; content:"/authenticate.cgi?PASSWORD"; fast_pattern; nocase; http_uri; content:"config.ini"; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; classtype:web-application-attack; sid:1090; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ Webfront HTTP DOS"; flow:to_server,established; content:"??????????"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1463; reference:cve,2000-1078; classtype:web-application-attack; sid:1091; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Armada Style Master Index directory traversal"; flow:to_server,established; content:"/search.cgi?"; nocase; http_uri; content:"keys"; distance:0; nocase; http_uri; content:"catigory=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1772; reference:cve,2000-0924; reference:nessus,10562; reference:url,www.synnergy.net/downloads/advisories/SLA-2000-16.masterindex.txt; classtype:web-application-attack; sid:1092; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart directory traversal"; flow:to_server,established; content:"/cached_feed.cgi"; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-attack; sid:1093; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ Source Code view access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"script=test.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1722; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-attack; sid:1095; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ internal IP Address access"; flow:to_server,established; content:"/webplus.exe?"; nocase; http_uri; content:"about"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1720; reference:url,archives.neohapsis.com/archives/ntbugtraq/2000-q3/0168.html; classtype:web-application-activity; sid:1096; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Talentsoft Web+ exploit attempt"; flow:to_server,established; content:"/webplus.cgi?"; nocase; http_uri; content:"Script=/webplus/webping/webping.wml"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1725; classtype:web-application-attack; sid:1097; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SmartWin CyberOffice Shopping Cart access"; flow:to_server,established; content:"_private/shopping_cart.mdb"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1734; reference:cve,2000-0925; classtype:web-application-attack; sid:1098; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cybercop scan"; flow:to_server,established; content:"/cybercop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1099; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN L3retriever HTTP Probe"; flow:to_server,established; content:"User-Agent|3A| Java1.2.1|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1100; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN Webtrends HTTP probe"; flow:to_server,established; content:"User-Agent|3A| Webtrends Security Analyzer|0D 0A|"; http_header; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:web-application-activity; sid:1101; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; depth:32; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1102; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape admin passwd"; flow:to_server,established; content:"/admin-serv/config/admpw"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1579; reference:nessus,10468; classtype:web-application-attack; sid:1103; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BigBrother access"; flow:to_server,established; content:"/bb-hostsvc.sh?"; nocase; http_uri; content:"HOSTSVC"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:attempted-recon; sid:1105; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Poll-it access"; flow:to_server,established; content:"/pollit/Poll_It_SSI_v2.0.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1431; reference:cve,2000-0590; reference:nessus,10459; classtype:web-application-activity; sid:1106; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl access"; flow:to_server,established; content:"/ftp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-activity; sid:1107; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1532; reference:cve,2000-0760; reference:nessus,10478; classtype:attempted-recon; sid:1108; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROXEN directory list attempt"; flow:to_server,established; content:"/%00"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1510; reference:cve,2000-0671; reference:nessus,10479; classtype:attempted-recon; sid:1109; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ICQ webserver DOS"; flow:to_server,established; content:".html/......"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0474; reference:url,www.securiteam.com/exploits/2ZUQ1QAQOG.html; classtype:attempted-dos; sid:1115; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus DelDoc attempt"; flow:to_server,established; content:"?DeleteDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1116; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus EditDoc attempt"; flow:to_server,established; content:"?EditDocument"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/exploits/5NP080A1RE.html; classtype:attempted-recon; sid:1117; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ls 20-l"; flow:to_server,established; content:"ls%20-l"; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1118; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mlog.phtml access"; flow:to_server,established; content:"/mlog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1119; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mylog.phtml access"; flow:to_server,established; content:"/mylog.phtml"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,713; reference:cve,1999-0068; reference:cve,1999-0346; classtype:attempted-recon; sid:1120; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/passwd file access attempt"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:1122; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ?PageServices access"; flow:to_server,established; content:"?PageServices"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1063; reference:bugtraq,7621; reference:cve,1999-0269; classtype:attempted-recon; sid:1123; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce check.txt access"; flow:to_server,established; content:"/config/check.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1124; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart access"; flow:to_server,established; content:"/webcart/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:attempted-recon; sid:1125; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AuthChangeUrl access"; flow:to_server,established; content:"_AuthChangeUrl?"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:cve,1999-0407; classtype:attempted-recon; sid:1126; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP convert.bas access"; flow:to_server,established; content:"/scripts/convert.bas"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2025; reference:cve,1999-0175; classtype:attempted-recon; sid:1127; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cpshost.dll access"; flow:to_server,established; content:"/scripts/cpshost.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1811; reference:bugtraq,4002; reference:cve,1999-0360; classtype:attempted-recon; sid:1128; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htaccess access"; flow:to_server,established; content:".htaccess"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1170; classtype:attempted-recon; sid:1129; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".wwwacl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1130; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .wwwacl access"; flow:to_server,established; content:".www_acl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1131; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"SERVER-WEBAPP Netscape Unixware overflow"; flow:to_server,established; content:"|EB|_|9A FF FF FF FF 07 FF C3|^1|C0 89|F|9D|"; metadata:ruleset community; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"INDICATOR-SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; metadata:ruleset community, service http; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:attempted-recon; sid:1133; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum admin access"; flow:to_server,established; content:"/admin.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2271; reference:cve,2000-1228; classtype:attempted-recon; sid:1134; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cd.."; flow:to_server,established; content:"cd.."; nocase; metadata:ruleset community, service http; classtype:attempted-recon; sid:1136; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum authentication access"; flow:to_server,established; content:"PHP_AUTH_USER=boogieman"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2274; reference:cve,2000-1230; classtype:attempted-recon; sid:1137; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; metadata:ruleset community, service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.pl access"; flow:to_server,established; content:"/guestbook.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,776; reference:cve,1999-0237; reference:cve,1999-1053; reference:nessus,10099; classtype:attempted-recon; sid:1140; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler access"; flow:to_server,established; content:"/handler"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-activity; sid:1141; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.... access"; flow:to_server,established; content:"/...."; metadata:ruleset community, service http; classtype:attempted-recon; sid:1142; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP root access"; flow:to_server,established; content:"/~root"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:1145; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/config/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1146; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cat_ access"; flow:to_server,established; content:"cat "; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; classtype:attempted-recon; sid:1147; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce import.txt access"; flow:to_server,established; content:"/orders/import.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1148; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP count.cgi access"; flow:to_server,established; content:"/count.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,128; reference:cve,1999-0021; reference:nessus,10049; classtype:web-application-activity; sid:1149; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino catalog.nsf access"; flow:to_server,established; content:"/catalog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1150; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domcfg.nsf access"; flow:to_server,established; content:"/domcfg.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1151; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino domlog.nsf access"; flow:to_server,established; content:"/domlog.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1152; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino log.nsf access"; flow:to_server,established; content:"/log.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1153; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino names.nsf access"; flow:to_server,established; content:"/names.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1154; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ecommerce checks.txt access"; flow:to_server,established; content:"/orders/checks.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2281; classtype:attempted-recon; sid:1155; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP apache directory disclosure attempt"; flow:to_server,established; content:"////////"; fast_pattern:only; content:"////////"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2503; reference:cve,2001-0925; classtype:attempted-dos; sid:1156; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape PublishingXpert access"; flow:to_server,established; content:"/PSUser/PSCOErrPage.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-1196; reference:nessus,10364; classtype:web-application-activity; sid:1157; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP windmail.exe access"; flow:to_server,established; content:"/windmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1073; reference:cve,2000-0242; reference:nessus,10365; classtype:attempted-recon; sid:1158; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webplus access"; flow:to_server,established; content:"/webplus?script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1174; reference:bugtraq,1720; reference:bugtraq,1722; reference:bugtraq,1725; reference:cve,2000-1005; classtype:attempted-recon; sid:1159; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape dir index wp"; flow:to_server,established; content:"?wp-"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1160; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP piranha passwd.php3 access"; flow:to_server,established; content:"/passwd.php3"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1149; reference:cve,2000-0322; classtype:attempted-recon; sid:1161; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart 32 AdminPwd access"; flow:to_server,established; content:"/c32web.exe/ChangeAdminPassword"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:cve,2000-0429; classtype:attempted-recon; sid:1162; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi access"; flow:to_server,established; content:"/webdist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-activity; sid:1163; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shopping cart access"; flow:to_server,established; content:"/quikstore.cfg"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1983; reference:bugtraq,2049; reference:cve,1999-0607; reference:cve,2000-1188; classtype:attempted-recon; sid:1164; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe access"; flow:to_server,established; content:"/GWWEB.EXE"; nocase; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1165; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ws_ftp.ini access"; flow:to_server,established; content:"/ws_ftp.ini"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,547; reference:cve,1999-1078; classtype:attempted-recon; sid:1166; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpm_query access"; flow:to_server,established; content:"/rpm_query"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1036; reference:cve,2000-0192; reference:nessus,10340; classtype:attempted-recon; sid:1167; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mall log order access"; flow:to_server,established; content:"/mall_log_files/order.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2266; reference:cve,1999-0606; classtype:attempted-recon; sid:1168; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bigconf.cgi access"; flow:to_server,established; content:"/bigconf.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,778; reference:cve,1999-1550; reference:nessus,10027; classtype:web-application-activity; sid:1172; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP architext_query.pl access"; flow:to_server,established; content:"/ews/architext_query.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2248; reference:cve,1999-0279; reference:nessus,10064; reference:url,www2.fedcirc.gov/alerts/advisories/1998/txt/fedcirc.98.03.txt; classtype:attempted-recon; sid:1173; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/jj access"; flow:to_server,established; content:"/cgi-bin/jj"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2002; reference:cve,1999-0260; reference:nessus,10131; classtype:web-application-activity; sid:1174; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwboard.pl access"; flow:to_server,established; content:"/wwwboard.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1795; reference:bugtraq,649; reference:cve,1999-0930; reference:cve,1999-0954; classtype:attempted-recon; sid:1175; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-verify-link"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1177; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum read access"; flow:to_server,established; content:"/read.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1178; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum violation access"; flow:to_server,established; content:"/violation.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2272; reference:cve,2000-1234; classtype:attempted-recon; sid:1179; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP get32.exe access"; flow:to_server,established; content:"/get32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10011; classtype:attempted-recon; sid:1180; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Annex Terminal DOS attempt"; flow:to_server,established; content:"/ping?query="; http_uri; metadata:ruleset community, service http; reference:cve,1999-1070; reference:nessus,10017; classtype:attempted-dos; sid:1181; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-cs-dump"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; reference:nessus,10352; classtype:attempted-recon; sid:1183; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-info"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1184; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch attempt"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern; nocase; http_uri; content:"mail"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-attack; sid:1185; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-ver-diff"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1186; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer web command attempt"; flow:to_server,established; content:"/slxweb.dll/admin?command="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; reference:nessus,10361; classtype:web-application-attack; sid:1187; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-start-ver"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1188; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-stop-ver"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1189; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-uncheckout"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1190; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-html-rend"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:attempted-recon; sid:1191; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan access"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1192; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi File attempt"; flow:to_server,established; content:"/sojourn.cgi?"; nocase; http_uri; content:"cat="; distance:0; nocase; http_uri; content:"%00"; nocase; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-attack; sid:1194; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sojourn.cgi access"; flow:to_server,established; content:"/sojourn.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1052; reference:cve,2000-0180; reference:nessus,10349; classtype:web-application-activity; sid:1195; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname attempt"; flow:to_server,established; content:"/infosrch.cgi?"; fast_pattern; nocase; http_uri; content:"fname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; reference:nessus,10128; classtype:web-application-attack; sid:1196; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum code access"; flow:to_server,established; content:"/code.php3"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1197; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Netscape Enterprise Server directory view"; flow:to_server,established; content:"?wp-usr-prop"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1063; reference:cve,2000-0236; classtype:web-application-attack; sid:1198; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq Insight directory traversal"; flow:to_server,established; content:"../"; metadata:ruleset community, service http; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:18;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Invalid URL"; flow:to_client,established; file_data; content:"Invalid URL"; nocase; metadata:ruleset community, service http; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-063; classtype:attempted-recon; sid:1200; rev:17;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE 403 Forbidden"; flow:to_client,established; content:"403"; http_stat_code; metadata:ruleset community, service http; classtype:attempted-recon; sid:1201; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.vts access"; flow:to_server,established; content:"/search.vts"; http_uri; metadata:ruleset community, service http; reference:bugtraq,162; classtype:attempted-recon; sid:1202; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ax-admin.cgi access"; flow:to_server,established; content:"/ax-admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1204; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP axs.cgi access"; flow:to_server,established; content:"/axs.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1205; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cachemgr.cgi access"; flow:to_server,established; content:"/cachemgr.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2059; reference:cve,1999-0710; reference:nessus,10034; classtype:web-application-activity; sid:1206; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep access"; flow:to_server,established; content:"/htgrep"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-activity; sid:1207; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP responder.cgi access"; flow:to_server,established; content:"/responder.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3155; classtype:web-application-activity; sid:1208; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .nsconfig access"; flow:to_server,established; content:"/.nsconfig"; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1209; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP web-map.cgi access"; flow:to_server,established; content:"/web-map.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1211; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Admin_files access"; flow:to_server,established; content:"/admin_files"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1212; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP backup access"; flow:to_server,established; content:"/backup"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1213; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP intranet access"; flow:to_server,established; content:"/intranet/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11626; classtype:attempted-recon; sid:1214; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ministats admin access"; flow:to_server,established; content:"/ministats/admin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1215; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP filemail access"; flow:to_server,established; content:"/filemail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1154; reference:cve,1999-1155; reference:url,www.securityfocus.com/archive/1/11175; classtype:attempted-recon; sid:1216; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP plusmail access"; flow:to_server,established; content:"/plusmail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2653; reference:cve,2000-0074; reference:nessus,10181; classtype:attempted-recon; sid:1217; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adminlogin access"; flow:to_server,established; content:"/adminlogin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1218; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dfire.cgi access"; flow:to_server,established; content:"/dfire.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,564; reference:cve,1999-0913; classtype:web-application-activity; sid:1219; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ultraboard access"; flow:to_server,established; content:"/ultraboard"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1164; reference:bugtraq,1175; reference:cve,2000-0332; reference:cve,2000-0426; reference:nessus,11748; classtype:attempted-recon; sid:1220; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Muscat Empower cgi access"; flow:to_server,established; content:"/empower?DB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-activity; sid:1221; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pals-cgi arbitrary file access attempt"; flow:to_server,established; content:"/pals-cgi"; fast_pattern; nocase; http_uri; content:"documentName="; http_uri; metadata:ruleset community, service http; reference:bugtraq,2372; reference:cve,2001-0217; reference:nessus,10611; classtype:web-application-attack; sid:1222; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ROADS search.pl attempt"; flow:to_server,established; content:"/ROADS/cgi-bin/search.pl"; http_uri; content:"form="; nocase; metadata:ruleset community, service http; reference:bugtraq,2371; reference:cve,2001-0215; reference:nessus,10627; classtype:attempted-recon; sid:1224; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 MIT Magic Cookie detected"; flow:established; content:"MIT-MAGIC-COOKIE-1"; fast_pattern:only; metadata:ruleset community; classtype:attempted-user; sid:1225; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6000 (msg:"X11 xopen"; flow:established; content:"l|00 0B 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:unknown; sid:1226; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]*?\.\.\./smi"; metadata:ruleset community, service ftp; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSave access"; flow:to_server,established; content:"/FtpSave.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1230; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1231; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1812 (msg:"SERVER-WEBAPP VirusWall catinfo access"; flow:to_server,established; content:"/catinfo"; nocase; metadata:ruleset community, service http; reference:bugtraq,2579; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10650; classtype:attempted-recon; sid:1232; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCSP access"; flow:to_server,established; content:"/FtpSaveCSP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1234; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VirusWall FtpSaveCVP access"; flow:to_server,established; content:"/FtpSaveCVP.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2808; reference:cve,2001-0432; reference:nessus,10733; classtype:attempted-recon; sid:1235; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS RFParalyze Attempt"; flow:to_server,established; content:"BEAVIS"; content:"yep yep"; metadata:ruleset community; reference:bugtraq,1163; reference:cve,2000-0347; reference:nessus,10392; classtype:attempted-recon; sid:1239; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"SERVER-OTHER MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,1252; reference:cve,2000-0446; reference:nessus,10422; classtype:attempted-admin; sid:1240; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet directory traversal attempt"; flow:to_server,established; content:"/SWEditServlet"; http_uri; content:"template=../../../"; metadata:ruleset community, service http; reference:bugtraq,2868; reference:cve,2001-0555; classtype:attempted-user; sid:1241; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; reference:cve,2001-0500; classtype:web-application-attack; sid:1243; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:cve,2001-0500; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:29;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp30reg.dll access"; flow:to_server,established; content:"/fp30reg.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:cve,2003-0822; reference:nessus,10699; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-035; classtype:web-application-activity; sid:1248; rev:31;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage rad fp4areg.dll access"; flow:to_server,established; content:"/fp4areg.dll"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2906; reference:cve,2001-0341; reference:nessus,10699; classtype:web-application-activity; sid:1249; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-OTHER Cisco IOS HTTP configuration attempt"; flow:to_server,established; content:"/level/"; http_uri; pcre:"/\x2flevel\x2f\d+\x2f(exec|configure)/iU"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2936; reference:cve,2001-0537; reference:nessus,10700; classtype:web-application-attack; sid:1250; rev:22;)
|
|
# alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"PROTOCOL-TELNET bsd telnet exploit response"; flow:to_client,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; fast_pattern:only; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET bsd exploit client finishing"; flow:to_server,established; isdataat:200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; metadata:ruleset community, service telnet; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"_PHPLIB[libdir]"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; reference:nessus,14910; classtype:attempted-user; sid:1254; rev:16;)
|
|
# alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPLIB remote command attempt"; flow:to_server,established; content:"/db_mysql.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3079; reference:cve,2001-1370; classtype:attempted-user; sid:1255; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"SERVER-OTHER Winnuke attack"; flow:stateless; flags:U+; metadata:ruleset community; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SWEditServlet access"; flow:to_server,established; content:"/SWEditServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2868; classtype:attempted-recon; sid:1259; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"SERVER-OTHER AIX pdnsd overflow"; flow:to_server,established; isdataat:1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; metadata:ruleset community; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap admind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F7|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1262; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap amountd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 03|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,235; reference:bugtraq,450; reference:bugtraq,614; reference:cve,1999-0088; reference:cve,1999-0210; reference:cve,1999-0493; reference:cve,1999-0704; classtype:rpc-portmap-decode; sid:1263; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap bootparam request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BA|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1264; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cmsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 E4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1265; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nisd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 CC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1267; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap pcnfsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 02|I|F1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:bugtraq,4816; reference:cve,1999-0078; reference:cve,1999-0353; reference:cve,2002-0910; classtype:rpc-portmap-decode; sid:1268; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rexd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1269; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rstatd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A1|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1270; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rusers request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A2|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:1271; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap sadmind request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 88|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1272; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap selection_svc request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AF|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0209; classtype:rpc-portmap-decode; sid:1273; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap yppasswd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A9|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1275; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypserv request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A4|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap ypupdated request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 BC|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:rpc-portmap-decode; sid:1277; rev:22;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap snmpXdmi request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 99|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:28;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap listing UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1280; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"PROTOCOL-RPC portmap listing UDP 32771"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:1281; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Microsoft Office Outlook web dos"; flow:to_server,established; content:"/exchange/LogonFrm.asp?"; fast_pattern; nocase; http_uri; content:"mailbox="; nocase; content:"%%%"; metadata:ruleset community, service http; reference:bugtraq,3223; classtype:web-application-attack; sid:1283; rev:21;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-OTHER readme.eml download attempt"; flow:to_server,established; content:"/readme.eml"; nocase; http_uri; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1284; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1285; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS _mem_bin access"; flow:to_server,established; content:"/_mem_bin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1286; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Microsoft Frontpage /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2002-1717; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:17;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET Admin.dll"; flow:to_server; content:"|00 01|"; depth:2; content:"admin.dll"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:11;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER readme.eml autoload attempt"; flow:to_client,established; file_data; content:"window.open|28 22|readme.eml|22|"; nocase; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:attempted-user; sid:1290; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sml3com access"; flow:to_server,established; content:"/graphics/sml3com"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2721; reference:cve,2001-0740; classtype:web-application-activity; sid:1291; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE directory listing"; flow:established; content:"Volume Serial Number"; metadata:ruleset community; classtype:bad-unknown; sid:1292; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"INDICATOR-COMPROMISE nimda RICHED20.DLL"; flow:to_server,established; content:"R|00|I|00|C|00|H|00|E|00|D|00|2|00|0|00|.|00|D|00|L|00|L"; nocase; metadata:ruleset community; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1295; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php file upload attempt"; flow:to_server,established; content:"/admin.php"; fast_pattern; nocase; http_uri; content:"file_name="; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:cve,2001-1032; classtype:attempted-admin; sid:1300; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admin.php access"; flow:to_server,established; content:"/admin.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3361; reference:bugtraq,7532; reference:bugtraq,9270; reference:cve,2001-1032; classtype:attempted-recon; sid:1301; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP console.exe access"; flow:to_server,established; content:"/cgi-bin/console.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1302; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cs.exe access"; flow:to_server,established; content:"/cgi-bin/cs.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3375; reference:cve,2001-1252; classtype:attempted-recon; sid:1303; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi access"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1304; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP txt2html.cgi directory traversal attempt"; flow:to_server,established; content:"/txt2html.cgi"; fast_pattern:only; http_uri; content:"/../../../../"; http_raw_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1305; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi access"; flow:to_server,established; content:"/store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-activity; sid:1307; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sendmessage.cgi access"; flow:to_server,established; content:"/sendmessage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3673; reference:cve,2001-1100; classtype:attempted-recon; sid:1308; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zsh access"; flow:to_server,established; content:"/zsh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1309; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"SERVER-OTHER rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; metadata:ruleset community; reference:bugtraq,3474; reference:cve,2001-0838; reference:nessus,10790; classtype:misc-attack; sid:1323; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"INDICATOR-SHELLCODE ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; metadata:ruleset community; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; reference:nessus,10607; classtype:shellcode-detect; sid:1327; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .htgroup access"; flow:to_server,established; content:".htgroup"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-activity; sid:1374; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sadmind worm access"; flow:to_server,established; content:"GET x HTTP/1.0"; depth:15; metadata:ruleset community, service http; reference:url,www.cert.org/advisories/CA-2001-11.html; classtype:attempted-recon; sid:1375; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jrun directory browse attempt"; flow:to_server,established; content:"/?.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3592; reference:cve,2001-1510; classtype:web-application-attack; sid:1376; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1377; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"{"; distance:0; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; reference:nessus,10821; classtype:misc-attack; sid:1378; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:190,relative; pcre:"/^STAT(?!\n)\s[^\n]{190}/mi"; metadata:ruleset community, service ftp; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:cve,2003-0772; reference:cve,2011-0762; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Form_VBScript.asp access"; flow:to_server,established; content:"/Form_VBScript.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1594; reference:bugtraq,1595; reference:cve,2000-0746; reference:cve,2000-1104; reference:nessus,10572; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-060; classtype:web-application-attack; sid:1380; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro OfficeScan attempt"; flow:to_server,established; content:"/officescan/cgi/jdkRqNotify.exe?"; nocase; http_uri; content:"domain="; nocase; http_uri; content:"event="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1057; classtype:attempted-recon; sid:1381; rev:13;)
|
|
# alert tcp any any -> any 6666:7000 (msg:"SERVER-OTHER CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; fast_pattern:only; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; metadata:ruleset community; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"OS-WINDOWS Microsoft Windows UPnP malformed advertisement"; flow:to_server,no_stream; content:"NOTIFY * "; fast_pattern:only; content:"LOCATION|3A|"; nocase; detection_filter:track by_dst, count 10, seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1384; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mod-plsql administration access"; flow:to_server,established; content:"/admin_/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3726; reference:bugtraq,3727; reference:cve,2001-1216; reference:cve,2001-1217; reference:nessus,10849; classtype:web-application-activity; sid:1385; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SERVER-MSSQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; offset:32; nocase; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-060; classtype:attempted-user; sid:1386; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows UPnP Location overflow attempt"; content:"Location"; fast_pattern:only; pcre:"/^Location\s*\x3a\s*\w+\x3a\/\/([^\n]*\x3a)?[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2007-2386; reference:nessus,10829; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-059; classtype:misc-attack; sid:1388; rev:23;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; metadata:policy max-detect-ips drop, ruleset community; classtype:shellcode-detect; sid:1390; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP lastlines.cgi access"; flow:to_server,established; content:"/lastlines.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3754; reference:bugtraq,3755; reference:cve,2001-1205; reference:cve,2001-1206; classtype:attempted-recon; sid:1392; rev:22;)
|
|
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-SHELLCODE x86 inc ecx NOOP"; content:"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; metadata:ruleset community; classtype:shellcode-detect; sid:1394; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi attempt"; flow:to_server,established; content:"/zml.cgi"; http_uri; content:"file=../"; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1395; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP zml.cgi access"; flow:to_server,established; content:"/zml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3759; reference:cve,2001-1209; reference:nessus,10830; classtype:web-application-activity; sid:1396; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wayboard attempt"; flow:to_server,established; content:"/way-board/way-board.cgi"; http_uri; content:"db="; http_uri; content:"../.."; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2370; reference:cve,2001-0214; reference:nessus,10610; classtype:web-application-attack; sid:1397; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"SERVER-OTHER CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; metadata:ruleset community; reference:bugtraq,3517; reference:cve,2001-0803; reference:nessus,10833; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Nuke remote file include attempt"; flow:to_server,established; content:"/index.php"; fast_pattern; nocase; http_uri; content:"file="; http_uri; pcre:"/file=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,3889; reference:cve,2002-0206; classtype:web-application-attack; sid:1399; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /scripts/samples/ access"; flow:to_server,established; content:"/scripts/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10370; classtype:web-application-attack; sid:1400; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AHG search.cgi access"; flow:to_server,established; content:"/publisher/search.cgi"; fast_pattern; nocase; http_uri; content:"template="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3985; reference:cve,2002-2113; classtype:web-application-activity; sid:1405; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi access"; flow:to_server,established; content:"/store/agora.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-activity; sid:1406; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smssend.php access"; flow:to_server,established; content:"/smssend.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3982; reference:cve,2002-0220; classtype:web-application-activity; sid:1407; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"SERVER-OTHER MSDTC attempt"; flow:to_server,established; isdataat:1023; metadata:ruleset community; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt"; flow:to_server; content:"|02 01 00 04 82 01 00|"; offset:4; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcboard.cgi access"; flow:to_server,established; content:"/dcboard.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2728; reference:cve,2001-0527; reference:nessus,10583; classtype:attempted-recon; sid:1410; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access udp"; flow:to_server; content:"|06|public"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP public access tcp"; flow:to_server,established; content:"public"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:21;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access udp"; flow:to_server; content:"private"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP private access tcp"; flow:to_server,established; content:"private"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:19;)
|
|
# alert udp any any -> 255.255.255.255 161 (msg:"PROTOCOL-SNMP Broadcast request"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:18;)
|
|
# alert udp any any -> 255.255.255.255 162 (msg:"PROTOCOL-SNMP broadcast trap"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request udp"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP request tcp"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:19;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap udp"; flow:to_server; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP trap tcp"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"PROTOCOL-SNMP AgentX/tcp request"; flow:stateless; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:19;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"PROTOCOL-SNMP community string buffer overflow attempt with evasion"; flow:to_server; content:" |04 82 01 00|"; depth:5; offset:7; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition memchr overflow"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"name=|22 CC CC CC CC CC|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1423; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP content-disposition file upload attempt"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; http_header; content:"form-data|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,4183; reference:cve,2002-0081; reference:nessus,10867; classtype:web-application-attack; sid:1425; rev:22;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP PROTOS test-suite-req-app attempt"; content:"0&|02 01 00 04 06|public|A0 19 02 01 00 02 01 00 02 01 00|0|0E|0|0C 06 08|+|06 01 02 01 01 05 00 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1426; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"PROTOCOL-SNMP PROTOS test-suite-trap-app attempt"; content:"08|02 01 00 04 06|public|A4|+|06|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:13;)
|
|
# alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"POLICY-MULTIMEDIA audio galaxy keepalive"; flow:established; content:"E_|00 03 05|"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:1428; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; metadata:ruleset community; classtype:policy-violation; sid:1432; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .history access"; flow:to_server,established; content:"/.history"; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1433; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .bash_history access"; flow:to_server,established; content:"/.bash_history"; http_uri; metadata:ruleset community, service http; reference:bugtraq,337; reference:cve,1999-0408; reference:url,attack.mitre.org/techniques/T1139; classtype:web-application-attack; sid:1434; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:16;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-MULTIMEDIA Apple Quicktime User Agent access"; flow:to_server,established; content:"User-Agent|3A| Quicktime"; fast_pattern:only; metadata:ruleset community, service http; classtype:policy-violation; sid:1436; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows Media download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; pcre:"/^Content-Type\x3a\s*(?=[av])(video\/x\-ms\-(w[vm]x|asf)|a(udio\/x\-ms\-w(m[av]|ax)|pplication\/x\-ms\-wm[zd]))/smiH"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:1437; rev:27;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Shoutcast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-scpls"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1439; rev:17;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-MULTIMEDIA Icecast playlist redirection"; flow:to_client,established; content:"Content-type|3A|"; nocase; http_header; content:"audio/x-mpegurl"; within:50; fast_pattern; nocase; http_header; metadata:ruleset community, service http; classtype:policy-violation; sid:1440; rev:17;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET nc.exe"; flow:to_server; content:"|00 01|"; depth:2; content:"nc.exe"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1441; rev:11;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET shadow"; flow:to_server; content:"|00 01|"; depth:2; content:"shadow"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1442; rev:11;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET passwd"; flow:to_server; content:"|00 01|"; depth:2; content:"passwd"; offset:2; nocase; metadata:policy max-detect-ips drop, ruleset community; classtype:successful-admin; sid:1443; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP Get"; flow:to_server; content:"|00 01|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1444; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INDICATOR-COMPROMISE FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1445; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; classtype:attempted-recon; sid:1446; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server RDP attempt"; flow:to_server,established; content:"|03 00 00 0B 06 E0 00 00 00 00 00|"; depth:11; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1447; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal server request attempt"; flow:to_server,established; content:"|03 00 00|"; depth:3; content:"|E0 00 00 00 00 00|"; depth:6; offset:5; metadata:ruleset community, service rdp; reference:bugtraq,3099; reference:cve,2001-0540; reference:cve,2001-0663; reference:nessus,10940; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-040; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:protocol-command-decode; sid:1448; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Vintra Mailserver expn *@"; flow:to_server,established; content:"expn"; fast_pattern:only; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:ruleset community, service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NPH-maillist access"; flow:to_server,established; content:"/nph-maillist.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2563; reference:cve,2001-0400; reference:nessus,10164; classtype:attempted-recon; sid:1451; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP args.cmd access"; flow:to_server,established; content:"/args.cmd"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1180; reference:nessus,11465; classtype:attempted-recon; sid:1452; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AT-generated.cgi access"; flow:to_server,established; content:"/AT-generated.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1072; classtype:attempted-recon; sid:1453; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP wwwwais access"; flow:to_server,established; content:"/wwwwais"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0223; reference:nessus,10597; classtype:attempted-recon; sid:1454; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.pl access"; flow:to_server,established; content:"calendar"; nocase; http_uri; pcre:"/calendar(|[-_]admin)\.pl/Ui"; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; classtype:attempted-recon; sid:1455; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calender_admin.pl access"; flow:to_server,established; content:"/calender_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0432; reference:nessus,10506; classtype:attempted-recon; sid:1456; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_admin.pl access"; flow:to_server,established; content:"/user_update_admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1457; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP user_update_passwd.pl access"; flow:to_server,established; content:"/user_update_passwd.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1486; reference:cve,2000-0627; classtype:attempted-recon; sid:1458; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histlog.sh access"; flow:to_server,established; content:"/bb-histlog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:attempted-recon; sid:1459; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-histsvc.sh access"; flow:to_server,established; content:"/bb-histsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1460; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-rep.sh access"; flow:to_server,established; content:"/bb-rep.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1461; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-replog.sh access"; flow:to_server,established; content:"/bb-replog.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; classtype:attempted-recon; sid:1462; rev:17;)
|
|
# alert tcp $HOME_NET any <> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC message"; flow:established; isdataat:!139; content:"PRIVMSG "; metadata:ruleset community; classtype:policy-violation; sid:1463; rev:16;)
|
|
# alert tcp $HOME_NET 8002 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE oracle one hour install"; flow:to_client,established; content:"Oracle Applications One-Hour Install"; metadata:ruleset community; reference:nessus,10737; classtype:bad-unknown; sid:1464; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi access"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-activity; sid:1465; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl access"; flow:to_server,established; content:"/cgiforum.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-activity; sid:1466; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi access"; flow:to_server,established; content:"/directorypro.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-activity; sid:1467; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi attempt"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern; nocase; http_uri; content:"newpage=../"; nocase; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; reference:nessus,10533; classtype:web-application-attack; sid:1468; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Web Shopper shopper.cgi access"; flow:to_server,established; content:"/shopper.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1776; reference:cve,2000-0922; classtype:attempted-recon; sid:1469; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP listrec.pl access"; flow:to_server,established; content:"/listrec.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3328; reference:cve,2001-0997; reference:nessus,10769; classtype:attempted-recon; sid:1470; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailnews.cgi access"; flow:to_server,established; content:"/mailnews.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2391; reference:cve,2001-0271; reference:nessus,10641; classtype:attempted-recon; sid:1471; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi access"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-activity; sid:1472; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsdesk.cgi access"; flow:to_server,established; content:"/newsdesk.cgi"; fast_pattern:only; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2172; reference:cve,2001-0232; reference:nessus,10586; classtype:attempted-recon; sid:1473; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl access"; flow:to_server,established; content:"/cal_make.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-activity; sid:1474; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailit.pl access"; flow:to_server,established; content:"/mailit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10417; classtype:attempted-recon; sid:1475; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2001-1130; reference:nessus,10503; reference:nessus,10720; classtype:attempted-recon; sid:1476; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Simple Web Counter URI Parameter Buffer Overflow attempt"; flow:to_server,established; content:"/swc"; nocase; http_uri; content:"ctr="; distance:0; nocase; http_uri; urilen:>500; metadata:ruleset community, service http; reference:bugtraq,6581; reference:nessus,10493; classtype:attempted-user; sid:1478; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi arbitrary file attempt"; flow:to_server,established; content:"/ttawebtop.cgi"; nocase; content:"pg=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:web-application-attack; sid:1479; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttawebtop.cgi access"; flow:to_server,established; content:"/ttawebtop.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2890; reference:cve,2001-0805; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP upload.cgi access"; flow:to_server,established; content:"/upload.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10290; classtype:attempted-recon; sid:1481; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP view_source access"; flow:to_server,established; content:"/view_source"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2251; reference:cve,1999-0174; reference:nessus,10294; classtype:attempted-recon; sid:1482; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl access"; flow:to_server,established; content:"/ustorekeeper.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-activity; sid:1483; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS mkilog.exe access"; flow:to_server,established; content:"/mkilog.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1485; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ctss.idc access"; flow:to_server,established; content:"/ctss.idc"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10359; classtype:web-application-activity; sid:1486; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP store.cgi directory traversal attempt"; flow:to_server,established; content:"/store.cgi"; fast_pattern; nocase; http_uri; content:"../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2385; reference:cve,2001-0305; reference:nessus,10639; classtype:web-application-attack; sid:1488; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10484; classtype:web-application-attack; sid:1489; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php attempt"; flow:to_server,established; content:"/support/common.php"; http_uri; content:"ForumLang=../"; metadata:ruleset community, service http; reference:bugtraq,1997; classtype:web-application-attack; sid:1490; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Phorum /support/common.php access"; flow:to_server,established; content:"/support/common.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1997; reference:bugtraq,9361; reference:cve,2004-0034; classtype:web-application-attack; sid:1491; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser directory traversal attempt"; flow:to_server,established; content:"/newuser?Image=../.."; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-attack; sid:1492; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP RBS ISP /newuser access"; flow:to_server,established; content:"/newuser"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1704; reference:cve,2000-1036; reference:nessus,10521; classtype:web-application-activity; sid:1493; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi attempt"; flow:to_server,established; content:"/generate.cgi"; http_uri; content:"content=../"; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-attack; sid:1494; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SIX webboard generate.cgi access"; flow:to_server,established; content:"/generate.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3175; reference:cve,2001-1115; reference:nessus,10725; classtype:web-application-activity; sid:1495; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spin_client.cgi access"; flow:to_server,established; content:"/spin_client.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10393; classtype:web-application-activity; sid:1496; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP SiteScope Service access"; flow:to_server,established; content:"/SiteScope/cgi/go.exe/SiteScope"; metadata:ruleset community, service http; reference:nessus,10778; classtype:web-application-activity; sid:1499; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ExAir access"; flow:to_server,established; content:"/exair/search/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,193; reference:cve,1999-0449; reference:nessus,10002; reference:nessus,10003; reference:nessus,10004; classtype:web-application-activity; sid:1500; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi directory traversal attempt"; flow:to_server,established; content:"/a1disp3.cgi?"; fast_pattern:only; http_uri; content:"/../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-attack; sid:1501; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats a1disp3.cgi access"; flow:to_server,established; content:"/a1disp3.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1502; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP admentor admin.asp access"; flow:to_server,established; content:"/admentor/admin/admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4152; reference:cve,2002-0308; reference:nessus,10880; reference:url,www.securiteam.com/windowsntfocus/5DP0N1F6AW.html; classtype:web-application-activity; sid:1503; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"POLICY-OTHER AFS access"; flow:to_server; content:"|00 00 03 E7 00 00 00 00 00 00 00|e|00 00 00 00 00 00 00 00 0D 05 00 00 00 00 00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,10441; classtype:misc-activity; sid:1504; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server PRN arbitrary command execution attempt"; flow:to_server,established; content:"/PRN/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1505; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alchemy http server NUL arbitrary command execution attempt"; flow:to_server,established; content:"/NUL/"; fast_pattern; http_uri; content:"../../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,3599; reference:cve,2001-0871; reference:nessus,10818; classtype:web-application-activity; sid:1506; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl arbitrary command execution attempt"; flow:to_server,established; content:"/alibaba.pl|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-attack; sid:1507; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alibaba.pl access"; flow:to_server,established; content:"/alibaba.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10013; classtype:web-application-activity; sid:1508; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AltaVista Intranet Search directory traversal attempt"; flow:to_server,established; content:"/query?mss=.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,896; reference:cve,2000-0039; reference:nessus,10015; classtype:web-application-attack; sid:1509; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat arbitrary command execution attempt"; flow:to_server,established; content:"/test.bat|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1510; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.bat access"; flow:to_server,established; content:"/test.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1511; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1512; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input.bat access"; flow:to_server,established; content:"/input.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1513; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat arbitrary command execution attempt"; flow:to_server,established; content:"/input2.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1514; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP input2.bat access"; flow:to_server,established; content:"/input2.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1515; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat arbitrary command execution attempt"; flow:to_server,established; content:"/envout.bat|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-attack; sid:1516; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP envout.bat access"; flow:to_server,established; content:"/envout.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,762; reference:cve,1999-0947; reference:nessus,10016; classtype:web-application-activity; sid:1517; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"SERVER-WEBAPP nstelemetry.adp access"; flow:to_server,established; content:"/nstelemetry.adp"; metadata:ruleset community, service http; reference:nessus,10753; classtype:web-application-activity; sid:1518; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache ?M=D directory list attempt"; flow:to_server,established; content:"/?M=D"; http_uri; metadata:ruleset community, service http; reference:bugtraq,3009; reference:cve,2001-0731; reference:nessus,10704; classtype:web-application-activity; sid:1519; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-info access"; flow:to_server,established; content:"/server-info"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1520; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP server-status access"; flow:to_server,established; content:"/server-status"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,httpd.apache.org/docs/mod/mod_info.html; classtype:web-application-activity; sid:1521; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl attempt"; flow:to_server,established; content:"/ans.pl?"; nocase; http_uri; content:"p=../../"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-attack; sid:1522; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ans.pl access"; flow:to_server,established; content:"/ans.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4147; reference:bugtraq,4149; reference:cve,2002-0306; reference:cve,2002-0307; reference:nessus,10875; classtype:web-application-activity; sid:1523; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD attempt"; flow:to_server,established; content:"/cd/../config/html/cnf_gi.htm"; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-attack; sid:1524; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Axis Storpoint CD access"; flow:to_server,established; content:"/config/html/cnf_gi.htm"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1025; reference:cve,2000-0191; reference:nessus,10023; classtype:web-application-activity; sid:1525; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix sendmail.inc access"; flow:to_server,established; content:"/inc/sendmail.inc"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1526; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP basilix mysql.class access"; flow:to_server,established; content:"/class/mysql.class"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2198; reference:cve,2001-1044; reference:nessus,10601; classtype:web-application-activity; sid:1527; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BBoard access"; flow:to_server,established; content:"/servlet/sunexamples.BBoardServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1459; reference:cve,2000-0629; reference:nessus,10507; classtype:web-application-activity; sid:1528; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:1529; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hist.sh attempt"; flow:to_server,established; content:"/bb-hist.sh?"; nocase; http_uri; content:"HISTFILE=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,142; reference:cve,1999-1462; reference:nessus,10025; classtype:web-application-attack; sid:1531; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh attempt"; flow:to_server,established; content:"/bb-hostsvc.sh?"; fast_pattern:only; http_uri; content:"HOSTSVC"; nocase; http_uri; content:"../.."; distance:0; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-attack; sid:1532; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb-hostscv.sh access"; flow:to_server,established; content:"/bb-hostsvc.sh"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1455; reference:cve,2000-0638; reference:nessus,10460; classtype:web-application-activity; sid:1533; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP agora.cgi attempt"; flow:to_server,established; content:"/store/agora.cgi?"; nocase; http_uri; content:"cart_id=<SCRIPT>"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3702; reference:bugtraq,3976; reference:cve,2001-1199; reference:cve,2002-0215; reference:nessus,10836; classtype:web-application-attack; sid:1534; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bizdbsearch access"; flow:to_server,established; content:"/bizdb1-search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1104; reference:cve,2000-0287; reference:nessus,10383; classtype:web-application-activity; sid:1535; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl arbitrary command execution attempt"; flow:to_server,established; content:"/calendar_admin.pl?"; nocase; http_uri; content:"config=|7C|"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-attack; sid:1536; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar_admin.pl access"; flow:to_server,established; content:"/calendar_admin.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1537; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; metadata:ruleset community; reference:bugtraq,1156; reference:cve,2000-0341; reference:nessus,10388; classtype:attempted-admin; sid:1538; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ls access"; flow:to_server,established; content:"/cgi-bin/ls"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,936; reference:cve,2000-0079; reference:nessus,10037; classtype:web-application-activity; sid:1539; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion ?Mode=debug attempt"; flow:to_server,established; content:"Mode=debug"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0760; reference:nessus,10797; classtype:web-application-activity; sid:1540; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER version query"; flow:to_server,established; content:"version"; metadata:ruleset community; classtype:attempted-recon; sid:1541; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgimail access"; flow:to_server,established; content:"/cgimail"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1623; reference:cve,2000-0726; reference:nessus,11721; classtype:web-application-activity; sid:1542; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiwrap access"; flow:to_server,established; content:"/cgiwrap"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1238; reference:bugtraq,3084; reference:bugtraq,777; reference:cve,1999-1530; reference:cve,2000-0431; reference:cve,2001-0987; reference:nessus,10041; classtype:web-application-activity; sid:1543; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco Catalyst command execution attempt"; flow:to_server,established; content:"/exec/show/config/cr"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1846; reference:cve,2000-0945; reference:nessus,10545; classtype:web-application-activity; sid:1544; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER Cisco denial of service attempt"; flow:to_server,established; isdataat:0; isdataat:!1; content:"|13|"; metadata:ruleset community, service http; classtype:web-application-attack; sid:1545; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco HTTP double-percent DOS attempt"; flow:to_server,established; content:"/%%"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1154; reference:cve,2000-0380; reference:nessus,10387; classtype:web-application-attack; sid:1546; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/csSearch.cgi"; http_uri; content:"setup="; content:"`"; content:"`"; distance:1; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-attack; sid:1547; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csSearch.cgi access"; flow:to_server,established; content:"/csSearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4368; reference:cve,2002-0495; reference:nessus,10924; classtype:web-application-activity; sid:1548; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:27;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL ETRN overflow attempt"; flow:to_server,established; content:"ETRN"; nocase; isdataat:500,relative; pcre:"/^ETRN\s[^\n]{500}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,1297; reference:bugtraq,7515; reference:cve,2000-0490; reference:nessus,10438; classtype:attempted-admin; sid:1550; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /CVS/Entries access"; flow:to_server,established; content:"/CVS/Entries"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10922; reference:nessus,11032; classtype:web-application-activity; sid:1551; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsweb version access"; flow:to_server,established; content:"/cvsweb/version"; http_uri; metadata:ruleset community, service http; reference:cve,2000-0670; reference:nessus,10465; classtype:web-application-activity; sid:1552; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dbman db.cgi access"; flow:to_server,established; content:"/dbman/db.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1178; reference:cve,2000-0381; reference:nessus,10403; classtype:web-application-activity; sid:1554; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop access"; flow:to_server,established; content:"/dcshop"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1555; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop orders.txt access"; flow:to_server,established; content:"/orders/orders.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1556; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCShop auth_user_file.txt access"; flow:to_server,established; content:"/auth_data/auth_user_file.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2889; reference:cve,2001-0821; classtype:web-application-activity; sid:1557; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Delegate whois overflow attempt"; flow:to_server,established; content:"whois|3A|//"; nocase; metadata:ruleset community, service http; reference:cve,2000-0165; reference:nessus,10054; classtype:web-application-activity; sid:1558; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/packages access"; flow:to_server,established; content:"/doc/packages"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1707; reference:cve,2000-1016; reference:nessus,10518; reference:nessus,11032; classtype:web-application-activity; sid:1559; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /doc/ access"; flow:to_server,established; content:"/doc/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,318; reference:cve,1999-0678; classtype:web-application-activity; sid:1560; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHOWN overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHOWN"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHOWN\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2120; reference:cve,2001-0065; reference:nessus,10579; classtype:attempted-admin; sid:1562; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm attempt"; flow:to_server,established; content:"/login.htm?"; nocase; http_uri; content:"password="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1563; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP login.htm access"; flow:to_server,established; content:"/login.htm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,665; reference:cve,1999-1533; classtype:web-application-activity; sid:1564; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl arbitrary command execution attempt"; flow:to_server,established; content:"/eshop.pl?"; nocase; http_uri; content:"seite=|3B|"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-attack; sid:1565; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eshop.pl access"; flow:to_server,established; content:"/eshop.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3340; reference:cve,2001-1014; classtype:web-application-activity; sid:1566; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp attempt"; flow:to_server,established; content:"/exchange/root.asp?"; nocase; http_uri; content:"acs=anon"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-047; classtype:web-application-attack; sid:1567; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /exchange/root.asp access"; flow:to_server,established; content:"/exchange/root.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3301; reference:cve,2001-0660; reference:nessus,10755; reference:nessus,10781; classtype:web-application-activity; sid:1568; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi directory traversal attempt"; flow:to_server,established; content:"/loadpage.cgi"; http_uri; content:"file=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-attack; sid:1569; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP loadpage.cgi access"; flow:to_server,established; content:"/loadpage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2109; reference:cve,2000-1092; reference:nessus,10065; classtype:web-application-activity; sid:1570; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dcforum.cgi directory traversal attempt"; flow:to_server,established; content:"/dcforum.cgi"; http_uri; content:"forum=../.."; metadata:ruleset community, service http; reference:bugtraq,2611; reference:cve,2001-0436; reference:cve,2001-0437; reference:nessus,10583; classtype:web-application-attack; sid:1571; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP commerce.cgi arbitrary file access attempt"; flow:to_server,established; content:"/commerce.cgi"; http_uri; content:"page="; http_uri; content:"/../"; http_raw_uri; metadata:ruleset community, service http; reference:bugtraq,2361; reference:cve,2001-0210; reference:nessus,10612; classtype:attempted-recon; sid:1572; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiforum.pl attempt"; flow:to_server,established; content:"/cgiforum.pl?"; nocase; http_uri; content:"thesection=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1963; reference:cve,2000-1171; reference:nessus,10552; classtype:web-application-attack; sid:1573; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directorypro.cgi attempt"; flow:to_server,established; content:"/directorypro.cgi"; http_uri; content:"show="; content:"../.."; distance:1; metadata:ruleset community, service http; reference:bugtraq,2793; reference:cve,2001-0780; reference:nessus,10679; classtype:web-application-attack; sid:1574; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mab.nsf access"; flow:to_server,established; content:"/mab.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4022; reference:cve,2001-1567; reference:nessus,10953; classtype:attempted-recon; sid:1575; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino cersvr.nsf access"; flow:to_server,established; content:"/cersvr.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1576; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino setup.nsf access"; flow:to_server,established; content:"/setup.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1577; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino statrep.nsf access"; flow:to_server,established; content:"/statrep.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1578; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino webadmin.nsf access"; flow:to_server,established; content:"/webadmin.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9900; reference:bugtraq,9901; reference:cve,2004-2310; reference:cve,2004-2311; reference:cve,2004-2369; reference:nessus,10629; classtype:attempted-recon; sid:1579; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino events4.nsf access"; flow:to_server,established; content:"/events4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1580; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino ntsync4.nsf access"; flow:to_server,established; content:"/ntsync4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1581; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino collect4.nsf access"; flow:to_server,established; content:"/collect4.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1582; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mailw46.nsf access"; flow:to_server,established; content:"/mailw46.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1583; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino bookmark.nsf access"; flow:to_server,established; content:"/bookmark.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1584; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino agentrunner.nsf access"; flow:to_server,established; content:"/agentrunner.nsf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10629; classtype:attempted-recon; sid:1585; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Domino mail.box access"; flow:to_server,established; content:"/mail.box"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,881; reference:cve,2000-0021; reference:cve,2000-0022; reference:cve,2000-0023; reference:nessus,10629; classtype:attempted-recon; sid:1586; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgitest.exe access"; flow:to_server,established; content:"/cgitest.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1313; reference:bugtraq,3885; reference:cve,2000-0521; reference:cve,2002-0128; reference:nessus,10040; reference:nessus,10623; reference:nessus,11131; classtype:web-application-activity; sid:1587; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SalesLogix Eviewer access"; flow:to_server,established; content:"/slxweb.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1078; reference:bugtraq,1089; reference:cve,2000-0278; reference:cve,2000-0289; classtype:web-application-activity; sid:1588; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP musicat empower attempt"; flow:to_server,established; content:"/empower?DB="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2374; reference:cve,2001-0224; reference:nessus,10609; classtype:web-application-attack; sid:1589; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi arbitrary file access attempt"; flow:to_server,established; content:"/faqmanager.cgi?"; nocase; http_uri; content:"toc="; distance:0; nocase; http_uri; content:"|00|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-attack; sid:1590; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP faqmanager.cgi access"; flow:to_server,established; content:"/faqmanager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3810; reference:cve,2002-2033; reference:nessus,10837; classtype:web-application-activity; sid:1591; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /fcgi-bin/echo.exe access"; flow:to_server,established; content:"/fcgi-bin/echo.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10838; classtype:web-application-activity; sid:1592; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi external site redirection attempt"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; content:"redirect=http"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1593; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi access"; flow:to_server,established; content:"/FormHandler.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-activity; sid:1594; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS htimage.exe access"; flow:to_server,established; content:"/htimage.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1117; reference:bugtraq,964; reference:cve,2000-0122; reference:cve,2000-0256; reference:nessus,10376; classtype:web-application-activity; sid:1595; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP guestbook.cgi access"; flow:to_server,established; content:"/guestbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0237; reference:nessus,10098; classtype:web-application-activity; sid:1597; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Home Free search.cgi directory traversal attempt"; flow:to_server,established; content:"/search.cgi"; http_uri; content:"letter=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; reference:nessus,10101; classtype:web-application-attack; sid:1598; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.cgi access"; flow:to_server,established; content:"/search.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,921; reference:cve,2000-0054; classtype:web-application-activity; sid:1599; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary configuration file attempt"; flow:to_server,established; content:"/htsearch?-c"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3410; reference:cve,2001-0834; classtype:web-application-attack; sid:1600; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch arbitrary file read attempt"; flow:to_server,established; content:"/htsearch?exclude=`"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-attack; sid:1601; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htsearch access"; flow:to_server,established; content:"/htsearch"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1026; reference:cve,2000-0208; reference:nessus,10105; classtype:web-application-activity; sid:1602; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DELETE attempt"; flow:to_server,established; content:"DELETE "; depth:7; nocase; metadata:ruleset community, service http; reference:nessus,10498; classtype:web-application-activity; sid:1603; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 4080 (msg:"SERVER-WEBAPP iChat directory traversal attempt"; flow:to_server,established; content:"/../../"; metadata:ruleset community, service http; reference:cve,1999-0897; classtype:web-application-activity; sid:1604; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"SERVER-OTHER iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; metadata:ruleset community; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP icat access"; flow:to_server,established; content:"/icat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1069; classtype:web-application-activity; sid:1606; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HyperSeek hsx.cgi access"; flow:to_server,established; content:"/hsx.cgi"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2314; reference:cve,2001-0253; reference:nessus,10602; classtype:web-application-activity; sid:1607; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htmlscript attempt"; flow:to_server,established; content:"/htmlscript?../.."; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2001; reference:cve,1999-0264; reference:nessus,10106; classtype:web-application-attack; sid:1608; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; fast_pattern; nocase; http_uri; content:"%0a"; nocase; metadata:ruleset community, service http; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:1610; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP eXtropia webstore access"; flow:to_server,established; content:"/web_store.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1774; reference:cve,2000-1005; reference:nessus,10532; classtype:web-application-activity; sid:1611; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ftp.pl attempt"; flow:to_server,established; content:"/ftp.pl?"; nocase; http_uri; content:"dir=../.."; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,1471; reference:cve,2000-0674; reference:nessus,10467; classtype:web-application-attack; sid:1612; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP handler attempt"; flow:to_server,established; content:"/handler"; http_uri; content:"|7C|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,380; reference:cve,1999-0148; reference:nessus,10100; classtype:web-application-attack; sid:1613; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Novell Groupwise gwweb.exe attempt"; flow:to_server,established; content:"/GWWEB.EXE?"; nocase; http_uri; content:"HELP="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,879; reference:cve,1999-1005; reference:cve,1999-1006; reference:nessus,10877; classtype:attempted-recon; sid:1614; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP htgrep attempt"; flow:to_server,established; content:"/htgrep"; http_uri; content:"hdr=/"; metadata:ruleset community, service http; reference:cve,2000-0832; reference:nessus,10495; classtype:web-application-attack; sid:1615; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS named version attempt"; flow:to_server; content:"|07|version"; offset:12; nocase; content:"|04|bind|00|"; offset:12; nocase; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:nessus,10028; classtype:attempted-recon; sid:1616; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugzilla doeditvotes.cgi access"; flow:to_server,established; content:"/doeditvotes.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3800; reference:cve,2002-0011; classtype:web-application-activity; sid:1617; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asp chunked Transfer-Encoding"; flow:to_server,established; content:".asp"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:cve,2002-0071; reference:cve,2002-0079; reference:nessus,10932; classtype:web-application-attack; sid:1618; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:200,relative; pcre:"/^CMD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; classtype:attempted-admin; sid:1621; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; fast_pattern:only; content:" ././"; metadata:ruleset community, service ftp; reference:cve,1999-0081; classtype:misc-attack; sid:1622; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; pcre:"/^MODE\s+[^ABSC]{1}/msi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1623; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PWD overflow attempt"; flow:to_server,established; content:"PWD"; nocase; isdataat:190,relative; pcre:"/^PWD\s.{190}/smi"; metadata:ruleset community, service ftp; classtype:protocol-command-decode; sid:1624; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SYST overflow attempt"; flow:to_server,established; content:"SYST"; nocase; isdataat:100,relative; pcre:"/^SYST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:url,www.faqs.org/rfcs/rfc959.html; classtype:protocol-command-decode; sid:1625; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /StoreCSVS/InstantOrder.asmx request"; flow:to_server,established; content:"/StoreCSVS/InstantOrder.asmx"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1626; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FormHandler.cgi directory traversal attempt attempt"; flow:to_server,established; content:"/FormHandler.cgi"; nocase; http_uri; content:"reply_message_attach="; fast_pattern:only; content:"/../"; metadata:ruleset community, service http; reference:bugtraq,798; reference:bugtraq,799; reference:cve,1999-1050; reference:nessus,10075; classtype:web-application-attack; sid:1628; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:50,relative; pcre:"/^PASS\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,21645; reference:bugtraq,791; reference:cve,1999-1511; reference:cve,2006-6605; reference:nessus,10325; classtype:attempted-admin; sid:1634; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,1652; reference:cve,2000-0840; reference:cve,2000-0841; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32000 (msg:"SERVER-OTHER Xtramail Username overflow attempt"; flow:to_server,established; content:"Username|3A|"; nocase; isdataat:100,relative; pcre:"/^Username\:[^\n]{100}/smi"; metadata:ruleset community; reference:bugtraq,791; reference:cve,1999-1511; reference:nessus,10323; classtype:attempted-admin; sid:1636; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP yabb access"; flow:to_server,established; content:"/YaBB"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1668; reference:cve,2000-0853; reference:nessus,10512; classtype:attempted-recon; sid:1637; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"INDICATOR-SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1638; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC file transfer request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC SEND"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1639; rev:13;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC DCC chat request"; flow:to_server,established; content:"PRIVMSG "; nocase; content:" |3A|.DCC CHAT chat"; distance:0; fast_pattern; nocase; metadata:ruleset community; classtype:policy-violation; sid:1640; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"SERVER-OTHER DB2 dos attempt"; flow:to_server,established; isdataat:0; isdataat:!1; metadata:ruleset community; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP document.d2w access"; flow:to_server,established; content:"/document.d2w"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2017; reference:cve,2000-1110; classtype:web-application-activity; sid:1642; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP db2www access"; flow:to_server,established; content:"/db2www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2000-0677; classtype:web-application-activity; sid:1643; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test-cgi attempt"; flow:to_server,established; content:"/test-cgi/*?*"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,2003; reference:cve,1999-0070; reference:nessus,10282; classtype:web-application-attack; sid:1644; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP testcgi access"; flow:to_server,established; content:"/testcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7214; reference:cve,2003-1531; reference:nessus,11610; classtype:web-application-activity; sid:1645; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.cgi access"; flow:to_server,established; content:"/test.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1646; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl.exe command attempt"; flow:to_server,established; content:"/perl.exe?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1648; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP perl command attempt"; flow:to_server,established; content:"/perl?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:1649; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP tst.bat access"; flow:to_server,established; content:"/tst.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,770; reference:cve,1999-0885; reference:nessus,10014; classtype:web-application-activity; sid:1650; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP environ.pl access"; flow:to_server,established; content:"/environ.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1651; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP campas attempt"; flow:to_server,established; content:"/campas?|0A|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1975; reference:cve,1999-0146; reference:nessus,10035; classtype:web-application-attack; sid:1652; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart32.exe access"; flow:to_server,established; content:"/cart32.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1153; reference:nessus,10389; classtype:web-application-activity; sid:1654; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/pfdispaly.cgi?"; nocase; http_uri; content:"'"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-attack; sid:1655; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pfdispaly.cgi access"; flow:to_server,established; content:"/pfdispaly.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,64; reference:cve,1999-0270; reference:nessus,10174; classtype:web-application-activity; sid:1656; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi directory traversal attempt"; flow:to_server,established; content:"/pagelog.cgi"; nocase; http_uri; content:"name=../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1657; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pagelog.cgi access"; flow:to_server,established; content:"/pagelog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1864; reference:cve,2000-0940; reference:nessus,10591; classtype:web-application-activity; sid:1658; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-OTHER Adobe Coldfusion sendmail.cfm access"; flow:to_server,established; content:"/sendmail.cfm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,1999-0760; reference:cve,2001-0535; classtype:attempted-recon; sid:1659; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS trace.axd access"; flow:to_server,established; content:"/trace.axd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10993; classtype:web-application-activity; sid:1660; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:1661; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /~ftp access"; flow:to_server,established; content:"/~ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:attempted-recon; sid:1662; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP *%20.pl access"; flow:to_server,established; content:" .pl"; fast_pattern:only; http_uri; pcre:"/\/[^\r\n]*\x20.pl/Ui"; metadata:ruleset community, service http; reference:nessus,11007; reference:url,rtfm.vn.ua/inet/sec/cgi-bugs.htm; reference:url,www.securityfocus.com/archive/1/149482; classtype:web-application-attack; sid:1663; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mkplog.exe access"; flow:to_server,established; content:"/mkplog.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1664; rev:13;)
|
|
# alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE index of /cgi-bin/ response"; flow:to_client,established; file_data; content:"Index of /cgi-bin/"; nocase; metadata:ruleset community, service http; reference:nessus,10039; classtype:bad-unknown; sid:1666; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cross site scripting HTML Image tag set to javascript attempt"; flow:to_server,established; content:"img src=javascript"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4858; reference:cve,2002-0902; classtype:web-application-attack; sid:1667; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/ access"; flow:to_server,established; content:"/cgi-bin/"; http_uri; content:"/cgi-bin/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1668; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-dos/ access"; flow:to_server,established; content:"/cgi-dos/"; http_uri; content:"/cgi-dos/ HTTP"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-attack; sid:1669; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/ftp access"; flow:to_server,established; content:"/home/ftp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1670; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /home/www access"; flow:to_server,established; content:"/home/www"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11032; classtype:web-application-activity; sid:1671; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; fast_pattern:only; pcre:"/^CWD\s+~/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,2601; reference:bugtraq,9215; reference:cve,2001-0421; classtype:denial-of-service; sid:1672; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; metadata:ruleset community; classtype:system-call-detect; sid:1673; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data|28|command=version|29|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1674; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE misparsed login response"; flow:to_client,established; content:"description=|28|"; nocase; content:!"connect_data=|28|sid="; nocase; content:!"address=|28|protocol=tcp"; nocase; metadata:ruleset community; classtype:suspicious-login; sid:1675; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select union attempt"; flow:to_server,established; content:"select "; nocase; content:" union "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1676; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt"; flow:to_server,established; content:" where "; nocase; content:" like '%'"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1677; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like |22|%|22|"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1678; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE describe attempt"; flow:to_server,established; content:"describe "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1679; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_constraints access"; flow:to_server,established; content:"all_constraints"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1680; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_views access"; flow:to_server,established; content:"all_views"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1681; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_source access"; flow:to_server,established; content:"all_source"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1682; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tables access"; flow:to_server,established; content:"all_tables"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1683; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_columns access"; flow:to_server,established; content:"all_tab_columns"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1684; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE all_tab_privs access"; flow:to_server,established; content:"all_tab_privs"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1685; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tablespace access"; flow:to_server,established; content:"dba_tablespace"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1686; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dba_tables access"; flow:to_server,established; content:"dba_tables"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1687; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user_tablespace access"; flow:to_server,established; content:"user_tablespace"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1688; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.all_users access"; flow:to_server,established; content:"sys.all_users"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1689; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE grant attempt"; flow:to_server,established; content:"grant "; nocase; content:" to "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1690; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ALTER USER attempt"; flow:to_server,established; content:"alter user"; nocase; content:" identified by "; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1691; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE drop table attempt"; flow:to_server,established; content:"drop table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1692; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1693; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter table attempt"; flow:to_server,established; content:"alter table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1694; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE truncate table attempt"; flow:to_server,established; content:"truncate table"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1695; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create database attempt"; flow:to_server,established; content:"create database"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1696; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter database attempt"; flow:to_server,established; content:"alter database"; nocase; metadata:ruleset community; classtype:protocol-command-decode; sid:1697; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP imagemap.exe access"; flow:to_server,established; content:"/imagemap.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,739; reference:cve,1999-0951; reference:nessus,10122; classtype:web-application-activity; sid:1700; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar-admin.pl access"; flow:to_server,established; content:"/calendar-admin.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1215; reference:cve,2000-0432; reference:nessus,10506; classtype:web-application-activity; sid:1701; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Amaya templates sendtemp.pl access"; flow:to_server,established; content:"/sendtemp.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2504; reference:cve,2001-0272; classtype:web-application-activity; sid:1702; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP auktion.cgi directory traversal attempt"; flow:to_server,established; content:"/auktion.cgi"; fast_pattern; nocase; http_uri; content:"menue=../../"; nocase; metadata:ruleset community, service http; reference:bugtraq,2367; reference:cve,2001-0212; reference:nessus,10638; classtype:web-application-attack; sid:1703; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cal_make.pl directory traversal attempt"; flow:to_server,established; content:"/cal_make.pl"; nocase; http_uri; content:"p0=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2663; reference:cve,2001-0463; reference:nessus,10664; classtype:web-application-attack; sid:1704; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat arbitrary command execution attempt"; flow:to_server,established; content:"/echo.bat"; http_uri; content:"&"; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1705; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP echo.bat access"; flow:to_server,established; content:"/echo.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1706; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat arbitrary command execution attempt"; flow:to_server,established; content:"/hello.bat"; http_uri; content:"&"; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-attack; sid:1707; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP hello.bat access"; flow:to_server,established; content:"/hello.bat"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1002; reference:cve,2000-0213; reference:nessus,10246; classtype:web-application-activity; sid:1708; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ad.cgi access"; flow:to_server,established; content:"/ad.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2103; reference:cve,2001-0025; reference:nessus,11464; classtype:web-application-activity; sid:1709; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bbs_forum.cgi access"; flow:to_server,established; content:"/bbs_forum.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2177; reference:cve,2001-0123; reference:url,www.cgisecurity.com/advisory/3.1.txt; classtype:web-application-activity; sid:1710; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsguest.cgi access"; flow:to_server,established; content:"/bsguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2159; reference:cve,2001-0099; classtype:web-application-activity; sid:1711; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bslist.cgi access"; flow:to_server,established; content:"/bslist.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2160; reference:cve,2001-0100; classtype:web-application-activity; sid:1712; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgforum.cgi access"; flow:to_server,established; content:"/cgforum.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1951; reference:cve,2000-1132; classtype:web-application-activity; sid:1713; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newdesk access"; flow:to_server,established; content:"/newdesk"; fast_pattern:only; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1714; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.cgi access"; flow:to_server,established; content:"/register.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2157; reference:cve,2001-0076; classtype:web-application-activity; sid:1715; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gbook.cgi access"; flow:to_server,established; content:"/gbook.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1940; reference:cve,2000-1131; classtype:web-application-activity; sid:1716; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP simplestguest.cgi access"; flow:to_server,established; content:"/simplestguest.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:cve,2001-0022; classtype:web-application-activity; sid:1717; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP statsconfig.pl access"; flow:to_server,established; content:"/statsconfig.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2211; reference:cve,2001-0113; classtype:web-application-activity; sid:1718; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi directory traversal attempt"; flow:to_server,established; content:"/talkbalk.cgi"; nocase; http_uri; content:"article=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-attack; sid:1719; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP talkback.cgi access"; flow:to_server,established; content:"/talkbalk.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2547; reference:cve,2001-0420; classtype:web-application-activity; sid:1720; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP adcycle access"; flow:to_server,established; content:"/adcycle"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3741; reference:cve,2001-1226; classtype:web-application-activity; sid:1721; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MachineInfo access"; flow:to_server,established; content:"/MachineInfo"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1067; classtype:web-application-activity; sid:1722; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi NULL attempt"; flow:to_server,established; content:"/emumail.cgi"; http_uri; content:"type="; nocase; content:"%00"; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1723; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP emumail.cgi access"; flow:to_server,established; content:"/emumail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5824; reference:cve,2002-1526; classtype:web-application-activity; sid:1724; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS +.htr code fragment attempt"; flow:to_server,established; content:" .htr"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1488; reference:cve,2000-0630; reference:cve,2001-0004; reference:nessus,10680; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-044; reference:url,technet.microsoft.com/en-us/security/bulletin/ms01-004 ; classtype:web-application-attack; sid:1725; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS doctodep.btr access"; flow:to_server,established; content:"doctodep.btr"; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1726; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SGI InfoSearch fname access"; flow:to_server,established; content:"/infosrch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1031; reference:cve,2000-0207; classtype:web-application-activity; sid:1727; rev:20;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC channel join"; flow:to_server,established; isdataat:!139; content:"JOIN "; pcre:"/(&|#|\+|!)/R"; metadata:ruleset community; classtype:policy-violation; sid:1729; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ustorekeeper.pl directory traversal attempt"; flow:to_server,established; content:"/ustorekeeper.pl"; nocase; http_uri; content:"file=../../"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,2536; reference:cve,2001-0466; reference:nessus,10645; classtype:web-application-attack; sid:1730; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP a1stats access"; flow:to_server,established; content:"/a1stats/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2705; reference:cve,2001-0561; reference:nessus,10669; classtype:web-application-activity; sid:1731; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1732; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rwalld request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,205; reference:cve,1999-0181; classtype:rpc-portmap-decode; sid:1733; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; isdataat:100,relative; pcre:"/^USER(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1227; reference:bugtraq,1504; reference:bugtraq,15352; reference:bugtraq,1690; reference:bugtraq,22044; reference:bugtraq,22045; reference:bugtraq,4638; reference:bugtraq,49750; reference:bugtraq,7307; reference:bugtraq,8376; reference:cve,1999-1510; reference:cve,1999-1514; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-0479; reference:cve,2000-0656; reference:cve,2000-0761; reference:cve,2000-0943; reference:cve,2000-1194; reference:cve,2001-0256; reference:cve,2001-0794; reference:cve,2001-0826; reference:cve,2002-0126; reference:cve,2002-1522; reference:cve,2003-0271; reference:cve,2004-0286; reference:cve,2004-0695; reference:cve,2005-3683; classtype:attempted-admin; sid:1734; rev:50;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-OTHER Mozilla Netscape XMLHttpRequest local file read attempt"; flow:to_client,established; file_data; content:"new XMLHttpRequest|28|"; content:"file|3A|//"; nocase; metadata:ruleset community, service http; reference:bugtraq,4628; reference:cve,2002-0354; classtype:web-application-attack; sid:1735; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail spell-check arbitrary command attempt"; flow:to_server,established; content:"/squirrelspell/modules/check_me.mod.php"; fast_pattern; nocase; http_uri; content:"SQSPELL_APP["; nocase; metadata:ruleset community, service http; reference:bugtraq,3952; classtype:web-application-attack; sid:1736; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP squirrel mail theme arbitrary command attempt"; flow:to_server,established; content:"/left_main.php"; nocase; http_uri; content:"cmdd="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4385; reference:cve,2002-0516; classtype:web-application-attack; sid:1737; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP global.inc access"; flow:to_server,established; content:"/global.inc"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:1738; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools administrator authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; nocase; http_uri; content:"user_logged_in=true"; nocase; http_uri; content:"user_dnstools_administrator=true"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1739; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools authentication bypass attempt"; flow:to_server,established; content:"/dnstools.php"; fast_pattern; nocase; http_uri; content:"user_logged_in=true"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-attack; sid:1740; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DNSTools access"; flow:to_server,established; content:"/dnstools.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4617; reference:cve,2002-0613; classtype:web-application-activity; sid:1741; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php modify user attempt"; flow:to_server,established; content:"/dostuff.php?"; nocase; http_uri; content:"action=modify_user"; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-attack; sid:1742; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Blahz-DNS dostuff.php access"; flow:to_server,established; content:"/dostuff.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4618; reference:cve,2002-0599; classtype:web-application-activity; sid:1743; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SecureSite authentication bypass attempt"; flow:to_server,established; content:"secure_site, ok"; nocase; metadata:ruleset community, service http; reference:bugtraq,4621; classtype:web-application-attack; sid:1744; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Messagerie supp_membre.php access"; flow:to_server,established; content:"/supp_membre.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4635; classtype:web-application-activity; sid:1745; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1746; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap cachefsd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87 8B|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; reference:nessus,10951; classtype:rpc-portmap-decode; sid:1747; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS users.xml access"; flow:to_server,established; content:"/users.xml"; nocase; http_uri; metadata:ruleset community, service http; classtype:web-application-activity; sid:1750; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"SERVER-OTHER cachefsd buffer overflow attempt"; flow:to_server,established; isdataat:720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web.exe access"; flow:to_server,established; content:"/as_web.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1753; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS as_web4.exe access"; flow:to_server,established; content:"/as_web4.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4670; reference:cve,2002-1727; reference:cve,2002-1728; classtype:web-application-activity; sid:1754; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; isdataat:1024,relative; pcre:"/\sPARTIAL.*?BODY\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:1755; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NewsPro administration authentication attempt"; flow:to_server,established; content:"logged,true"; metadata:ruleset community, service http; reference:bugtraq,4672; reference:cve,2002-1734; classtype:web-application-activity; sid:1756; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 arbitrary command execution attempt"; flow:to_server,established; content:"/b2/b2-include/"; http_uri; content:"b2inc"; content:"http|3A|//"; metadata:ruleset community, service http; reference:bugtraq,4673; reference:cve,2002-0734; reference:cve,2002-1466; reference:nessus,11667; classtype:web-application-attack; sid:1757; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phf arbitrary command execution attempt"; flow:to_server,established; content:"/phf?"; nocase; http_uri; content:"QALIAS"; fast_pattern:only; http_uri; content:"%0a"; nocase; http_raw_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,629; reference:cve,1999-0067; classtype:web-application-attack; sid:1762; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?Nocfile="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1763; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc DOS attempt"; flow:to_server,established; content:"/cgiproc?|24|"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-attack; sid:1764; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Nortel Contivity cgiproc access"; flow:to_server,established; content:"/cgiproc"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,938; reference:cve,2000-0063; reference:cve,2000-0064; reference:nessus,10160; classtype:web-application-activity; sid:1765; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll directory listing attempt"; flow:to_server,established; content:"/search.dll"; http_uri; content:"query=%00"; metadata:ruleset community, service http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-attack; sid:1766; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP search.dll access"; flow:to_server,established; content:"/search.dll"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1684; reference:cve,2000-0835; reference:nessus,10514; classtype:web-application-activity; sid:1767; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .DS_Store access"; flow:to_server,established; content:"/.DS_Store"; http_uri; metadata:ruleset community, service http; reference:url,www.macintouch.com/mosxreaderreports46.html; classtype:web-application-activity; sid:1769; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP .FBCIndex access"; flow:to_server,established; content:"/.FBCIndex"; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/5LP0O005FS.html; classtype:web-application-activity; sid:1770; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"POLICY-OTHER IPSec PGPNet connection attempt"; flow:to_server; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00|P|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01|Q|80 00 00 00 10|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; classtype:protocol-command-decode; sid:1771; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS pbserver access"; flow:to_server,established; content:"/pbserver/pbserver.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2000-1089; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-094; classtype:web-application-activity; sid:1772; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP php.exe access"; flow:to_server,established; content:"/php.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securitytracker.com/alerts/2002/Jan/1003104.html; classtype:web-application-activity; sid:1773; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bb_smilies.php access"; flow:to_server,established; content:"/bb_smilies.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:url,www.securiteam.com/securitynews/Serious_security_hole_in_PHP-Nuke__bb_smilies_.html; classtype:web-application-activity; sid:1774; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; fast_pattern:only; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:1775; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; fast_pattern:only; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:1776; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT asterisk dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x2a/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1777; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT"; fast_pattern:only; pcre:"/^STAT\s+[^\n]*\x3f/smi"; metadata:ruleset community, service ftp; reference:bugtraq,4482; reference:cve,2002-0073; reference:nessus,10934; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:attempted-dos; sid:1778; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword.cgi access"; flow:to_server,established; content:"/csPassword.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4885; reference:bugtraq,4886; reference:bugtraq,4887; reference:bugtraq,4889; reference:cve,2002-0917; reference:cve,2002-0918; classtype:web-application-activity; sid:1787; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP csPassword password.cgi.tmp access"; flow:to_server,established; content:"/password.cgi.tmp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4889; reference:cve,2002-0920; classtype:web-application-activity; sid:1788; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"POLICY-SOCIAL IRC dns request"; flow:to_server,established; content:"USERHOST "; metadata:ruleset community; classtype:policy-violation; sid:1789; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"POLICY-SOCIAL IRC dns response"; flow:to_client,established; content:"|3A|"; content:" 302 "; content:"=+"; fast_pattern:only; metadata:ruleset community; classtype:policy-violation; sid:1790; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"PROTOCOL-NNTP return code buffer overflow attempt"; flow:to_client,established; content:"200"; isdataat:256,relative; pcre:"/^200\s[^\n]{256}/smi"; metadata:ruleset community; reference:bugtraq,4900; reference:cve,2002-0909; classtype:protocol-command-decode; sid:1792; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .asa HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".asa"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1802; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cer HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cer"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1803; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cdx HTTP header buffer overflow attempt"; flow:to_server,established; content:"HTTP/"; nocase; content:".cdx"; fast_pattern; nocase; http_uri; content:"|3A|"; content:"|0A|"; content:"|00|"; metadata:ruleset community, service http; reference:bugtraq,4476; reference:cve,2002-0150; reference:nessus,10936; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-018; classtype:web-application-attack; sid:1804; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Reports CGI access"; flow:to_server,established; content:"/rwcgi60"; fast_pattern:only; http_uri; content:"setauth="; metadata:ruleset community, service http; reference:bugtraq,4848; reference:cve,2002-0947; classtype:web-application-activity; sid:1805; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .htr chunked Transfer-Encoding"; flow:to_server,established; content:".htr"; nocase; http_uri; content:"Transfer-Encoding|3A|"; nocase; http_header; content:"chunked"; nocase; http_header; metadata:ruleset community, service http; reference:bugtraq,4855; reference:bugtraq,5003; reference:cve,2002-0364; reference:nessus,11028; classtype:web-application-attack; sid:1806; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"POLICY-OTHER Chunked-Encoding transfer with no data attempt"; flow:to_server,established; content:"Transfer-Encoding: chunked|0D 0A 0D 0A 0D 0A|"; nocase; isdataat:!0,relative; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0386; reference:cve,2002-0392; reference:nessus,10932; classtype:policy-violation; sid:1807; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP apache chunked encoding memory corruption exploit attempt"; flow:to_server,established; content:"|C0|PR|89 E1|PQRP|B8 3B 00 00 00 CD 80|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:1808; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"X-CCCCCCC|3A 20|"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:1809; rev:19;)
|
|
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit GOBBLE"; flow:to_client,established; content:"*GOBBLE*"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; classtype:successful-admin; sid:1810; rev:19;)
|
|
# alert tcp $HOME_NET 22 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful gobbles ssh exploit uname"; flow:to_client,established; content:"uname"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0640; reference:nessus,11031; classtype:misc-attack; sid:1811; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SERVER-OTHER gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; metadata:ruleset community; reference:bugtraq,5093; reference:cve,2002-0639; reference:nessus,11031; classtype:misc-attack; sid:1812; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP digital island bandwidth query"; content:"mailto|3A|ops@digisle.com"; depth:22; metadata:ruleset community; classtype:misc-activity; sid:1813; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO VoIP DOS ATTEMPT"; flow:to_server,established; content:"/StreamingStatistics"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4794; reference:cve,2002-0882; reference:nessus,11013; classtype:misc-attack; sid:1814; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php arbitrary command attempt"; flow:to_server,established; content:"/directory.php"; http_uri; content:"dir="; content:"|3B|"; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; reference:nessus,11017; classtype:misc-attack; sid:1815; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP directory.php access"; flow:to_server,established; content:"/directory.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4278; reference:cve,2002-0434; classtype:misc-attack; sid:1816; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; pcre:"/^Authorization\x3A\s*Basic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; metadata:ruleset community, service http; reference:nessus,11018; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-attack; sid:1817; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11018; classtype:web-application-attack; sid:1818; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2533 (msg:"SERVER-OTHER Alcatel PABX 4400 connection attempt"; flow:to_server,established; content:"|00 01|C"; depth:3; metadata:ruleset community; reference:nessus,11019; classtype:misc-activity; sid:1819; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IBM Net.Commerce orderdspc.d2w access"; flow:to_server,established; content:"/ncommerce3/ExecMacro/orderdspc.d2w"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2350; reference:cve,2001-0319; reference:nessus,11020; classtype:web-application-activity; sid:1820; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"SERVER-OTHER LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; metadata:ruleset community; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi directory traversal attempt"; flow:to_server,established; content:"/alienform.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1822; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi directory traversal attempt"; flow:to_server,established; content:"/af.cgi"; http_uri; content:".|7C|./.|7C|."; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-attack; sid:1823; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm alienform.cgi access"; flow:to_server,established; content:"/alienform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1824; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP AlienForm af.cgi access"; flow:to_server,established; content:"/af.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4983; reference:cve,2002-0934; reference:nessus,11027; classtype:web-application-activity; sid:1825; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WEB-INF access"; flow:to_server,established; content:"/WEB-INF"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1830; reference:bugtraq,5119; reference:cve,2000-1050; reference:cve,2001-0179; reference:nessus,11037; classtype:web-application-activity; sid:1826; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat servlet mapping cross site scripting attempt"; flow:to_server,established; content:"/servlet/"; http_uri; content:"/org.apache."; http_uri; metadata:ruleset community, service http; reference:bugtraq,5193; reference:cve,2002-0682; reference:nessus,11041; classtype:web-application-attack; sid:1827; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet Search directory traversal attempt"; flow:to_server,established; content:"/search"; nocase; http_uri; content:"NS-query-pat="; fast_pattern:only; http_uri; content:"../"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,5191; reference:cve,2002-1042; reference:nessus,11043; classtype:web-application-attack; sid:1828; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat TroubleShooter servlet access"; flow:to_server,established; content:"/examples/servlet/TroubleShooter"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1829; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat SnoopServlet servlet access"; flow:to_server,established; content:"/examples/servlet/SnoopServlet"; http_uri; metadata:ruleset community, service http; reference:bugtraq,4575; reference:cve,2002-2006; reference:nessus,11046; classtype:web-application-activity; sid:1830; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP jigsaw dos attempt"; flow:to_server,established; content:"/servlet/con"; http_uri; pcre:"/\x2Fcon\b/Ui"; metadata:ruleset community, service http; reference:bugtraq,5258; reference:cve,2002-1052; reference:nessus,11047; classtype:web-application-attack; sid:1831; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"POLICY-SOCIAL ICQ forced user addition"; flow:established,to_client; content:"Content-Type|3A| application/x-icq"; fast_pattern:only; content:"[ICQ User]"; metadata:ruleset community; reference:bugtraq,3226; reference:cve,2001-1305; classtype:policy-violation; sid:1832; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-Wiki cross site scripting attempt"; flow:to_server,established; content:"/modules.php?"; http_uri; content:"name=Wiki"; fast_pattern; nocase; http_uri; content:"<script"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,5254; reference:cve,2002-1070; classtype:web-application-attack; sid:1834; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Macromedia SiteSpring cross site scripting attempt"; flow:to_server,established; content:"/error/500error.jsp"; nocase; http_uri; content:"et="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5249; reference:cve,2002-1027; classtype:web-application-attack; sid:1835; rev:14;)
|
|
# alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"SERVER-OTHER SSH server banner overflow"; flow:to_client,established; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s?[^\n]{200}/ism"; metadata:ruleset community; reference:bugtraq,5287; reference:cve,2002-1059; reference:nessus,15822; classtype:misc-attack; sid:1838; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman cross site scripting attempt"; flow:to_server,established; content:"/mailman/"; nocase; http_uri; content:"?"; http_uri; content:"info="; http_uri; content:"<script"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5298; reference:cve,2002-0855; reference:nessus,14984; classtype:web-application-attack; sid:1839; rev:14;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-JAVA Oracle Javascript document.domain attempt"; flow:to_client,established; file_data; content:"document.domain|28|"; nocase; metadata:ruleset community, service http; reference:bugtraq,5346; reference:cve,2002-0815; classtype:attempted-user; sid:1840; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_client,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:ruleset community, service http; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:1841; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/i"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,13727; reference:bugtraq,21110; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2004-1011; reference:cve,2005-1255; reference:cve,2006-5961; reference:cve,2007-1373; reference:cve,2007-2795; reference:cve,2007-3925; reference:nessus,10123; reference:nessus,10125; classtype:attempted-user; sid:1842; rev:34;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 33270 (msg:"MALWARE-BACKDOOR trinity connection attempt"; flow:to_server,established; content:"!@|23|"; depth:3; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10501; classtype:attempted-admin; sid:1843; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:1844; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; fast_pattern:only; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1845; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY-MULTIMEDIA vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; metadata:ruleset community; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webalizer access"; flow:to_server,established; content:"/webalizer/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:1847; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webcart-lite access"; flow:to_server,established; content:"/webcart-lite/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-0610; reference:nessus,10298; classtype:web-application-activity; sid:1848; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webfind.exe access"; flow:to_server,established; content:"/webfind.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1487; reference:cve,2000-0622; reference:nessus,10475; classtype:web-application-activity; sid:1849; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP way-board.cgi access"; flow:to_server,established; content:"/way-board.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10610; classtype:web-application-activity; sid:1850; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP active.log access"; flow:to_server,established; content:"/active.log"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1497; reference:cve,2000-0642; reference:nessus,10470; classtype:web-application-activity; sid:1851; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robots.txt access"; flow:to_server,established; content:"/robots.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1852; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 35555 (msg:"MALWARE-BACKDOOR win-trin00 connection attempt"; flow:to_server; content:"png []..Ks l44"; depth:14; metadata:ruleset community; reference:cve,2000-0138; reference:nessus,10307; classtype:attempted-admin; sid:1853; rev:12;)
|
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent niggahbitch"; icmp_id:9015; itype:0; content:"niggahbitch"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1854; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht agent->handler skillz"; icmp_id:6666; itype:0; content:"skillz"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1855; rev:13;)
|
|
# alert icmp $EXTERNAL_NET any <> $HOME_NET any (msg:"PROTOCOL-ICMP Stacheldraht handler->agent ficken"; icmp_id:6667; itype:0; content:"ficken"; metadata:ruleset community; reference:cve,2000-0138; reference:url,staff.washington.edu/dittrich/misc/stacheldraht.analysis; classtype:attempted-dos; sid:1856; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP robot.txt access"; flow:to_server,established; content:"/robot.txt"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10302; classtype:web-application-activity; sid:1857; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CISCO PIX Firewall Manager directory traversal attempt"; flow:to_server,established; content:"/pixfir~1/how_to_login.html"; http_uri; metadata:ruleset community, service http; reference:bugtraq,691; reference:cve,1999-0158; reference:nessus,10819; classtype:misc-attack; sid:1858; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"SERVER-WEBAPP Oracle JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; metadata:ruleset community, service http; reference:nessus,10995; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1859; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default password login attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+OmFkbWlu/smiH"; metadata:ruleset community, service http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1860; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Linksys router default username and password login attempt"; flow:to_server,established; content:"YWRtaW46YWRtaW4"; pcre:"/^Authorization\x3a\s*Basic\s+(?-i)YWRtaW46YWRtaW4[=\s]/smi"; metadata:ruleset community, service http; reference:nessus,10999; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:1861; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mrtg.cgi directory traversal attempt"; flow:to_server,established; content:"/mrtg.cgi"; http_uri; content:"cfg=/../"; metadata:ruleset community, service http; reference:bugtraq,4017; reference:cve,2002-0232; reference:nessus,11001; classtype:web-application-attack; sid:1862; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:1; nocase; pcre:"/^SITE\s+NEWER/smi"; metadata:ruleset community, service ftp; reference:cve,1999-0880; reference:nessus,10319; classtype:attempted-dos; sid:1864; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webdist.cgi arbitrary command attempt"; flow:to_server,established; content:"/webdist.cgi"; nocase; http_uri; content:"distloc=|3B|"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,374; reference:cve,1999-0039; reference:nessus,10299; classtype:web-application-attack; sid:1865; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER overflow attempt"; flow:to_server,established; content:"USER"; isdataat:50,relative; pcre:"/^USER\s[^\n]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community, service pop3; reference:bugtraq,11256; reference:bugtraq,19651; reference:bugtraq,789; reference:cve,1999-0494; reference:cve,2002-1781; reference:cve,2006-2502; reference:cve,2006-4364; reference:nessus,10311; reference:url,www.delegate.org/mail-lists/delegate-en/1475; classtype:attempted-admin; sid:1866; rev:25;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"X11 xdmcp info query"; flow:to_server; content:"|00 01 00 02 00 01 00|"; fast_pattern:only; metadata:ruleset community; reference:nessus,10891; classtype:attempted-recon; sid:1867; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl arbitrary file read attempt"; flow:to_server,established; content:"/story.pl"; http_uri; content:"next=../"; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1868; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SERVER-WEBAPP Interactive Story story.pl access"; flow:to_server,established; content:"/story.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3028; reference:cve,2001-0804; reference:nessus,10817; classtype:default-login-attempt; sid:1869; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP siteUserMod.cgi access"; flow:to_server,established; content:"/.cobalt/siteUserMod/siteUserMod.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,951; reference:cve,2000-0117; reference:nessus,10253; classtype:web-application-activity; sid:1870; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle XSQLConfig.xml access"; flow:to_server,established; content:"/XSQLConfig.xml"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4290; reference:cve,2002-0568; reference:nessus,10855; classtype:web-application-activity; sid:1871; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Dynamic Monitoring Services dms access"; flow:to_server,established; content:"/dms0"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10848; classtype:web-application-activity; sid:1872; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP globals.jsa access"; flow:to_server,established; content:"/globals.jsa"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4034; reference:cve,2002-0562; reference:nessus,10850; classtype:web-application-activity; sid:1873; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:nessus,10851; classtype:web-application-activity; sid:1874; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgicso access"; flow:to_server,established; content:"/cgicso"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6141; reference:cve,2002-1652; reference:nessus,10779; reference:nessus,10780; classtype:web-application-activity; sid:1875; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nph-publish.cgi access"; flow:to_server,established; content:"/nph-publish.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1177; reference:nessus,10164; classtype:web-application-activity; sid:1876; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP printenv access"; flow:to_server,established; content:"/printenv"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:1877; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sdbsearch.cgi access"; flow:to_server,established; content:"/sdbsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10503; classtype:web-application-activity; sid:1878; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP book.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/book.cgi"; fast_pattern:only; http_uri; content:"current=|7C|"; nocase; metadata:ruleset community, service http; reference:bugtraq,3178; reference:cve,2001-1114; reference:nessus,10721; classtype:web-application-attack; sid:1879; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle web application server access"; flow:to_server,established; content:"/ows-bin/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-activity; sid:1880; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bad HTTP 1.1 request - potential worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0D 0A 0D 0A|"; depth:18; metadata:ruleset community, service http; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:13;)
|
|
# alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE id check returned userid"; content:"uid="; nocase; content:" gid="; distance:0; pcre:"/uid=\d{1,5}\S+\s+gid=\d{1,5}/smi"; metadata:policy max-detect-ips drop, ruleset community; classtype:bad-unknown; sid:1882; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Worm traffic"; flow:to_server,established; content:"TERM=xterm"; fast_pattern:only; metadata:ruleset community, service ssl; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:web-application-attack; sid:1887; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CPWD overflow attempt"; flow:established,to_server; content:"SITE"; nocase; content:"CPWD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CPWD\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,5427; reference:cve,2002-0826; classtype:misc-attack; sid:1888; rev:14;)
|
|
# alert udp $EXTERNAL_NET 2002 -> $HOME_NET 2002 (msg:"MALWARE-CNC slapper worm admin traffic"; content:"|00 00|E|00 00|E|00 00|@|00|"; depth:10; metadata:ruleset community; reference:url,isc.incidents.org/analysis.html?id=167; reference:url,www.cert.org/advisories/CA-2002-27.html; classtype:trojan-activity; sid:1889; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1890; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC status GHBN format string attack"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:misc-attack; sid:1891; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP null community string attempt"; content:"|04 01 00|"; depth:15; offset:5; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:1892; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"PROTOCOL-SNMP missing community string attempt"; content:"0"; depth:1; content:"|02|"; within:6; content:"|04 00|"; within:8; pcre:"/^\x30(\x84....|\x82..|[^\x80-\xFF])\x02(\x84\x00\x00\x00\x01.|\x82\x00\x01.|\x01.)\x04\x00/"; metadata:policy max-detect-ips drop, ruleset community, service snmp; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:1893; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:nessus,15015; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"|FF FF|KADM0.0A|00 00 FB 03|"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 749 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 751 (msg:"INDICATOR-SHELLCODE kadmind buffer overflow attempt"; flow:to_server,established; content:"/shh//bi"; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:12;)
|
|
# alert tcp $HOME_NET 749 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1900; rev:15;)
|
|
# alert tcp $HOME_NET 751 -> $EXTERNAL_NET any (msg:"SERVER-OTHER successful kadmind buffer overflow attempt"; flow:to_client,established; content:"*GOBBLE*"; depth:8; metadata:ruleset community; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:successful-admin; sid:1901; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; fast_pattern:only; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1902; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1903; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/^\sFIND\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:1904; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP amqproc_mount plog overflow attempt"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1905; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,512,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,614; reference:cve,1999-0704; classtype:misc-attack; sid:1906; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,524; reference:cve,1999-0696; reference:cve,2009-3699; classtype:attempted-admin; sid:1907; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; classtype:attempted-admin; sid:1908; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD udp CMSD_INSERT buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1911; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,124,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,512,4,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,0866; reference:bugtraq,866; reference:cve,1999-0977; classtype:attempted-admin; sid:1912; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP stat mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1913; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1914; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD UDP monitor mon_name format string exploit attempt"; flow:to_server; content:"|00 01 86 B8|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1915; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,1480; reference:cve,2000-0666; reference:nessus,10544; classtype:attempted-admin; sid:1916; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"INDICATOR-SCAN UPnP service discover attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"ssdp|3A|discover"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:network-scan; sid:1917; rev:16;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-ICMP SolarWinds IP scan attempt"; icode:0; itype:8; content:"SolarWinds.Net"; fast_pattern:only; metadata:ruleset community; classtype:network-scan; sid:1918; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD overflow attempt"; flow:to_server,established; content:"CWD"; nocase; isdataat:180,relative; pcre:"/^CWD(?!\n)\s[^\n]{180}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11069; reference:bugtraq,1227; reference:bugtraq,1690; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7950; reference:cve,1999-0219; reference:cve,1999-1058; reference:cve,1999-1510; reference:cve,2000-1035; reference:cve,2000-1194; reference:cve,2001-0781; reference:cve,2002-0126; reference:cve,2002-0405; classtype:attempted-admin; sid:1919; rev:31;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE NEWER overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"NEWER"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+NEWER\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,229; reference:cve,1999-0800; classtype:attempted-admin; sid:1920; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE ZIPCHK overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"ZIPCHK"; distance:1; nocase; isdataat:100,relative; pcre:"/^SITE\s+ZIPCHK\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:cve,2000-0040; classtype:attempted-admin; sid:1921; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1922; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy attempt UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1923; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP export request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 05|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1924; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:1925; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP exportall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 06|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1926; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP authorized_keys"; flow:to_server,established; content:"authorized_keys"; fast_pattern:only; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1927; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP shadow retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"shadow"; pcre:"/^RETR[^\n]*shadow$/smi"; metadata:ruleset community, service ftp; classtype:suspicious-filename-detect; sid:1928; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; fast_pattern:only; pcre:"/({(?=\d+}[^\n]*?\sAUTH)|AUTH\s[^\n]*?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0005; reference:cve,2006-6424; classtype:misc-attack; sid:1930; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-nlog.pl access"; flow:to_server,established; content:"/rpc-nlog.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91470326629357&w=2; reference:url,marc.theaimsgroup.com/?l=bugtraq&m=91471400632145&w=2; classtype:web-application-activity; sid:1931; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rpc-smb.pl access"; flow:to_server,established; content:"/rpc-smb.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,1999-1278; classtype:web-application-activity; sid:1932; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cart.cgi access"; flow:to_server,established; content:"/cart.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1115; reference:cve,2000-0252; reference:nessus,10368; classtype:web-application-activity; sid:1933; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP AUTH overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:50,relative; pcre:"/^AUTH\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:1936; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:1937; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP XTND overflow attempt"; flow:to_server,established; content:"XTND"; nocase; isdataat:50,relative; pcre:"/^XTND\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:1938; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hardware address length overflow"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,6,2; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1939; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp invalid hardware type"; flow:to_server; content:"|01|"; depth:1; byte_test:1,>,7,1; metadata:policy max-detect-ips drop, ruleset community; reference:cve,1999-0798; classtype:misc-activity; sid:1940; rev:9;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP GET filename overflow attempt"; flow:to_server; content:"|00 01|"; depth:2; isdataat:100,relative; content:!"|00|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service tftp; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,36121; reference:bugtraq,5328; reference:cve,2002-0813; reference:cve,2006-4948; reference:cve,2007-1435; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:1941; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMDIR overflow attempt"; flow:to_server,established; content:"RMDIR"; nocase; isdataat:100,relative; pcre:"/^RMDIR(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,819; classtype:attempted-admin; sid:1942; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /Carello/add.exe access"; flow:to_server,established; content:"/Carello/add.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1245; reference:cve,2000-0396; reference:nessus,11776; classtype:web-application-activity; sid:1943; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ecscripts/ecware.exe access"; flow:to_server,established; content:"/ecscripts/ecware.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6066; classtype:web-application-activity; sid:1944; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 admin attempt"; flow:to_server,established; content:"/cgi-bin/admin/admin"; metadata:ruleset community, service http; reference:bugtraq,5383; reference:cve,2000-0696; classtype:web-application-activity; sid:1946; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8888 (msg:"SERVER-WEBAPP answerbook2 arbitrary command execution attempt"; flow:to_server,established; content:"/ab2/"; content:"|3B|"; distance:1; metadata:ruleset community, service http; reference:bugtraq,1556; reference:cve,2000-0697; classtype:web-application-attack; sid:1947; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS dns zone transfer via UDP detected"; flow:to_server; content:"|00 01 00 00 00 00 00|"; depth:8; offset:4; byte_test:1,!&,0xF8,2; content:"|00 00 FC 00 01|"; fast_pattern; isdataat:!1,relative; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:1948; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1949; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap SET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1950; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:cve,1999-0210; classtype:attempted-recon; sid:1951; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP mount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:1952; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1953; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP pid request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 09|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:1954; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; depth:4; offset:16; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:1955; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"PROTOCOL-RPC AMD UDP version request"; flow:to_server; content:"|00 04 93 F3|"; depth:4; offset:12; content:"|00 00 00 08|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1554; reference:cve,2000-0696; classtype:rpc-portmap-decode; sid:1956; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind UDP PING"; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1957; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,866; reference:cve,1999-0977; reference:nessus,10229; classtype:protocol-command-decode; sid:1958; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1959; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap NFS request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 A3|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1960; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request UDP"; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1961; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap RQUOTA request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 AB|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:1962; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt UDP"; content:"|00 01 86 AB|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:1963; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk UDP overflow attempt"; flow:to_server; content:"|00 01 86 F3|"; depth:4; offset:12; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,122; reference:cve,1999-0003; classtype:attempted-admin; sid:1964; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; depth:4; offset:16; content:"|00 00 00 07|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,122; reference:cve,1999-0003; reference:cve,2001-0717; classtype:attempted-admin; sid:1965; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> 255.255.255.255 27155 (msg:"SERVER-OTHER GlobalSunTech Access Point Information Disclosure attempt"; flow:to_server; content:"gstsearch"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,6100; reference:cve,2002-2137; classtype:misc-activity; sid:1966; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php arbitrary command attempt"; flow:to_server,established; content:"/quick-reply.php"; http_uri; content:"phpbb_root_path="; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-attack; sid:1967; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpbb quick-reply.php access"; flow:to_server,established; content:"/quick-reply.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6173; reference:cve,2002-2287; classtype:web-application-activity; sid:1968; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ion-p access"; flow:to_server,established; content:"/ion-p"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6091; reference:cve,2002-1559; reference:nessus,11729; classtype:web-application-activity; sid:1969; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; content:"/msadcs.dll"; nocase; http_uri; content:"Content-Type|3A|"; nocase; isdataat:50,relative; content:!"|0A|"; within:50; pcre:"/^POST\s/smi"; metadata:ruleset community, service http; reference:bugtraq,6214; reference:cve,2002-1142; reference:nessus,11161; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS98-004; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; distance:0; nocase; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,1387; reference:bugtraq,1505; reference:cve,2000-0573; classtype:bad-unknown; sid:1971; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,15457; reference:bugtraq,1690; reference:bugtraq,22045; reference:bugtraq,3884; reference:bugtraq,45957; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; reference:cve,2005-3683; reference:cve,2006-6576; classtype:attempted-admin; sid:1972; rev:32;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD overflow attempt"; flow:to_server,established; content:"MKD"; nocase; isdataat:150,relative; pcre:"/^MKD(?!\n)\s[^\n]{150}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:1973; rev:31;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,2972; reference:cve,2001-0826; reference:nessus,11755; classtype:attempted-admin; sid:1974; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE(?!\n)\s[^\n]{100}/mi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,46922; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-4228; reference:nessus,11755; classtype:attempted-admin; sid:1975; rev:27;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD(?!\n)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,2972; reference:bugtraq,39041; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; reference:cve,2005-3683; reference:cve,2010-0625; classtype:attempted-admin; sid:1976; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1977; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP xp_regdeletekey attempt"; flow:to_server,established; content:"xp_regdeletekey"; fast_pattern:only; metadata:ruleset community, service http; classtype:web-application-activity; sid:1978; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP perl post attempt"; flow:to_server,established; content:"POST"; depth:4; content:"/perl/"; http_uri; metadata:ruleset community, service http; reference:bugtraq,5520; reference:cve,2002-1436; reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection"; flow:to_server; content:"00"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1980; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 3150"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1981; rev:11;)
|
|
# alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 3150"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1982; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Connection attempt on port 4120"; flow:to_server; content:"00"; depth:2; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1983; rev:10;)
|
|
# alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR DeepThroat 3.1 Server Response on port 4120"; flow:to_client; content:"Ahhhh My Mouth Is Open"; metadata:ruleset community; reference:mcafee,98574; reference:nessus,10053; classtype:trojan-activity; sid:1984; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Doly variant outbound connection attempt"; flow:to_client,established; content:"* Doly trojan v1.5 - Connected."; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/499446edf3dfd200ebf3df2526cd4d101979e626afcd1860193f71829be23922/; classtype:trojan-activity; sid:1985; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; nocase; content:"INVITE"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1986; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"SERVER-OTHER xfs overflow attempt"; flow:to_server,established; isdataat:512; content:"B|00 02|"; depth:3; metadata:ruleset community; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 200 OK"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1988; rev:11;)
|
|
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"POLICY-SOCIAL Microsoft MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type|3A| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; metadata:ruleset community; classtype:policy-violation; sid:1989; rev:12;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:1990; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"POLICY-SOCIAL Microsoft MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; metadata:ruleset community; classtype:policy-violation; sid:1991; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal buffer overflow attempt"; flow:established,to_server; pcre:"/\sLOGIN\s[^\n]*?\{\s*(-|[3-9][0-9]{2}|2[6-9][0-9]|25[7-9]|[0-9]{4})/smi"; content:"LOGIN"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,14718; reference:bugtraq,21724; reference:bugtraq,23810; reference:bugtraq,6298; reference:cve,2002-1580; reference:cve,2005-1758; reference:cve,2006-6424; reference:cve,2007-0221; reference:nessus,12532; classtype:misc-attack; sid:1993; rev:24;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP vpasswd.cgi access"; flow:to_server,established; content:"/vpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6038; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alya.cgi access"; flow:to_server,established; content:"/alya.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11118; classtype:web-application-activity; sid:1995; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viralator.cgi access"; flow:to_server,established; content:"/viralator.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3495; reference:cve,2001-0849; reference:nessus,11107; classtype:web-application-activity; sid:1996; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP read_body.php access attempt"; flow:to_server,established; content:"/read_body.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6302; reference:cve,2002-1341; reference:nessus,11415; classtype:web-application-activity; sid:1997; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP calendar.php access"; flow:to_server,established; content:"/calendar.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,5820; reference:bugtraq,9353; reference:cve,2002-1660; reference:cve,2004-1785; reference:nessus,11179; classtype:web-application-activity; sid:1998; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edit_image.php access"; flow:to_server,established; content:"/edit_image.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3288; reference:cve,2001-1020; reference:nessus,11104; classtype:web-application-activity; sid:1999; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP readmsg.php access"; flow:to_server,established; content:"/readmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2001-1408; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP smartsearch.cgi access"; flow:to_server,established; content:"/smartsearch.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7133; classtype:web-application-activity; sid:2001; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP remote include path attempt"; flow:to_server,established; content:".php"; nocase; http_uri; content:"path="; fast_pattern:only; http_uri; pcre:"/path=(https?|ftps?|php)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/File_inclusion_vulnerability; reference:url,php.net/manual/en/function.include.php; classtype:web-application-attack; sid:2002; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; fast_pattern:only; content:"sock"; content:"send"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:16;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; fast_pattern:only; content:"sock"; content:"send"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap kcms_server request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 87|}"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"PROTOCOL-RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:16;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid user authentication response"; flow:to_client,established; content:"E Fatal error, aborting."; fast_pattern:only; content:"|3A| no such user"; metadata:ruleset community; classtype:misc-attack; sid:2008; rev:9;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid repository response"; flow:to_client,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2009; rev:7;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS double free exploit attempt response"; flow:to_client,established; content:"free|28 29 3A| warning|3A| chunk is already free"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:12;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid directory response"; flow:to_client,established; content:"E protocol error|3A| invalid directory syntax in"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:12;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS missing cvsroot response"; flow:to_client,established; content:"E protocol error|3A| Root request missing"; fast_pattern:only; metadata:ruleset community; classtype:misc-attack; sid:2012; rev:7;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS invalid module response"; flow:to_client,established; content:"cvs server|3A| cannot find module"; fast_pattern:only; content:"error"; metadata:ruleset community; classtype:misc-attack; sid:2013; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2014; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap UNSET attempt UDP 111"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1892; reference:cve,2011-0321; classtype:rpc-portmap-decode; sid:2015; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap status request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B8|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2016; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap espd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|u"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2017; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP dump request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2018; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP dump request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 02|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2019; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmount request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2020; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmount request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2021; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP unmountall request"; flow:to_server,established; content:"|00 01 86 A5|"; depth:4; offset:16; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:attempted-recon; sid:2022; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd UDP unmountall request"; flow:to_server; content:"|00 01 86 A5|"; depth:4; offset:12; content:"|00 00 00 04|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-recon; sid:2023; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,864; reference:cve,1999-0974; classtype:misc-attack; sid:2024; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2025; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd username overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; reference:nessus,10684; classtype:rpc-portmap-decode; sid:2026; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2027; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd old password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2028; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2029; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd new password overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,64,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2030; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update UDP"; flow:to_server; content:"|00 01 86 A9|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2031; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC yppasswd user update TCP"; flow:to_server,established; content:"|00 01 86 A9|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,2763; reference:cve,2001-0779; classtype:rpc-portmap-decode; sid:2032; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request UDP"; flow:to_server; content:"|00 01 86 A4|"; depth:4; offset:12; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; reference:nessus,13976; classtype:rpc-portmap-decode; sid:2033; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypserv maplist request TCP"; flow:to_server,established; content:"|00 01 86 A4|"; depth:4; offset:16; content:"|00 00 00 0B|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2034; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2035; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap network-status-monitor request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 03 0D|p"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; classtype:rpc-portmap-decode; sid:2036; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request UDP"; flow:to_server; content:"|00 03 0D|p"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; classtype:rpc-portmap-decode; sid:2037; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC network-status-monitor mon-callback request TCP"; flow:to_server,established; content:"|00 03 0D|p"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; classtype:rpc-portmap-decode; sid:2038; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"SERVER-OTHER bootp hostname format string attempt"; flow:to_server; content:"|01|"; depth:1; content:"|0C|"; distance:240; content:"%"; distance:0; content:"%"; within:8; distance:1; content:"%"; within:8; distance:1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,4701; reference:cve,2002-0702; reference:nessus,11312; classtype:misc-attack; sid:2039; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"POLICY-OTHER xtacacs login attempt"; flow:to_server; content:"|80 01|"; depth:2; content:"|00|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; classtype:misc-activity; sid:2040; rev:8;)
|
|
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"INDICATOR-SCAN xtacacs failed login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|02|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2041; rev:9;)
|
|
# alert udp $HOME_NET 49 -> $EXTERNAL_NET any (msg:"POLICY-OTHER xtacacs accepted login response"; flow:to_client; content:"|80 02|"; depth:2; content:"|01|"; distance:4; metadata:policy max-detect-ips drop, ruleset community; classtype:misc-activity; sid:2042; rev:8;)
|
|
# alert udp $HOME_NET 500 -> $EXTERNAL_NET 500 (msg:"INDICATOR-SCAN isakmp login failed"; content:"|10 05|"; depth:2; offset:17; content:"|00 00 00 01 01 00 00 18|"; within:8; distance:13; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; classtype:misc-activity; sid:2043; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"POLICY-OTHER PPTP Start Control Request attempt"; flow:to_server,established,no_stream; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:ruleset community; classtype:attempted-admin; sid:2044; rev:8;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC snmpXdmi overflow attempt UDP"; flow:to_server; content:"|00 01 87 99|"; depth:4; offset:12; content:"|00 00 01 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,2417; reference:cve,2001-0236; reference:nessus,10659; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2045; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; distance:0; nocase; pcre:"/\sPARTIAL.*BODY\.PEEK\[[^\]]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,4713; reference:cve,2002-0379; reference:nessus,10966; classtype:misc-attack; sid:2046; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsyncd module list access"; flow:to_server,established; content:"|23|list"; depth:5; metadata:ruleset community; classtype:misc-activity; sid:2047; rev:5;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SERVER-MSSQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-039; classtype:attempted-admin; sid:2050; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cached_feed.cgi moreover shopping cart access"; flow:to_server,established; content:"/cached_feed.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1762; reference:cve,2000-0906; classtype:web-application-activity; sid:2051; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP overflow.cgi access"; flow:to_server,established; content:"/overflow.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6326; reference:cve,2002-1361; reference:nessus,11190; reference:url,www.cert.org/advisories/CA-2002-35.html; classtype:web-application-activity; sid:2052; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq process_bug.cgi access"; flow:to_server,established; content:"/process_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2053; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi arbitrary command attempt"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern; nocase; http_uri; content:"who="; content:"|3B|"; distance:0; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-attack; sid:2054; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Bugtraq enter_bug.cgi access"; flow:to_server,established; content:"/enter_bug.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3272; reference:cve,2002-0008; classtype:web-application-activity; sid:2055; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TRACE attempt"; flow:to_server,established; content:"TRACE"; depth:5; metadata:ruleset community, service http; reference:bugtraq,9561; reference:cve,2003-1567; reference:cve,2004-2320; reference:cve,2010-0360; reference:nessus,11213; classtype:web-application-attack; sid:2056; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP helpout.exe access"; flow:to_server,established; content:"/helpout.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6002; reference:cve,2002-1169; reference:nessus,11162; classtype:web-application-activity; sid:2057; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe attempt"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; content:"mask="; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-attack; sid:2058; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MsmMask.exe access"; flow:to_server,established; content:"/MsmMask.exe"; http_uri; metadata:ruleset community, service http; reference:nessus,11163; classtype:web-application-activity; sid:2059; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DB4Web access"; flow:to_server,established; content:"/DB4Web/"; http_uri; metadata:ruleset community, service http; reference:nessus,11180; classtype:web-application-activity; sid:2060; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-APACHE Apache Tomcat null byte directory listing attempt"; flow:to_server,established; content:"|00|.jsp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2518; reference:bugtraq,6721; reference:cve,2003-0042; reference:nessus,11438; classtype:web-application-attack; sid:2061; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP iPlanet .perf access"; flow:to_server,established; content:"/.perf"; http_uri; metadata:ruleset community, service http; reference:nessus,11220; classtype:web-application-activity; sid:2062; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Demarc SQL injection attempt"; flow:to_server,established; content:"/dm/demarc"; http_uri; content:"s_key="; content:"'"; distance:0; content:"'"; distance:1; content:"'"; distance:0; metadata:ruleset community, service http; reference:bugtraq,4520; reference:cve,2002-0539; classtype:web-application-activity; sid:2063; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .csp script source download attempt"; flow:to_server,established; content:".csp."; http_uri; metadata:ruleset community, service http; classtype:web-application-attack; sid:2065; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .pl script source download attempt"; flow:to_server,established; content:".pl"; http_uri; content:".pl"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2066; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Lotus Notes .exe script source download attempt"; flow:to_server,established; content:".exe"; http_uri; content:".exe"; content:"."; within:1; metadata:ruleset community, service http; reference:bugtraq,6841; reference:cve,2003-1408; classtype:web-application-attack; sid:2067; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BitKeeper arbitrary command attempt"; flow:to_server,established; content:"/diffs/"; http_uri; content:"'"; content:"|3B|"; distance:0; content:"'"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6588; classtype:web-application-attack; sid:2068; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP chip.ini access"; flow:to_server,established; content:"/chip.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2755; reference:bugtraq,2775; reference:cve,2001-0749; reference:cve,2001-0771; classtype:web-application-activity; sid:2069; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe arbitrary command attempt"; flow:to_server,established; content:"/post32.exe|7C|"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-attack; sid:2070; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP post32.exe access"; flow:to_server,established; content:"/post32.exe"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1485; classtype:web-application-activity; sid:2071; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP lyris.pl access"; flow:to_server,established; content:"/lyris.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1584; reference:cve,2000-0758; classtype:web-application-activity; sid:2072; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP globals.pl access"; flow:to_server,established; content:"/globals.pl"; http_uri; metadata:ruleset community, service http; reference:bugtraq,2671; reference:cve,2001-0330; classtype:web-application-activity; sid:2073; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php upload php file attempt"; flow:to_server,established; content:"/uploadimage.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2074; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo upload.php upload php file attempt"; flow:to_server,established; content:"/upload.php"; http_uri; content:"userfile_name="; content:".php"; distance:1; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-attack; sid:2075; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo uploadimage.php access"; flow:to_server,established; content:"/uploadimage.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2076; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Mambo upload.php access"; flow:to_server,established; content:"/upload.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6572; reference:cve,2003-1204; reference:nessus,16315; classtype:web-application-activity; sid:2077; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpBB privmsg.php access"; flow:to_server,established; content:"/privmsg.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6634; reference:cve,2003-1530; classtype:web-application-activity; sid:2078; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2079; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap nlockmgr request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 B5|"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,1372; reference:cve,2000-0508; reference:nessus,10220; classtype:rpc-portmap-decode; sid:2080; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request UDP"; flow:to_server; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2081; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap rpc.xfsmd request TCP"; flow:to_server,established; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 05 F7|h"; within:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community, service sunrpc; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2082; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt UDP"; flow:to_server; content:"|00 05 F7|h"; depth:4; offset:12; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2083; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC rpc.xfsmd xfs_export attempt TCP"; flow:to_server,established; content:"|00 05 F7|h"; depth:4; offset:16; content:"|00 00 00 0D|"; within:4; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2084; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2085; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP streaming server parse_xml.cgi access"; flow:to_server,established; content:"/parse_xml.cgi"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6954; reference:bugtraq,6955; reference:bugtraq,6956; reference:bugtraq,6958; reference:cve,2003-0050; reference:cve,2003-0051; reference:cve,2003-0052; reference:cve,2003-0053; reference:cve,2003-0423; classtype:web-application-activity; sid:2086; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL From comment overflow attempt"; flow:to_server,established; content:"From|3A|"; nocase; content:"<><><><><><><><><><><><><><><><><><><><><><>"; distance:0; content:"|28|"; distance:1; content:"|29|"; distance:1; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:url,www.kb.cert.org/vuls/id/398025; classtype:attempted-admin; sid:2087; rev:14;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt UDP"; content:"|00 01 86 BC|"; depth:4; offset:12; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:bugtraq,28383; reference:cve,1999-0208; classtype:misc-attack; sid:2088; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"|00 01 86 BC|"; depth:4; offset:16; content:"|00 00 00 01|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|7C|"; distance:4; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,1749; reference:cve,1999-0208; classtype:misc-attack; sid:2089; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0A|Content-type|3A| text/xml|0A|HOST|3A|"; http_header; content:"Accept|3A| */*|0A|Translate|3A| f|0A|Content-length|3A|5276|0A 0A|"; http_header; metadata:ruleset community, service http; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2090; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0D 0A|Host|3A|"; content:"|0D 0A 0D 0A|"; within:255; metadata:ruleset community, service http; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-007; classtype:attempted-admin; sid:2091; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt UDP"; flow:to_server; content:"|00 01 86 A0 00|"; depth:5; offset:12; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36564; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2092; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"PROTOCOL-RPC portmap proxy integer overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 A0 00|"; depth:5; offset:16; content:"|00 00 00 05|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,7123; reference:cve,2003-0028; reference:nessus,11420; classtype:rpc-portmap-decode; sid:2093; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; flow:to_server; content:"|00 01 86 E4|"; depth:4; offset:12; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; reference:bugtraq,36615; reference:bugtraq,5356; reference:cve,2002-0391; reference:cve,2009-3699; reference:nessus,11418; classtype:attempted-admin; sid:2094; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; depth:4; offset:16; content:"|00 00 00 15|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,5356; reference:cve,2002-0391; reference:nessus,11418; classtype:attempted-admin; sid:2095; rev:14;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR SubSeven 2.1 Gold server connection response"; flow:to_client,established; content:"connected. time/date|3A| "; depth:22; content:"version|3A| GOLD 2.1"; distance:1; metadata:ruleset community; reference:mcafee,10566; reference:nessus,10409; classtype:trojan-activity; sid:2100; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Trans Max Param/Count OS-WINDOWS attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00 00 00|"; within:4; distance:5; metadata:ruleset community; reference:bugtraq,5556; reference:cve,2002-0724; reference:nessus,11110; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-045; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:protocol-command-decode; sid:2101; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 OPEN2 unicode maximum param count overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; content:"|00 00|"; within:2; distance:29; byte_test:2,>,1024,-12,relative,little; metadata:ruleset community; reference:cve,2003-0201; classtype:protocol-command-decode; sid:2103; rev:16;)
|
|
# alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE rexec username too long response"; flow:to_client,established; content:"username too long"; depth:17; metadata:ruleset community; reference:bugtraq,7459; reference:cve,2003-1097; classtype:unsuccessful-user; sid:2104; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; fast_pattern:only; pcre:"/\sAUTHENTICATE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,21724; reference:cve,1999-0042; reference:cve,2006-6424; reference:nessus,10292; classtype:misc-attack; sid:2105; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2106; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2107; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP CAPA overflow attempt"; flow:to_server,established; content:"CAPA"; nocase; isdataat:10,relative; pcre:"/^CAPA\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2108; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP TOP overflow attempt"; flow:to_server,established; content:"TOP"; nocase; isdataat:50,relative; pcre:"/^TOP\s[^\n]{50}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2109; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:10,relative; pcre:"/^STAT\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2110; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2111; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP RSET overflow attempt"; flow:to_server,established; content:"RSET"; nocase; isdataat:10,relative; pcre:"/^RSET\s[^\n]{10}/smi"; metadata:ruleset community, service pop3; classtype:attempted-admin; sid:2112; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2113; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"PROTOCOL-SERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; metadata:ruleset community; classtype:attempted-admin; sid:2114; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP album.pl access"; flow:to_server,established; content:"/album.pl"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7444; reference:cve,2003-1456; reference:nessus,11581; classtype:web-application-activity; sid:2115; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chipcfg.cgi access"; flow:to_server,established; content:"/chipcfg.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2767; reference:cve,2001-1341; reference:url,archives.neohapsis.com/archives/bugtraq/2001-05/0233.html; classtype:web-application-activity; sid:2116; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Battleaxe Forum login.asp access"; flow:to_server,established; content:"myaccount/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7416; reference:cve,2003-0215; reference:nessus,11548; classtype:web-application-activity; sid:2117; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,1110; reference:bugtraq,15006; reference:cve,2000-0284; reference:cve,2005-3155; reference:nessus,10374; classtype:misc-attack; sid:2118; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; fast_pattern:only; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2119; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; fast_pattern:only; pcre:"/\sCREATE\s*\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,7446; reference:cve,2003-1470; classtype:misc-attack; sid:2120; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP DELE negative argument attempt"; flow:to_server,established; content:"DELE"; fast_pattern:only; pcre:"/^DELE\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:bugtraq,7445; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2121; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP UIDL negative argument attempt"; flow:to_server,established; content:"UIDL"; fast_pattern:only; pcre:"/^UIDL\s+-\d/smi"; metadata:ruleset community, service pop3; reference:bugtraq,6053; reference:cve,2002-1539; reference:nessus,11570; classtype:misc-attack; sid:2122; rev:17;)
|
|
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"|28|C|29| Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 34012 (msg:"MALWARE-BACKDOOR Remote PC Access connection"; flow:to_server,established; content:"|28 00 01 00 04 00 00 00 00 00 00 00|"; depth:12; metadata:ruleset community; reference:nessus,11673; classtype:trojan-activity; sid:2124; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP CWD Root directory traversal attempt"; flow:to_server,established; content:"CWD"; nocase; content:"C|3A 5C|"; distance:1; metadata:ruleset community, service ftp; reference:bugtraq,7674; reference:cve,2003-0392; reference:nessus,11677; classtype:protocol-command-decode; sid:2125; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"OS-WINDOWS Microsoft Windows PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-063; classtype:attempted-admin; sid:2126; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ikonboard.cgi access"; flow:to_server,established; content:"/ikonboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7361; reference:nessus,11605; classtype:web-application-activity; sid:2127; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP swsrv.cgi access"; flow:to_server,established; content:"/swsrv.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7510; reference:cve,2003-0217; reference:nessus,11608; classtype:web-application-activity; sid:2128; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS nsiislog.dll access"; flow:to_server,established; content:"/nsiislog.dll"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,8035; reference:cve,2003-0227; reference:cve,2003-0349; reference:nessus,11664; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-018; classtype:web-application-activity; sid:2129; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect siteadmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/SiteAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7675; reference:cve,2003-0377; reference:nessus,11662; classtype:web-application-activity; sid:2130; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2131; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS Synchrologic Email Accelerator userid list access attempt"; flow:to_server,established; content:"/en/admin/aggregate.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11657; classtype:web-application-activity; sid:2132; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS MS BizTalk server access"; flow:to_server,established; content:"/biztalkhttpreceive.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,2003-0117; reference:cve,2003-0118; reference:nessus,11638; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-016; classtype:web-application-activity; sid:2133; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS register.asp access"; flow:to_server,established; content:"/register.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard.mdb access"; flow:to_server,established; content:"/philboard.mdb"; http_uri; metadata:ruleset community, service http; reference:nessus,11682; classtype:web-application-activity; sid:2135; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp authentication bypass attempt"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; content:"Cookie"; nocase; content:"philboard_admin=True"; distance:0; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-attack; sid:2136; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP philboard_admin.asp access"; flow:to_server,established; content:"/philboard_admin.asp"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7739; reference:nessus,11675; classtype:web-application-activity; sid:2137; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP logicworks.ini access"; flow:to_server,established; content:"/logicworks.ini"; http_uri; metadata:ruleset community, service http; reference:bugtraq,6996; reference:cve,2003-1383; reference:nessus,11639; classtype:web-application-activity; sid:2138; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP /*.shtml access"; flow:to_server,established; content:"/*.shtml"; http_uri; metadata:ruleset community, service http; reference:bugtraq,1517; reference:cve,2000-0683; reference:nessus,11604; classtype:web-application-activity; sid:2139; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP p-news.php access"; flow:to_server,established; content:"/p-news.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11669; classtype:web-application-activity; sid:2140; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php directory traversal attempt"; flow:to_server,established; content:"/shoutbox.php"; http_uri; content:"conf="; content:"../"; distance:0; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-attack; sid:2141; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP shoutbox.php access"; flow:to_server,established; content:"/shoutbox.php"; fast_pattern; nocase; http_uri; content:"conf="; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11668; classtype:web-application-activity; sid:2142; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php remote file include attempt"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern; nocase; http_uri; content:"b2inc="; pcre:"/b2inc=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-attack; sid:2143; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP b2 cafelog gm-2-b2.php access"; flow:to_server,established; content:"/gm-2-b2.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11667; classtype:web-application-activity; sid:2144; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password admin attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=admin"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2145; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TextPortal admin.php default password 12345 attempt"; flow:to_server,established; content:"/admin.php"; http_uri; content:"op=admin_enter"; content:"password=12345"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7673; reference:nessus,11660; reference:url,attack.mitre.org/techniques/T1078; classtype:web-application-activity; sid:2146; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 remote file include attempt"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; content:"Server[path]="; pcre:"/Server\x5bpath\x5d=(https?|ftps?|php)/"; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-attack; sid:2147; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BLNews objects.inc.php4 access"; flow:to_server,established; content:"/objects.inc.php4"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7677; reference:cve,2003-0394; reference:nessus,11647; classtype:web-application-activity; sid:2148; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Turba status.php access"; flow:to_server,established; content:"/turba/status.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11646; classtype:web-application-activity; sid:2149; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php remote file include attempt"; flow:to_server,established; content:"/admin/templates/header.php"; fast_pattern; nocase; http_uri; content:"admin_root="; nocase; http_uri; pcre:"/admin_root=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-attack; sid:2150; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttCMS header.php access"; flow:to_server,established; content:"/admin/templates/header.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:bugtraq,7625; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11636; classtype:web-application-activity; sid:2151; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP test.php access"; flow:to_server,established; content:"/test.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11617; classtype:web-application-activity; sid:2152; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php directory traversal attempt"; flow:to_server,established; content:"/autohtml.php"; fast_pattern; nocase; http_uri; content:"name="; content:"../../"; distance:0; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-attack; sid:2153; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP autohtml.php access"; flow:to_server,established; content:"/autohtml.php"; http_uri; metadata:ruleset community, service http; reference:nessus,11630; classtype:web-application-activity; sid:2154; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ttforum remote file include attempt"; flow:to_server,established; content:"forum/index.php"; http_uri; content:"template="; http_uri; pcre:"/template=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7542; reference:bugtraq,7543; reference:cve,2003-1458; reference:cve,2003-1459; reference:nessus,11615; classtype:web-application-attack; sid:2155; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP mod_gzip_status access"; flow:to_server,established; content:"/mod_gzip_status"; http_uri; metadata:ruleset community, service http; reference:nessus,11685; classtype:web-application-activity; sid:2156; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS IISProtect globaladmin.asp access"; flow:to_server,established; content:"/iisprotect/admin/GlobalAdmin.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11661; classtype:web-application-activity; sid:2157; rev:14;)
|
|
# alert tcp any any <> any 179 (msg:"SERVER-OTHER BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; metadata:ruleset community; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"Documents and Settings|5C|All Users|5C|Start Menu|5C|Programs|5C|Startup|00|"; distance:0; nocase; metadata:ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2176; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|5C 00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00 5C 00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00 5C 00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1060; classtype:attempted-recon; sid:2177; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2178; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; reference:cve,2007-1195; reference:nessus,10490; classtype:misc-attack; sid:2179; rev:16;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent announce request"; flow:to_server,established; content:"/announce"; content:"info_hash="; content:"peer_id="; content:"event="; metadata:ruleset community, service http; classtype:policy-violation; sid:2180; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-P2P BitTorrent transfer"; flow:to_server,established; content:"|13|BitTorrent protocol"; depth:20; metadata:ruleset community; classtype:policy-violation; sid:2181; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"|3A|"; distance:0; isdataat:100,relative; content:!"|0A|"; within:100; pcre:"/^\s*Content-Transfer-Encoding\s*\x3A[^\n]{100}/mi"; metadata:ruleset community, service smtp; reference:cve,2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"PROTOCOL-RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; depth:5; offset:16; content:"|00 00 00 01|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; depth:4; offset:8; metadata:ruleset community; reference:bugtraq,8179; reference:cve,2003-0252; reference:nessus,11800; classtype:misc-attack; sid:2184; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC invalid bind attempt"; flow:to_server,established; content:"|05|"; depth:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community; classtype:attempted-dos; sid:2190; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|00|"; within:1; distance:21; metadata:ruleset community, service netbios-ssn; classtype:attempted-dos; sid:2191; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CSMailto.cgi access"; flow:to_server,established; content:"/CSMailto.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-0749; reference:nessus,11748; classtype:web-application-activity; sid:2194; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP alert.cgi access"; flow:to_server,established; content:"/alert.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2195; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP catgy.cgi access"; flow:to_server,established; content:"/catgy.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3714; reference:bugtraq,4579; reference:cve,2001-1212; reference:nessus,11748; classtype:web-application-activity; sid:2196; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvsview2.cgi access"; flow:to_server,established; content:"/cvsview2.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cvslog.cgi access"; flow:to_server,established; content:"/cvslog.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2198; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP multidiff.cgi access"; flow:to_server,established; content:"/multidiff.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,5517; reference:cve,2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2199; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP dnewsweb.cgi access"; flow:to_server,established; content:"/dnewsweb.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1172; reference:bugtraq,4579; reference:cve,2000-0423; reference:nessus,11748; classtype:web-application-activity; sid:2200; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Matt Wright download.cgi access"; flow:to_server,established; content:"/download.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,1999-1377; reference:nessus,11748; classtype:web-application-activity; sid:2201; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webmin Directory edit_action.cgi access"; flow:to_server,established; content:"/edit_action.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3698; reference:bugtraq,4579; reference:cve,2001-1196; reference:nessus,11748; classtype:web-application-activity; sid:2202; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright everythingform.cgi access"; flow:to_server,established; content:"/everythingform.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2101; reference:bugtraq,4579; reference:cve,2001-0023; reference:nessus,11748; classtype:web-application-activity; sid:2203; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezadmin.cgi access"; flow:to_server,established; content:"/ezadmin.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2204; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezboard.cgi access"; flow:to_server,established; content:"/ezboard.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2205; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP EasyBoard 2000 ezman.cgi access"; flow:to_server,established; content:"/ezman.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4068; reference:bugtraq,4579; reference:cve,2002-0263; reference:nessus,11748; classtype:web-application-activity; sid:2206; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP FileSeek fileseek.cgi access"; flow:to_server,established; content:"/fileseek.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6784; reference:cve,2002-0611; reference:nessus,11748; classtype:web-application-activity; sid:2207; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Faq-O-Matic fom.cgi access"; flow:to_server,established; content:"/fom.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2002-0230; reference:nessus,11748; classtype:web-application-activity; sid:2208; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infonautics getdoc.cgi access"; flow:to_server,established; content:"/getdoc.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0288; reference:nessus,11748; classtype:web-application-activity; sid:2209; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Multiple Vendors global.cgi access"; flow:to_server,established; content:"/global.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2000-0952; reference:nessus,11748; classtype:web-application-activity; sid:2210; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Lars Ellingsen guestserver.cgi access"; flow:to_server,established; content:"/guestserver.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:cve,2001-0180; reference:nessus,11748; classtype:web-application-activity; sid:2211; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore imageFolio.cgi access"; flow:to_server,established; content:"/imageFolio.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4579; reference:bugtraq,6265; reference:cve,2002-1334; reference:nessus,11748; classtype:web-application-activity; sid:2212; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oatmeal Studios Mail File mailfile.cgi access"; flow:to_server,established; content:"/mailfile.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1807; reference:bugtraq,4579; reference:cve,2000-0977; reference:nessus,11748; classtype:web-application-activity; sid:2213; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3R Soft MailStudio 2000 mailview.cgi access"; flow:to_server,established; content:"/mailview.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1335; reference:bugtraq,4579; reference:cve,2000-0526; reference:nessus,11748; classtype:web-application-activity; sid:2214; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Alabanza Control Panel nsManager.cgi access"; flow:to_server,established; content:"/nsManager.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1710; reference:bugtraq,4579; reference:cve,2000-1023; reference:nessus,11748; classtype:web-application-activity; sid:2215; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail readmail.cgi access"; flow:to_server,established; content:"/readmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2216; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch IMail printmail.cgi access"; flow:to_server,established; content:"/printmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3427; reference:bugtraq,4579; reference:cve,2001-1283; reference:nessus,11748; classtype:web-application-activity; sid:2217; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Cobalt RaQ service.cgi access"; flow:to_server,established; content:"/service.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4211; reference:bugtraq,4579; reference:cve,2002-0346; reference:nessus,11748; classtype:web-application-activity; sid:2218; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Trend Micro Interscan VirusWall setpasswd.cgi access"; flow:to_server,established; content:"/setpasswd.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2212; reference:bugtraq,4579; reference:cve,2001-0133; reference:nessus,11748; classtype:web-application-activity; sid:2219; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Leif M. Wright simplestmail.cgi access"; flow:to_server,established; content:"/simplestmail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2106; reference:bugtraq,4579; reference:cve,2001-0022; reference:nessus,11748; classtype:web-application-activity; sid:2220; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiCentral WebStore ws_mail.cgi access"; flow:to_server,established; content:"/ws_mail.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,2861; reference:bugtraq,4579; reference:cve,2001-1343; reference:nessus,11748; classtype:web-application-activity; sid:2221; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Infinity CGI exploit scanner nph-exploitscanget.cgi access"; flow:to_server,established; content:"/nph-exploitscanget.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7910; reference:bugtraq,7911; reference:bugtraq,7913; reference:cve,2003-0434; reference:nessus,11740; classtype:web-application-activity; sid:2222; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CGIScript.net csNews.cgi access"; flow:to_server,established; content:"/csNews.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4994; reference:cve,2002-0923; reference:cve,2002-1751; reference:nessus,11726; classtype:web-application-activity; sid:2223; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Psunami Bulletin Board psunami.cgi access"; flow:to_server,established; content:"/psunami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6607; reference:nessus,11750; classtype:web-application-activity; sid:2224; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys BEFSR41 gozila.cgi access"; flow:to_server,established; content:"/gozila.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6086; reference:cve,2002-1236; reference:nessus,11773; classtype:web-application-activity; sid:2225; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pmachine remote file include attempt"; flow:to_server,established; content:"lib.inc.php"; fast_pattern; nocase; http_uri; content:"pm_path="; http_uri; pcre:"/pm_path=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,7919; reference:nessus,11739; classtype:web-application-attack; sid:2226; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP forum_details.php access"; flow:to_server,established; content:"forum_details.php"; http_uri; metadata:ruleset community, service http; reference:bugtraq,7933; reference:nessus,11760; classtype:web-application-attack; sid:2227; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phpMyAdmin db_details_importdocsql.php access"; flow:to_server,established; content:"db_details_importdocsql.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7962; reference:bugtraq,7965; reference:nessus,11761; classtype:web-application-attack; sid:2228; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP viewtopic.php access"; flow:to_server,established; content:"/viewtopic.php"; fast_pattern; nocase; http_uri; content:"days="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7979; reference:cve,2003-0486; reference:nessus,11767; classtype:web-application-attack; sid:2229; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"YWRtaW46cGFzc3dvcmQ"; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+YWRtaW46cGFzc3dvcmQ/smiH"; metadata:ruleset community, service http; reference:nessus,11737; reference:url,attack.mitre.org/techniques/T1078; classtype:default-login-attempt; sid:2230; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP register.dll access"; flow:to_server,established; content:"/register.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2231; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ContentFilter.dll access"; flow:to_server,established; content:"/ContentFilter.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2232; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SFNofitication.dll access"; flow:to_server,established; content:"/SFNofitication.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2233; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TOP10.dll access"; flow:to_server,established; content:"/TOP10.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2234; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SpamExcp.dll access"; flow:to_server,established; content:"/SpamExcp.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2235; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP spamrule.dll access"; flow:to_server,established; content:"/spamrule.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3327; reference:cve,2001-0958; reference:nessus,11747; classtype:web-application-activity; sid:2236; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cgiWebupdate.exe access"; flow:to_server,established; content:"/cgiWebupdate.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3216; reference:cve,2001-1150; reference:nessus,11722; classtype:web-application-activity; sid:2237; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebLogic ConsoleHelp view source attempt"; flow:to_server,established; content:"/ConsoleHelp/"; nocase; http_uri; content:".jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1518; reference:cve,2000-0682; reference:nessus,11724; classtype:web-application-attack; sid:2238; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP redirect.exe access"; flow:to_server,established; content:"/redirect.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2239; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP changepw.exe access"; flow:to_server,established; content:"/changepw.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1256; reference:cve,2000-0401; reference:nessus,11723; classtype:web-application-activity; sid:2240; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cwmail.exe access"; flow:to_server,established; content:"/cwmail.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4093; reference:cve,2002-0273; reference:nessus,11727; classtype:web-application-activity; sid:2241; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ddicgi.exe access"; flow:to_server,established; content:"/ddicgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,1657; reference:cve,2000-0826; reference:nessus,11728; classtype:web-application-activity; sid:2242; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ndcgi.exe access"; flow:to_server,established; content:"/ndcgi.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3583; reference:cve,2001-0922; reference:nessus,11730; classtype:web-application-activity; sid:2243; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP VsSetCookie.exe access"; flow:to_server,established; content:"/VsSetCookie.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3784; reference:cve,2002-0236; reference:nessus,11731; classtype:web-application-activity; sid:2244; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Webnews.exe access"; flow:to_server,established; content:"/Webnews.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,4124; reference:cve,2002-0290; reference:nessus,11732; classtype:web-application-activity; sid:2245; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP webadmin.dll access"; flow:to_server,established; content:"/webadmin.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,7438; reference:bugtraq,7439; reference:bugtraq,8024; reference:cve,2003-0471; reference:nessus,11771; classtype:web-application-activity; sid:2246; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS UploadScript11.asp access"; flow:to_server,established; content:"/UploadScript11.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,3608; reference:cve,2001-0938; reference:nessus,11746; classtype:web-application-activity; sid:2247; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS DirectoryListing.asp access"; flow:to_server,established; content:"/DirectoryListing.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:cve,2001-0938; classtype:web-application-activity; sid:2248; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS /pcadmin/login.asp access"; flow:to_server,established; content:"/pcadmin/login.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8103; reference:nessus,11785; classtype:web-application-activity; sid:2249; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP USER format string attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:bugtraq,7667; reference:cve,2003-0391; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; content:"|0B|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"|B8|J|9F|M|1C|}|CF 11 86 1E 00| |AF|n|7C|W"; within:16; distance:29; tag:session,5,packets; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:2252; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; fast_pattern:only; pcre:"/^XEXCH50\s+-\d/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,8838; reference:cve,2003-0714; reference:nessus,11889; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-046; classtype:attempted-admin; sid:2253; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; depth:4; offset:16; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:ruleset community; classtype:misc-attack; sid:2255; rev:13;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"PROTOCOL-RPC sadmind query with root credentials attempt UDP"; flow:to_server; content:"|00 01 87 88|"; depth:4; offset:12; content:"|00 00 00 01 00 00 00 01|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; within:4; metadata:policy max-detect-ips drop, ruleset community, service sunrpc; classtype:misc-attack; sid:2256; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2257; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|04 00|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; metadata:ruleset community, service netbios-ssn; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-043; classtype:attempted-admin; sid:2258; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; isdataat:255,relative; pcre:"/^EXPN[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2259; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; isdataat:255,relative; pcre:"/^VRFY[^\n]{255}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:bugtraq,7230; reference:cve,2002-1337; reference:cve,2003-0161; classtype:attempted-admin; sid:2260; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too many addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; reference:nessus,11316; classtype:attempted-admin; sid:2261; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SEND FROM prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM|3A|"; fast_pattern:only; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2262; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2263; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SAML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM|3A|"; fast_pattern:only; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2264; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too many addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2265; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail SOML FROM prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM|3A|"; fast_pattern:only; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:misc-attack; sid:2266; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too many addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2267; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail MAIL FROM prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM|3A|"; fast_pattern:only; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:nessus,11499; classtype:attempted-admin; sid:2268; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too many addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; metadata:ruleset community, service smtp; reference:bugtraq,6991; reference:cve,2002-1337; classtype:attempted-admin; sid:2269; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Sendmail RCPT TO prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO|3A|"; fast_pattern:only; pcre:"/^RCPT TO\x3a\s*[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,7230; reference:cve,2003-0161; reference:cve,2003-0694; reference:nessus,11499; classtype:attempted-admin; sid:2270; rev:18;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR FsSniffer connection attempt"; flow:to_server,established; content:"RemoteNC Control Password|3A|"; metadata:ruleset community; reference:nessus,11854; classtype:trojan-activity; sid:2271; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; fast_pattern:only; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; reference:nessus,11912; classtype:misc-attack; sid:2272; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login brute force attempt"; flow:to_server,established,no_stream; content:"LOGIN"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service imap; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2273; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP login brute force attempt"; flow:to_server,established,no_stream; content:"USER"; fast_pattern:only; detection_filter:track by_dst, count 30, seconds 30; metadata:ruleset community, service pop3; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2274; rev:11;)
|
|
# alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SERVER-MAIL AUTH LOGON brute force attempt"; flow:to_client,established,no_stream; content:"Authentication unsuccessful"; offset:54; nocase; detection_filter:track by_dst, count 5, seconds 60; metadata:ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1110; classtype:suspicious-login; sid:2275; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP oracle portal demo access"; flow:to_server,established; content:"/pls/portal/PORTAL_DEMO"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,11918; classtype:web-application-activity; sid:2276; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PeopleSoft PeopleBooks psdoccgi access"; flow:to_server,established; content:"/psdoccgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9037; reference:bugtraq,9038; reference:cve,2003-0626; reference:cve,2003-0627; classtype:web-application-activity; sid:2277; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP HTTP request with negative Content-Length attempt"; flow:to_server,established; content:"Content-Length|3A|"; nocase; byte_test:10,>,0x7FFFFFFF,1,relative,string,dec; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,16354; reference:bugtraq,17879; reference:bugtraq,9098; reference:bugtraq,9476; reference:bugtraq,9576; reference:cve,2004-0095; reference:cve,2005-3653; reference:cve,2006-2162; reference:cve,2006-3655; reference:cve,2014-9192; reference:cve,2015-5343; reference:cve,2017-1000470; classtype:misc-attack; sid:2278; rev:33;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP UpdateClasses.php access"; flow:to_server,established; content:"/UpdateClasses.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2279; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Title.php access"; flow:to_server,established; content:"/Title.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2280; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Setup.php access"; flow:to_server,established; content:"/Setup.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; reference:cve,2009-1151; classtype:web-application-activity; sid:2281; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP GlobalFunctions.php access"; flow:to_server,established; content:"/GlobalFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2282; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DatabaseFunctions.php access"; flow:to_server,established; content:"/DatabaseFunctions.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2283; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook remote file include attempt"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern; nocase; http_uri; content:"path="; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-attack; sid:2284; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP rolis guestbook access"; flow:to_server,established; content:"/insert.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9057; classtype:web-application-activity; sid:2285; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP friends.php access"; flow:to_server,established; content:"/friends.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9088; classtype:web-application-activity; sid:2286; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_comment.php access"; flow:to_server,established; content:"/admin_comment.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2287; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_edit.php access"; flow:to_server,established; content:"/admin_edit.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2288; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_embed.php access"; flow:to_server,established; content:"/admin_embed.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2289; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_help.php access"; flow:to_server,established; content:"/admin_help.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2290; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_license.php access"; flow:to_server,established; content:"/admin_license.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2291; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_logout.php access"; flow:to_server,established; content:"/admin_logout.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2292; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_password.php access"; flow:to_server,established; content:"/admin_password.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2293; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_preview.php access"; flow:to_server,established; content:"/admin_preview.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2294; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_settings.php access"; flow:to_server,established; content:"/admin_settings.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2295; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_stats.php access"; flow:to_server,established; content:"/admin_stats.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2296; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; content:"/admin_templates_misc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2297; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_templates.php access"; flow:to_server,established; content:"/admin_templates.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2298; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; content:"/admin_tpl_misc_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2299; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; content:"/admin_tpl_new.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2300; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll booth.php access"; flow:to_server,established; content:"/booth.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2301; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll poll_ssi.php access"; flow:to_server,established; content:"/poll_ssi.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2302; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Advanced Poll popup.php access"; flow:to_server,established; content:"/popup.php"; fast_pattern; nocase; http_uri; content:"include_path="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8890; reference:cve,2003-1178; reference:cve,2003-1179; reference:cve,2003-1180; reference:cve,2003-1181; reference:nessus,11487; classtype:web-application-activity; sid:2303; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP files.inc.php access"; flow:to_server,established; content:"/files.inc.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8910; reference:cve,2003-1153; classtype:web-application-activity; sid:2304; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP chatbox.php access"; flow:to_server,established; content:"/chatbox.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8930; reference:cve,2003-1191; classtype:web-application-activity; sid:2305; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP gallery remote file include attempt"; flow:to_server,established; content:"/setup/"; http_uri; content:"GALLERY_BASEDIR="; http_uri; pcre:"/GALLERY_BASEDIR=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8814; reference:cve,2003-1227; reference:nessus,11876; classtype:web-application-attack; sid:2306; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PayPal Storefront remote file include attempt"; flow:to_server,established; content:"do=ext"; http_uri; content:"page="; http_uri; pcre:"/page=(https?|ftps?|php)/Ui"; metadata:ruleset community, service http; reference:bugtraq,8791; reference:nessus,11873; classtype:web-application-attack; sid:2307; rev:15;)
|
|
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE CVS non-relative path error response"; flow:to_client,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; fast_pattern:only; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; metadata:ruleset community; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"SERVER-OTHER ebola USER overflow attempt"; flow:to_server,established; content:"USER"; fast_pattern:only; pcre:"/^USER\s[^\n]{49}/smi"; metadata:ruleset community; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.exe access"; flow:to_server,established; content:"/foxweb.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS foxweb.dll access"; flow:to_server,established; content:"/foxweb.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP iSoft-Solutions QuickStore shopping cart quickstore.cgi access"; flow:to_server,established; content:"/quickstore.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9282; reference:nessus,11975; classtype:web-application-activity; sid:2323; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; content:"/shopsearch.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2324; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; content:"/ShopDisplayProducts.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9133; reference:bugtraq,9134; reference:nessus,11942; classtype:web-application-activity; sid:2325; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS sgdynamo.exe access"; flow:to_server,established; content:"/sgdynamo.exe"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,4720; reference:cve,2002-0375; reference:nessus,11955; classtype:web-application-activity; sid:2326; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP bsml.pl access"; flow:to_server,established; content:"/bsml.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9311; reference:nessus,11973; classtype:web-application-activity; sid:2327; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP authentication_index.php access"; flow:to_server,established; content:"/authentication_index.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0032; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SERVER-MSSQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-003; classtype:attempted-user; sid:2329; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP auth overflow attempt"; flow:to_server,established; content:"AUTH"; isdataat:368,relative; content:!"|0A|"; within:368; metadata:ruleset community, service imap; reference:bugtraq,8861; reference:cve,2003-1177; reference:nessus,11910; classtype:misc-attack; sid:2330; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8430; classtype:web-application-activity; sid:2331; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MKD format string attempt"; flow:to_server,established; content:"MKD"; fast_pattern:only; pcre:"/^MKD\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; fast_pattern:only; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; fast_pattern:only; pcre:"/^USER\s+y049575046/smi"; metadata:ruleset community; reference:bugtraq,9072; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2334; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"PROTOCOL-FTP RMD / attempt"; flow:to_server,established; content:"RMD"; fast_pattern:only; pcre:"/^RMD\s+\x2f$/smi"; metadata:ruleset community; reference:bugtraq,9159; classtype:attempted-dos; sid:2335; rev:10;)
|
|
# alert udp any any -> any 69 (msg:"PROTOCOL-TFTP PUT filename overflow attempt"; flow:to_server; content:"|00|"; depth:1; byte_test:1,<,3,0,relative; isdataat:101,relative; content:!"|00|"; within:100; distance:2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,20131; reference:bugtraq,22923; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; reference:cve,2003-0729; reference:cve,2006-4948; reference:cve,2006-6184; reference:cve,2008-1611; reference:cve,2009-2957; reference:cve,2009-2958; reference:nessus,18264; classtype:attempted-admin; sid:2337; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:128,relative; pcre:"/^LIST(?!\n)\s[^\n]{128}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,14339; reference:bugtraq,33454; reference:bugtraq,58247; reference:bugtraq,6869; reference:bugtraq,7251; reference:bugtraq,7861; reference:bugtraq,8486; reference:bugtraq,9675; reference:cve,1999-0349; reference:cve,1999-1510; reference:cve,2000-0129; reference:cve,2004-1992; reference:cve,2005-2373; reference:cve,2007-0019; reference:cve,2009-0351; reference:url,technet.microsoft.com/en-us/security/bulletin/MS99-003; classtype:misc-attack; sid:2338; rev:35;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"PROTOCOL-TFTP NULL command attempt"; flow:to_server; content:"|00 00|"; depth:2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,7575; classtype:bad-unknown; sid:2339; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:200,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2340; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include editor script attempt"; flow:to_server,established; content:"/library/editor/editor.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP DCP-Portal remote file include lib script attempt"; flow:to_server,established; content:"/library/lib.php"; fast_pattern; nocase; http_uri; content:"root="; http_uri; metadata:ruleset community, service http; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:200,relative; content:!"|0D|"; within:200; content:!"|0A|"; within:200; content:!"|00|"; within:200; metadata:ruleset community, service ftp; reference:bugtraq,8668; reference:cve,2000-0133; reference:url,exploit-db.com/exploits/39662/; classtype:attempted-admin; sid:2343; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,11542; reference:bugtraq,8704; reference:cve,2004-2728; classtype:attempted-admin; sid:2344; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView search.php access"; flow:to_server,established; content:"/search.php"; nocase; http_uri; content:"action=soundex"; fast_pattern; nocase; http_uri; content:"firstname="; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9369; reference:cve,2004-0032; classtype:web-application-activity; sid:2345; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke chatheader.php access"; flow:to_server,established; content:"/chatheader.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2346; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myPHPNuke partner.php access"; flow:to_server,established; content:"/partner.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6544; classtype:web-application-activity; sid:2347; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox cord.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"ideaDir="; fast_pattern:only; content:"cord.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2353; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IdeaBox notification.php file include"; flow:to_server,established; content:"/index.php"; nocase; http_uri; content:"gorumDir="; fast_pattern:only; content:"notification.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,7488; classtype:web-application-activity; sid:2354; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board emailer.php file include"; flow:to_server,established; content:"/ad_member.php"; fast_pattern; nocase; http_uri; content:"emailer.php"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,7204; classtype:web-application-activity; sid:2355; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat db_mysql.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"db_mysql.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2356; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WebChat english.php file include"; flow:to_server,established; content:"/defines.php"; nocase; http_uri; content:"WEBCHATPATH="; nocase; content:"english.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,7000; reference:cve,2007-0485; classtype:web-application-attack; sid:2357; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Typo3 translations.php file include"; flow:to_server,established; content:"/translations.php"; fast_pattern; nocase; http_uri; content:"ONLY="; nocase; metadata:ruleset community, service http; reference:bugtraq,6984; classtype:web-application-attack; sid:2358; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Board ipchat.php file include"; flow:to_server,established; content:"/ipchat.php"; nocase; http_uri; content:"root_path="; content:"conf_global.php"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6976; reference:cve,2003-1385; classtype:web-application-attack; sid:2359; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP myphpPagetool pt_config.inc file include"; flow:to_server,established; content:"/doc/admin"; nocase; http_uri; content:"ptinclude="; nocase; content:"pt_config.inc"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,6744; classtype:web-application-attack; sid:2360; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP news.php file include"; flow:to_server,established; content:"/news.php"; fast_pattern; nocase; http_uri; content:"template="; nocase; metadata:ruleset community, service http; reference:bugtraq,6674; classtype:web-application-attack; sid:2361; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP YaBB SE packages.php file include"; flow:to_server,established; content:"/packages.php"; fast_pattern; nocase; http_uri; content:"packer.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6663; classtype:web-application-attack; sid:2362; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards default_header.php access"; flow:to_server,established; content:"/default_header.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2363; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Cyboards options_form.php access"; flow:to_server,established; content:"/options_form.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6597; classtype:web-application-activity; sid:2364; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP newsPHP Language file include attempt"; flow:to_server,established; content:"/nphpd.php"; fast_pattern; nocase; http_uri; content:"LangFile"; nocase; metadata:ruleset community, service http; reference:bugtraq,8488; classtype:web-application-activity; sid:2365; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV authentication_index.php base directory manipulation attempt"; flow:to_server,established; content:"/authentication_index.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2366; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV functions.php base directory manipulation attempt"; flow:to_server,established; content:"/functions.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2367; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV config_gedcom.php base directory manipulation attempt"; flow:to_server,established; content:"/config_gedcom.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2368; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ISAPISkeleton.dll access"; flow:to_server,established; content:"/ISAPISkeleton.dll"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9516; reference:cve,2004-2128; classtype:web-application-activity; sid:2369; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP BugPort config.conf file access"; flow:to_server,established; content:"/config.conf"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9542; reference:cve,2004-2353; classtype:attempted-recon; sid:2370; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Sample_showcode.html access"; flow:to_server,established; content:"/Sample_showcode.html"; nocase; http_uri; content:"fname"; metadata:ruleset community, service http; reference:bugtraq,9555; reference:cve,2004-2170; classtype:web-application-activity; sid:2371; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Photopost PHP Pro showphoto.php access"; flow:to_server,established; content:"/showphoto.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9557; reference:cve,2004-0239; reference:cve,2004-0250; classtype:web-application-activity; sid:2372; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:200,relative; pcre:"/^XMKD(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:200,relative; pcre:"/^NLST(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,7909; reference:cve,1999-1544; reference:cve,2009-3023; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:2374; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3199 (msg:"MALWARE-CNC DoomJuice/mydoom.a backdoor upload/execute"; flow:to_server,established; content:"|85 13|<|9E A2|"; depth:5; metadata:ruleset community; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.hllw.doomjuice.html; classtype:trojan-activity; sid:2375; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP first payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP third payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Checkpoint Firewall-1 HTTP parsing format string vulnerability attempt"; flow:to_server,established; content:"|3A|/"; offset:11; http_uri; pcre:"/^[^\x3a\x3f]{11,}\x3a\x2f/Usmi"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9581; reference:cve,2004-0039; reference:nessus,12084; classtype:attempted-admin; sid:2381; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2382; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:2383; rev:26;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS NTLM ASN1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Negotiate"; within:20; nocase; http_header; content:"YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; within:100; http_header; metadata:ruleset community, service http; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:attempted-dos; sid:2386; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Apple QuickTime streaming server view_broadcast.cgi access"; flow:to_server,established; content:"/view_broadcast.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8257; reference:cve,2003-0422; classtype:web-application-activity; sid:2388; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:200,relative; pcre:"/^RNTO(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; reference:cve,2005-3683; classtype:attempted-admin; sid:2389; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:200,relative; pcre:"/^STOU\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP APPE overflow attempt"; flow:to_server,established; content:"APPE"; nocase; isdataat:200,relative; pcre:"/^APPE(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,8315; reference:bugtraq,8542; reference:cve,2000-0133; reference:cve,2003-0466; reference:cve,2003-0772; classtype:attempted-admin; sid:2391; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:200,relative; pcre:"/^RETR(?!\n)\s[^\n]{200}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,15457; reference:bugtraq,23168; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; reference:cve,2005-3683; classtype:attempted-admin; sid:2392; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /_admin access"; flow:to_server,established; content:"/_admin/"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9537; reference:cve,2007-1156; reference:nessus,12032; classtype:web-application-activity; sid:2393; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"SERVER-WEBAPP Compaq web-based management agent denial of service attempt"; flow:to_server,established; content:"<!"; depth:75; content:">"; within:50; metadata:ruleset community; reference:bugtraq,8014; classtype:web-application-attack; sid:2394; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP InteractiveQuery.jsp access"; flow:to_server,established; content:"/InteractiveQuery.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8938; reference:cve,2003-0624; classtype:web-application-activity; sid:2395; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi arbitrary command execution attempt"; flow:to_server,established; content:"/whereami.cgi?"; nocase; http_uri; content:"g="; distance:0; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-attack; sid:2396; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP CCBill whereami.cgi access"; flow:to_server,established; content:"/whereami.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,8095; reference:url,secunia.com/advisories/9191/; classtype:web-application-activity; sid:2397; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter newsletter.php file include attempt"; flow:to_server,established; content:"newsletter.php"; nocase; http_uri; content:"waroot"; fast_pattern:only; content:"start.php"; nocase; metadata:ruleset community, service http; reference:bugtraq,6965; classtype:web-application-attack; sid:2398; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP WAnewsletter db_type.php access"; flow:to_server,established; content:"/sql/db_type.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6964; classtype:web-application-activity; sid:2399; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP edittag.pl access"; flow:to_server,established; content:"/edittag.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,6675; reference:cve,2003-1351; classtype:web-application-activity; sid:2400; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2401; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00|"; within:255; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2402; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Session Setup unicode username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2403; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup unicode andx username overflow attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"|00 00|"; within:510; distance:29; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9752; reference:cve,2004-0193; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2404; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP phptest.php access"; flow:to_server,established; content:"/phptest.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9737; reference:cve,2004-2374; classtype:web-application-activity; sid:2405; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; fast_pattern:only; metadata:ruleset community, service telnet; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; reference:url,attack.mitre.org/techniques/T1078; classtype:suspicious-login; sid:2406; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP util.pl access"; flow:to_server,established; content:"/util.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9748; reference:cve,2004-2379; classtype:web-application-activity; sid:2407; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Invision Power Board search.pl access"; flow:to_server,established; content:"/search.pl"; http_uri; content:"st="; nocase; metadata:ruleset community, service http; reference:bugtraq,9766; reference:cve,2004-0338; classtype:web-application-activity; sid:2408; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP APOP USER overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s+USER\s[^\n]{256}/smi"; metadata:ruleset community, service pop3; reference:bugtraq,9794; reference:cve,2004-2375; classtype:attempted-admin; sid:2409; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP IGeneric Free Shopping Cart page.php access"; flow:to_server,established; content:"/page.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9773; classtype:web-application-activity; sid:2410; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 554 (msg:"SERVER-WEBAPP RealNetworks RealSystem Server DESCRIBE buffer overflow attempt"; flow:to_server,established; content:"DESCRIBE"; nocase; content:"../"; distance:1; pcre:"/^DESCRIBE\s[^\n]{300}/smi"; metadata:ruleset community; reference:bugtraq,8476; reference:cve,2003-0725; reference:nessus,11642; reference:url,www.service.real.com/help/faq/security/rootexploit091103.html; classtype:web-application-attack; sid:2411; rev:16;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE successful cross site scripting forced download attempt"; flow:to_server,established; content:"|0A|Referer|3A| res|3A|/C|3A|"; metadata:ruleset community; classtype:successful-user; sid:2412; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP delete hash with empty hash attempt"; flow:to_server; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:16;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP second payload initial contact notification without SPI attempt"; flow:to_server; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; pcre:"/^MDTM \d+[-+]\D/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.*?%.*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,15352; reference:bugtraq,30993; reference:bugtraq,9800; reference:cve,2002-2074; reference:cve,2007-1195; reference:cve,2009-4769; classtype:string-detect; sid:2417; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"POLICY-OTHER Microsoft Windows Terminal Server no encryption session initiation attempt"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; depth:1; offset:288; metadata:ruleset community; reference:cve,2001-0663; reference:url,technet.microsoft.com/en-us/security/bulletin/MS01-052; classtype:attempted-dos; sid:2418; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .ram playlist file download request"; flow:to_server,established; content:".ra"; fast_pattern:only; http_uri; pcre:"/\x2eram?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2419; rev:30;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rmp playlist file download request"; flow:to_server,established; content:".rmp"; fast_pattern:only; http_uri; pcre:"/\x2ermp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rmp; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2420; rev:33;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rt playlist file download request"; flow:to_server,established; content:".rt"; fast_pattern:only; http_uri; pcre:"/\x2ert([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2422; rev:31;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RealNetworks Realplayer .rp playlist file download request"; flow:to_server,established; content:".rp"; fast_pattern:only; http_uri; pcre:"/\x2erp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.ram; classtype:misc-activity; sid:2423; rev:30;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; fast_pattern:only; pcre:"/^sendsys\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2424; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; fast_pattern:only; pcre:"/^senduuname\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2425; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP version overflow attempt"; flow:to_server,established; content:"version"; fast_pattern:only; pcre:"/^version\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2426; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; fast_pattern:only; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2427; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; fast_pattern:only; pcre:"/^ihave\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2428; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; fast_pattern:only; pcre:"/^sendme\x3a[^\n]{21}/smi"; metadata:ruleset community; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2429; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; fast_pattern:only; pcre:"/^newgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2430; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; fast_pattern:only; pcre:"/^rmgroup\x3a[^\n]{32}/smi"; metadata:ruleset community, service nntp; reference:bugtraq,9382; reference:cve,2004-0045; reference:nessus,11984; classtype:attempted-admin; sid:2431; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; fast_pattern:only; pcre:!"/^takethis.*?Path\x3a.*?[\r]{0,1}?\n[\r]{0,1}\n/si"; metadata:ruleset community; classtype:attempted-admin; sid:2432; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3000 (msg:"SERVER-WEBAPP MDaemon form2raw.cgi overflow attempt"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; pcre:"/\Wfrom=[^\x3b&\n]{100}/si"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-attack; sid:2433; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP MDaemon form2raw.cgi access"; flow:to_server,established; content:"/form2raw.cgi"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9317; reference:cve,2003-1200; reference:url,secunia.com/advisories/10512/; classtype:web-application-activity; sid:2434; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft emf file download request"; flow:to_server,established; content:".emf"; fast_pattern:only; http_uri; pcre:"/\x2eemf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.emf; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips alert, ruleset community, service http; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:2435; rev:33;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Windows Audio wmf file download request"; flow:to_server,established; content:".wmf"; fast_pattern:only; http_uri; pcre:"/\x2ewmf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.wmf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.wmf; classtype:misc-activity; sid:2436; rev:31;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer arbitrary javascript command attempt"; flow:to_client,established; content:"application/smi"; fast_pattern; nocase; http_header; file_data; content:"file|3A|javascript|3A|"; pcre:"/<area\s+href=[\x22\x27]file\x3ajavascript\x3a/smi"; metadata:ruleset community, service http; reference:bugtraq,8453; reference:bugtraq,9378; reference:cve,2003-0726; classtype:attempted-user; sid:2437; rev:20;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist file URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"file|3A|//"; nocase; pcre:"/^file\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2438; rev:23;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist http URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"http|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2439; rev:23;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA RealNetworks RealPlayer playlist rtsp URL overflow attempt"; flow:to_client,established; flowbits:isset,file.realplayer.playlist; file_data; content:"rtsp|3A|//"; nocase; pcre:"/^http\x3a\x2f\x2f[^\n]{400}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,13264; reference:bugtraq,9579; reference:cve,2004-0258; reference:cve,2005-0755; classtype:attempted-user; sid:2440; rev:23;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetObserve authentication bypass attempt"; flow:to_server,established; content:"login=0"; nocase; content:"login=0"; nocase; http_cookie; metadata:ruleset community, service http; reference:bugtraq,9319; classtype:web-application-attack; sid:2441; rev:14;)
|
|
# alert udp any 4000 -> any any (msg:"SERVER-OTHER ICQ SRV_MULTI/SRV_META_USER overflow attempt - ISS Witty Worm"; flow:to_server; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1,>,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2,>,512,-11,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ServletManager access"; flow:to_server,established; content:"/servlet/ServletManager"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3697; reference:cve,2001-1195; reference:nessus,12122; classtype:web-application-activity; sid:2447; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP setinfo.hts access"; flow:to_server,established; content:"/setinfo.hts"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9973; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2448; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:200,relative; pcre:"/^ALLO(?!\n)\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9953; reference:cve,2004-1883; reference:nessus,14598; classtype:attempted-admin; sid:2449; rev:12;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful logon"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 01|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2450; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM voicechat"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00|J"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2451; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 12|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2452; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference invitation"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 18|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2453; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference logon success"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 19|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2454; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00 1D|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2455; rev:8;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"|00|M"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2456; rev:9;)
|
|
# alert tcp any any <> any 5101 (msg:"POLICY-SOCIAL Yahoo IM message"; flow:established; content:"YMSG"; depth:4; nocase; metadata:ruleset community; classtype:policy-violation; sid:2457; rev:7;)
|
|
# alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM successful chat join"; flow:to_client,established; content:"YMSG"; depth:4; nocase; content:"|00 98|"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2458; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY-SOCIAL Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"|00|P"; depth:2; offset:10; metadata:ruleset community; classtype:policy-violation; sid:2459; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"POLICY-SOCIAL Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; metadata:ruleset community; classtype:policy-violation; sid:2460; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"POLICY-SOCIAL Yahoo IM conference watch"; flow:to_client,established; content:"|0D 00 05 00|"; depth:4; metadata:ruleset community; classtype:policy-violation; sid:2461; rev:10;)
|
|
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:10;)
|
|
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:10;)
|
|
# alert ip any any -> any any (msg:"SERVER-OTHER Ethereal EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; metadata:ruleset community; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; byte_jump:2,7,little,relative; content:"ADMIN|24 00|"; distance:2; nocase; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:2474; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP source.jsp access"; flow:to_server,established; content:"/source.jsp"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-PLUGINS Symantec Norton Internet Security 2004 ActiveX clsid access"; flow:to_client,established; file_data; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9916; reference:cve,2004-0363; classtype:attempted-user; sid:2485; rev:19;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-type buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2487; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL WinZip MIME content-disposition buffer overflow"; flow:to_server,established; content:"Content-Type|3A|"; fast_pattern:only; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3A|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; metadata:ruleset community, service smtp; reference:bugtraq,9758; reference:cve,2004-0333; reference:nessus,12621; classtype:attempted-user; sid:2488; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1040,relative; content:!"</STREAMQUOTE>"; within:1040; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2489; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SERVER-OTHER esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; within:1052; nocase; metadata:ruleset community; reference:bugtraq,9978; reference:cve,2004-1868; classtype:attempted-admin; sid:2490; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP lsass DsRolerUpgradeDownlevelServer overflow attempt"; flow:to_server,established; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2508; rev:24;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,138,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP lsass DsRolerUpgradeDownlevelServer overflow attempt"; dce_iface:3919286a-b10c-11d0-9ba8-00c04fd92ef5; dce_opnum:9; dce_stub_data; byte_test:4,>,256,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-dgm; reference:bugtraq,10108; reference:cve,2003-0533; reference:nessus,12205; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; classtype:attempted-admin; sid:2511; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"SERVER-OTHER BGP spoofed connection reset attempt"; flow:established,no_stream; flags:RSF*; detection_filter:track by_dst,count 10,seconds 10; metadata:ruleset community; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 548 (msg:"SERVER-OTHER AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; metadata:ruleset community; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM(?!\n)\s[^\n]{100}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2546; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin setinfo access attempt"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9972; reference:cve,2004-1856; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; fast_pattern:only; content:"WriteToFile"; nocase; metadata:ruleset community; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER Nullsoft Winamp XM file buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.xm; file_data; content:"Extended Module|3A 20|"; nocase; byte_test:1,!=,26,20,relative; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1896; reference:url,www.securityfocus.com/bid/10045; classtype:attempted-user; sid:2550; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"SERVER-OTHER Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; metadata:ruleset community; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"SERVER-OTHER rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; fast_pattern:only; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; metadata:ruleset community; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 81 (msg:"SERVER-WEBAPP McAfee ePO file upload attempt"; flow:to_server,established; content:"/spipe/repl_file"; nocase; content:"Command=BEGIN"; nocase; metadata:ruleset community, service http; reference:bugtraq,10200; reference:cve,2004-0038; classtype:attempted-admin; sid:2562; rev:9;)
|
|
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup response name overflow attempt"; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; byte_test:1,>,32,12; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,10333; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2563; rev:8;)
|
|
# alert udp $EXTERNAL_NET 137 -> $HOME_NET 137 (msg:"NETBIOS NS lookup short response attempt"; dsize:<56; byte_test:1,&,0x80,2; content:"|00 01|"; depth:2; offset:6; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,10335; reference:cve,2004-0444; reference:url,www.eeye.com/html/Research/Advisories/AD20040512C.html; classtype:attempted-admin; sid:2564; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP modules.php access"; flow:to_server,established; content:"/modules.php"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9879; reference:cve,2004-1817; classtype:web-application-activity; sid:2565; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PHPBB viewforum.php access"; flow:to_server,established; content:"/viewforum.php"; nocase; http_uri; content:"topic_id="; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9865; reference:bugtraq,9866; reference:cve,2004-1809; reference:nessus,12093; classtype:web-application-activity; sid:2566; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail init.emu access"; flow:to_server,established; content:"/init.emu"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2567; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Emumail emumail.fcgi access"; flow:to_server,established; content:"/emumail.fcgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9861; reference:cve,2004-2334; reference:cve,2004-2385; reference:nessus,12095; classtype:web-application-activity; sid:2568; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP cPanel resetpass access"; flow:to_server,established; content:"/resetpass"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9848; reference:cve,2004-1769; classtype:web-application-activity; sid:2569; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP invalid HTTP version string"; flow:to_server,established; content:" HTTP/"; depth:300; nocase; isdataat:5,relative; content:!"0.9"; within:3; content:!"1.0"; within:3; content:!"1.1"; within:3; pcre:!"/^[^\n]* HTTP\x2f(0\.9|1\.[01])\s*\n/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,34240; reference:bugtraq,9809; reference:cve,2009-0478; reference:nessus,11593; classtype:non-standard-protocol; sid:2570; rev:25;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmGetAttachment.aspx access"; flow:to_server,established; content:"/frmGetAttachment.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2571; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail login.aspx buffer overflow attempt"; flow:to_server,established; content:"/login.aspx"; nocase; http_uri; content:"txtusername="; isdataat:980,relative; content:!"|0A|"; within:980; nocase; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-attack; sid:2572; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS SmarterTools SmarterMail frmCompose.asp access"; flow:to_server,established; content:"/frmCompose.aspx"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,9805; reference:cve,2004-2585; classtype:web-application-activity; sid:2573; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; fast_pattern:only; pcre:"/^RETR\s[^\n]*?%[^\n]*?%/smi"; metadata:ruleset community, service ftp; reference:bugtraq,9800; reference:cve,2004-1883; classtype:attempted-admin; sid:2574; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Opt-X header.php remote file include attempt"; flow:to_server,established; content:"/header.php"; nocase; http_uri; content:"systempath="; fast_pattern:only; pcre:"/systempath=(https?|ftps?|php)/i"; metadata:ruleset community, service http; reference:bugtraq,9732; reference:cve,2004-2368; classtype:web-application-attack; sid:2575; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*package_prefix[\r\n\s]*=>[\r\n\s]*\2|package_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*procedure_prefix[\r\n\s]*=>[\r\n\s]*\2|procedure_prefix\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2576; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-OTHER local resource redirection attempt"; flow:to_client,established; content:"Location|3A|"; nocase; http_header; pcre:"/^Location\x3a(\s*|\s*\r?\n\s+)*URL\s*\x3a/smiH"; metadata:ruleset community, service http; reference:cve,2004-0549; reference:url,www.kb.cert.org/vuls/id/713878; classtype:attempted-user; sid:2577; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow UDP"; flow:to_server; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:policy max-detect-ips drop, ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"SERVER-OTHER kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; metadata:ruleset community, service kerberos; reference:cve,2003-0072; reference:nessus,11512; reference:url,attack.mitre.org/techniques/T1097; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:8;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP server negative Content-Length attempt"; flow:to_client,established; content:"Content-Length"; nocase; pcre:"/^Content-Length\s*\x3a\s*-\d+/mi"; metadata:ruleset community, service http; reference:bugtraq,10508; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2580; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP SAP Crystal Reports crystalimagehandler.aspx access"; flow:to_server,established; content:"/crystalimagehandler.aspx"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:cve,2004-0204; reference:url,www.microsoft.com/security/bulletins/200406_crystal.mspx; classtype:web-application-activity; sid:2581; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"OS-WINDOWS SAP Crystal Reports crystalImageHandler.asp directory traversal attempt"; flow:to_server,established; content:"/crystalimagehandler"; fast_pattern:only; http_uri; content:"dynamicimage=../"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,10260; reference:cve,2004-0204; reference:nessus,12271; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-017; classtype:web-application-attack; sid:2582; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"SERVER-OTHER CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; fast_pattern:only; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:9;)
|
|
# alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"SERVER-OTHER eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; fast_pattern:only; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:ruleset community; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10386; classtype:attempted-recon; sid:2585; rev:9;)
|
|
# alert tcp $HOME_NET 4711 -> $EXTERNAL_NET any (msg:"PUA-P2P eDonkey server response"; flow:established,to_client; content:"Server|3A| eMule"; fast_pattern:only; metadata:ruleset community; reference:url,www.emule-project.net; classtype:policy-violation; sid:2587; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP TUTOS path disclosure attempt"; flow:to_server,established; content:"/note_overview.php"; http_uri; content:"id="; metadata:ruleset community, service http; reference:bugtraq,10129; reference:url,www.securiteam.com/unixfocus/5FP0J15CKE.html; classtype:web-application-activity; sid:2588; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; http_header; pcre:"/^Content-Disposition\x3a(\s*|\s*\r?\n\s+)[^\r\n]*?\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smiH"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-024; classtype:attempted-user; sid:2589; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization|3A|"; nocase; http_header; content:"Basic"; within:50; nocase; http_header; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smiH"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2597; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Samba SWAT Authorization port 901 overflow attempt"; flow:to_server,established; content:"Authorization|3A| Basic"; nocase; pcre:"/^Authorization\x3a(\s*|\s*\r?\n\s+)Basic\s+=/smi"; metadata:ruleset community, service http; reference:bugtraq,10780; reference:cve,2004-0600; classtype:web-application-attack; sid:2598; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2599; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2601; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*fname[\r\n\s]*=>[\r\n\s]*\2|fname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2609; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE LINK metadata buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"DATABASE"; nocase; content:"LINK"; nocase; pcre:"/USING\s*((\x27[^\x27]{1000})|(\x22[^\x22]{1000}))/Rmsi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12296; reference:bugtraq,7453; reference:cve,2003-0222; reference:cve,2005-0297; reference:nessus,11563; reference:url,archives.neohapsis.com/archives/bugtraq/2003-04/0360.html; classtype:attempted-user; sid:2611; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; pcre:"/TIME_ZONE\s*=\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:nessus,12047; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*operation[\r\n\s]*=>[\r\n\s]*\2|operation\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gowner[\r\n\s]*=>[\r\n\s]*\2|gowner\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(true|false)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2641; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\s*TIMESTAMP\s*(\s*(\x27[^\x27]+'|\x22[^\x22]+\x22)\s*,)\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/Rmsi"; metadata:ruleset community; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2645; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $ORACLE_PORTS (msg:"SERVER-ORACLE Oracle 9i TNS Listener SERVICE_NAME Remote Buffer Overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|service_name="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2002-0965; classtype:attempted-user; sid:2649; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"|28|user="; nocase; isdataat:1000,relative; content:!"|29|"; within:1000; metadata:ruleset community; reference:bugtraq,6849; reference:cve,2003-0095; reference:url,otn.oracle.com/deploy/security/pdf/2003alert51.pdf; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE NUMTODSINTERVAL/NUMTOYMINTERVAL buffer overflow attempt"; flow:to_server,established; content:"NUMTO"; nocase; content:"INTERVAL"; distance:2; nocase; pcre:"/NUMTO(DS|YM)INTERVAL\s*\(\s*\d+\s*,\s*((\x27[^\x27]{1000,})|(\x22[^\x22]{1000,}))/msi"; metadata:ruleset community; reference:bugtraq,9587; reference:cve,2003-1208; reference:url,www.nextgenss.com/advisories/ora_numtodsinterval.txt; reference:url,www.nextgenss.com/advisories/ora_numtoyminterval.txt; classtype:attempted-user; sid:2651; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2652; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; content:"/modules.php"; nocase; http_uri; content:"name=Forums"; content:"file=viewtopic"; fast_pattern:only; pcre:"/forum=.*'/"; metadata:ruleset community, service http; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; fast_pattern:only; content:"ExecuteFile"; nocase; metadata:ruleset community; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:1,>,127,0; byte_test:2,>,32,9; metadata:policy max-detect-ips drop, ruleset community, service ssl; reference:bugtraq,11015; reference:cve,2004-0826; classtype:attempted-admin; sid:2656; rev:22;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-WEBAPP SSLv2 Client_Hello with pad Challenge Length overflow attempt"; flow:to_server,established; ssl_version:sslv2; ssl_state:client_hello; content:"|01 00 02|"; depth:3; offset:2; byte_test:2,>,32,9; metadata:policy max-detect-ips drop, ruleset community, service ssl; classtype:attempted-admin; sid:2657; rev:20;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Ipswitch WhatsUpGold instancename overflow attempt"; flow:to_server,established; content:"/_maincfgret.cgi"; fast_pattern:only; http_uri; content:"instancename="; nocase; http_uri; isdataat:513,relative; pcre:"/instancename=[^&\x3b\r\n]{513}/Usmi"; metadata:ruleset community, service http; reference:bugtraq,11043; reference:cve,2004-0798; classtype:web-application-attack; sid:2663; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s[^\n]*?%/smi"; metadata:ruleset community, service imap; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2664; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; fast_pattern:only; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]*?%/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,10976; reference:cve,2007-0221; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-026; classtype:attempted-admin; sid:2665; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"PROTOCOL-POP PASS format string attempt"; flow:to_server,established; content:"PASS"; fast_pattern:only; pcre:"/^PASS\s+[^\n]*?%/smi"; metadata:ruleset community, service pop3; reference:bugtraq,10976; reference:cve,2004-0777; classtype:attempted-admin; sid:2666; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS ping.asp access"; flow:to_server,established; content:"/ping.asp"; nocase; http_uri; metadata:ruleset community, service http; reference:nessus,10968; classtype:web-application-activity; sid:2667; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP processit access"; flow:to_server,established; content:"/processit.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:nessus,10649; classtype:web-application-activity; sid:2668; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP ibillpm.pl access"; flow:to_server,established; content:"/ibillpm.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3476; reference:cve,2001-0839; reference:nessus,11083; classtype:web-application-activity; sid:2669; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP pgpmail.pl access"; flow:to_server,established; content:"/pgpmail.pl"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,3605; reference:cve,2001-0937; reference:nessus,11070; classtype:web-application-activity; sid:2670; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; flowbits:isset,file.bmp; file_data; content:"BM"; byte_test:4,>,2147480000,8,relative,little; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,9663; reference:cve,2004-0566; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-025; classtype:attempted-user; sid:2671; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP sresult.exe access"; flow:to_server,established; content:"/sresult.exe"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,10837; reference:cve,2004-2528; reference:nessus,14186; classtype:web-application-activity; sid:2672; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE libpng tRNS overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|(\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*oname[\r\n\s]*=>[\r\n\s]*\2|oname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2674; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*privilege_type[\r\n\s]*=>[\r\n\s]*\2|privilege_type\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2675; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2677; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2678; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*tst[\r\n\s]*=>[\r\n\s]*\2|tst\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*\d+\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2679; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*logfile[\r\n\s]*=>[\r\n\s]*\2|logfile\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\d+\s*,\s*){3}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2680; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2681; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{128,}\x27|\x22[^\x22]{128,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,})|\(\s*(\x27[^\x27]{128,}|\x22[^\x22]{128,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2682; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*layer[\r\n\s]*=>[\r\n\s]*\2|layer\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2683; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{512,}\x27|\x22[^\x22]{512,}\x22)[\r\n\s]*\x3b.*repgrpname[\r\n\s]*=>[\r\n\s]*\2|repgrpname\s*=>\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,})|\(\s*(\x27[^\x27]{512,}|\x22[^\x22]{512,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2684; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*SCHEMA_NAME[\r\n\s]*=>[\r\n\s]*\2|SCHEMA_NAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2685; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*sname1[\r\n\s]*=>[\r\n\s]*\2|sname1\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]*\x22)\s*,\s*){9}(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2687; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2688; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2689; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*dblink[\r\n\s]*=>[\r\n\s]*\2|dblink\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2690; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*destination[\r\n\s]*=>[\r\n\s]*\2|destination\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2691; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2692; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2693; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*src_queue_name[\r\n\s]*=>[\r\n\s]*\2|src_queue_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2694; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*qt_name[\r\n\s]*=>[\r\n\s]*\2|qt_name\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2695; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1024,}\x27|\x22[^\x22]{1024,}\x22)[\r\n\s]*\x3b.*CANON_GNAME[\r\n\s]*=>[\r\n\s]*\2|CANON_GNAME\s*=>\s*(\x27[^\x27]{1024,}|\x22[^\x22]{1024,}))/si"; metadata:ruleset community; classtype:attempted-user; sid:2696; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; pcre:"/ALTER\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community; classtype:attempted-user; sid:2697; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; pcre:"/CREATE\s.*?FILE\s+((AS|MEMBER|TO)\s+)?(\x27[^\x27]{512}|\x22[^\x22]{512})/smi"; metadata:ruleset community; classtype:attempted-user; sid:2698; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s*\(\s*SYSTIMESTAMP\s*,\s*(\x27[^\x27]{256}|\x22[^\x22]{256})/smi"; metadata:ruleset community; reference:bugtraq,10871; reference:cve,2004-1364; classtype:attempted-user; sid:2699; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus sid overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/sid=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2701; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus username overflow attempt"; flow:to_server,established; content:"/isqlplus"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{255}/si"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2702; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; pcre:"/username=[^&\x3b\r\n]{250}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle 10g iSQLPlus login.unix connectID overflow attempt"; flow:to_server,established; content:"/login.uix"; nocase; http_uri; content:"connectID="; nocase; isdataat:255,relative; pcre:"/connectID=[^&\x3b\r\n]{255}/smi"; metadata:ruleset community, service http; reference:bugtraq,10871; reference:cve,2004-1362; reference:cve,2004-1363; reference:cve,2004-1364; reference:cve,2004-1365; reference:cve,2004-1366; reference:cve,2004-1368; reference:cve,2004-1369; reference:cve,2004-1370; reference:cve,2004-1371; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2704; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_client,established; content:"Content-Type"; nocase; http_header; content:"image/"; nocase; http_header; pcre:"/^Content-Type\x3A\s*image\x2F/smiH"; file_data; content:"|FF D8|"; within:2; fast_pattern; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/sR"; metadata:ruleset community, service http; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:2705; rev:18;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE JPEG parser multipacket heap overflow attempt"; flow:to_client,established; flowbits:isset,file.jpeg; file_data; content:"|00 48 00 00 FF|"; fast_pattern:only; pcre:"/\x00\x48\x00\x00\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11173; reference:cve,2004-0200; reference:cve,2017-16392; reference:url,helpx.adobe.com/security/products/acrobat/apsb17-36.html; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-028; classtype:attempted-admin; sid:2707; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){10}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(missing_rows_oname1|missing_rows_oname2)[\r\n\s]*=>[\r\n\s]*\2|(missing_rows_oname1|missing_rows_oname2)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){8}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){9}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*userid[\r\n\s]*=>[\r\n\s]*\2|userid\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gowner|gname)[\r\n\s]*=>[\r\n\s]*\2|(gowner|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*refresh_template_name[\r\n\s]*=>[\r\n\s]*\2|refresh_template_name\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(object_type|user_name)[\r\n\s]*=>[\r\n\s]*\2|(object_type|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(refresh_template_name|user_name)[\r\n\s]*=>[\r\n\s]*\2|(refresh_template_name|user_name)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*type[\r\n\s]*=>[\r\n\s]*\2|type\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|gname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|gname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1073,}\x27|\x22[^\x22]{1073,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,})|\(\s*(\x27[^\x27]{1073,}|\x22[^\x22]{1073,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){3}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type|gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type|gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){7}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){5}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(sname|oname|type)[\r\n\s]*=>[\r\n\s]*\2|(sname|oname|type)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*sname[\r\n\s]*=>[\r\n\s]*\2|sname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){4}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|fname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|fname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*(gname|gowner)[\r\n\s]*=>[\r\n\s]*\2|(gname|gowner)\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*((\x27[^\x27]*\x27|\x22[^\x22]+\x22)\s*,\s*){2}(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"SERVER-ORACLE sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]*\x3a=[\r\n\s]*(\x27[^\x27]{1075,}\x27|\x22[^\x22]{1075,}\x22)[\r\n\s]*\x3b.*gname[\r\n\s]*=>[\r\n\s]*\2|gname\s*=>\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,})|\(\s*(\x27[^\x27]{1075,}|\x22[^\x22]{1075,}))/si"; metadata:ruleset community; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query"; flow:to_server; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2921; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,2321; reference:cve,2001-0012; reference:nessus,10605; classtype:attempted-recon; sid:2922; rev:12;)
|
|
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"NETBIOS SMB repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community; classtype:unsuccessful-user; sid:2923; rev:14;)
|
|
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"NETBIOS SMB-DS repeated logon failure"; flow:to_client,established,no_stream; content:"|FF|SMBs"; depth:5; offset:4; content:"m|00 00 C0|"; within:4; detection_filter:track by_dst,count 10,seconds 60; metadata:ruleset community, service netbios-ssn; classtype:unsuccessful-user; sid:2924; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP PhpGedView PGV base directory manipulation"; flow:to_server,established; content:"_conf.php"; nocase; http_uri; content:"PGV_BASE_DIRECTORY"; fast_pattern:only; metadata:ruleset community, service http; reference:bugtraq,9368; reference:cve,2004-0030; classtype:web-application-attack; sid:2926; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"OS-WINDOWS Microsoft Windows XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT|20|"; depth:5; nocase; isdataat:160,relative; pcre:"/^X?PAT\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:2927; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP nddeapi NDdeSetTrustedShareW overflow attempt"; flow:to_server,established; dce_iface:2f5f3220-c126-1076-b549-074d078619da; dce_opnum:12; dce_stub_data; isdataat:256; content:!"|00|"; depth:256; offset:12; metadata:ruleset community, service netbios-ssn; reference:bugtraq,11372; reference:cve,2004-0206; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-031; classtype:attempted-admin; sid:2936; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS DCERPC NCACN-IP-TCP winreg InitiateSystemShutdown attempt"; flow:established,to_server; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:24; metadata:ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/library/default.asp?url=/library/en-us/shutdown/base/initiatesystemshutdown.asp; classtype:protocol-command-decode; sid:2942; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3000; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3001; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"OS-WINDOWS Microsoft Windows SMB Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3002; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3003; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3004; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB-DS Session Setup NTLMSSP unicode andx asn1 overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; metadata:ruleset community, service netbios-ssn; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-007; classtype:protocol-command-decode; sid:3005; rev:12;)
|
|
# alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"SERVER-OTHER Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP command overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\s(APPEND|CHECK|CLOSE|CREATE|DELETE|EXAMINE|EXPUNGE|FETCH|LIST|RENAME|SEARCH|SELECT|STATUS|SUBSCRIBE|UNSUBSCRIBE)\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11675; reference:bugtraq,11775; reference:bugtraq,15006; reference:bugtraq,15753; reference:cve,2004-1211; reference:cve,2005-0707; reference:cve,2005-1520; reference:cve,2005-2923; reference:cve,2005-3155; reference:nessus,15771; classtype:misc-attack; sid:3007; rev:21;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; pcre:"/\sDELETE\s[^\n]*?\{/smi"; byte_test:5,>,100,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11675; reference:cve,2005-1520; reference:nessus,15771; classtype:misc-attack; sid:3008; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20034 (msg:"MALWARE-BACKDOOR NetBus Pro 2.0 connection request"; flow:to_server,established; content:"BN |00 02 00|"; depth:6; content:"|05 00|"; depth:2; offset:8; flowbits:set,backdoor.netbus_2.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3009; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get windows directory"; flow:to_server,established; content:"WINDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3010; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick get system directory"; flow:to_server,established; content:"SYSDIR"; depth:6; metadata:ruleset community; classtype:misc-activity; sid:3011; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 22222 (msg:"MALWARE-CNC RUX the Tick upload/execute arbitrary file"; flow:to_server,established; content:"ABCJZDATEIV"; depth:11; metadata:ruleset community; classtype:misc-activity; sid:3012; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23432 (msg:"MALWARE-CNC Asylum 0.1 connection request"; flow:to_server,established; content:"RQS"; depth:3; flowbits:set,backdoor.asylum.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3013; rev:8;)
|
|
# alert tcp $HOME_NET 23432 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Asylum 0.1 connection"; flow:to_client,established; flowbits:isset,backdoor.asylum.connect; content:"GNT"; depth:3; metadata:ruleset community; classtype:misc-activity; sid:3014; rev:10;)
|
|
# alert tcp $HOME_NET 2000 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3015; rev:10;)
|
|
# alert tcp $HOME_NET 63536 -> $EXTERNAL_NET any (msg:"MALWARE-CNC Insane Network 4.0 connection port 63536"; flow:to_client,established; content:"Insane Network vs 4.0 by Suid Flow|0A 0D|www.blackcode.com|0A 0D|[r00t]|23|"; depth:62; metadata:ruleset community; classtype:misc-activity; sid:3016; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:policy max-detect-ips drop, ruleset community, service wins; reference:bugtraq,11763; reference:cve,2004-0567; reference:cve,2004-1080; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-045; reference:url,www.immunitysec.com/downloads/instantanea.pdf; classtype:misc-attack; sid:3017; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3018; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3019; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3020; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3022; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3023; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3024; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3025; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3026; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3027; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3028; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3029; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3030; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3031; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3032; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx SACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3033; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3034; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3035; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3036; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3037; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3038; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3039; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3040; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx DACL overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; byte_test:4,>,32,-16,relative,little; metadata:ruleset community, service netbios-ssn; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3041; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3042; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3043; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3044; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3045; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3046; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3047; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3048; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:12; byte_jump:4,12,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3049; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3050; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3051; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3052; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community; classtype:protocol-command-decode; sid:3053; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3054; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3055; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB|A0|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3056; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"|A0|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; pcre:"/^.{4}/R"; content:!"|00 00 00 00|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"|00 00|"; within:2; distance:-10; metadata:ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3057; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; pcre:"/\sCOPY\s[^\n]*?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:3058; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"APP-DETECT distccd remote command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; metadata:ruleset community; reference:url,distcc.samba.org/security.html; classtype:policy-violation; sid:3061; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,9791; reference:cve,2004-0347; classtype:web-application-activity; sid:3062; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"MALWARE-BACKDOOR Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3063; rev:6;)
|
|
# alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Vampire 1.2 connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; metadata:ruleset community; classtype:misc-activity; sid:3064; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP append literal overflow attempt"; flow:established,to_server; content:"APPEND"; fast_pattern:only; pcre:"/\sAPPEND\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3065; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP APPEND overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:256,relative; content:!"|0D 0A|"; within:256; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,21729; reference:cve,2004-1211; reference:cve,2006-6425; reference:nessus,15867; classtype:misc-attack; sid:3066; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; pcre:"/\sEXAMINE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3067; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; pcre:"/\sFETCH\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3069; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:256,relative; pcre:"/\sFETCH\s[^\n]{256}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3070; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; pcre:"/\sSTATUS[^\n]*?\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15491; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3071; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP STATUS overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; content:!"|0D 0A|"; within:100; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,13727; reference:bugtraq,14243; reference:bugtraq,15491; reference:cve,2004-1211; reference:cve,2005-1256; reference:cve,2005-2278; reference:cve,2005-3314; reference:cve,2017-1274; reference:nessus,15867; classtype:misc-attack; sid:3072; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]*?\{/smi"; byte_test:5,>,256,0,relative,string; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3073; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP SUBSCRIBE overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+SUBSCRIBE\s[^\n]{100}/smi"; metadata:policy max-detect-ips drop, ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:bugtraq,23050; reference:bugtraq,26219; reference:cve,2004-1211; reference:cve,2005-3189; reference:cve,2007-1579; reference:cve,2007-3510; reference:nessus,15867; classtype:attempted-admin; sid:3074; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; pcre:"/\sUNSUBSCRIBE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:cve,2004-1211; reference:nessus,15867; classtype:misc-attack; sid:3075; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"PROTOCOL-IMAP UNSUBSCRIBE overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100; pcre:"/^\w+\s+UNSUBSCRIBE\s[^\n]{100}/smi"; metadata:ruleset community, service imap; reference:bugtraq,11775; reference:bugtraq,15488; reference:cve,2004-1211; reference:cve,2005-3189; reference:nessus,15867; classtype:attempted-admin; sid:3076; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:200,relative; pcre:"/^RNFR\s[^\n]{200}/smi"; metadata:ruleset community, service ftp; reference:bugtraq,14339; classtype:attempted-admin; sid:3077; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"PROTOCOL-NNTP Microsoft Windows SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH|20|"; depth:7; nocase; isdataat:160,relative; pcre:"/^SEARCH\s+[^\n]{160}/i"; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0574; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-036; classtype:attempted-admin; sid:3078; rev:12;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer ANI file parsing buffer overflow attempt"; flow:to_client,established; flowbits:isset,file.ani; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; content:"anih"; distance:0; nocase; byte_test:4,>,36,0,relative,little; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2004-1049; reference:cve,2007-0038; reference:cve,2007-1765; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-002; reference:url,technet.microsoft.com/en-us/security/bulletin/MS07-017; classtype:attempted-user; sid:3079; rev:25;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"SERVER-OTHER Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; fast_pattern:only; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:9;)
|
|
alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect"; flow:to_client,established; content:"connected"; depth:9; flowbits:set,backdoor.y3krat_15.connect; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3081; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 5880 (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connect Client Response"; flow:to_server,established; flowbits:isset,backdoor.y3krat_15.connect; content:"getclient"; depth:9; flowbits:set,backdoor.y3krat_15.client.response; flowbits:noalert; metadata:ruleset community; classtype:misc-activity; sid:3082; rev:13;)
|
|
# alert tcp $HOME_NET 5880 -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Y3KRAT 1.5 Connection confirmation"; flow:to_client,established; flowbits:isset,backdoor.y3krat_15.client.response; content:"client"; depth:7; metadata:ruleset community; classtype:misc-activity; sid:3083; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"SERVER-OTHER Veritas backup overflow attempt"; flow:to_server,established; content:"|02 00|"; depth:2; content:"|00|"; within:1; distance:1; isdataat:72; content:!"|00|"; depth:66; offset:6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,11974; reference:cve,2004-1172; classtype:attempted-admin; sid:3084; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_client,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP 3Com 3CRADSL72 ADSL 11g Wireless Router app_sta.stm access attempt"; flow:to_server,established; content:"/app_sta.stm"; fast_pattern:only; http_uri; metadata:ruleset community, service http; reference:bugtraq,11408; reference:cve,2004-1596; classtype:web-application-activity; sid:3086; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS w3who.dll buffer overflow attempt"; flow:to_server,established; content:"/w3who.dll?"; nocase; http_uri; pcre:"/w3who\.dll\x3F[^\r\n]{519}/i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,11820; reference:cve,2004-1134; classtype:attempted-admin; sid:3087; rev:19;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-MULTIMEDIA Nullsoft Winamp cda file name overflow attempt"; flow:to_client,established; file_data; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; metadata:ruleset community, service http; reference:bugtraq,11730; reference:cve,2004-1119; reference:nessus,15817; classtype:attempted-user; sid:3088; rev:10;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"SERVER-OTHER squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP llsrpc LlsrConnect overflow attempt"; flow:to_server,established; dce_iface:342cfd40-3c6c-11ce-a893-08002b2e9c6d; dce_opnum:0; dce_stub_data; byte_test:4,>,52,0,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12481; reference:cve,2005-0050; reference:url,technet.microsoft.com/en-us/security/bulletin/ms05-010; classtype:attempted-admin; sid:3114; rev:19;)
|
|
# alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"PUA-OTHER Microsoft MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; metadata:ruleset community; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3130; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP mailman directory traversal attempt"; flow:to_server,established; content:"/mailman/"; http_uri; content:".../"; http_raw_uri; metadata:ruleset community, service http; reference:cve,2005-0202; classtype:web-application-attack; sid:3131; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3132; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft Multiple Products PNG large image height download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,4,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3133; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IMAGE Microsoft PNG large colour depth download attempt"; flow:to_client,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; metadata:ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:3134; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3135; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3136; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3137; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|07 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3138; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3139; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3140; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3141; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"|01 00|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:3142; rev:11;)
|
|
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 command response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3143; rev:17;)
|
|
# alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3144; rev:17;)
|
|
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3145; rev:16;)
|
|
# alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"OS-WINDOWS Microsoft Windows SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:to_client,established; flowbits:isset,smb.trans2; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,12484; reference:cve,2005-0045; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-011; classtype:protocol-command-decode; sid:3146; rev:18;)
|
|
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|TTYPROMPT|01|"; fast_pattern:only; rawbytes; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop, ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3147; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows HTML Help hhctrl.ocx clsid access attempt"; flow:to_client,established; file_data; content:"clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,11467; reference:bugtraq,4857; reference:bugtraq,5874; reference:cve,2002-0693; reference:cve,2002-0823; reference:cve,2004-1043; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-055; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-001; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:21;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"BROWSER-IE Microsoft Internet Explorer malformed object type overflow attempt"; flow:to_client,established; file_data; content:"object"; nocase; content:"type"; within:200; nocase; content:"////////////////////////////////"; fast_pattern:only; pcre:"/object\s[^>]*type\s*=\s*[\x22\x27][^\x22\x27]*\x2f{32}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2003-0344; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-020; classtype:attempted-user; sid:3149; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS SQLXML content type overflow"; flow:to_server,established; pcre:"/\.x[sm]l/Ui"; content:"contenttype="; http_uri; pcre:"/contenttype=[^\r\n\x3b\x38]{100}/smiU"; metadata:ruleset community, service http; reference:bugtraq,5004; reference:cve,2002-0186; reference:nessus,11304; reference:url,technet.microsoft.com/en-us/security/bulletin/MS02-030; reference:url,www.westpoint.ltd.uk/advisories/wp-02-0007.txt; classtype:attempted-admin; sid:3150; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"PROTOCOL-FINGER / execution attempt"; flow:to_server,established; content:"/"; pcre:"/^\x2f/smi"; metadata:ruleset community; reference:cve,1999-0612; reference:cve,2000-0915; classtype:attempted-recon; sid:3151; rev:8;)
|
|
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:to_client,established,no_stream; content:"Login failed for user 'sa'"; fast_pattern:only; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3152; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; metadata:ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:9;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS UDP inverse query overflow"; flow:to_server; isdataat:400; byte_test:1,<,16,2; byte_test:1,&,8,2; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:12;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"MALWARE-BACKDOOR BackOrifice 2000 Inbound Traffic"; flow:to_server,established; content:"1j|D0 D9|"; metadata:ruleset community; classtype:trojan-activity; sid:3155; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator CoGetInstanceFromFile attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:ruleset community, service netbios-ssn; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3158; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator CoGetInstanceFromFile attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:1; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-039; classtype:protocol-command-decode; sid:3159; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP msqueue function 4 overflow attempt"; dce_iface:975201B0-59CA-11D0-A8D5-00A0C90D8051; dce_opnum:4; dce_stub_data; byte_test:4,>,128,8,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:cve,2005-0059; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-017; classtype:attempted-admin; sid:3171; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Windows Media Player directory traversal via Content-Disposition attempt"; flow:to_client,established; content:".wmz"; fast_pattern; nocase; http_header; content:"Content-Disposition|3A|"; nocase; http_header; content:"filename="; nocase; http_header; pcre:"/filename=[^\x3b\x3a\r\n]*(\x25\x2e\x25\x2e\x25\x5c|\x25\x32\x65\x25\x35\x63|\x2e\x2e\x5c)[^\x3b\x3a\r\n]*\x2ewmz/smiH"; metadata:ruleset community, service http; reference:bugtraq,7517; reference:cve,2003-0228; reference:nessus,11595; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-017; classtype:attempted-user; sid:3192; rev:19;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .cmd executable file parsing attack"; flow:to_server,established; content:".cmd|22|"; nocase; http_uri; pcre:"/\x2ecmd\x22.*?\x26/smUi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-IIS .bat executable file parsing attack"; flow:to_server,established; content:".bat|22|"; nocase; http_uri; pcre:"/\x2ebat\x22.*?\x26/Usmi"; metadata:ruleset community, service http; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3194; rev:16;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3195; rev:11;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"OS-WINDOWS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community, service netbios-ns; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/ms04-006; classtype:attempted-admin; sid:3196; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3199; rev:12;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"OS-WINDOWS Microsoft Windows WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-006; classtype:attempted-admin; sid:3200; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-IIS httpodbc.dll access - nimda"; flow:to_server,established; content:"/httpodbc.dll"; nocase; http_uri; metadata:ruleset community, service http; reference:bugtraq,2708; reference:cve,2001-0333; classtype:web-application-activity; sid:3201; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP winreg OpenKey overflow attempt"; flow:to_server,established; dce_iface:338cd001-2244-31f1-aaaa-900038001003; dce_opnum:15; dce_stub_data; byte_test:2,>,1024,20,dce; metadata:ruleset community, service netbios-ssn; reference:bugtraq,1331; reference:cve,2000-0377; reference:url,technet.microsoft.com/en-us/security/bulletin/ms00-040; classtype:attempted-admin; sid:3218; rev:23;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message little endian overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,8,little,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3234; rev:6;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"OS-WINDOWS Messenger message overflow attempt"; content:"|04 00|"; depth:2; byte_test:1,!&,16,2,relative; content:"|F8 91|{Z|00 FF D0 11 A9 B2 00 C0|O|B6 E6 FC|"; within:16; distance:22; content:"|00 00|"; within:2; distance:28; byte_jump:4,18,align,relative; byte_jump:4,8,align,relative; byte_test:4,>,1024,8,relative; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,8826; reference:cve,2003-0717; classtype:attempted-admin; sid:3235; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP irot IrotIsRunning/Revoke overflow attempt"; flow:to_server,established; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3238; rev:15;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP irot IrotIsRunning/Revoke overflow attempt"; dce_iface:b9e79e60-3d52-11ce-aaa1-00006901293f; dce_opnum:1,2; dce_stub_data; pcre:"/^(\x00\x00\x00\x00|.{12})/s"; byte_jump:4,-4,relative,align,dce; byte_test:4,>,1024,0,relative,dce; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,technet.microsoft.com/en-us/security/bulletin/ms03-010; classtype:attempted-admin; sid:3239; rev:15;)
|
|
# alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:to_client,established,no_stream; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; detection_filter:track by_src, count 5, seconds 2; metadata:ruleset community; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; reference:url,attack.mitre.org/techniques/T1110; classtype:unsuccessful-user; sid:3273; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"PROTOCOL-TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; metadata:policy max-detect-ips drop, ruleset community, service telnet; reference:bugtraq,3681; reference:cve,2001-0797; reference:nessus,10827; classtype:attempted-admin; sid:3274; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP ISystemActivator RemoteCreateInstance attempt"; flow:to_server,established; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3397; rev:18;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET [135,1024:] (msg:"OS-WINDOWS DCERPC NCADG-IP-UDP ISystemActivator RemoteCreateInstance attempt"; dce_iface:000001a0-0000-0000-c000-000000000046; dce_opnum:4; dce_stub_data; content:"|01 10 08 00 CC CC CC CC|"; content:"|5C 00 5C 00|"; distance:0; byte_test:4,>,256,-8,relative,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:protocol-command-decode; sid:3398; rev:17;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [135,139,445,593,1024:] (msg:"OS-WINDOWS DCERPC NCACN-IP-TCP IActivation remoteactivation overflow attempt"; flow:to_server,established; dce_iface:4d9f4ab8-7d1c-11cf-861e-0020af6e7c57; dce_opnum:0; dce_stub_data; byte_test:4,>,256,52,dce; metadata:policy max-detect-ips drop, ruleset community, service dcerpc, service netbios-ssn; reference:bugtraq,8205; reference:cve,2003-0352; reference:cve,2003-0528; reference:cve,2003-0715; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-026; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-039; classtype:attempted-admin; sid:3409; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,126; reference:cve,1999-0017; reference:nessus,10081; classtype:misc-attack; sid:3441; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"OS-WINDOWS Microsoft Windows TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/s"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:ruleset community; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,technet.microsoft.com/en-us/security/bulletin/MS00-021; classtype:attempted-dos; sid:3442; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup system info probe"; flow:to_server,established; content:"ARKADMIN_GET_"; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia client backup generic info probe"; flow:to_server,established; content:"ARKFS|00|root|00|root"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"SERVER-OTHER Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; metadata:ruleset community; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"SERVER-MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:ruleset community, service mysql; classtype:protocol-command-decode; sid:3456; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 77 overflow attempt"; flow:to_server,established; content:"|00|M"; depth:2; byte_test:2,>,23,6; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158; classtype:attempted-user; sid:3457; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"SERVER-OTHER Arkeia backup client type 84 overflow attempt"; flow:to_server,established; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:8;)
|
|
# alert udp $HOME_NET any -> $EXTERNAL_NET 41170 (msg:"PUA-P2P Manolito Search Query"; flow:to_server; content:"|01 02 00 14|"; depth:4; offset:16; metadata:ruleset community; reference:url,openlito.sourceforge.net; reference:url,www.blubster.com; classtype:policy-violation; sid:3459; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP REST with numeric argument"; flow:to_server,established; content:"REST"; fast_pattern:only; pcre:"/REST\s+[0-9]+\n/i"; metadata:ruleset community, service ftp; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-MAIL Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Type\s*\x3A\s*[^\r\n]{300}/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,44732; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3461; rev:18;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-IE Microsoft Internet Explorer Content-Encoding overflow attempt"; flow:to_server,established; content:"Content-Encoding"; nocase; content:"|3A|"; distance:0; pcre:"/^\s*Content-Encoding\s*\x3A\s*[^\r\n]{300}/mi"; metadata:ruleset community, service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,technet.microsoft.com/en-us/security/bulletin/MS03-015; classtype:attempted-admin; sid:3462; rev:14;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats access"; flow:to_server,established; content:"/awstats.pl"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-activity; sid:3463; rev:15;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP awstats.pl command execution attempt"; flow:to_server,established; content:"/awstats.pl?"; fast_pattern; nocase; http_uri; content:"update="; http_uri; pcre:"/update=[^\r\n\x26]+/Ui"; content:"logfile="; nocase; http_uri; pcre:"/awstats.pl?[^\r\n]*logfile=\x7C/Ui"; metadata:ruleset community, service http; reference:bugtraq,12572; reference:nessus,16456; classtype:web-application-attack; sid:3464; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package download attempt"; flow:to_client,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-4692; reference:url,technet.microsoft.com/en-us/security/bulletin/ms06-065; classtype:misc-activity; sid:8445; rev:17;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP inbound INVITE message"; flow:to_server; content:"INVITE"; fast_pattern:only; sip_method:invite; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,www.ietf.org/rfc/rfc3261.txt; classtype:protocol-command-decode; sid:11968; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY RTF file download request"; flow:to_server,established; content:".rtf"; fast_pattern:only; http_uri; pcre:"/\x2ertf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:13801; rev:26;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PDF file download request"; flow:to_server,established; content:".pdf"; fast_pattern:only; http_uri; pcre:"/\x2epdf([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Pdf; classtype:misc-activity; sid:15013; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Office Word file download request"; flow:to_server,established; content:".doc"; fast_pattern:only; http_uri; pcre:"/\x2edoc([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.doc; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Microsoft_word; classtype:misc-activity; sid:15587; rev:25;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY BMP file download request"; flow:to_server,established; content:".bmp"; fast_pattern:only; http_uri; pcre:"/\x2ebmp([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:16205; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Hydraq variant outbound connection"; flow:to_server,established; content:"|FF FF FF FF FF FF 00 00 FE FF FF FF FF FF FF FF FF FF 88 FF|"; depth:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/#/file/9051f618a5a8253a003167e65ce1311fa91a8b70d438a384be48b02e73ba855c/detection; classtype:trojan-activity; sid:16368; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpg"; fast_pattern:only; http_uri; pcre:"/\x2ejpg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16406; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpeg"; fast_pattern:only; http_uri; pcre:"/\x2ejpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16407; rev:20;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Portable Executable binary file download request"; flow:to_server,established; content:".exe"; fast_pattern:only; http_uri; pcre:"/\x2eexe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/.exe; classtype:misc-activity; sid:16425; rev:24;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16474; rev:27;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:16475; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; http_uri; pcre:"/\x2epjpeg([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:16529; rev:20;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY OLE document file magic detected"; flow:to_client,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:17314; rev:27;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY PNG file download request"; flow:to_server,established; content:".png"; fast_pattern:only; http_uri; pcre:"/\x2epng([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:17380; rev:23;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XML file download request"; flow:to_server,established; content:".xml"; fast_pattern:only; http_uri; pcre:"/\x2exml([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:17733; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB TRANS2 Find_First2 request attempt"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|00|"; within:1; distance:18; content:"|00 00|"; within:2; distance:6; content:"|01 00|"; within:2; distance:10; flowbits:set,smb.trans2.findfirst2; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:17745; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg:"NETBIOS SMB-DS Trans2 Distributed File System GET_DFS_REFERRAL request"; flow:established,to_server; content:"|00|"; offset:1; content:"|FF|SMB2"; depth:5; offset:4; content:"|00 00 00 00|"; within:4; content:"|10 00|"; depth:2; offset:65; flowbits:set,smb.trans2.get_dfs_referral; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:19190; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ZIP archive file download request"; flow:to_server,established; content:".zip"; fast_pattern:only; http_uri; pcre:"/\x2ezip([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:19211; rev:23;)
|
|
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-OTHER multiple products blacknurse ICMP denial of service attempt"; icode:3; itype:3; detection_filter:track by_src,count 250,seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2011-1871; reference:url,soc.tdc.dk/blacknurse/blacknurse.pdf; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-064; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-083; classtype:attempted-dos; sid:19678; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 12080 (msg:"MALWARE-CNC Win.Trojan.Derusbi.A variant outbound connection"; flow:to_server,established; content:"|00 00 00 01 00 00 00|"; depth:7; offset:1; content:"|01 00 00 00 68 01 00 00|"; within:8; distance:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6fecd042c3c0b54e7354cd8dfb1975c626acd8df55f88c4149462e15e77918b0/analysis/; reference:url,www.virustotal.com/en/file/705404d6bbf6dae254e2d3bc44eca239976be7f0dc4d49fe93b0fb1d1c2704fe/analysis/; classtype:trojan-activity; sid:20080; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Opera|5C|9.64|0A|"; fast_pattern:only; http_header; content:"bb.php?v="; http_uri; content:"id="; distance:0; http_uri; content:"b="; distance:0; http_uri; content:"tm="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2afb098dfea7d2acd73da520fe26d09acee1449c79d2c8753f3008a2a8f648b2/analysis/; classtype:trojan-activity; sid:20221; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SMI file download request"; flow:to_server,established; content:".smi"; fast_pattern:only; http_uri; pcre:"/\x2esmi([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:set,file.dmg; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:bugtraq,49149; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20223; rev:24;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Microsoft Client Agent Helper JAR file download request"; flow:to_server,established; content:"_helper.jar"; fast_pattern:only; pcre:"/agent_(win|lin|mac)_helper\.jar$/siU"; flowbits:set,file.jar.agent_helper; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2011-1969; reference:url,technet.microsoft.com/en-us/security/bulletin/MS11-079; classtype:misc-activity; sid:20260; rev:19;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20463; rev:26;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK00PK|03 04|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20464; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|01 02|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20465; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|05 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20466; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 08|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20467; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 07|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20468; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_client,established; file_data; content:"PK|06 06|"; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20469; rev:25;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_client,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20478; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_client,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20480; rev:21;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20483; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_client,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20486; rev:23;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_client,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:20494; rev:19;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JAR file download request"; flow:to_server,established; content:".jar"; fast_pattern:only; http_uri; pcre:"/\x2ejar([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:20621; rev:18;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_client,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:20850; rev:17;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Windows EMF metafile file attachment detected"; flow:to_server,established; content:".emf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eemf/i"; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:20851; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY DIB file download request"; flow:to_server,established; content:".dib"; fast_pattern:only; http_uri; pcre:"/\x2edib([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:20963; rev:16;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY SAMI file download request"; flow:to_server,established; content:".sami"; fast_pattern:only; http_uri; pcre:"/\x2esami([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/SAMI; classtype:misc-activity; sid:20964; rev:15;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jpe"; fast_pattern:only; http_uri; pcre:"/\x2ejpe([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20965; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jif"; fast_pattern:only; http_uri; pcre:"/\x2ejif([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20966; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file download request"; flow:to_server,established; content:".jfi"; fast_pattern:only; http_uri; pcre:"/\x2ejfif?([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Jpg; classtype:misc-activity; sid:20967; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_client,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21035; rev:17;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file attachment detected"; flow:to_server,established; content:".pdf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epdf/i"; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21036; rev:18;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Betad variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/login.php"; nocase; http_uri; content:"|C9 97 A2 F3 7E 37 CB 7E 27|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46a87d0818ffd828df5c8fca63b1628f068e50cf3d20ec0e4e009e1dd547b9e9/analysis/; classtype:trojan-activity; sid:21230; rev:9;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string DataCha0s"; flow:to_server, established; content:"User-Agent|3A 20|DataCha0s"; fast_pattern:only; http_header; metadata:ruleset community, service http; reference:url,www.internetofficer.com/web-robot/datacha0s/; classtype:network-scan; sid:21246; rev:6;)
|
|
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP login banner - 0wns j0"; flow:established,to_client; content:"220|20|"; depth:4; content:"0wns j0"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,seclists.org/fulldisclosure/2004/Sep/895; reference:url,www.cyber-ta.org/releases/malware-analysis/public/SOURCES/CLUSTERS-NEW/behavior-summary.html; classtype:trojan-activity; sid:21255; rev:6;)
|
|
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-OTHER known malicious FTP quit banner - Goodbye happy r00ting"; flow:established,to_client; content:"221 Goodbye happy r00ting"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,taosecurity.blogspot.com/2006/01/nepenthes-discoveries-earlier-today-i.html; classtype:trojan-activity; sid:21256; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC URI - known scanner tool muieblackcat"; flow:to_server, established; content:"/muieblackcat"; nocase; http_uri; pcre:"/\/muieblackcat$/Ui"; metadata:policy security-ips drop, ruleset community, service http; reference:url,serverfault.com/questions/309309/what-is-muieblackcat; classtype:network-scan; sid:21257; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Morfeus Scanner"; flow:to_server, established; content:"User|2D|Agent|3A 20|Morfeus|20|Fucking|20|Scanner"; fast_pattern:only; http_header; metadata:ruleset community, service http; classtype:network-scan; sid:21266; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER TRENDnet IP Camera anonymous access attempt"; flow:to_server,established; content:"/anony/"; fast_pattern:only; http_uri; pcre:"/\/anony\/(jpgview\.htm|mjpeg\.cgi|view2\.cgi|mjpg\.cgi)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,console-cowboys.blogspot.com/2012/01/trendnet-cameras-i-always-feel-like.html; reference:url,www.trendnet.com/press/view.asp?id=1958; reference:url,www.wired.com/threatlevel/2012/02/home-cameras-exposed/; classtype:policy-violation; sid:21267; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSL file download request"; flow:to_server,established; content:".xsl"; fast_pattern:only; http_uri; pcre:"/\x2exsl([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21282; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_client,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21283; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSL file attachment detected"; flow:to_server,established; content:".xsl"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exsl/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21284; rev:14;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XSLT file download request"; flow:to_server,established; content:".xslt"; fast_pattern:only; http_uri; pcre:"/\x2exslt([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21285; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_client,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21286; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XSLT file attachment detected"; flow:to_server,established; content:".xslt"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exslt/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1220; classtype:misc-activity; sid:21287; rev:14;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML download detected"; flow:to_client,established; content:"Content-Type|3A|"; nocase; http_header; content:"text/xml"; within:20; fast_pattern; nocase; http_header; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:21288; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent ASafaWeb Scan"; flow:to_server,established; content:"User-Agent|3A| asafaweb.com"; fast_pattern:only; http_header; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,asafaweb.com; classtype:network-scan; sid:21327; rev:7;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Remote Execution Backdoor Attempt Against Horde"; flow:to_server,established; content:"/services/javascript.php"; fast_pattern:only; http_uri; content:"href="; http_cookie; content:"file=open_calendar.js"; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2012-0209; reference:url,dev.horde.org/h/jonah/stories/view.php?channel_id=1&id=155; reference:url,eromang.zataz.com/2012/02/15/cve-2012-0209-horde-backdoor-analysis/; reference:url,pastebin.com/U3ADiWrP; classtype:web-application-attack; sid:21375; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY paq8o file download request"; flow:to_server,established; content:".paq8o"; fast_pattern:only; http_uri; pcre:"/\x2epaq8o([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:21410; rev:15;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_client,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21411; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY paq8o file attachment detected"; flow:to_server,established; content:".paq8o"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epaq8o/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21412; rev:17;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-PDF hostile PDF associated with Laik exploit kit"; flow:to_client,established; flowbits:isset,file.pdf; file_data; content:"%PDF-1."; content:") /CreationDate (D:20110405234628)>>"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:21417; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit JavaScript carat string splitting with hostile applet"; flow:to_client,established; content:"<html><body><applet|20|code="; nocase; content:"|20|archive="; distance:0; nocase; content:"display|3A|none|3B|"; distance:0; nocase; pcre:"/([@\x2da-z0-9]+?\x5e){10}/smi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:21438; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC URI request for known malicious URI - base64 encoded"; flow:to_server,established; content:"GET http|3A 2F 2F|"; depth:11; base64_decode:relative; base64_data; content:"clk="; content:"&bid="; distance:0; content:"&aid="; within:5; distance:40; content:"&sid="; distance:0; content:"&rd="; distance:0; content:"&x86="; distance:0; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1132; reference:url,www.damballa.com/tdl4/; classtype:trojan-activity; sid:21442; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TDSS variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B 20|)"; fast_pattern:only; http_header; content:"HOST|3A|"; http_header; content:!"X-BlueCoat-Via"; nocase; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,about-threats.trendmicro.com/Malware.aspx?language=apac&name=TDSS; reference:url,www.virustotal.com/file/75e8b49e1d316f28363cccb697cfd2ebca3122dba3dba321dba6391b49fc757e/analysis/; classtype:trojan-activity; sid:21444; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string core-project"; flow:to_server, established; content:"User-Agent|3A 20|core-project"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:misc-activity; sid:21475; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<xml>"; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21480; rev:16;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; content:"try"; content:"prototype"; within:30; content:"}catch("; within:30; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\x28/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21492; rev:22;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_client,established; file_data; content:"<?xml"; depth:50; nocase; flowbits:set,file.xml; flowbits:set,file.xul; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21498; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_client,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21499; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file attachment detected"; flow:to_server,established; content:".xml"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exml/i"; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21500; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bredolab variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; content:"smk="; depth:4; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/9384733182a6cbe5236b9b253d1f070570b7f6b6ff31aa86be253421f4c5c645/analysis/; classtype:trojan-activity; sid:21562; rev:5;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_client,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21613; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file attachment detected"; flow:to_server,established; content:".png"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epng/i"; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21614; rev:17;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackhole exploit kit landing page with specific structure - prototype catch"; flow:to_client,established; file_data; content:"prototype"; content:"}catch("; distance:0; pcre:"/prototype([^\x7d]{1,3})?\x7dcatch\(\w{3}\)/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2006-0003; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2008-2992; reference:cve,2009-0927; reference:cve,2010-1885; reference:cve,2011-0559; reference:cve,2011-2110; reference:cve,2011-3544; reference:cve,2012-0188; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-1889; reference:cve,2012-4681; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:attempted-user; sid:21646; rev:16;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_client,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21695; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SMI file attachment detected"; flow:to_server,established; content:".smi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esmi/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.dmg; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21696; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_client,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21697; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY SAMI file attachment detected"; flow:to_server,established; content:".sami"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2esami/i"; flowbits:set,file.realplayer.playlist; flowbits:set,file.smi; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21698; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY ANI file download request"; flow:to_server,established; content:".ani"; fast_pattern:only; http_uri; pcre:"/\x2eani([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; classtype:misc-activity; sid:21724; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_client,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21725; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ANI file attachment detected"; flow:to_server,established; content:".ani"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eani/i"; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21726; rev:13;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ANI file magic detection"; flow:to_client,established; file_data; content:"RIFF"; depth:4; content:"ACON"; within:4; distance:4; flowbits:set,file.ani; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21727; rev:12;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21728; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21729; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21730; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21731; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21732; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".pjpeg"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2epjpeg/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21733; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21734; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jpe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejpe/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21735; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21736; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jif"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejif/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21737; rev:13;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_client,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21738; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPG file attachment detected"; flow:to_server,established; content:".jfi"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ejfi/i"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21739; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_client,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21746; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file attachment detected"; flow:to_server,established; content:".rtf"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ertf/i"; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21747; rev:13;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %ALLUSERSPROFILE%"; flow:to_server,established; content:"%ALLUSERSPROFILE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21818; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMDATA%"; flow:to_server,established; content:"%PROGRAMDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21819; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %APPDATA%"; flow:to_server,established; content:"%APPDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21820; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES%"; flow:to_server,established; content:"%COMMONPROGRAMFILES%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21821; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMMONPROGRAMFILES - x86%"; flow:to_server,established; content:"%COMMONPROGRAMFILES|40|x86|41|%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21822; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %COMSPEC%"; flow:to_server,established; content:"%COMSPEC%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21823; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEDRIVE%"; flow:to_server,established; content:"%HOMEDRIVE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21824; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %HOMEPATH%"; flow:to_server,established; content:"%HOMEPATH%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21825; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %LOCALAPPDATA%"; flow:to_server,established; content:"%LOCALAPPDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21826; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES%"; flow:to_server,established; content:"%PROGRAMFILES%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21827; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PROGRAMFILES - X86%"; flow:to_server,established; content:"%PROGRAMFILES|40|X86|41|%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21828; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemDrive%"; flow:to_server,established; content:"%SystemDrive%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21829; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %SystemRoot%"; flow:to_server,established; content:"%SystemRoot%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21830; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TEMP%"; flow:to_server,established; content:"%TEMP%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21831; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %TMP%"; flow:to_server,established; content:"%TMP%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21832; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERDATA%"; flow:to_server,established; content:"%USERDATA%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21833; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERNAME%"; flow:to_server,established; content:"%USERNAME%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21834; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %USERPROFILE%"; flow:to_server,established; content:"%USERPROFILE%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21835; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %WINDIR%"; flow:to_server,established; content:"%WINDIR%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21836; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PUBLIC%"; flow:to_server,established; content:"%PUBLIC%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21837; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable directory traversal attempt - %PSModulePath%"; flow:to_server,established; content:"%PSModulePath%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21838; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %COMPUTERNAME%"; flow:to_server,established; content:"%COMPUTERNAME%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21839; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %LOGONSERVER%"; flow:to_server,established; content:"%LOGONSERVER%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21840; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATH%"; flow:to_server,established; content:"%PATH%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21841; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PATHEXT%"; flow:to_server,established; content:"%PATHEXT%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21842; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %PROMPT%"; flow:to_server,established; content:"%PROMPT%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21843; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP System variable in URI attempt - %USERDOMAIN%"; flow:to_server,established; content:"%USERDOMAIN%"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:21844; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"_0000="; fast_pattern; content:"SL_"; http_cookie; content:"_0000="; within:8; http_cookie; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21845; rev:9;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC TDS Sutra - request in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Ui"; metadata:impact_flag red, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21846; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - page redirecting to a SutraTDS"; flow:to_client,established; file_data; content:"/in.cgi?"; isdataat:15,relative; content:!"id="; within:3; nocase; content:!"&"; within:6; content:!"="; within:6; pcre:"/\x2Fin\.cgi\?(\w{1,6}|default)\b/smi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21848; rev:15;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - HTTP header redirecting to a SutraTDS"; flow:to_client,established; content:"/in.cgi"; http_header; pcre:"/\x2Fin\.cgi\?(\d{1,2}|default)$/Hsmi"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21849; rev:10;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER TDS Sutra - request hi.cgi"; flow:to_server,established; content:"/hi.cgi"; http_uri; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21850; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER TDS Sutra - redirect received"; flow:to_client,established; content:"302"; http_stat_code; content:"=_"; content:"_|5C 3B| domain="; within:11; distance:1; pcre:"/^[a-z]{5}\d=_\d_/C"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wepawet.iseclab.org/view.php?hash=822b95927fd4d8bb6eb2e62f4e1ef645&t=1243359208&type=js; reference:url,www.nartv.org/tag/tds/; reference:url,xylibox.blogspot.com/2011/12/sutra-tds-v34.html; classtype:trojan-activity; sid:21851; rev:7;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_client,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21856; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; content:".zip"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ezip/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21857; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_client,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:21908; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable file attachment detected"; flow:to_server,established; content:".exe"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eexe/i"; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:21909; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_client,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:21940; rev:13;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY XM file download request"; flow:to_server,established; content:".xm"; fast_pattern:only; http_uri; pcre:"/\x2exm([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; classtype:misc-activity; sid:22043; rev:8;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_client,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:22044; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file attachment detected"; flow:to_server,established; content:".xm"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2exm/i"; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:22045; rev:10;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_client,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:22046; rev:9;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Alureon - Malicious IFRAME load attempt"; flow:to_client,established; file_data; content:"name=|5C 22|Twitter|5C 22| scrolling=|5C 22|auto|5C 22| frameborder=|5C 22|no|5C 22| align=|5C 22|center|5C 22| height = |5C 22|1px|5C 22| width = |5C 22|1px|5C 22|>"; fast_pattern:only; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; classtype:trojan-activity; sid:22061; rev:8;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP PHP-CGI remote file include attempt"; flow:to_server,established; content:"auto_prepend_file"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2012-1823; reference:cve,2012-2311; reference:cve,2012-2335; reference:cve,2012-2336; classtype:attempted-admin; sid:22063; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"PROTOCOL-FTP Multiple Products FTP MKD buffer overflow attempt"; flow:to_server,established; content:"MKD "; depth:4; isdataat:75,relative; content:!"|0A|"; within:75; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:bugtraq,11772; reference:bugtraq,15457; reference:bugtraq,23885; reference:bugtraq,39041; reference:bugtraq,612; reference:bugtraq,7278; reference:bugtraq,9872; reference:cve,1999-0911; reference:cve,2004-1135; reference:cve,2005-3683; reference:cve,2007-2586; reference:cve,2009-3023; reference:cve,2010-0625; reference:nessus,12108; reference:url,technet.microsoft.com/en-us/security/bulletin/MS09-053; reference:url,www.exploit-db.com/exploits/14399/; reference:url,www.kb.cert.org/vuls/id/276653; classtype:attempted-admin; sid:23055; rev:10;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE script before DOCTYPE possible malicious redirect attempt"; flow:to_client,established; file_data; content:"</script><!DOCTYPE"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:23179; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in setTimeout call"; flow:established,to_client; file_data; content:"setTimeout|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/setTimeout\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23481; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION hex escaped characters in addEventListener call"; flow:established,to_client; file_data; content:"addEventListener|28|"; nocase; content:"|5C|x"; within:10; nocase; content:"|5C|x"; within:10; nocase; pcre:"/addEventListener\x28[\x22\x27][^\x2C]*?\x5cx[\da-f]{2}[^\x2C]*?[\da-f]{2,}\x5cx[\da-f]{2}/smi"; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:bad-unknown; sid:23482; rev:6;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.ZeroAccess outbound connection"; flow:to_server; dsize:20; content:"|9E 98|"; depth:2; offset:6; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:23492; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION known packer routine with secondary obfuscation"; flow:to_client,established; file_data; content:"eval(function(p,a,c,k,e,r)"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,dean.edwards.name/packer/; classtype:misc-activity; sid:23621; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION JavaScript built-in function parseInt appears obfuscated - likely packer or encoder"; flow:to_client,established; file_data; content:"|5B 27|parse|27 2B 27|Int|27 5D 28|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,snort.org/rule_docs/1-23636; classtype:trojan-activity; sid:23636; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; content:!"|14 00 06 00|"; within:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23651; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK00PK|03 04|"; depth:8; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23652; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|01 02|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23653; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|05 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23654; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 08|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23655; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 07|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23656; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JAR/ZIP file magic detected"; flow:to_server,established; file_data; content:"PK|06 06|"; depth:4; flowbits:set,file.zip; flowbits:set,file.jar; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23657; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PNG file magic detected"; flow:to_server,established; file_data; content:"|89|PNG|0D 0A 1A 0A|"; depth:8; flowbits:set,file.png; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23664; rev:17;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E0|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23667; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY RTF file magic detected"; flow:to_server,established; file_data; content:"{|5C|rt"; fast_pattern:only; flowbits:set,file.rtf; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23670; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY PDF file magic detected"; flow:to_server,established; file_data; content:"%PDF-"; nocase; flowbits:set,file.pdf; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23678; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v3 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 03 00|"; within:4; distance:16; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23707; rev:16;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Microsoft Compound File Binary v4 file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; content:">|00 04 00|"; within:4; distance:16; flowbits:set,file.oless.v4; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23708; rev:7;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY OLE Document file magic detected"; flow:to_server,established; file_data; content:"|D0 CF 11 E0 A1 B1 1A E1|"; depth:8; flowbits:set,file.ole; flowbits:set,file.fpx; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23711; rev:14;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23725; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<xml>"; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23758; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XML file magic detected"; flow:to_server,established; file_data; content:"<?xml"; depth:50; nocase; flowbits:set,file.xml; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23759; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY EMF file magic detected"; flow:to_server,established; file_data; content:"|01 00 00 00|"; depth:4; content:"|20|EMF"; within:4; distance:36; fast_pattern; flowbits:set,file.emf; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23766; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XM file magic detected"; flow:to_server,established; file_data; content:"Extended Module:"; fast_pattern:only; flowbits:set,file.xm; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:23773; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Magania variant outbound connection"; flow:to_server,established; content:"User-Agent: Google page|0D 0A|"; fast_pattern:only; content:".asp?"; content:"mac="; within:4; content:"&ver="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/06/adversary-arsenal-exposed-part-i-pinkstats.html; reference:url,www.virustotal.com/file/6a813f96bb65367a8b5c5ba2937c773785a0a0299032a6c77b9b0862be8bdb71/analysis/; classtype:trojan-activity; sid:24015; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Possible malicious redirect - rebots.php"; flow:to_server,established; content:"/rebots.php"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/08/rebots-php-javascript-malware-being-actively-injected.html; reference:url,labs.sucuri.net/db/malware/mwjs-include-rebots; classtype:misc-activity; sid:24017; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER malicious redirection attempt"; flow:to_server,established; content:"a=YWZmaWQ9MDUyODg"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2012/09/compromised-websites-hosting-calls-to-java-exploit.html; classtype:bad-unknown; sid:24225; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android/Fakelash.A!tr.spy trojan command and control channel traffic"; flow:to_server,established; content:"/data.php?action="; nocase; http_uri; content:"&m="; distance:0; nocase; http_uri; content:"&p="; distance:0; nocase; http_uri; content:"&n="; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.fortiguard.com/android-malware-distributed-by-malicious-sms-in-france/; classtype:trojan-activity; sid:24251; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"<html><head><meta http-equiv=|22|refresh"; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:24253; rev:7;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE IP only webpage redirect attempt"; flow:to_client,established; file_data; content:"document.location="; pcre:"/^[^>]*\x2f\x2f\d{1,3}\x2e\d{1,3}\x2e\d{1,3}\x2e\d{1,3}/sR"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:24254; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 84 (msg:"MALWARE-OTHER Malicious UA detected on non-standard port"; flow:to_server,established,no_stream; content:"User-Agent|3A| Mozilla/5.0 |28|Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US|29|"; detection_filter:track by_src, count 1, seconds 120; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,anubis.iseclab.org/?action=result&task_id=1691c3b8835221fa4692960681f39c736&format=html; classtype:trojan-activity; sid:24265; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 48 00 00 00|"; within:8; distance:24; fast_pattern; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:24359; rev:9;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24455; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:24456; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:24457; rev:11;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_server,established; file_data; content:"|FF D8 FF EE|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:24458; rev:11;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"POLICY-SPAM 1.usa.gov URL in email, possible spam redirect"; flow:to_server, established; file_data; content:"http|3A 2F 2F|1.usa.gov"; pcre:"/http\x3A\x2f\x2f1\.usa\.gov\x2f[a-f0-9]{6,8}/smi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:url,www.symantec.com/connect/blogs/spam-gov-urls; classtype:bad-unknown; sid:24598; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Banking Trojan Config File Download"; flow:to_server,established; urilen:11; content:"|2F|Config|2E|txt"; fast_pattern:only; http_uri; content:"Mozilla|2F|3|2E|0|20 28|compatible|3B 20|Indy|20|Library|29 0D 0A|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/2418469245edf860633f791b972e1a8a11e5744c6deb0cc1a55531cba3d0bd7f/analysis/; classtype:trojan-activity; sid:24885; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dorkbot variant outbound connection"; flow:to_server,established; content:".php?ip="; http_uri; content:"&os="; distance:0; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c425af6875dff2c0627421086f66b7e058f51d22939478529702d193837c6cfe/analysis/; classtype:trojan-activity; sid:24886; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"NETBIOS SMB Trans2 FIND_FIRST2 find file and directory info request"; flow:to_server,established; content:"|FF|SMB2|00 00 00 00|"; depth:9; offset:4; byte_test:1,!&,0x80,0,relative; content:"|01 00|"; within:2; distance:52; byte_jump:2,-10,relative,little,from_beginning,post_offset 10; content:"|04 01|"; within:2; flowbits:set,smb.trans2.fileinfo; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service netbios-ssn; classtype:protocol-command-decode; sid:24972; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11<>20; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:!"Content-Disposition"; http_client_body; content:"Content-Length: "; nocase; byte_test:8,<,369,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Clickserver callback"; flow:to_server,established; urilen:95; content:" HTTP/1.0|0D 0A|Host:"; fast_pattern:only; pcre:"/^\x2f[A-Z\d]{83}\x3d[A-Z\d]{10}$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25054; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - NewBrandTest"; flow:to_server,established; content:"User-Agent|3A 20|NewBrandTest|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/02b18d0aa415e299515891b56424751e846ca917d3bb55b82f07cfb97f62c4e1/analysis/; classtype:trojan-activity; sid:25119; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess URI and Referer"; flow:to_server,established; urilen:52; content:"/s/?k="; fast_pattern:only; http_header; pcre:"/^\x2f[a-z0-9]{51}$/Ui"; pcre:"/Referer\x3a\s*?http\x3a\x2f{2}[a-z0-9\x2e\x2d]+\x2fs\x2f\x3fk\x3d/Hi"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25224; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:12; content:"/a/image.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25256; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Skintrim variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bin/check.php?cv="; http_uri; content:"ThIs_Is_tHe_bouNdaRY_$"; fast_pattern; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/80e67695fa394f56fd6ddae74b72e9050f651244aad52ad48ebe6304edff95e2/analysis/1357239259/; classtype:trojan-activity; sid:25257; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast variant outbound connection"; flow:to_server,established; content:"/file.aspx?file="; fast_pattern:only; http_uri; content:"ksp/WS"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/af1ffe831112cbb34866fe1a65ed18613578039b002ca221757b791a5006894d/analysis/; classtype:trojan-activity; sid:25258; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BancosBanload variant outbound connection"; flow:to_server,established; content:".gif"; http_uri; content:"|0D 0A|Accept|2D|Encoding|3A 20|gzip|2C|deflateidentity|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/098fa9dbc519669a50fc6f3cdc8d9e4b05a6f0c32d154f515e403b54d72efff6/analysis/1357138873/; classtype:trojan-activity; sid:25259; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buterat variant outbound connection"; flow:to_server,established; content:"From|3A|"; http_header; content:"Via|3A|"; http_header; urilen:13; pcre:"/^\x2f\d{3}\x2f\d{3}\x2ehtml$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/90fb793d1fd7245b841ca4b195e3944a991d97d854090729062d700fe74553e5/analysis/; classtype:trojan-activity; sid:25269; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Buzus variant outbound connection"; flow:to_server,established; content:"/default.aspx?ver="; http_uri; content:"&uid="; distance:0; http_uri; content:"|3B 20|MRA|20|5.10|20|"; http_header; pcre:"/\x26uid\x3d[a-f0-9]{16}($|\x26)/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25271; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Request for a non-legit postal receipt"; flow:to_server,established; content:".php?php=receipt"; fast_pattern:only; http_uri; pcre:"/\x2f[a-z0-9]+\.php\?php\x3dreceipt$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=.php%3Fphp%3Dreceipt&type=string; classtype:misc-activity; sid:25277; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scan attempt"; flow:to_server,established; flowbits:set,acunetix-scan; content:"Acunetix-"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25358; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner probe attempt"; flow:to_server,established; content:"/acunetix-wvs-test-for-some-inexistent-file"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25359; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner authentication attempt"; flow:to_server,established; content:"password=g00dPa$$w0rD"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25360; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner RFI attempt"; flow:to_server,established; content:"src=/testasp.vulnweb.com/"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25361; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner base64 XSS attempt"; flow:to_server,established; content:"PHNjcmlwdD"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25362; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner URI injection attempt"; flow:to_server,established; content:"http:/www.acunetix.com"; fast_pattern:only; http_uri; content:"Acunetix-"; nocase; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25363; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner prompt XSS attempt"; flow:to_server,established; content:"<ScRiPt>prompt("; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25364; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"APP-DETECT Acunetix web vulnerability scanner XSS attempt"; flow:to_server,established; content:">=|5C|xa2"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.acunetix.com; classtype:web-application-attack; sid:25365; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Pushdo Spiral Traffic"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\x2f\x3fptrxcz\x5f[a-zA-Z0-9]{30}$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,updates.atomicorp.com/channels/rules/delayed/modsec/10_asl_antimalware.conf; classtype:trojan-activity; sid:25471; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit sba.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:16; content:"/cgi-bin/sba.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25503; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Necurs Rootkit op.cgi"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/cgi-bin/op.cgi"; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/b1e6f0cad0ae5c60e9e4fa18fd3b4a045d6db172c10a1c8e054e22d1aff4c673/analysis/; classtype:trojan-activity; sid:25504; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lfstream|26|"; depth:9; offset:8; pcre:"/^POST\x20\x2fg[ao]lfstream\x26/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/f4c44b5331c30b62beacae5d343d591584715c2d9d6d65848216b61efd916ec1/analysis/; classtype:trojan-activity; sid:25511; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/octet-stream"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25513; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable download detected"; flow:to_client,established; content:"application/x-msdos-program"; fast_pattern:only; http_header; pcre:"/^Content-Type\x3a[\x20\x09]+application\/x-msdos-program/smiH"; file_data; content:"MZ"; within:2; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25514; rev:12;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:25515; rev:11;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPod User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPod"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPod/H"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25518; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPad User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPad"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPad/H"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25519; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Apple iPhone User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"iPhone"; distance:0; fast_pattern; http_header; pcre:"/^User-Agent\x3a[^\r\n]*iPhone/H"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25520; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Android User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"android"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*android/iH"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25521; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Nokia User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nokia"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nokia/iH"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25522; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Samsung User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"Samsung"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*samsung/iH"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25523; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-MOBILE Kindle User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"kindle"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*kindle/iH"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25524; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OS-OTHER Nintendo User-Agent detected"; flow:established,to_server; content:"User-Agent|3A|"; http_header; content:"nintendo"; distance:0; fast_pattern; nocase; http_header; pcre:"/^User-Agent\x3a[^\r\n]*nintendo/iH"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:policy-violation; sid:25525; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs possible URI with encrypted POST"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/admin/host.php"; fast_pattern:only; http_uri; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/file/98fb9778208cb74c11a71afd065ae64e562ded1ae477ad42e392fe3711170319/analysis/; classtype:trojan-activity; sid:25577; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=PostalReceipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"PostalReceipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25578; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookinginfo HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingInfo.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingInfo.exe"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25579; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake bookingdetails HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=BookingDetails.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"BookingDetails.exe"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:25580; rev:4;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"M-SEARCH "; depth:9; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:25589; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Reventon variant outbound connection"; flow:to_server,established; isdataat:!5; content:"|9A 02 00 00|"; depth:4; fast_pattern; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/25c690dac0d17f9ba304e5e68c1da2381685b1aa0aa3cd503589bbc59daf81eb/analysis/; classtype:trojan-activity; sid:25627; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic variant outbound connection"; flow:to_server,established; content:"Accept-Language: en-us|3B 0D 0A|"; http_header; content:"wok5VLG.6"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/3ff78086c2e0fb839beeea7e4a209850c00f338005872e845155341cc30a5db5/analysis/; classtype:trojan-activity; sid:25652; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Medfos variant outbound connection"; flow:to_server,established; content:"/js/disable.js?type="; fast_pattern:only; http_uri; content:"Accept|3A 20|application/javascript|2C 20 2A 2F 2A 3B|q=0.8"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:JS/Medfos.B; classtype:trojan-activity; sid:25660; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"MALWARE-CNC Win.Trojan.Fakeavlock variant outbound connection"; flow:to_server,established; isdataat:266; isdataat:!276; content:"User-Agent|3A| Mozilla/5.0 (Windows|3B| U|3B| MSIE 9.0|3B| Windows NT 9.0|3B| en-US)|0D 0A|"; fast_pattern:only; http_header; urilen:159; pcre:"/\x2f[A-F0-9]{158}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/c49f7dbc036ad0a86df02cbbde00cb3b3fbd651d82f6c9c5a98170644374f64f/analysis/; classtype:trojan-activity; sid:25675; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Agent YEH variant outbound connection"; flow:to_server,established; content:"|29 3B 28|b|3A|3790|3B|c|3A|INT|2D|6760|3B|l|3A|09|29 0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f\?ts\x3d[a-f0-9]{40}\x26/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-YEH/detailed-analysis.aspx; classtype:trojan-activity; sid:25765; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/cmd.php?cmd="; http_uri; content:"arq="; distance:0; http_uri; content:"cmd2="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Win32%2fBancos; classtype:trojan-activity; sid:25766; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Urausy Botnet variant outbound connection"; flow:to_server,established; urilen:95<>102; content:"|29 20|Chrome|2F|"; http_header; content:!"|0A|Accept-Encoding|3A 20|"; http_header; pcre:"/^\x2f[a-z\x2d\x5f]{90,97}\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.botnets.fr/index.php/Urausy; classtype:trojan-activity; sid:25807; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Banker FTC variant outbound connection"; flow:to_server,established; urilen:18; content:"/listas/out/si.php"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|"; depth:10; offset:24; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Banker-FTC/detailed-analysis.aspx; classtype:trojan-activity; sid:25829; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Einfo\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|info|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:25854; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"APP-DETECT Ammyy remote access tool"; flow:to_server,established; content:"POST"; http_method; content:"|0A|Host|3A 20|rl.ammyy.com|0D 0A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.ammyy.com; classtype:policy-violation; sid:25947; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT redirection to driveby download"; flow:to_client,established; file_data; content:"/Home/index.php|22| width=1 height=1 scrolling=no></iframe>"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25948; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy outbound data connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"User|2D|Agent|3A 20|Mozilla|2F|3.0|20 28|compatible|3B 20|Indy Library|29 0D 0A|"; http_header; content:"form-data|3B| name=|22|userfile|22 3B| filename="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/979c14f993a1cd91f1b890f93a59ab5b14e059e056b9cf069222f529e50a4d5f/; reference:url,www.virustotal.com/#/file/ac9aea57da03206b1df12b5c012537c899bf5d67a5eb8113b4a4d99e0a0eb893/; reference:url,www.virustotal.com/en/file/04edf40eaf652dfab4e8dc2ca21fbf2e99d361746995767071789cc3fa24d2cc/analysis/1361822708/; classtype:trojan-activity; sid:25949; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sibhost exploit kit"; flow:to_server,established; content:"yoO4TAbn2tpl5DltCfASJIZ2spEJPLSn"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.malwaresigs.com/2013/02/26/sport-cd-am-sibhost; classtype:trojan-activity; sid:26020; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant in.php outbound connection"; flow:to_server,established; urilen:7; content:"/in.php"; http_uri; content:".ru|0D 0A|User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"|0A|Content-Length|3A 20|"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,zeustracker.abuse.ch/monitor.php?ipaddress=195.22.26.231; classtype:trojan-activity; sid:26023; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Wecod variant outbound connection"; flow:to_server,established; urilen:20; content:"/b/n/winrar/tudo.rar"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/22e0300501e6bbb7f46c2fb5aed12e4c0d23385cc6319d430cd4faed5241f362/analysis/; classtype:trojan-activity; sid:26024; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY ZIP file download detected"; flow:to_client,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26057; rev:13;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY ZIP file attachment detected"; flow:to_server,established; file_data; content:"PK|03 04 14 00 06 00|"; depth:8; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:26058; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos variant outbound connection SQL query POST data"; flow:to_server,established; content:"a=select CAMPO from PAGINA where CODIGO = "; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/88efcb549a52e3fb6359a3888e72726aac00c730edcd5280e0248d11306a645d/analysis/; classtype:trojan-activity; sid:26075; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:"|0D 0A|Accept|2D|Encoding|3A 20|identity|0D 0A|"; distance:0; http_header; pcre:"/\x0d\x0aContent\x2dLength\x3a\x20(124|132)\x0d\x0a/H"; pcre:"/\x3d?\x3d\r\n$/P"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26106; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gupd variant outbound connection"; flow:to_server,established; content:"cstype="; depth:7; http_client_body; content:"&authname="; within:48; distance:1; http_client_body; content:"&authpass="; within:48; distance:1; http_client_body; content:"&hostname="; within:48; distance:1; http_client_body; content:"&ostype="; within:256; distance:1; http_client_body; content:"&macaddr="; within:64; distance:16; http_client_body; content:"&owner="; within:48; distance:17; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0DD9018A9AF609382FABDA8E4EC86033DA83E42FEC25499C329DBDCBB00F2AF0/analysis/; classtype:trojan-activity; sid:26203; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Eldorado variant outbound connection"; flow:to_server,established; urilen:12; content:"/pid/pid.txt"; fast_pattern:only; http_uri; content:"(compatible|3B 20|Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/46b01e093493ff14a4f1a43905d4943f5559fb518c04edde46084d9672d0f20f/analysis/1363359002/; classtype:trojan-activity; sid:26211; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Proxyier variant outbound connection"; flow:to_server,established; content:"GET /?"; depth:6; content:"HTTP/1.1|0D 0A|Host|3A 20|update|2E|"; distance:0; content:"0b8pre|0D 0A|"; fast_pattern:only; http_header; content:!"|0A|Referer"; http_header; metadata:ruleset community, service http; classtype:trojan-activity; sid:26212; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY JPEG file magic detected"; flow:to_client,established; file_data; content:"|00 10|JFIF"; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:26251; rev:12;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake postal receipt HTTP Response phishing attack"; flow:to_client,established; content:"|3B 20|filename=Postal-Receipt.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"Postal-Receipt.exe"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.urlquery.net/search.php?q=receipt&type=string&start=2013-01-03&end=2013-01-18&max=50; classtype:trojan-activity; sid:26261; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Dapato banking Trojan variant outbound connection"; flow:to_server,established; urilen:21; content:"/pics/_vti_cnf/00.inf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ebcff32473d032041bd69e9599fbff4ad295128003f76d1f452ba7cb6e2d20d4/analysis/1364314446/; classtype:trojan-activity; sid:26264; rev:6;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DD-WRT httpd cgi-bin remote command execution attempt"; flow:to_server,established; content:"/cgi-bin/"; depth:10; nocase; http_uri; content:"${IFS}"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,35742; reference:bugtraq,94819; reference:cve,2009-2765; reference:cve,2016-6277; classtype:attempted-admin; sid:26275; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_client_body; content:"%0"; distance:0; http_client_body; pcre:"/(^|&)submit_button=[^&]+%0[^&]/Pim"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-admin; sid:26276; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi submit_button page redirection attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:"submit_button"; http_raw_uri; content:"%0"; distance:0; http_raw_uri; pcre:"/[?&]submit_button=[^&]+%0[^&]/i"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-admin; sid:26277; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_client_body; content:"PasswdModify=1"; nocase; http_client_body; content:"http_passwd="; nocase; http_client_body; content:"http_passwdConfirm="; nocase; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26278; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E1500/E2500 apply.cgi unauthenticated password reset attempt"; flow:to_server,established; content:"/apply.cgi"; fast_pattern:only; http_uri; content:!"Authorization:"; nocase; http_header; content:"action=Apply"; nocase; http_uri; content:"PasswdModify=1"; nocase; http_uri; content:"http_passwd="; nocase; http_uri; content:"http_passwdConfirm="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,57760; reference:url,www.s3cur1ty.de/m1adv2013-004; classtype:attempted-admin; sid:26279; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.dnssearch.org"; flow:to_server,established; content:"Host|3A| search.dnssearch.org|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26286; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.namequery.com"; flow:to_server,established; content:"Host|3A| search.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:26287; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brontok Worm variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| Brontok.A8 Browser|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securelist.com/en/descriptions/10286064/Email-Worm.Win32.Brontok.rf?print_mode=1; classtype:trojan-activity; sid:26288; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Daws Trojan Outbound Plaintext over SSL Port"; flow:to_server,established; content:"POST"; depth:4; pcre:"/^POST\x20\x2f[a-z]+\.[a-z]{3}\x20HTTP\x2f1\.1\r\n/"; content:"|0D 0A|Content|2D|Disposition|3A 20|form|2D|data|3B 20|name|3D 22|"; pcre:"/[^\x0d\x0a\x09\x20-\x7e]{4}/R"; pcre:"/\d+\x2d{2}\r\n$/R"; metadata:impact_flag red, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/file/f810c56734a686fdf46eb3ff895db6f3dd0cebb45c1e74bcc1c43f8050242d53/analysis/1359999907/; classtype:trojan-activity; sid:26289; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC file path used as User-Agent - potential Trojan"; flow:to_server,established; content:"User-Agent|3A 20|C:|5C|"; fast_pattern:only; http_header; pcre:"/\.exe$/iU"; pcre:"/^User\x2dAgent\x3a\x20c\x3a\x5c[^\r\n]*?\.exe\r\n/Him"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dd932e083cf9d910bc43bb998983f5ec35691c1b84708a355f7c46b358fa375/analysis/; classtype:trojan-activity; sid:26319; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Scar variant outbound connection"; flow:to_server,established; content:".php?mac="; fast_pattern:only; http_uri; content:"|0D 0A|Accept-Language|3A 20|ko|0D 0A|"; http_header; pcre:"/\.php\?mac\x3d([a-f0-9]{2}\x3a){5}[a-f0-9]{2}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/171a0b12197c1b1b525e2db1a62adb6f6c3f42ccb5704c8174944ee8b901abec/analysis/; classtype:trojan-activity; sid:26325; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC OSX.Trojan.Flashfake variant outbound connection"; flow:to_server,established; content:"|3B 20|sv|3A|"; http_header; content:"|3B 20|id|3A|"; within:5; distance:1; http_header; pcre:"/^User\x2dAgent\x3a\s[^\r\n]*?\x3b\x20id\x3a[A-F0-9]{8}\x2d([A-F0-9]{4}\x2d){3}[A-F0-9]{12}\)[^\r\n]*?\r\n/Hm"; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26327; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FBI Ransom Trojan variant outbound connection"; flow:to_server,established; content:"/nosignal.jpg?"; fast_pattern:only; http_uri; pcre:"/^\x2fnosignal\.jpg\?\d\.\d+$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26335; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to dyndns.org detected"; flow:to_server,established; content:"Host|3A 20|checkip.dyndns.org"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:26353; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - ksa.txt"; flow:to_server,established; urilen:8; content:"/ksa.txt"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26370; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - op POST"; flow:to_server,established; content:"op="; depth:3; http_client_body; content:"&nmpc="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:26371; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_server,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; classtype:trojan-activity; sid:26380; rev:4;)
|
|
# alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service imap, service pop3; classtype:trojan-activity; sid:26381; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER UTF-8 BOM in zip file attachment detected"; flow:to_client,established; file_data; content:"|EF BB BF 50 4B 03 04|"; depth:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26382; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Ufasoft bitcoin miner possible data upload"; flow:to_server,established; content:"User-Agent|3A| Ufasoft"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,ufasoft.com/open/bitcoin/; classtype:policy-violation; sid:26395; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"panel1/gate.php"; content:" HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection|3A|"; fast_pattern:only; content:"+"; depth:15; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b34f23afc2f6ca093b2923f0aa12d942a5960cf48475272df5b60edf556e4299/analysis/; classtype:trojan-activity; sid:26398; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE IP address check to j.maxmind.com detected"; flow:to_server,established; content:"/app/geoip.js"; http_uri; content:"Host|3A 20|j.maxmind.com"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:26410; rev:5;)
|
|
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot folder snkb0ptz creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26411; rev:3;)
|
|
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot executable snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; fast_pattern:only; content:".exe"; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26412; rev:3;)
|
|
# alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-OTHER Win.Worm.Dorkbot Desktop.ini snkb0ptz.exe creation attempt SMB"; flow:to_server,established; content:"|73 00 6E 00 6B 00 62 00 30 00 70 00 74 00 7A 00|"; content:"|5C|"; within:1; content:"|00 44 00 65 00 73 00 6B 00 74 00 6F 00 70 00 2E 00 69 00 6E 00 69 00|"; distance:0; metadata:policy max-detect-ips drop, ruleset community, service netbios-ssn; classtype:trojan-activity; sid:26413; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Magic variant inbound connection"; flow:to_client,established; file_data; content:"some_magic_code1"; depth:36; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.seculert.com/blog/2013/04/magic-persistent-threat.html; classtype:trojan-activity; sid:26467; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Location"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26468; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SERVER-ORACLE Oracle WebCenter FatWire Satellite Server header injection on blobheadername2 attempt"; flow:to_server,established; content:"blobheadername2=Refresh"; fast_pattern:only; content:"blobheadervalue2="; nocase; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1509; reference:url,www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html; classtype:web-application-attack; sid:26469; rev:5;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Zeus Spam 2013 dated zip/exe HTTP Response - potential malware download"; flow:to_client,established; content:"-2013.zip|0D 0A|"; fast_pattern:only; content:"-2013.zip|0D 0A|"; http_header; content:"-"; within:1; distance:-14; http_header; file_data; content:"-2013.exe"; content:"-"; within:1; distance:-14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2eff3ee6ac7f5bf85e4ebcbe51974d0708cef666581ef1385c628233614b22c0/analysis/; classtype:trojan-activity; sid:26470; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot fake PNG config file download without User-Agent"; flow:to_server,established; content:"Accept: application/xml,application/xhtml+xml,text/html|3B|q=0.9,text/plain|3B|q=0.8,image/png,*/*|3B|q=0.5|0D 0A|"; fast_pattern:only; http_header; pcre:"/\.png$/Ui"; content:!"User-Agent:"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26480; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown Thinner Encrypted POST botnet C&C"; flow:to_server,established; content:"/thinner/thumb?img="; fast_pattern:only; http_uri; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,support.clean-mx.de/clean-mx/viruses.php?sort=firstseen%20desc&review=95.57.120.111; classtype:trojan-activity; sid:26482; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP JavaScript tag in User-Agent field possible XSS attempt"; flow:to_server,established; content:"User-Agent|3A| <SCRIPT>"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.spiderlabs.com/2012/11/honeypot-alert-referer-field-xss-attacks.html; classtype:web-application-attack; sid:26483; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user agent NOKIAN95/WEB"; flow:to_server,established; content:"User-Agent|3A| NOKIAN95|2F|WEB"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/targeted-attack-campaign-hides-behind-ssl-communication/; classtype:trojan-activity; sid:26522; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Portable Executable downloaded with bad DOS stub"; flow:to_client,established; file_data; content:"MZ"; depth:2; content:"|2F 2A 14 20|"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-2423; reference:url,www.invincea.com/2013/04/k-i-a-java-cve-2013-2423-via-new-and-improved-cool-ek/; classtype:trojan-activity; sid:26526; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Unix.Backdoor.Cdorked redirect attempt"; flow:to_client,established; content:"0aW1lP"; fast_pattern; http_header; content:"/index.php?"; distance:-50; http_header; base64_decode:bytes 150, offset 10, relative; base64_data; content:"time="; content:"&src="; distance:0; content:"&surl="; distance:0; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/04/apache-binary-backdoors-on-cpanel-based-servers.html; reference:url,virustotal.com/en/file/7b3cd8c1bd0249df458084f28d91648ad14e1baf455fdd53b174481d540070c6/analysis/; classtype:trojan-activity; sid:26528; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unknown malware - Incorrect headers - Referer HTTP/1.0"; flow:to_server,established; content:"Referer: HTTP/1.0|0D 0A|"; fast_pattern:only; http_header; metadata:policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26533; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Stamp exploit kit portable executable download"; flow:to_server,established; content:"/elections.php?"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/elections\.php\?([a-z0-9]+\x3d\d{1,3}\&){9}[a-z0-9]+\x3d\d{1,3}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:cve,2013-0431; classtype:trojan-activity; sid:26534; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"PUA-ADWARE Win.Adware.BProtector browser hijacker dll list download attempt"; flow:to_server,established; content:"GET"; http_method; content:"/builds/"; nocase; http_uri; content:"fflists.txt"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:26553; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known Malicious user agent Brutus AET"; flow:to_server,established; content:"Mozilla|2F|3.0 |28|Compatible|29 3B|Brutus|2F|AET"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,sectools.org/tool/brutus; classtype:misc-activity; sid:26558; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection - getcomando POST data"; flow:to_server,established; content:"tipo=getcomando&"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a8f162a9c7347e485db374664227884b16112e2983923d0888c8b80661f25e44/analysis/1367267173/; classtype:trojan-activity; sid:26560; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"&sk1="; fast_pattern:only; http_client_body; content:"bn1="; depth:4; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26561; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit Spoofed Host Header .com- requests"; flow:to_server,established; content:".com-"; http_header; pcre:"/\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\x2d[a-z0-9\x2d\x2e]+(\x3a\d{1,5})?\r\n/Hi"; content:"|0D 0A|Accept|3A 20|text/html, image/gif, image/jpeg, *|3B| q=.2, */*|3B| q=.2|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26562; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Harakit botnet traffic"; flow:to_server,established; urilen:10; content:"sousi.extasix.com|0D 0A|"; fast_pattern:only; http_header; content:"/genst.htm"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23239; reference:url,www.virustotal.com/en/file/3df72fe102fddc74de2da518ea16948bd2c8c0e910c28c4358367e10723ba21f/analysis/; classtype:trojan-activity; sid:26563; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-content"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:26576; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent Opera 10"; flow:to_server,established; content:"Opera/10|20|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-s irefef-malware; reference:url,dev.opera.com/articles/view/opera-ua-string-changes; classtype:trojan-activity; sid:26577; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/images/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26578; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy/FakeAV Checkin with IE6 User-Agent"; flow:to_server,established; content:"/ccbill/m.php?id="; fast_pattern:only; http_uri; content:"|3B 20|MSIE 6.0|3B 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b288d6eadc9d4bca710f73e850a0901cf5fe62c775350c9a30ebaf9a05097a0f/analysis/1367713929/; classtype:trojan-activity; sid:26579; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE config.inc.php in iframe"; flow:to_client,established; file_data; content:"<iframe"; content:"config.inc.php"; within:100; content:"</iframe>"; distance:0; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/05/auto-generated-iframes-to-blackhole-exploit-kit-following-the-cookie-trail.html; classtype:trojan-activity; sid:26585; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Medfos Trojan variant outbound connection"; flow:to_server,established; content:"/feed?req=http"; fast_pattern:only; http_uri; content:"|3B| MSIE "; http_header; content:!"|0D 0A|Accept-Language:"; http_header; content:!"|0D 0A|Referer:"; http_header; pcre:"/^Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?\n/Hsmi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5bad5a2e4497f866291813aed264b5dc3c9fad4e56796306842c7b50b553ae11/analysis/; classtype:trojan-activity; sid:26613; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.PCRat data upload"; flow:to_server,established; content:"PCRatd"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/669DF9DED24D56997D7B1EA6249BB704226DADA09230DC285AE66CA0C9B7247B/analysis/; classtype:misc-activity; sid:26655; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Travnet Botnet data upload"; flow:to_server,established; content:"hostid="; http_uri; content:"|26|hostname="; http_uri; content:"|26|hostip="; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/F7E9A1A4FC4766ABD799B517AD70CD5FA234C8ACC10D96CA51ECF9CF227B94E8/analysis/; classtype:trojan-activity; sid:26656; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Shiz variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"/login.php"; depth:10; http_uri; content:"Referer|3A| http://www.google.com"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 2.0|3B|"; fast_pattern:only; http_header; pkt_data; content:"HTTP/1.0|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6; reference:url,www.virustotal.com/en/file/58963fd6a567513990ec6be52dc036bc5b728bb6528fca61227b22681ac838e6/analysis/1368563326/; classtype:trojan-activity; sid:26657; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-WEBKIT Possible Google Chrome Plugin install from non-trusted source"; flow:to_server,established; content:!"googleusercontent"; http_header; content:!"google.com"; http_header; content:"|2F|crx|2F|blobs"; http_uri; content:!"gvt1.com"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2013/05/10/browser-extension-hijacks-facebook-profiles.aspx; classtype:bad-unknown; sid:26658; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BROWSER-FIREFOX Possible Mozilla Firefox Plugin install from non-Mozilla source"; flow:to_server,established; content:!"mozilla"; http_header; content:".xpi"; nocase; http_uri; pcre:"/\.xpi$/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2012/09/how-to-install-silently-malicious.html; classtype:bad-unknown; sid:26659; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake delivery information phishing attack"; flow:to_client,established; content:"|3B| filename="; http_header; content:"Delivery_Information_ID-"; fast_pattern:only; http_header; file_data; content:"Delivery_Information_ID-"; content:".exe"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:26660; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Namihno variant outbound request"; flow:to_server,established; content:"/windows/update/search?hl="; http_uri; content:"&q="; distance:0; http_uri; content:"&meta="; distance:0; http_uri; content:"&id="; distance:0; http_uri; metadata:policy balanced-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26695; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - Abnormal HTTP Headers"; flow:to_server,established; content:"POST /index.php HTTP/1.1|0D 0A|Content-Type: multipart/form-data|3B| boundary="; depth:70; content:"|0D 0A|Connection: close|0D 0A|Cache-Control: no-cache|0D 0A|Content-Length: "; http_header; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26696; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Cbeplay Ransomware variant outbound connection - POST Body"; flow:to_server,established; content:"index.php"; http_uri; content:"|3B| name=|22|data|22 3B| filename=|22|"; fast_pattern:only; http_client_body; content:"--"; depth:2; http_client_body; pcre:"/filename=\x22\d+\x22\r\n/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2013/02/cbeplayp-now-target-australia-and-moved.html; classtype:trojan-activity; sid:26697; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Compromised Website response - leads to Exploit Kit"; flow:to_client,established; file_data; content:"<!--ded509-->"; content:"<!--/ded509-->"; distance:0; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.jsunpack.jeek.org/?report=c94ca7cda909cf93ae95db22a27bb5d711c2ae8f; classtype:trojan-activity; sid:26698; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Kazy Trojan check-in"; flow:to_server,established; content:"User-Agent: Opera/11 |28|Windows NT 5.1|3B 20 3B| x86|29|"; fast_pattern:only; http_header; content:"/count.php?page="; depth:16; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=6d823488b26533f5151c3bab93c2a8ba832c9320e612d58d1134740abe3ca157; classtype:trojan-activity; sid:26712; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 1 outbound traffic"; flow:to_server,established; content:"gate.php|3F|reg="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; fast_pattern:only; http_header; pcre:"/gate\x2ephp\x3freg=[a-z]{10}/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26713; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 2 outbound traffic"; flow:to_server,established; content:"gate.php|3F|reg="; http_uri; pcre:"/gate\x2ephp\x3freg=[a-zA-Z]{15}/U"; content:"User-Agent|3A| Mozilla/4.0 (SEObot)|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26714; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BlackRev rev 3 outbound traffic"; flow:to_server,established; content:"gate.php|3F|id="; http_uri; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| SEObot)|0D 0A|"; fast_pattern:only; http_header; pcre:"/gate\x2ephp\x3fid=[a-z]{15}/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26715; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; content:"s_alive.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26719; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kbot variant outbound connection"; flow:to_server,established; content:"s_task.php?id="; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/22/grum-lives/; classtype:trojan-activity; sid:26720; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Bancos fake JPG encrypted config file download"; flow:to_server,established; content:".com.br|0D 0A 0D 0A|"; fast_pattern:only; content:"/imagens/"; depth:9; http_uri; content:".jpg"; distance:0; http_uri; pcre:"/\.jpg\x20HTTP\/1\.[01]\r\nUser\x2dAgent\x3a\x20[a-z]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.com\.br\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26722; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Trojan Downloader7"; flow:to_server,established; content:".lavaibrasilok.com|0D 0A 0D 0A|"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.drwebhk.com/en/virus_techinfo/Trojan.DownLoader7.25647.html; classtype:trojan-activity; sid:26723; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc http command"; flow:to_client,established; file_data; content:"http|7C|"; depth:5; pcre:"/^http\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26725; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc stop command"; flow:to_client,established; file_data; content:"stop|7C|"; depth:5; pcre:"/^stop\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26726; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc die command"; flow:to_client,established; file_data; content:"die|7C|"; depth:4; pcre:"/^die\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26727; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc sleep command"; flow:to_client,established; file_data; content:"sleep|7C|"; depth:6; pcre:"/^sleep\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26728; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc simple command"; flow:to_client,established; file_data; content:"simple|7C|"; depth:7; pcre:"/^simple\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26729; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc loginpost command"; flow:to_client,established; file_data; content:"loginpost|7C|"; depth:10; pcre:"/^loginpost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26730; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc datapost command"; flow:to_client,established; file_data; content:"datapost|7C|"; depth:9; pcre:"/^datapost\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26731; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc syn command"; flow:to_client,established; file_data; content:"syn|7C|"; depth:4; pcre:"/^syn\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26732; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udp command"; flow:to_client,established; file_data; content:"udp|7C|"; depth:4; pcre:"/^udp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26733; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc udpdata command"; flow:to_client,established; file_data; content:"udpdata|7C|"; depth:8; pcre:"/^udpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26734; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc data command"; flow:to_client,established; file_data; content:"data|7C|"; depth:5; pcre:"/^data\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26735; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc icmp command"; flow:to_client,established; file_data; content:"icmp|7C|"; depth:5; pcre:"/^icmp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26736; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc tcpdata command"; flow:to_client,established; file_data; content:"tcpdata|7C|"; depth:8; pcre:"/^tcpdata\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26737; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dataget command"; flow:to_client,established; file_data; content:"dataget|7C|"; depth:8; pcre:"/^dataget\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26738; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc connect command"; flow:to_client,established; file_data; content:"connect|7C|"; depth:8; pcre:"/^connect\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26739; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc dns command"; flow:to_client,established; file_data; content:"dns|7C|"; depth:4; pcre:"/^dns\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26740; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc exec command"; flow:to_client,established; file_data; content:"exec|7C|"; depth:5; isdataat:!200; pcre:"/^exec\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26741; rev:5;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc resolve command"; flow:to_client,established; file_data; content:"resolve|7C|"; depth:8; pcre:"/^resolve\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26742; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc antiddos command"; flow:to_client,established; file_data; content:"antiddos|7C|"; depth:9; pcre:"/^antiddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26743; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc range command"; flow:to_client,established; file_data; content:"range|7C|"; depth:6; pcre:"/^range\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26744; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc ftp command"; flow:to_client,established; file_data; content:"ftp|7C|"; depth:4; pcre:"/^ftp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26745; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc download command"; flow:to_client,established; file_data; content:"download|7C|"; depth:9; pcre:"/^download\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26746; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc fastddos command"; flow:to_client,established; file_data; content:"fastddos|7C|"; depth:9; pcre:"/^fastddos\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26747; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc slowhttp command"; flow:to_client,established; file_data; content:"slowhttp|7C|"; depth:9; pcre:"/^slowhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26748; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc allhttp command"; flow:to_client,established; file_data; content:"allhttp|7C|"; depth:8; pcre:"/^allhttp\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26749; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRev cnc full command"; flow:to_client,established; file_data; content:"full|7C|"; depth:5; pcre:"/^full\x7c\d+\x7c\d+\x7C[a-z0-9]+\x2E[a-z]{2,3}\x7C[a-z0-9]+\x7C/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,ddos.arbornetworks.com/2013/05/the-revolution-will-be-written-in-delphi; classtype:trojan-activity; sid:26750; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Luder variant outbound connection"; flow:to_server,established; content:"/loader.cpl"; fast_pattern:only; http_uri; pcre:"/\/loader\.cpl$/U"; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1196; reference:url,www.virustotal.com/en/file/6077fd6cbb44c78a16d66fedb10492c7776127dc76ee071b051970971212bae8/analysis/; classtype:trojan-activity; sid:26774; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection HTTP Header Structure"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/index.html"; http_uri; content:".info|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; pcre:"/HTTP\/1.[01]\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\.info\r\n/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26775; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Blocker variant outbound connection POST"; flow:to_server,established; content:"POST"; http_method; content:"cmd=gravar&dados="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c157a06965bf9edc101350c6122d108ccb1d99600cbb6967ef41dfed255f2009/analysis/; classtype:trojan-activity; sid:26776; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex encrypted POST check-in"; flow:to_server,established; content:"/cos3q/in"; fast_pattern:only; http_uri; content:".exe"; nocase; http_client_body; pcre:"/\x5f\w{24}\.exe/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26779; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC cridex HTTP Response - default0.js"; flow:to_client,established; file_data; content:"|00|<script type=|22|text/javascript|22| src=|22|/scripts/default0.js|22|></script>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/843ffd922b9bd902d736ddb664b578cde6e3033fa5a14b862b09045c36aa7524/analysis/1369942427/; classtype:trojan-activity; sid:26780; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Payment Page Request"; flow:to_server,established; urilen:23; content:"/content/img/awards.jpg"; fast_pattern:only; http_uri; pcre:"/\r\nReferer\x3A\x20http\x3A\x2F\x2f[a-z0-9\x2d\x2e]+\x2F\x3Fdo\x3Dpayment\x26ver\x3D\d+\x26sid\x3D\d+\x26sn\x3D\d+\r\n/H"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26811; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC XP Fake Antivirus Check-in"; flow:to_server,established; urilen:11; content:"|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|Accept: */*|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\x2F\d{10}$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,camas.comodo.com/cgi-bin/submit?file=cf3eff5320b0c8d41490e412e89b97559bf34fcde8f9934e5fb7c76467a679d8; classtype:trojan-activity; sid:26812; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from Linked-In Mailing Campaign"; flow:to_server,established; urilen:17,norm; content:"/linkendorse.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26814; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sweet Orange exploit kit landing page in.php base64 uri"; flow:to_server,established; urilen:<75; content:"/in.php"; http_uri; content:"&q="; distance:0; http_uri; content:"=="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2010-0188; reference:cve,2012-0422; reference:cve,2012-0431; reference:cve,2012-0607; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-5076; reference:cve,2013-2423; classtype:trojan-activity; sid:26834; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker POST variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"op=IncluirAvisos&"; fast_pattern:only; http_client_body; content:"HostBD="; depth:7; offset:17; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26835; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Strange Google Traffic"; flow:to_server,established; urilen:30; content:"User-Agent: Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest.5)"; fast_pattern:only; http_header; content:"Host: www.google.com"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1a23f27b046af92b7dd2c4a8f8349c9fd9582ad91b5a61556470c58b15af3b26/analysis/1369251144/; classtype:trojan-activity; sid:26836; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC BitBot Idle C2 response"; flow:to_client,established; file_data; content:"<|5C||5C||5C|>IDLE<|5C||5C||5C|>"; depth:18; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26837; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2 exploit kit Initial Gate from NatPay Mailing Campaign"; flow:to_server,established; content:"/natpay.html?"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26838; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Boda Malware Checkin"; flow:to_server,established; content:"macName="; depth:60; http_client_body; content:"&macOS="; within:100; http_client_body; content:"&macMac="; within:200; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26842; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZeroAccess Encrypted 128-byte POST No Accept Headers"; flow:to_server,established; content:"POST"; http_method; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:" HTTP/1."; content:"|0D 0A|User-Agent: "; within:14; distance:1; content:!"|0D 0A|Accept"; http_header; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:ruleset community, service http; classtype:trojan-activity; sid:26910; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/info.php?act="; fast_pattern:only; http_uri; pcre:"/^\/info\.php\?act\x3d(list|online)/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26911; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rombrast Trojan outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"<|7C|>"; fast_pattern:only; http_client_body; content:"data="; depth:5; http_client_body; content:"<|7C|>"; within:3; distance:31; http_client_body; content:"<|7C|>"; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/deac0b06fb36e38520b002489dae6fff3d346e72d331c3889e9d2764fe2bcf14/analysis/; classtype:trojan-activity; sid:26912; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"/images/"; http_uri; content:".php?id="; distance:1; http_uri; pcre:"/\/images\/[a-zA-Z]\.php\?id\=[0-9]{2,3}(\.\d)?$/Ui"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26923; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Gozi Trojan HTTP Header Structure"; flow:to_server,established; urilen:255<>260; content:"= HTTP/1."; fast_pattern:only; content:".php?"; http_uri; content:!"Accept"; http_header; pcre:"/^\/[a-z]{2,20}\.php\?[a-z]{2,10}\x3d[a-zA-Z0-9\x2f\x2b]+\x3d$/I"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26924; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SQL generic convert injection attempt - GET parameter"; flow:to_server,established; content:"convert|28|"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.securiteam.com/securityreviews/5DP0N1P76E.html; classtype:web-application-attack; sid:26925; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=atom.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26947; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit inbound java exploit download"; flow:to_client,established; content:"filename=site.jar"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26948; rev:5;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit landing page"; flow:to_client,established; file_data; content:"<applet width="; content:"0"; within:1; distance:1; content:" height="; within:8; distance:1; content:"0"; within:1; distance:1; content:" code="; within:6; distance:1; content:"site.avi"; within:8; distance:1; nocase; content:" archive="; within:9; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.basemont.com/new_exploit_kit_june_2013; classtype:trojan-activity; sid:26949; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Malvertising Campaign URI request"; flow:to_server,established; content:"/.cache/?f="; fast_pattern; http_uri; content:".jar"; http_uri; pcre:"/[^&]+&[a-z]=[a-f0-9]{16}&[a-z]=[a-f0-9]{16}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/06/openxadvertisingcom-mass-malvertising.html; classtype:trojan-activity; sid:26951; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Win32 Facebook Secure Cryptor C2"; flow:to_server,established; content:"/forum/search.php?email="; http_uri; content:"&method="; distance:0; http_uri; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/06/18/your-facebook-connection-is-now-secured; classtype:trojan-activity; sid:26965; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win32/Autorun.JN variant outbound connection"; flow:to_server,established; isdataat:141; isdataat:!142; urilen:8; content:"/u5.htm"; fast_pattern:only; http_uri; content:"//u5.htm"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Worm%3AWin32%2FAutorun.JN; reference:url,www.virustotal.com/en/file/36144738373c665d262bc007fceaeb9613e59ec29ea3d7424dd9f400af2c0f06/analysis/; classtype:trojan-activity; sid:26966; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Data Theft POST Data"; flow:to_server,established; content:"POST"; http_method; content:"data.php"; http_uri; content:"|0D 0A|URL: "; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name="; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26968; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi Trojan Data Theft POST URL"; flow:to_server,established; content:"POST"; http_method; content:".php?version="; http_uri; content:"&user="; distance:0; http_uri; content:"&server="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:26969; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; content:"Cookie: cache=cc2="; fast_pattern:only; content:"cache=cc2="; http_cookie; pcre:"/Host\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/97f97c2126ed6ffc447a5f8c72d504679129a38f8a62e4678321f9a8057c3307/analysis/; classtype:trojan-activity; sid:26970; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector Info Stealer Trojan variant outbound connection"; flow:to_server,established; content:"/xgi-bin/"; depth:9; http_uri; content:".php?"; within:5; distance:1; http_uri; content:"|3B| MSIE "; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4BAF26D033E17F0171AB27291649EEAE19EE33BD0246F17BC921E3ADB7F36F42/analysis/; classtype:trojan-activity; sid:26984; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rawin exploit kit outbound java retrieval"; flow:to_server,established; content:"rawin.php?b="; http_uri; content:"&v=1."; distance:0; http_uri; pcre:"/\.php\?b=[A-F0-9]+&v=1\./U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:26985; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dapato variant inbound response connection"; flow:to_client,established; content:"Content-Length: 150|0D 0A|"; fast_pattern:only; http_header; file_data; content:"|0D 0A|"; depth:2; offset:4; content:"|0D 0A|"; within:2; distance:4; content:"|0D 0A|"; within:2; distance:4; pcre:"/^([A-F0-9]{4})\r\n\1\r\n\1\r\n([A-F0-9]{26})\r\n[A-F0-9]{48}\r\n\2\r\n\2$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/111ffe389dc8fa802b8aff3b4e02a2f59d1b6492763f9dc5a20a84f4da46932a/analysis/; classtype:trojan-activity; sid:27017; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OnlineGameHack variant outbound connection"; flow:to_server,established; content:"/get.asp?mac="; http_uri; content:"&os="; within:36; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,image.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.39_Eng.pdf; classtype:trojan-activity; sid:27039; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jorg"; flow:to_server,established; content:"/jorg.html"; fast_pattern:only; http_uri; pcre:"/\/jorg\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27040; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jlnp"; flow:to_server,established; content:"/jlnp.html"; fast_pattern:only; http_uri; pcre:"/\/jlnp\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27041; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Styx exploit kit plugin detection connection jovf"; flow:to_server,established; content:"/jovf.html"; fast_pattern:only; http_uri; pcre:"/\/jovf\.html$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2007-5659; reference:cve,2008-0655; reference:cve,2011-3544; reference:cve,2012-0507; reference:cve,2012-1723; reference:cve,2012-4681; reference:cve,2012-4969; reference:cve,2013-0422; reference:cve,2013-2423; classtype:trojan-activity; sid:27042; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string pb - Htbot"; flow:to_server,established; content:"User-Agent: pb|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/MTNlMDg4ZTQwZjU2NDUxM2EwZDNlYzllNjZkMjRkNDI/; reference:url,www.virustotal.com/en/file/36802c72d1d5addc87d16688dcb37b680fd48f832fa7b93c15cf4f426aa3f0a7/analysis/; classtype:trojan-activity; sid:27044; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Blocker Download"; flow:to_client,established; flowbits:isset,file.exe; content:"filename="; http_header; content:"security_cleaner.exe"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6d4d93f68aaf783a2526d920fa3c070d061fd56853669a72a10b2c2232008582/analysis/1372086855/; classtype:trojan-activity; sid:27045; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Unknown ?1 redirect"; flow:to_server,established; content:"GET /?1 HTTP/1.1"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:bad-unknown; sid:27047; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit Hostile Jar pipe.class"; flow:to_client,established; flowbits:isset,file.jar; file_data; content:"PK"; content:"|00|pipe.class"; distance:0; content:"|00|inc.class"; distance:0; content:"|00|fdp.class"; distance:0; fast_pattern; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27085; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Unknown Malvertising exploit kit stage-1 redirect"; flow:to_client,established; content:"<html><body><script>|0A|var "; fast_pattern; content:"document.createElement("; within:80; content:".setAttribute(|22|archive|22|, "; within:65; content:".setAttribute(|22|codebase|22|, "; within:65; content:".setAttribute(|22|id|22|, "; within:65; content:".setAttribute(|22|code|22|, "; within:65; content:"|22|)|3B 0A|document.body.appendChild("; within:65; content:"</script>|0A|</body>|0A|</html>|0A 0A|"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27086; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit outbound portable executable request"; flow:to_server,established; content:"php?sf="; http_uri; content:"&Ze="; distance:0; http_uri; content:"&m="; distance:0; http_uri; pcre:"/php\?sf=\d+\&Ze=\d+\&m=\d+/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:trojan-activity; sid:27110; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT DotkaChef/Rmayana/DotCache exploit kit Zeroaccess download attempt"; flow:to_server,established; content:"/?f=a"; http_uri; content:"&k="; distance:0; http_uri; pcre:"/\&k=\d+($|\&h=)/U"; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,www.basemont.com/new_exploit_kit_june_2013; reference:url,www.malwaresigs.com/2013/06/14/dotcachef/; classtype:trojan-activity; sid:27113; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Private exploit kit outbound traffic"; flow:to_server,established; content:".php?"; http_uri; content:"content-type: application/"; http_header; content:" Java/1"; http_header; pcre:"/\x2ephp\x3f[a-z]+=[a-fA-Z0-9]+&[a-z]+=[0-9]+$/iU"; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2006-0003; reference:cve,2010-0188; reference:cve,2011-3544; reference:cve,2013-1347; reference:cve,2013-1493; reference:cve,2013-2423; reference:url,malwageddon.blogspot.com/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html; reference:url,malware.dontneedcoffee.com/2013/07/pep-new-bep.html; reference:url,www.malwaresigs.com/2013/07/03/another-unknown-ek; classtype:trojan-activity; sid:27144; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection GET Request"; flow:to_server,established; content:"/?"; depth:2; http_uri; content:"h=NT"; fast_pattern:only; http_uri; pcre:"/\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}/U"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27199; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Meredrop variant outbound connection POST Request"; flow:to_server,established; content:"POST"; content:"|3B 20|MSIE 28|3B 20|"; fast_pattern:only; http_header; content:"User-Agent"; http_header; pcre:"/User\x2dAgent\x3a\x20[ -~]*?\.[A-Z\d]{8}\x2d[A-Z\d]{6}\x2d[A-Z\d]{6}\x2d[A-Z\d]{8}\x3b[ -~]*?\r\n/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dfb0050cb7fd6c879027cbecda703613b8d9fb2b2a5682478dbcd0518172302c/analysis/1373576492/; classtype:trojan-activity; sid:27200; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neurevt variant outbound connection"; flow:to_server,established; content:"ps0="; depth:4; http_client_body; content:"ps1="; distance:0; http_client_body; content:"cs1="; distance:0; http_client_body; content:"cs2="; distance:0; http_client_body; content:"cs3="; distance:0; http_client_body; pcre:"/ps0=[A-F0-9]*&ps1=[A-F0-9]*&cs1=[A-F0-9]*&cs2=[A-F0-9]*&cs3=[A-F0-9]*/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27201; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Apache auto_prepend_file a.control.bin C2 traffic"; flow:to_server,established; content:"User-Agent|3A| SEX|2F|1"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/06/apache-php-injection-to-javascript-files.html; classtype:trojan-activity; sid:27203; rev:4;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Potential Bancos Brazilian Banking Trojan Browser Proxy Autoconfig File"; flow:to_client,established; file_data; content:"return |22|DIRECT|22|"; fast_pattern:only; content:".com.br"; nocase; pcre:"/\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22\s{0,3}\+\s{0,3}\x22[a-z\d\x2e\x2d]{1,10}\x22/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:27204; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Mac OSX FBI ransomware"; flow:to_client,established; file_data; content:"<iframe src=|22|YOUR|25|20BROWSER|25|20HAS|25|20BEEN|25|20LOCKED"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.org/intelligence/2013/07/fbi-ransomware-now-targeting-apples-mac-os-x-users/; classtype:trojan-activity; sid:27246; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue - Mozi1la User-Agent"; flow:to_server,established; content:"User-Agent|3A| Mozi1la/4.0|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/03103b40b95070e4d14803e949dc754ca02bcea25e8b3a4194f7d248f15ca515/analysis/; classtype:trojan-activity; sid:27248; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess 111-byte URL variant outbound connection"; flow:to_server,established; urilen:111; content:"=="; depth:2; offset:103; content:" HTTP/1.0|0D 0A|Host:"; within:16; distance:10; pcre:"/^\/[a-z\d]{98}\x3d{2}[a-z\d]{10}$/Ui"; content:!"Accept:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27252; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cridex Encrypted POST w/ URL Pattern"; flow:to_server,established; urilen:<34; content:"POST"; http_method; content:"U|3B| MSIE "; http_header; content:"|0D 0A|Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10}\x2f([A-Za-z0-9\x2b\x2f\x3d]{1,10})?(\x2f[A-Za-z0-9\x2b\x2f\x3d]{1,10})?/U"; pcre:"/[^ -~\x0d\x0a]{4}/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/cd0cdc216e456b34dc2e4c6db6bacbbba20122489e6751621f921ca53cc7e421/analysis/; classtype:trojan-activity; sid:27253; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Yakes Trojan HTTP Header Structure"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".php HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; within:113; pcre:"/coded\r\nUser\x2dAgent\x3a\x20[ -~]+\r\nContent\x2dLength\x3a\x20[2-9][02468]\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n\r\n[a-zA-Z0-9\x2f\x2b\x3d]{20,}$/"; pcre:"/[\x2f\x2b\x3d]/P"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27254; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE All Numbers .EXE file name from abnormally ordered HTTP headers - Potential Yakes Trojan Download"; flow:to_server,established; content:"GET"; http_method; content:".exe HTTP/1.1|0D 0A|Cache-Control: "; fast_pattern:only; content:".exe HTTP/1.1"; nocase; content:"|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|User-Agent: "; within:76; content:"|3A 20|"; distance:0; content:!"|3A 20|"; distance:0; pcre:"/\x2f\d+\.exe$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/980c4ed3dd130c9313a35434e0b102a6b8b038c98735814834334ccc03e4da3c/analysis/; classtype:trojan-activity; sid:27255; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptik Drive-by Download Malware"; flow:to_server,established; content:"GET"; http_method; content:".php?id="; offset:6; fast_pattern; http_uri; content:" HTTP/1."; within:11; distance:1; http_header; content:"|0D 0A|User-Agent: Mozilla/"; within:22; distance:1; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z0-9\x2d\x2e]+\r\n(Cache\x2dControl|Pragma)\x3a\x20no-cache\r\n\r\n$/H"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,threatpost.com/nsa-whistleblower-article-redirects-to-malware; reference:url,www.virustotal.com/en/file/5d7b09613c03cb3b54b9ab7a886558bba38861a899638f4318c09eaa56401821/analysis/1373466967/; classtype:trojan-activity; sid:27256; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kryptic 7-byte URI Invalid Firefox Headers - no Accept-Language"; flow:to_server,established; urilen:7; content:"GET"; http_method; content:"Firefox/3."; fast_pattern:only; http_header; pcre:"/^\/[A-Z]{6}$/U"; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8c1ff08a25b93da66921c75d0d21a9c08c5d3d36b95f9eaf113ecd84fa452944/analysis/1374505566/; classtype:trojan-activity; sid:27257; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential Win.Trojan.Kraziomel Download - 000.jpg"; flow:to_server,established; urilen:8; content:"/000.jpg"; fast_pattern:only; http_uri; content:"HTTP/1.0|0D 0A|Host: "; content:!"|3A 20|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33525f8cf5ca951095d4af7376e026821b81557526d4846916805387fb9c5bb2/analysis/; classtype:trojan-activity; sid:27533; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-OTHER self-signed SSL certificate with default MyCompany Ltd organization name"; flow:established,to_client; ssl_state:server_hello; content:"|55 04 0A|"; content:"|0E|MyCompany Ltd"; within:14; distance:1; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ssl; reference:url,attack.mitre.org/techniques/T1078; reference:url,en.wikipedia.org/wiki/Self-signed_certificate; reference:url,security.ncsa.illinois.edu/research/grid-howtos/usefulopenssl.html; classtype:policy-violation; sid:27538; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER HideMeBetter spam injection variant"; flow:to_client,established; file_data; content:"<div id=|22|HideMeBetter|22|>"; fast_pattern:only; content:"if(document|2E|getElementById(|22|HideMeBetter|22|)|20 21 3D 20|null)"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.sucuri.net/2013/07/hidemebetter-spam-injection-variant.html; classtype:trojan-activity; sid:27565; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download request"; flow:to_server,established; content:"/ld.aspx"; nocase; http_uri; content:"User-Agent|3A 20|FWVersionTestAgent|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.didierstevens.com/2013/08/04/quickpost-rovnix-pcap; reference:url,blogs.technet.com/b/mmpc/archive/2013/07/25/the-evolution-of-ronvix-private-tcp-ip-stacks.aspx; classtype:trojan-activity; sid:27567; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Redyms variant outbound connection"; flow:to_server,established; content:"&intip="; fast_pattern:only; http_uri; content:"?id="; http_uri; content:"&port="; distance:0; http_uri; content:"&bid="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1c61afd792257cbc72dc3221deb3d0093f0fc1abf2c3f2816e041e37769137a4/analysis/1375189147/; classtype:trojan-activity; sid:27596; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Fort Disco Registration variant outbound connection"; flow:to_server,established; content:"/cmd.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15370; classtype:trojan-activity; sid:27599; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/tomcat-docs/index.jsp?/"; http_uri; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.01|3B| Windows NT 5.0|29|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27629; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/bbs/search.asp"; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27630; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Aumlib variant outbound connection"; flow:to_server,established; content:"/buy-sell/search.asp?newsid="; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 5.0|3B| Windows NT 5.0|29|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27631; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Worm.Silly variant outbound connection"; flow:to_server,established; urilen:7; content:"/ul.htm"; fast_pattern:only; http_uri; content:"|3B| MSIE 6.0|3B 20|"; http_header; content:!"Accept-Language: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0ddd3488b618b17437413a9d579aa111f0a2ba302262d0a9b0d2832718a93524/analysis/; classtype:trojan-activity; sid:27633; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker.ZSL variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"valor="; depth:6; http_client_body; content:"]branco["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/709fa674b301e9123fc2c01e817da21cb29cdfb5a42634a793e27c9533d335b1/analysis/1375811416/; classtype:trojan-activity; sid:27648; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Brazilian Banking Trojan data theft"; flow:to_server,established; content:"POST"; http_method; content:"remetente="; depth:10; http_client_body; content:"&destinatario="; distance:0; http_client_body; content:"&assunto="; distance:0; http_client_body; content:"&mensagem="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27649; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess variant outbound connection"; flow:to_server,established; urilen:>95; content:".php HTTP/1.1|0D 0A|User-Agent: Opera/"; fast_pattern:only; pcre:"/(?=^[a-z\x2d\x5f\x2f]{95,}\.php$).*?[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d[a-z]{2,48}\x2d?\.php$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27680; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy outbound connection"; flow:to_server,established; urilen:>145,norm; content:".html"; http_uri; content:"|0D 0A|User-Agent|3A| Mozilla/5.0 |28|compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0"; fast_pattern:only; content:!"Cookie:"; http_header; content:!"X-BlueCoat-Via:"; http_header; content:!"Referer"; http_header; pcre:"/\x2f[a-z-_]{80,}\x2ehtml$/U"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/f53a483befed8d1494827a3f2444cfe638d3f7e595d72b722eab92d1aca9ede3/analysis/1376847283/; classtype:trojan-activity; sid:27708; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/ido.ipl"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27726; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/myinfo.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27727; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Orbit Downloader denial of service update"; flow:to_server,established; content:"/update/param.php?"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/2013/08/21/orbital-decay-the-dark-side-of-a-popular-file-downloading-tool; classtype:trojan-activity; sid:27728; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC RDN Banker Data Exfiltration"; flow:to_server,established; content:"POST"; http_method; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"_.log|22 0D 0A|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; classtype:trojan-activity; sid:27774; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:".htm"; http_uri; content:!"Accept"; http_header; content:"|0A|Content-Length: 164|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:"host|3A|"; nocase; http_header; content:"|2E|"; within:5; http_header; content:"|2E|"; within:4; http_header; content:"|2E|"; within:4; http_header; content:"|6C 55 55 45|"; depth:4; offset:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27775; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index_htm_files2/"; nocase; http_uri; content:".png"; within:4; distance:3; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27802; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/form.php"; depth:9; http_uri; content:"RcpTfdsvoD9KB9O"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27803; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.PRISM variant outbound connection"; flow:to_server,established; content:"/page/index.php"; nocase; http_uri; content:"foo="; http_cookie; content:"data=RcpTfdssoD9KB9O"; depth:20; fast_pattern; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/417cb84f48d20120b92530c489e9c3ee9a9deab53fddc0dc153f1034d3c52c58/analysis/1377785686/; classtype:trojan-activity; sid:27804; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Bisonha variant outbound connection"; flow:to_server,established; content:"GET /3001"; fast_pattern; isdataat:260,relative; content:"0000000000000000000000000"; pcre:"/\/3001[0-9A-F]{262,304}/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,bl0g.cedricpernet.net/post/2013/08/29/APT-More-on-G20Summit-Espionage-Operation; reference:url,www.virustotal.com/en/file/f0d8834fb0e2d3c6e7c1fde7c6bcf9171e5deca119338e4fac21568e0bb70ab7/analysis/; classtype:trojan-activity; sid:27805; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page request"; flow:to_server,established; urilen:>32; content:".php"; fast_pattern:only; http_uri; content:"GET"; http_method; pcre:"/^\/[a-f0-9]{32}\/[a-z]{1,15}-[a-z]{1,15}\.php/U"; content:!"PacketShaper"; http_header; content:!"siteadvisor.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2012-1889; reference:cve,2012-4681; classtype:trojan-activity; sid:27865; rev:7;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2/Darkleech exploit kit landing page"; flow:to_client,established; file_data; content:"<body><b></b><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|height|3A|1px}</style><div>"; fast_pattern:only; flowbits:set,file.exploit_kit.jar; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27866; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27899; rev:4;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27900; rev:4;)
|
|
# alert udp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27901; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"PROTOCOL-VOIP Possible SIP OPTIONS service information gathering attempt"; flow:to_server,established,only_stream; sip_method:options; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27902; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Ghost call attack attempt"; flow:to_client,established,only_stream; sip_stat_code:180; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27903; rev:3;)
|
|
# alert tcp $SIP_SERVERS $SIP_PORTS -> $EXTERNAL_NET any (msg:"PROTOCOL-VOIP Excessive number of SIP 4xx responses potential user or password guessing attempt"; flow:to_client,established,only_stream; sip_stat_code:4; content:"SIP/2.0"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 25; metadata:policy max-detect-ips drop, ruleset community, service sip; reference:url,blog.sipvicious.org/2008/02/detecting-sip-attacks-with-snort.html; classtype:attempted-recon; sid:27904; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+$/U"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:27907; rev:8;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - get ads"; flow:to_server,established; content:"/afr.php?zoneid="; http_uri; content:"/ads/ox.html"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27913; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware - post install"; flow:to_server,established; content:"/report.php?key="; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27914; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vittalia adware outbound connection - pre install"; flow:to_server,established; content:"/instapi.php?idMk="; http_uri; content:"&state="; distance:0; http_uri; content:"&idTime="; distance:0; http_uri; content:"&idA2="; distance:0; http_uri; content:"&xVal="; distance:0; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27915; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - Eazel toolbar install"; flow:to_server,established; content:"/utilsbar/EazelBar.exe"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27916; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Vittalia adware outbound connection - offers"; flow:to_server,established; content:"/listener.php"; http_uri; content:"User-Agent|3A| NSIS_ToolkitOffers (Mozilla)"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9cdb2b3095cfb94cf8f6204d0f073674dd808b0f742a16216c2f06cf3b5afd50/analysis/1378700802/; classtype:trojan-activity; sid:27917; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.0|0D 0A|Host:"; fast_pattern:only; content:"Accept-Encoding: identity, *|3B|q=0|0D 0A|"; http_header; content:"|3B| MSIE "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27918; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus encrypted POST Data exfiltration"; flow:to_server,established; content:"Accept-Encoding|3A| identity, *|3B|q=0|0D 0A|"; fast_pattern:only; http_header; content:"|3B| MSIE "; http_header; pcre:"/[^ -~\r\n]{4}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/8825abfca1a6d843ce5670858886cb63bb1317ddbb92f91ffd46cfdcaba9ac00/analysis/; classtype:trojan-activity; sid:27919; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"Gh0st"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:27964; rev:5;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Eupuds variant connection"; flow:to_client,established; file_data; content:"insert into avs (id, pc,data,ref,country , id_user, mostrar)values("; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/09f4611c05dcff55d4471b90d41b0fd3e6d3289f71321301751008dab75ded4d/analysis/; classtype:trojan-activity; sid:27965; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Response"; nocase; http_client_body; content:"FromBase64String"; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27966; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"caidao="; fast_pattern:only; http_client_body; pcre:"/caidao\s?=\s?(Response|Write|Execute)/Pmi"; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27967; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=Execute"; nocase; http_client_body; content:"On+Error+Resume+Next:"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:27968; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound command"; flow:to_server,established,only_stream; content:"/index.php?"; http_uri; content:"-dsafe_mode"; distance:0; http_uri; content:"-ddisable_functions"; distance:0; http_uri; content:"-dallow_url_fopen"; distance:0; http_uri; content:"-dallow_url_include"; distance:0; http_uri; content:"-dauto_prepend_file"; distance:0; http_uri; content:"echo.txt"; detection_filter:track by_src, count 20, seconds 60; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d134b69c41fadc5d3a28c90e452323f1c54dd1aa20ac5f5e897feac8d86755a/analysis/; classtype:trojan-activity; sid:28005; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Kuluoz outbound download request"; flow:to_server,established; content:"?message="; fast_pattern:only; http_uri; pcre:"/(info|app)\x2ephp\x3fmessage\x3d/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwaremustdie.blogspot.com/2013/09/302-redirector-new-cushion-attempt-to.html; classtype:trojan-activity; sid:28006; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer startupkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=startupkey_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28007; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer reuse outbound traffic"; flow:to_server,established; content:"/index.aspx?info=reuse"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28008; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer configkey outbound traffic"; flow:to_server,established; content:"/index.aspx?info=configkey"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28009; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer tserror outbound traffic"; flow:to_server,established; content:"/index.aspx?info=tserror_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28010; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC BLYPT installer createproc outbound traffic"; flow:to_server,established; content:"/index.aspx?info=createproc_"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/blypt-a-new-backdoor-family-installed-via-java-exploit; classtype:trojan-activity; sid:28011; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"from=%20Nome..:"; depth:15; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d8870137f7f761055a2ac83b03eb3f8fe26015fa0ba99f41551ca59374c6a3ec/analysis/1365436849/; classtype:trojan-activity; sid:28012; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Blackholev2 exploit kit landing page"; flow:to_client,established; file_data; content:"</div><i></i><style>div{overflow|3A|hidden|3B|width|3A|1px|3B|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28026; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>250; content:"GET"; http_method; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}[_-][a-z]{2,16}([_-][a-z]{2,16})*?|closest\/[a-z0-9]{15,25})\.php\?[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\*\!\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+&[\(\)\!\*\w-]+=[\(\)\!\*\w-]+$/U"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28028; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Urausy variant outbound connection"; flow:to_server,established; urilen:>95,norm; content:"User-Agent|3A| Opera/10.80 |28|Windows NT 5.1|3B| U|3B| Edition Yx|3B| en|29| Presto/2.9.168 Version/11.52|0D 0A|"; fast_pattern:only; pcre:"/\x2f[a-z-_]{90,}\x2e(html|php)$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e74e0b2f3efbe8edadeaeef501fe268e2ff7c8a8bc8550de7924f77f2a612941/analysis/1378636986/; classtype:trojan-activity; sid:28033; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Caphaw variant outbound connection"; flow:to_server,established; content:"/ping.html?r="; fast_pattern:only; http_uri; content:!"/utils/"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,research.zscaler.com/2013/09/a-new-wave-of-win32caphaw-attacks.html; classtype:trojan-activity; sid:28042; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoLocker variant connection"; flow:to_server,established; content:"/crypt_1_sell"; fast_pattern:only; http_uri; pcre:"/\/crypt_1_sell\d\d-\d\d.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis; classtype:trojan-activity; sid:28044; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"v="; http_client_body; content:"|26|u="; within:3; distance:3; http_client_body; content:"|26|c="; distance:0; http_client_body; content:"|26|s={"; distance:0; http_client_body; content:"}|26|w="; within:4; distance:36; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/463d39dcbf19b5c4c9e314e5ce77bf8a51848b8c7d64e4f0a6656b9d28941e2e/analysis/; classtype:trojan-activity; sid:28079; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Napolar data theft"; flow:to_server,established; content:".exe&h="; fast_pattern:only; http_client_body; content:"p="; depth:2; http_client_body; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12781be5908ecc3dbf4a459e4cbc7bedb654b50236f7a961e85f3af5e2275ddf/analysis/; classtype:trojan-activity; sid:28080; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; content:"/v22/mutabixa/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28105; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload information upload"; flow:to_server,established; content:"/v22/mutabixa/1nf3ct/"; http_uri; content:"chave="; distance:0; http_uri; content:"&url="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28106; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload download"; flow:to_server,established; content:".jpg"; http_uri; content:"User-Agent|3A| runddll32.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.nyxbone.com/malware/banload.html; classtype:trojan-activity; sid:28107; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /default.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/default.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28114; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /file.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/file.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28115; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /home.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/home.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28116; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /install.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/install.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28117; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /login.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/login.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28118; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /search.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/search.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28119; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /start.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/start.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28120; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /welcome.htm GET Encrypted Payload"; flow:to_server,established; urilen:12; content:"GET"; http_method; content:"/welcome.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28121; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /index.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/index.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28122; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /setup.htm GET Encrypted Payload"; flow:to_server,established; urilen:10; content:"GET"; http_method; content:"/setup.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28123; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; urilen:11; content:"/search?q="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE "; http_header; content:": no-cache|0D 0A 0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; pcre:"/^\/search\?q=[0-9]$/Umi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/57212e057db0d45d94d08cd47dec85f0d85a20a7f4d3824559c81a50999cc2a5/analysis/; classtype:trojan-activity; sid:28147; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Mevade variant outbound connection"; flow:to_server,established; content:"|0D 0A|uuid: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; pcre:"/[^\n -~\r]{4}/P"; content:"Content-Type|3A| binary/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/526fe8eee74dc51a23e458115179dcda4027277b696b6a06889ed52751b39f54/analysis/; classtype:trojan-activity; sid:28148; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - /html2/"; flow:to_server,established; urilen:7; content:"POST"; http_method; content:"/html2/"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28153; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.1"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.1|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28154; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Foreign variant outbound connection - MSIE 7.2"; flow:to_server,established; content:"POST"; http_method; content:"|3B| MSIE 7.2|3B 20|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:28155; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Linkury outbound time check"; flow:to_server,established; isdataat:71; isdataat:!72; urilen:8; content:"/utc/now HTTP/1.1|0D 0A|Host: www.timeapi.org|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a2c4e162624ddb169542e12e148a3be6bfe79a1fed4adfb28ad1a308a0d1bade/analysis/1380219003/; classtype:trojan-activity; sid:28156; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential Phishing URL"; flow:to_server,established; content:"/info.php?message="; fast_pattern:only; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/report.php?id=5117077; reference:url,www.soleranetworks.com/blogs/kuluoz-spam-uses-a-lot-of-stolen-web-servers/; classtype:trojan-activity; sid:28192; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin upgrade.php exploit attempt"; flow:to_server, established; content:"install/upgrade.php"; fast_pattern:only; http_uri; content:"firstrun=false"; http_client_body; content:"&customerid="; http_client_body; content:"username%5d="; http_client_body; content:"password%5d="; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.net-security.org/secworld.php?id=15743; classtype:attempted-admin; sid:28215; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit payload download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28233; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KanKan variant connection"; flow:to_server,established; content:"/?u="; depth:4; http_uri; content:"&u2="; http_uri; content:"&u5=inststart"; http_uri; content:"NSIS_Inetc (Mozilla)"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db31bdf400dd0d28487a0d298bc383a4a2912566130ea512b25639b3f95e94c4/analysis/; classtype:trojan-activity; sid:28242; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluoz Potential phishing URL"; flow:to_server,established; content:"/get.php?invite="; fast_pattern:only; http_uri; content:"Accept-Encoding: gzip"; http_header; pcre:"/^\/get.php\?invite=.*?=$/mU"; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,urlquery.net/search.php?q=get.php%3Finvite%3D&type=string&start=2013-10-01&end=2013-10-16&max=50; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:28255; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.hdog connectivity check-in version 2"; flow:to_server,established; content:"/?gws_rd=cr"; fast_pattern:only; http_uri; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ca1bc54e33064eb08163a17a56dcb1d0d811fc694c05af1d9ea768ef992cb489/analysis/1381870348/; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28285; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Blackholev2/Cool exploit kit exploit download attempt"; flow:to_server,established; urilen:50<>150; content:" Java/1."; fast_pattern:only; http_header; content:".php?"; http_uri; pcre:"/\/(?:[^\/]+?\/[a-z]{2,24}|closest\/[a-z0-9]{15,25})\.php\?[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+&[ab10]+=[ab10]+$/U"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28291; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant connection"; flow:to_server,established; content:"/status/?&cmp="; fast_pattern; http_uri; content:"&src="; distance:0; http_uri; content:"&status=start"; distance:0; http_uri; content:!"User-Agent: "; http_uri; content:!"Accept"; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e21a7333f5e6fe6de87b0b4ef928202724680d46ee3524983ec6962b4061813c/analysis/1381409595/; classtype:trojan-activity; sid:28300; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"FromBase64String"; http_client_body; content:"z"; within:200; nocase; http_client_body; pcre:"/z\d{1,3}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:28323; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE FakeAV runtime detection"; flow:to_server,established; content:"&affid="; fast_pattern:only; http_uri; content:"/api/"; nocase; http_uri; content:"?ts="; nocase; http_uri; content:"&token="; nocase; http_uri; content:"&group="; nocase; http_uri; content:"&nid="; nocase; http_uri; content:"&lid="; nocase; http_uri; content:"&ver="; nocase; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28324; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"INDICATOR-OBFUSCATION large number of calls to chr function - possible sql injection obfuscation"; flow:established,to_server; content:"GET"; http_method; content:"CHR("; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; content:"CHR("; distance:0; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; reference:url,attack.mitre.org/techniques/T1190; reference:url,isc.sans.org/diary.html?storyid=3823; classtype:web-application-attack; sid:28344; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - split - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"ps=|22|split|22 3B|asd=function()"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28345; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"aq=|22|0x|22 3B|ff=String|3B|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28346; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:>90; content:"/p.ashx?prd="; fast_pattern; http_uri; content:"&pixGuid="; distance:0; http_uri; content:"&ver="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28405; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; content:".exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B| MSIE "; http_header; content:!"Accept"; http_header; content:"|29 0D 0A|Host: "; distance:0; http_header; pcre:"/^GET\x20\x2f[a-z]{1,12}\.exe\x20HTTP\x2f1\.1\r\nUser\x2dAgent\x3a\x20Mozilla\x2f[\x20-\x7e]{10,100}\)\r\nHost\x3a\x20[a-z0-9\x2e\x2d]{6,32}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a064a1d3d8b9d8ab649686b7fb01e0631e569412388084f5c391722c98660763/analysis/; classtype:trojan-activity; sid:28406; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - createElement - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|c|22|+|22|r|22 3A|2+|22|e|22|+|22|a|22|+|22|t|22|+|22|e|22|+|22|E|22|+|22|l|22|+|22|e|22|+|22|m|22|+((f)?|22|e|22|+|22|n|22|+|22|t|22 3A 22 22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28420; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION Javascript obfuscation - fromCharCode - seen in IFRAMEr Tool attack"; flow:to_client,established; file_data; content:"|22|fr|22|+|22|omCh|22|+|22|arCo|22|+|22|de|22|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1027; reference:url,attack.mitre.org/techniques/T1140; classtype:trojan-activity; sid:28421; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Glazunov exploit kit landing page"; flow:to_client,established; file_data; content:"= |22|applet|22 3B 20|"; content:"= |22|object|22 3B 20|"; within:50; content:"=|27|param|27 3B 20|"; within:50; content:".zip|27 3B| </script>"; distance:0; pcre:"/\/\d+\/\d\.zip\x27\x3b/"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28428; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit outbound jnlp download attempt"; flow:to_server,established; urilen:15; content:".jnlp"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/\/[a-z0-9]{9}\.jnlp$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28429; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Glazunov exploit kit zip file download"; flow:to_server,established; content:".zip"; fast_pattern; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\/\d\.zip$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-2471; reference:url,nakedsecurity.sophos.com/2013/07/02/the-four-seasons-of-glazunov-digging-further-into-sibhost-and-flimkit/; classtype:trojan-activity; sid:28430; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1039 (msg:"MALWARE-CNC Win.Trojan.Symmi variant SQL check-in"; flow:to_server,established; content:"s|00|e|00|l|00|e|00|c|00|t|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|f|00|r|00|o|00|m|00| |00|v|00|e|00|r|00|i|00|f|00|i|00|c|00|a|00|n|00|d|00|o|00| |00|w|00|h|00|e|00|r|00|e|00| |00|i|00|d|00|_|00|p|00|c|00|=|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28446; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Sakura exploit kit exploit payload retrieve attempt"; flow:to_server,established; urilen:<25; content:".ld"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/^\/\d+\.ld$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28450; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC DeputyDog diskless method outbound connection"; flow:to_server,established; content:"User-Agent: lynx|0D 0A|"; fast_pattern:only; http_header; content:"POST"; http_method; pcre:"/^\x2f[0-9a-f]+$/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2013-3918; reference:url,technet.microsoft.com/en-us/security/bulletin/MS13-090; classtype:trojan-activity; sid:28493; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Asprox/Kuluoz variant connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:23.0) Gecko/20100101 Firefox/23.0"; content:"Content-Disposition: form-data|3B| name=|22|key|22 3B| filename=|22|key.bin|22|"; fast_pattern:only; content:"Content-Disposition: form-data|3B| name=|22|data|22 3B| filename=|22|data.bin|22|"; content:"Content-Type: multipart/form-data|3B| boundary="; pcre:"/POST\s\/[A-F0-9]{42}\s/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html; reference:url,www.virustotal.com/en/file/929b62b673db55f443a36fa2de184a2be03788bbe714fc586b82a19444727a54/analysis/; classtype:trojan-activity; sid:28538; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ZeroAccess Download Headers"; flow:to_server,established; urilen:5<>14; content:"|0D 0A|Accept: */*|0D 0A|Accept-Encoding: identity, *|3B|q=0|0D 0A|Connection: close|0D 0A|User-Agent: "; fast_pattern:only; http_header; content:".exe HTTP/1.0|0D 0A|Host: "; pcre:"/^\x2f[a-z\d]{1,8}\.exe$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/eeaeb1506d805271b5147ce911df9c264d63e4d229de4464ef879a83fb225a40/detection; classtype:trojan-activity; sid:28541; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; isdataat:145; isdataat:!146; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: checkip.dyndns.org|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28542; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Conficker variant outbound connection"; flow:to_server,established; isdataat:138; isdataat:!139; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| Trident/4.0)|0D 0A|Host: www.ask.com|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sans.org/security-resources/malwarefaq/conficker-worm.php; classtype:trojan-activity; sid:28543; rev:2;)
|
|
# alert udp $EXTERNAL_NET 2425 -> $HOME_NET 2425 (msg:"INDICATOR-SCAN inbound probing for IPTUX messenger port "; flow:to_server; content:"iptux"; depth:5; offset:2; content:"lws|3A|lws"; within:7; distance:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1018; reference:url,attack.mitre.org/techniques/T1040; reference:url,attack.mitre.org/techniques/T1046; reference:url,github.com/iptux-src/iptux; classtype:misc-activity; sid:28552; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /main.htm GET Encrypted Payload"; flow:to_server,established; urilen:9; content:"GET"; http_method; content:"/main.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28553; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection - /online.htm GET Encrypted Payload"; flow:to_server,established; urilen:11; content:"GET"; http_method; content:"/online.htm"; fast_pattern:only; http_uri; content:!"Referer"; http_header; content:!"Accept"; http_header; pcre:"/[^\r -~\n]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0682508f3d7c85e086055ce943aeaa634484d8e0cb22be776bac6930b00fae49/analysis/; classtype:trojan-activity; sid:28554; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MALWARE-OTHER SQL Slammer worm propagation attempt inbound"; flow:to_server; content:"|04|"; depth:1; content:"Qh.dll"; fast_pattern:only; content:"sock"; content:"send"; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; classtype:trojan-activity; sid:28555; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS DNS query amplification attempt"; flow:to_server; content:"|00 01|"; depth:2; offset:4; content:"|00 01|"; within:2; distance:4; byte_test:1,!&,0xF8,2; content:"|00 00 FF 00 01 00 00 29|"; byte_test:2,>,0x7FFF,0,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.us-cert.gov/ncas/alerts/TA13-088A; classtype:attempted-dos; sid:28556; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"PROTOCOL-DNS Malformed DNS query with HTTP content"; flow:to_server; content:"|54 20|"; fast_pattern:only; content:"GET |2F| HTTP"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.ietf.org/rfc/rfc2616.txt; classtype:misc-activity; sid:28557; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit payload request"; flow:to_server,established; urilen:24<>26,norm; content:"/f/"; fast_pattern:only; http_uri; pcre:"/^\/f\/1\d{9}\/\d{9,10}(\/\d)+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28596; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit payload download attempt"; flow:to_server,established; urilen:<30; content:".mp3"; fast_pattern:only; http_uri; content:" Java/1."; http_header; pcre:"/\/\d+\.mp3$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy max-detect-ips alert, ruleset community, service http; reference:cve,2012-0507; reference:url,blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html; classtype:trojan-activity; sid:28795; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus outbound connection"; flow:to_server,established; urilen:1; content:"GET / HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Language:"; depth:45; content:"|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern; content:"google.com|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Encoding: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d4b16269c9849c33a7bb2fdc782173a00e99db12a585689618dde3f4c6fcb101/analysis/; classtype:trojan-activity; sid:28800; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos outbound connection"; flow:to_server,established; urilen:17<>27; content:"ip-who-is.com|0D 0A|"; fast_pattern:only; http_header; content:"/locate-ip/"; depth:11; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26c60976776d212aefc9863efde914059dd2847291084c158ce51655fc1e48d0/analysis/1382620137/; classtype:trojan-activity; sid:28802; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Injector inbound connection"; flow:to_client,established; file_data; content:"UPDATE|7C|"; depth:7; pcre:"/^UPDATE\|[0-9]\.[0-9]\.[0-9]\|[A-F0-9]{48}\|{3}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28803; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector outbound connection"; flow:to_server,established; content:"|0D 0A 0D 0A|&nome="; fast_pattern:only; http_client_body; content:"conteudo="; depth:9; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/253b2cb7f6eacaaaca5053f73445defce5df2cd4a5564ebc0721e0323a6c3557/analysis/1383139183/; classtype:trojan-activity; sid:28804; rev:3;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 2090 (msg:"MALWARE-CNC Win.Trojan.Palevo outbound connection"; flow:to_server; dsize:21; content:"|00 00|"; depth:2; offset:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,palevotracker.abuse.ch/?ipaddress=209.222.14.3; reference:url,palevotracker.abuse.ch/?ipaddress=31.170.179.179; classtype:trojan-activity; sid:28805; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE potential malware download - single digit .exe file download"; flow:to_server,established; urilen:6; content:".exe"; fast_pattern:only; pcre:"/\/[a-z0-9]\.exe$/Ui"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5Ba-zA-Z%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-09-07&end=2013-12-06&max=400; classtype:trojan-activity; sid:28806; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:9; content:"/load.exe HTTP/1.1|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; content:")|0D 0A|Host: "; distance:0; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2Fload%5C.exe%24&type=regexp&start=2013-08-24&end=2013-11-22&max=400; reference:url,www.virustotal.com/en/file/032572ea1f34a060ecac98a8e2899dc0f2a41dff199e879050481ddd3818b4d0/analysis/; classtype:trojan-activity; sid:28807; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dofoil inbound connection"; flow:to_client,established; content:"|3B 20|filename=exe.exe|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2325492f457a8b7d3df48a570210f65f3a094fe8925278451713768d938bec86/analysis/; classtype:trojan-activity; sid:28809; rev:5;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection - MSIE7 No Referer No Cookie"; flow:to_server,established; urilen:1; content:"|2F|"; http_uri; pcre:"/\r\nHost\x3A\s+[^\r\n]*?[bcdfghjklmnpqrstvwxyz]{5,}[^\r\n]*?\x2Ebiz\r\n/Hi"; content:!"|0A|Referer|3A|"; http_header; content:!"|0A|Cookie|3A|"; http_header; content:"|3B 20|MSIE|20|7.0|3B 20|"; http_header; content:"|2E|biz|0D 0A|"; fast_pattern; nocase; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,en.wikipedia.org/wiki/Zeus_(Trojan_horse); classtype:trojan-activity; sid:28810; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"/post.aspx?forumID="; fast_pattern:only; http_uri; content:"|0D 0A|URL: http"; depth:11; offset:17; http_client_body; content:!"Accept"; http_header; pcre:"/^(?!\d{17}|[A-F]{17})[A-F0-9]{17}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28814; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gozi/Neverquest variant outbound connection"; flow:to_server,established; content:"forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:!"Accept"; http_header; pcre:"/^id\x3d[A-F\d]{32}(\x26info\x3d[A-F\d]{24})?$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b78c5c53d3b54acbca2b344a779528f0408258b6ac12899c860d99bf563e883a/analysis/; classtype:trojan-activity; sid:28815; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Iniduoh variant outbound connection"; flow:to_server,established; content:"/is-ready"; fast_pattern:only; http_uri; content:"User|2D|Agent|3A 20|"; http_header; content:"|3C 7C 3E|"; within:3; distance:8; http_header; content:"|3C 7C 3E|"; within:18; http_header; content:"|3C 7C 3E|Microsoft Windows"; within:84; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/220b551d9381fb56b48511b622a0bbc15482378396b3e83f708379f460f3347a/analysis/; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:28817; rev:4;)
|
|
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Linux.Trojan.Zollard"; flow:to_server,established; content:"User-Agent|3A| Zollard|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d757aa51974806e5402fb8a5c930518bf9ba0b2fd62f74e0f4c33d85bce08ada/analysis/; classtype:trojan-activity; sid:28852; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent z00sAgent - Win.Trojan.Zbot"; flow:to_server,established; content:"User-Agent|3A| z00sAgent"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0220b1071c8a0093e673d836ae436cb468b8cd1bd5873dad08351309e13af9e5/analysis/1383673331/; classtype:trojan-activity; sid:28859; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 58455 (msg:"MALWARE-BACKDOOR Zollard variant outbound connection attempt"; flow:to_server,established; content:".zollard/"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service telnet; reference:url,www.deependresearch.org/2013/12/hey-zollard-leave-my-internet-of-things.html; classtype:trojan-activity; sid:28913; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bit.ly|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/47c71ff0eb61b371e967b93b6909bb05f2aab973e3214ea2d5ed246884dd045e/analysis/; classtype:trojan-activity; sid:28918; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Symmi variant network connectivity check"; flow:to_server,established; content:"Host: bitly.com|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; fast_pattern:only; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/084455c1de5d9440eb95edd2e6868aab1ce3dd674c2e3ba481254edc65b30b89/analysis/; classtype:trojan-activity; sid:28919; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakeav variant outbound data connection"; flow:to_server,established; urilen:>150; content:"/?"; depth:2; http_uri; content:"Firefox/4.0b8pre|0D 0A|"; fast_pattern:only; http_header; pcre:"/^\/\?[a-z0-9]{2}\=[a-z1-9]{100}/siU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28930; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix malicious download"; flow:to_server,established; content:"/config.php?"; fast_pattern:only; http_uri; content:"version="; http_uri; content:"user="; http_uri; content:"server="; http_uri; content:"id="; http_uri; content:"crc="; http_uri; content:"id="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/forums/diary/Suspected+Active+Rovnix+Botnet+Controller/17180; reference:url,www.welivesecurity.com/2012/02/22/rovnix-reloaded-new-step-of-evolution/; classtype:trojan-activity; sid:28940; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE exe.exe download"; flow:to_server,established; urilen:>7; content:"/exe.exe"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,urlquery.net/search.php?q=%5C%2F%5BEe%5D%5BXx%5D%5BEe%5D%5C.%5BEe%5D%5BXx%5D%5BEe%5D%24&type=regexp&start=2013-11-21&end=2013-12-06&max=400; classtype:trojan-activity; sid:28945; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Alurewo outbound connection"; flow:to_server,established; content:"/cmd?version="; fast_pattern:only; http_uri; content:"&aid="; http_uri; content:"&id="; distance:0; http_uri; content:"&os="; within:4; distance:36; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.sophos.com/ja-jp/threat-center/threat-analyses/viruses-and-spyware/Troj~Agent-AFDE/detailed-analysis.aspx; reference:url,www.virustotal.com/en/file/9171bd76d3fa26a78225cb7c9d5112635fa84e8bdf3388577f22da9178871161/analysis/; classtype:trojan-activity; sid:28960; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT HiMan exploit kit outbound payload retreival - specific string"; flow:to_server,established; content:"/tx.exe"; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:28969; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - Data Exfiltration"; flow:to_server,established; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:"|0D 0A|TP="; http_client_body; content:"|0D 0A|LGSN="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28976; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent.DF - User-Agent Missing Bracket"; flow:to_server,established; content:"|3B 20|Windows NT 5.0|0D 0A|Host:"; fast_pattern:only; http_header; content:" HTTP/1.1|0D 0A|Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|User-Agent: Mozilla/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b9587fc86f1459ccf7b096b6bf68b4fcc165946a86f3ed9ce84c61907aa99dae/analysis/1386599712/; classtype:trojan-activity; sid:28977; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot requesting URL through IRC"; flow:to_client,established; content:"JOIN |3A|#"; content:"!dl http://"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28982; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/launch.php"; http_uri; content:"?f="; http_uri; content:"&s="; distance:0; http_uri; content:"&is_direct="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28983; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|29 0D 0A|"; fast_pattern:only; http_header; content:"/direct.php"; http_uri; content:"?f="; http_uri; content:"&s="; http_uri; pcre:"/\x2Fdirect\.php\x3Ff=[0-9]{8}\x26s=[a-z0-9]{3}\.[a-z]{1,4}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28984; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot executable download"; flow:to_server,established; content:"/site2/"; http_uri; content:!"Referer|3A| "; http_header; content:"60gp="; http_cookie; content:"60gpBAK="; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/411e93206a7750c8df25730349bf9756ddba52c1bc780eaac4bba2b3872bc037/analysis/; classtype:trojan-activity; sid:28985; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Neeris IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #biz abc|0D 0A|"; depth:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/0a8f320fc7535f164bbd9d0e462fd459c55ff448cf5e84dc2115f2f4aa800e6b/analysis/1387176826/; classtype:trojan-activity; sid:28986; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #n jobs|0D 0A|"; depth:14; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28987; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Worm.Steckt IRCbot variant outbound connection"; flow:to_server,established; content:"JOIN #test1|20 7C 0D 0A|JOIN #test2|20 7C 0D 0A|JOIN #test3 (null)|0D 0A|"; depth:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/480eb4aa76a55ad7b0db128138113615ca834f9e6c62f798f54c8ac0759657fe/analysis/1387177714/; reference:url,www.virustotal.com/en/file/5b1d04b7504a3ac1befe4408fd4f9cd877b92661db47a75f197924cb660551d3/analysis/1387178129/; classtype:trojan-activity; sid:28988; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant inbound connection"; flow:to_client,established; content:"/avcheck.exe|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"|0D 0A|Location: https://dl.dropboxusercontent.com/"; http_header; pcre:"/\r\nLocation\x3a\x20https\x3a\x2f{2}dl\.dropboxusercontent\.com\/[a-zA-Z\d\x2f]{5,32}\/avcheck\.exe\r\n\r\n$/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,www.virustotal.com/en/file/30032d2b7fd928392837eeb814cf1e2add0d80b0e17b8dbfec2e2c3be9164cf6/analysis/; classtype:trojan-activity; sid:29031; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:13,norm; content:"/webstat/?i="; depth:12; fast_pattern; http_uri; content:"User-Agent: Mozilla/7"; http_header; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29127; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_server,established; content:"/loadmsie.php?id="; fast_pattern:only; http_uri; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29166; rev:5;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT CritX exploit kit payload download attempt"; flow:to_client,established; content:".exe|0D 0A|"; fast_pattern:only; http_header; content:"filename="; http_header; content:".exe|0D 0A|"; within:6; distance:24; http_header; pcre:"/filename=(?![a-f]{24}|\d{24})[a-f\d]{24}\.exe\r\n/H"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29167; rev:4;)
|
|
alert tcp any any -> any $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string fortis"; flow:to_server,established; content:"User-Agent: fortis|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92614908e7842e0dfa72ecfee868b06017b5cc445f201874776583f754b137a3/analysis/; classtype:trojan-activity; sid:29174; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Magnitude exploit kit Microsoft Internet Explorer Payload request"; flow:to_server,established; urilen:34; content:"/?"; depth:2; fast_pattern; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:" MSIE "; http_header; content:!"Referer|3A|"; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29189; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; content:"/se/gate.php"; http_uri; content:"HTTP/1.1|0D 0A|Cache-Control: no-cache|0D 0A|Connection: close|0D 0A|Pragma: no-cache|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Content-Length: "; fast_pattern:only; pcre:"/\x3d\x0a$/P"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis/; classtype:trojan-activity; sid:29216; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/mod/lookfashon.jpg"; fast_pattern:only; http_uri; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fe413704c85751b060546ebfd428d57726d8fd002ca95ec8deb76f5f37ed9c4/analysis/1389125202/; classtype:trojan-activity; sid:29220; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/chamjavanv.inf?aapf/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29259; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"/novredir_inf.php?apt/login.jsp?="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a46c3fee842f1ded35b6a4e003c0e6ea62ee66d354d4b826b4c3e5aa9310b3ba/analysis/; classtype:trojan-activity; sid:29260; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:to_server,established; urilen:19,norm; content:"/FileToDownload.exe"; fast_pattern:only; http_uri; content:"Host: dl.dropbox.com|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1102; reference:url,file-analyzer.net/analysis/1087/5386/0/html; reference:url,www.virustotal.com/en/file/913cc54750e8bb6b88d5ccbfc988e0107f80ad14ba4d052a3f3db11ccfd8ce4a/analysis/; classtype:trojan-activity; sid:29261; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant inbound connection"; flow:to_client,established; content:"|3B 20|filename=CostcoForm.zip|0D 0A|"; fast_pattern:only; http_header; file_data; content:"CostcoForm.exe"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b20fcfe7d851dfe1f835e60072e53b0a3c54e14d0fc94814ce841be4740f295c/analysis; classtype:trojan-activity; sid:29300; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"rotina=UPDATE&tip=stat&nome="; depth:28; fast_pattern; http_client_body; content:"&tmp="; distance:0; http_client_body; content:"&stat="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6fdd7c0630ea89a58cdc1f3fb74bf5a99732bd5649a39411868bf71e90cfdc84/analysis/1389362066/; classtype:trojan-activity; sid:29349; rev:1;)
|
|
# alert tcp $EXTERNAL_NET [777,778] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper inbound encrypted traffic"; flow:to_client,established; isdataat:9; isdataat:!20; content:"|05 29 00 00 00 05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29378; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic - potential exfiltration"; flow:to_server,established; isdataat:1440; content:"|03 2B 82 86 02 A0 05|"; fast_pattern:only; metadata:ruleset community; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29379; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [777,778] (msg:"MALWARE-CNC Win.Trojan.Dropper outbound encrypted traffic"; flow:to_server,established; isdataat:4; isdataat:!5; content:"|05 29 00 00 00|"; fast_pattern:only; metadata:ruleset community; reference:url,www.virustotal.com/en/file/20b49af8b750a1899117827476402ccaf7095fb5b7aad2e96c8109290da453cb/analysis/; reference:url,www.virustotal.com/en/file/559e8dbe388c8c103996b208eb5532e295da717f84b4a7ddf5c9885de8115606/analysis/; classtype:trojan-activity; sid:29380; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"FILE-IDENTIFY Adobe AIR file download request"; flow:to_server,established; content:".air"; fast_pattern:only; http_uri; pcre:"/\x2eair([\?\x5c\x2f]|$)/smiU"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:29384; rev:14;)
|
|
alert tcp $EXTERNAL_NET [110,143] -> $HOME_NET any (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_client,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service imap, service pop3; classtype:misc-activity; sid:29385; rev:15;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY Adobe AIR file attachment detected"; flow:to_server,established; content:".air"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2eair/i"; flowbits:set,file.zip; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:29386; rev:15;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"NID="; depth:4; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:29395; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip receipt filename download with .exe name within .zip the same"; flow:to_client,established; content:"Receipt"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}receipt[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29396; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip shipping filename download with .exe name within .zip the same"; flow:to_client,established; content:"Shipping"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}shipping[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29397; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip voicemail filename download with .exe name within .zip the same"; flow:to_client,established; content:"voicemail"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}voicemail[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29398; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-SPAM Potential phishing attack - .zip statement filename download with .exe name within .zip the same"; flow:to_client,established; content:"statement"; fast_pattern:only; http_header; content:".zip"; http_header; pcre:"/\sfilename=[a-z0-9]{0,20}statement[a-z0-9]{0,20}\.zip/Hi"; file_data; content:"PK"; depth:2; content:".exe"; within:50; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; classtype:trojan-activity; sid:29399; rev:3;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual L3retriever Ping detected"; icode:0; itype:8; dsize:>32; content:"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; metadata:policy max-detect-ips drop, ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29454; rev:2;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows Ping detected"; icode:0; itype:8; dsize:>32; content:"0123456789abcdefghijklmnopqrstuv"; depth:32; metadata:policy max-detect-ips drop, ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29455; rev:2;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual PING detected"; icode:0; itype:8; fragbits:!M; content:!"ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; depth:32; content:!"0123456789abcdefghijklmnopqrstuv"; depth:32; content:!"EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"; depth:36; content:!"WANG2"; content:!"cacti-monitoring-system"; depth:65; content:!"SolarWinds"; depth:72; metadata:policy max-detect-ips drop, ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29456; rev:3;)
|
|
# alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"PROTOCOL-ICMP Unusual Microsoft Windows 7 Ping detected"; icode:0; itype:8; dsize:>32; content:"abcdefghijklmnopqrstuvwabcdefghi"; depth:32; metadata:policy max-detect-ips drop, ruleset community; reference:url,krebsonsecurity.com/2014/01/a-closer-look-at-the-target-malware-part-ii/; reference:url,krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware/; classtype:successful-recon-limited; sid:29457; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Fexel variant outbound connection"; flow:to_server,established; content:"|0A|Agtid|3A 20|"; content:"08x|0D 0A|"; within:5; distance:8; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b33ffbec01b43301edd9db42a59dcd33dd45f638733e2f92f0cb5bfe86714734/analysis/; classtype:trojan-activity; sid:29459; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Backdoor.Shellbot outbound connection"; flow:to_server,established; content:"JOIN|20|#vnc|0A|"; depth:10; content:"PRIVMSG|20|#vnc|20 3A|"; within:14; content:"status checking program online"; within:30; distance:7; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/en/file/8eb6c4a844cbfe98db78aef08a634c460c7c9f7d576b62444114306effb4023d/analysis/1390763713/; classtype:trojan-activity; sid:29569; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DomaIQ variant outbound connection"; flow:to_server,established; content:"/trace/Start HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"/debug/Version/"; depth:15; http_uri; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1546/6325/0/html#network; reference:url,www.virustotal.com/en/file/59795540fc058979c6be02351507330fce8a8d3c6f10cbcd4ee21ab0144b9a7f/analysis/1390421409/; classtype:trojan-activity; sid:29664; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"&bolausado"; fast_pattern:only; http_client_body; content:"rotina="; depth:7; http_client_body; content:"&casa="; distance:0; http_client_body; content:"&idcliente"; distance:0; http_client_body; content:"&outro="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:29665; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Linkup outbound connection"; flow:to_server,established; urilen:20; content:"POST"; http_method; content:"/uplink.php?logo.jpg"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0"; http_header; content:"token="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.emsisoft.com/2014/02/03/malware-analysis-ransomware-linkup-blocks-dns-and-mines-bitcoins/; classtype:trojan-activity; sid:29666; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string MSIE 4.01 - Win.Trojan.Careto"; flow:to_server,established; content:"Mozilla/4.0 |28|compatible|3B| MSIE 4.01|3B| Windows NT|29 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29760; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto outbound connection"; flow:to_server,established; content:"Group|3D|"; http_uri; content:"Install|3D|"; http_uri; content:"Ver|3D|"; http_uri; content:"Ask|3D|"; http_uri; content:"Bn|3D|"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29788; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/ag/plugin.crx"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29789; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/l/af_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29790; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Careto plugin download"; flow:to_server,established; content:"/m/f_l_addon.xpi"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/19e818d0da361c4feedd456fca63d68d4b024fbbd3d9265f606076c7ee72e8f8/analysis/; classtype:trojan-activity; sid:29791; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server, established; content:"/post"; http_uri; content:"User-Agent: something"; fast_pattern:only; http_header; content:"mac="; http_client_body; content:"&t1="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29816; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Jackpos outbound connection"; flow:to_server, established; urilen:10; content:"/post/echo"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/39c13ee490a2c4cf6f3aafe92734edbf2373f25cc6fab8e15cd4cf590f1abdf1/analysis; classtype:trojan-activity; sid:29817; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - TixDll - Win.Trojan.Adload.dyhq"; flow:to_server,established; content:"User-Agent: TixDll|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29824; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Adload.dyhq variant outbound connection"; flow:to_server,established; content:"/get/?ver="; depth:10; http_uri; content:"&aid="; distance:0; http_uri; content:"&hid="; distance:0; http_uri; content:"&rid="; distance:0; http_uri; content:"&data="; distance:0; http_uri; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f5fbdc74afc209f2648490e077a2fcddc402cbc57ababbc2f735aaecde95681b/analysis/; classtype:trojan-activity; sid:29828; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HNAP remote code execution attempt"; flow:established,to_server; urilen:6; content:"/HNAP1"; fast_pattern:only; http_uri; content:"Authorization: Basic YWRtaW46"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%22TheMoon%22+Summary%3A+What+we+know+so+far/17633; classtype:attempted-admin; sid:29829; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"%74%74%63%70%5f%69%70"; http_client_body; pcre:"/%74%74%63%70%5f%69%70%3d.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29830; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-series HNAP TheMoon remote code execution attempt"; flow:established,to_server; content:"/tmUnblock.cgi"; fast_pattern:only; http_uri; content:"ttcp_ip"; http_client_body; pcre:"/ttcp_ip=.*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,isc.sans.edu/diary/Linksys+Worm+%28%22TheMoon%22%29+Captured/17630; classtype:attempted-admin; sid:29831; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbout connection"; flow:to_client,established; content:"filename=|22|full__setup.zip|22 0D 0A|"; fast_pattern:only; http_header; file_data; content:"full__setup.exe"; depth:200; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29862; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pirminay variant outbound connection"; flow:to_server,established; urilen:33; content:"/read/swf/searchProductResult.jsp"; fast_pattern:only; http_uri; content:"cache=cc2="; depth:10; http_cookie; content:"|3B| core="; distance:0; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/5e1a615ddf73b27390d7a3c87a28932761fc1c843e01cd68253e873270bef69d/analysis/1392222514/; classtype:trojan-activity; sid:29863; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Redkit exploit kit payload request"; flow:to_server,established; content:"/download.asp?p="; nocase; http_uri; content:" Java/1."; fast_pattern:only; http_header; pcre:"/\/download\.asp\?p\=\d$/Ui"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.invincea.com/2014/02/ekia-citadel-a-k-a-the-malware-the-popped-fazio-mechanical/; classtype:trojan-activity; sid:29864; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:25.0) Gecko/20100101 Firefox/25.0|0D 0A|Host: "; fast_pattern:only; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8b53c46a7dfbe738c558e653f33fccf2004fc294848eee20903daa556bb3af09/analysis/; classtype:trojan-activity; sid:29865; rev:5;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Napolar phishing attack"; flow:to_client,established; content:"facebook.com.exe"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29869; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Pony HTTP response connection"; flow:to_client,established; content:"Content-Length: 16"; http_header; file_data; content:"STATUS-IMPORT-OK"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/1830/6840/0/html; reference:url,www.virustotal.com/en/file/58762cf6aa8eea5744716986773a2c22ae7412eae634be7bed648c96465bc8ef/analysis/; classtype:trojan-activity; sid:29870; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.WEC variant outbound connection"; flow:to_server,established; isdataat:68; isdataat:!69; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0|0D 0A|Host: checkip.dyndns.org|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/164c792247b2822ab1dce8271a9498d3c9172ff21d36feccf83265ded1be8d0b/analysis/; classtype:trojan-activity; sid:29882; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/gate.php"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; content:!"Accept-Encoding:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29884; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string Updates downloader - Win.Trojan.Upatre"; flow:to_server,established; content:"User-Agent|3A| Updates downloader|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/F167C95A467F584890F39BA2162F1B96E7626F5C575EB151C8E4E00E68F97478/analysis/; classtype:trojan-activity; sid:29887; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Pushdo variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:!"Referer|3A 20|"; http_header; content:"Accept|3A| */*|0D 0A|Accept-Language|3A| en-us|0D 0A|Content-Type|3A| application/octet-stream|0D 0A|Content-Length|3A| "; depth:93; http_header; content:"User-Agent|3A| Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|Host|3A|"; distance:0; fast_pattern:34,20; http_header; content:"Connection|3A| Keep-Alive|0D 0A|Cache-Control|3A| no-cache|0D 0A|"; distance:0; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:29891; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"Content-Length: 166"; content:".php HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|Host: "; fast_pattern:only; content:"v="; depth:2; http_client_body; content:"&c="; within:7; http_client_body; pcre:"/\x3d\x3d$/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:29895; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/prl/el.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b6f44c7466338ea14d1e711491b1d8174ee71e00541759eb18a31f959da521a9/analysis/; reference:url,www.virustotal.com/en/file/de67654959d29ffc5b9ec854d1e9e240ec96090ce8b3f9c3c9b337b7f2a54f8a/analysis/; classtype:trojan-activity; sid:29897; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tiny variant outbound connection"; flow:to_server,established; content:"/ie-error.gif?action=utility"; fast_pattern:only; http_uri; content:"&os="; http_uri; content:"&error="; distance:0; http_uri; content:"&rnd="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d446e176ba2141d0e7ae0799335fdd98f94d5e6b41c88083f4a3d3c04805a721/analysis/; classtype:trojan-activity; sid:29981; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Hello/LightsOut exploit kit payload download attempt"; flow:to_server,established; content:".php?a=dw"; fast_pattern:only; http_uri; pcre:"/\?a=dw[a-z]$/U"; content:" Java/1."; http_header; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2011-1255; reference:cve,2012-1723; reference:cve,2013-1489; reference:url,attack.mitre.org/techniques/T1189; reference:url,blogs.cisco.com/security/watering-hole-attacks-target-energy-sector/; reference:url,jsunpack.jeek.org/?report=2a298ffa14fd2772bd646bd559f610b0c3b51862; reference:url,jsunpack.jeek.org/?report=977b49ea5dc5ef85d8f50d1f1222befee8bf3581; classtype:trojan-activity; sid:30003; rev:6;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"POST"; http_method; content:"/and/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; pcre:"/^[a-z\d\x2f\+\x3d]{10,98}$/Pi"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0baf3197bdb2c665fea0a84db91d3f65171cf6cf9a732fd394ff9f707ddaf682/analysis; classtype:trojan-activity; sid:30068; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"/android/sms/sync.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&iscallhack="; distance:0; http_client_body; content:"&issmshack="; distance:0; http_client_body; content:"&isrecordhack="; distance:0; http_client_body; content:"&isadmin="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30070; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/android/sms/ping.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30071; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.iBanking outbound connection attempt"; flow:to_server,established; urilen:22; content:"/android/sms/index.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|"; http_header; content:"bot_id="; http_client_body; content:"&number=&iccid=&model="; distance:0; http_client_body; content:"&imei="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&control_number="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=3166; reference:url,www.virustotal.com/en/file/38f6fccfc8a31306c0a03cad6908c148e8506fd70ce03165fd89e18113b68e02/analysis/; classtype:trojan-activity; sid:30072; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamut configuration download"; flow:to_server,established; content:"|26|file=SenderClient.conf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dcb60900fcfd4ec83930177b7055fbdbba37f8e217409874be130f9c2e5b78fb/analysis/; classtype:trojan-activity; sid:30087; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:13; content:"/forum/db.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,file-analyzer.net/analysis/2306/8066/0/html#network; reference:url,www.virustotal.com/en/file/009f75196d1df18713d2572e3a797fb6a784a5c6c7dd7d253ba408ed7164c313/analysis/1393271978/; classtype:trojan-activity; sid:30091; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Uroburos usermode-centric client request"; flow:to_server,established; content:"/1/6b-558694705129b01c0"; fast_pattern:only; http_uri; content:"Connection: Keep-Alive|0D 0A|"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,info.baesystemsdetica.com/rs/baesystems/images/snake_whitepaper.pdf; reference:url,public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf; reference:url,www.virustotal.com/en/file/50edc955a6e8e431f5ecebb5b1d3617d3606b8296f838f0f986a929653d289ed/analysis/; classtype:trojan-activity; sid:30191; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:14; content:"/tmp/image.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:!"Accept"; http_header; pcre:"/^[a-z\d\x2b\x2f\x3d]{48,256}$/iP"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0fb9613582fd025b6fd14dcd003973c676db3798b733851a6b37ef6b0bc5f3be/analysis; classtype:trojan-activity; sid:30196; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".xpg.com.br|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d28a89d789d51b30730a43ef903bc0fbb58e7014e9d55fbb2e42fd640fee1eac/analysis/; classtype:trojan-activity; sid:30198; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound payload request"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(?:\/\d)?\/1[34]\d{8}(?:\/\d{9,10})?(?:\/\d)+[^a-zA-Z]{1,6}$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30220; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"|0D 0A|User-Agent: Mozilla/5.0 (Windows|3B| U|3B| Windows NT 6.1|3B| pt-BR|3B| rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5|0D 0A 0D 0A|"; fast_pattern:only; content:"|0D 0A|Accept-Encoding: gzip,deflate, identity|0D 0A|"; http_header; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9ce3d15cbb5bc8cd42570f44ab4eb8f6332c5d0f28291d295883bf2923c01d4b/analysis/; classtype:trojan-activity; sid:30234; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 6|0D 0A|"; http_header; file_data; content:"BRASIL"; depth:6; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30255; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Strictor HTTP Response - Non-Brazil Geolocated Infected User"; flow:to_client,established; content:"Content-Length: 13|0D 0A|"; http_header; file_data; content:"INTERNACIONAL"; depth:13; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4b6a4211191c8115a3bce64897159127dabcef0fbf6268007cb223dfa0870b60/analysis/; classtype:trojan-activity; sid:30256; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ExplorerHijack variant outbound connection"; flow:to_server,established; urilen:12; content:"/eh.html HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/29c3af334ce712ff66985f3584ad0af53ab16c2968ca41f06b900d703a27064e/analysis/1393266939/; reference:url,www.virustotal.com/en/file/5c2689920192836b3788a15f856ba311b54976a0a75016cbf0ae9a85d5a21d76/analysis/; classtype:trojan-activity; sid:30257; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/forumdisplay.php?fid="; fast_pattern:only; http_uri; content:"id="; depth:3; http_client_body; content:"&iv="; within:4; distance:36; http_client_body; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/52906104fa7cf93bbaba9ac9c6c5ffb8c72799e14248045e467c6568926cb494/analysis/1386078525/; reference:url,www.virustotal.com/en/file/5a9cd53f13825e17107d6b9f81ebe4013f3abf23429d9735c7258d43c101b71f/analysis/; classtype:trojan-activity; sid:30258; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Strictor variant outbound connection"; flow:to_server,established; content:"/20"; depth:3; http_uri; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".inf"; nocase; http_uri; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/143756537dfb4964c04d874fd16366ef384bdb4f64a739db019fa9b947b821a1/analysis/1395684118/; classtype:trojan-activity; sid:30259; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gcs?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30260; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Lucky Leap Adware outbound connection"; flow:to_server,established; content:"/gdi?alpha="; fast_pattern:only; http_uri; content:"|0D 0A|Cache-Control: no-store,no-cache|0D 0A|Pragma: no-cache|0D 0A|Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"Accept"; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/43c6fb02baf800b3ab3d8f35167c37dced8ef3244691e70499a7a9243068c016/analysis/1395425759/; classtype:trojan-activity; sid:30261; rev:8;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"lista"; http_uri; content:"|3B| name=|22|arquivo|22 3B| filename=|22|C:|5C|"; fast_pattern:only; http_client_body; content:".log|22 0D 0A|"; nocase; http_client_body; content:!"Accept-"; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c70ca3914e44cf574f50019892916ed910d7454cdb64b4eab403961c953fe44e/analysis/1395407305/; classtype:trojan-activity; sid:30262; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"MALWARE-CNC Win.Trojan.Glupteba.M initial outbound connection"; flow:to_server,established; content:"/stat?"; content:"uptime="; content:"&downlink="; distance:0; content:"&uplink="; distance:0; content:"&id="; distance:0; content:"&statpass=bpass"; distance:0; fast_pattern; content:"&version="; distance:0; content:"&features="; distance:0; content:"&guid="; distance:0; content:"&comment="; distance:0; content:"&p="; distance:0; content:"&s="; distance:0; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30288; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Goon/Infinity exploit kit malicious portable executable file request"; flow:to_server,established; content:".mp3?rnd="; fast_pattern:only; http_uri; pcre:"/\/\d+\.mp3\?rnd=\d+$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30319; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Calfbot outbound connection"; flow:to_server,established; content:"/b/index.php?id="; fast_pattern:only; http_uri; content:"&sent="; http_uri; content:"¬sent="; distance:0; http_uri; content:"&stat="; distance:0; http_uri; metadata:ruleset community, service http; reference:url,www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf; classtype:trojan-activity; sid:30336; rev:2;)
|
|
alert tcp $EXTERNAL_NET 1600:1604 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik inbound connection"; flow:to_client,established; content:"E|00|N|00|D|00|S|00|E|00|R|00|V|00|E|00|R|00|B|00|U|00|F|00|F|00|E|00|R|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30482; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; content:"GET /123456789.functionss"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30483; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1600:1604 (msg:"MALWARE-CNC Win.Trojan.Zbot/Bublik outbound connection"; flow:to_server,established; isdataat:!19; content:"myversion|7C|"; fast_pattern:only; pcre:"/myversion\x7c(\d\x2e){3}\d\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,isc.sans.edu/forums/diary/Malicious+PDF+sent+in+massive+scam+to+Colombian+users+claiming+to+be+from+Credit+score+agency/17875; reference:url,www.virustotal.com/en/file/bbc1a8b0892785c75f0f44d9414e424ed03cefbf951ed20eaae50031670c8a96/analysis/; classtype:trojan-activity; sid:30484; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:8;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; content:"|02|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:11;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; content:"|02|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:11;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; content:"|02|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:11;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; content:"|02|"; within:1; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 00|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30520; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 01|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30521; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 02|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30522; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt - vulnerable client response"; flow:to_server,established,only_stream; content:"|18 03 03|"; depth:3; byte_test:2,>,128,3; detection_filter:track by_dst, count 2, seconds 5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30523; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30524; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [21,25,443,465,636,992,993,995,2484] (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; isdataat:68; isdataat:!69; content:"|18 03 03 00 40|"; depth:5; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30525; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ramdo variant outbound connection"; flow:to_server,established; urilen:1; content:"POST"; http_method; content:".org|0D 0A|Content-Length|3A| 128|0D 0A|Cache-Control|3A| no-cache|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:!"User-Agent|3A|"; http_header; content:!"Accept|3A|"; http_header; pcre:"/^Host\x3a\s[a-z]{16}\.org\x0d/Hm"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blogs.technet.com/b/mmpc/archive/2014/04/08/msrt-april-2014-ramdo.aspx; classtype:trojan-activity; sid:30547; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"POST"; http_method; content:"/write"; http_uri; content:"Host: default|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwaremustdie.org/2014/03/a-post-to-sting-zeus-p2pgameover-crooks.html; reference:url,www.virustotal.com/en/file/7647eec6ae87c203085fe433f25c78f415baf31d01ee8aa31241241712b46a0d/analysis/; classtype:trojan-activity; sid:30548; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL Heartbleed masscan access exploitation attempt"; flow:to_server,established; content:"[masscan/1.0]"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30549; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Minerd"; flow:to_server,established; urilen:>10; content:"/minerd.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; classtype:trojan-activity; sid:30551; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Malicious BitCoiner Miner download - Win.Trojan.Systema"; flow:to_server,established; urilen:20; content:"/aviatic/systema.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/583b585078f37f5d399a228f1b8021ca0a9e904a55792281048bae9cfe0e95c1/analysis/; reference:url,www.virustotal.com/en/file/e8bd297b1f59b7ea11db7d90e81002469a8f054f79638a57332ac448d819fb5d/analysis/; classtype:trojan-activity; sid:30552; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 10991 (msg:"MALWARE-CNC Linux.Trojan.Elknot outbound connection"; flow:to_server,established; isdataat:400; isdataat:!401; content:"Linux|20|"; depth:6; offset:17; pcre:"/Linux\x20\d\.[0-9]{1,2}\.[0-9]{1,2}/"; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/13f13f4e214c2755235ba36643e4ab08d4ea679da008397b7a540e0d45e70ab2/analysis/; classtype:trojan-activity; sid:30566; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"pdf_efax_"; fast_pattern:only; content:"PK"; depth:2; content:".pif"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30567; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Trojan.Agent E-FAX phishing attempt"; flow:to_server,established; content:"/cache/pdf_efax_"; fast_pattern:only; http_uri; pcre:"/\/cache\/pdf\x5Fefax\x5F\d{8,15}\.zip$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/4e102fd6fce767fa6c0d0a9871bb71ec5969ded694a9292c2c8a9749e5648ed4/analysis/; classtype:trojan-activity; sid:30568; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Agent Funeral ceremony phishing attempt"; flow:to_client,established; content:"filename=FuneralCeremony_"; fast_pattern:only; http_header; content:".zip"; nocase; http_header; file_data; content:"FuneralCeremony_"; content:".exe"; distance:0; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.virustotal.com/en/file/285ec7e2f8cbaed5d8cebde56bb6d44a921eb4e8384981832822329d8ccfb125/analysis/1395241815/; classtype:trojan-activity; sid:30569; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:6; content:"/webhp HTTP/1.1|0D 0A|Accept: */*|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/4.0 ("; fast_pattern:only; content:"|3B| MSIE "; http_header; content:"google."; http_header; content:!"Accept-"; http_header; content:"PREF="; depth:5; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/2f2e20d92f7551fccae73bba64d25dd1f18a4018fffd30bdb1f9fb6280182bd0/analysis/1396537812/; reference:url,www.virustotal.com/en/file/b268cba8515040055d866fb9e29d7fe2bc087f205711cdbad3e4b1bde7be2d75/analysis/ reference:url,www.virustotal.com/en/file/ef4e0ccc49decb41f213a20f61d92374c3b97497105d7c20e7284f65055d2ccb/analysis/; classtype:trojan-activity; sid:30570; rev:3;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30777; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30778; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30779; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30780; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30781; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30782; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|16 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30783; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|17 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; fast_pattern; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30784; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; byte_jump:2,0,relative; content:"|18 03 00|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30785; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; byte_jump:2,0,relative; content:"|18 03 01|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30786; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; byte_jump:2,0,relative; content:"|18 03 02|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30787; rev:4;)
|
|
alert tcp $HOME_NET [21,25,443,465,636,992,993,995,2484] -> $EXTERNAL_NET any (msg:"SERVER-OTHER OpenSSL TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; byte_jump:2,0,relative; content:"|18 03 03|"; within:3; byte_test:2,>,128,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30788; rev:4;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30906; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OTHER RARLAB WinRAR ZIP format filename spoof attempt"; flow:to_server,established; flowbits:isset,file.zip; file_data; content:"|50 4B 03 04|"; depth:4; content:"|00 00|"; within:2; distance:24; content:".exe"; within:64; flowbits:set,file.zip.winrar.spoof; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service smtp; reference:bugtraq,66383; reference:url,an7isec.blogspot.co.il/2014/03/winrar-file-extension-spoofing-0day.html; classtype:attempted-user; sid:30909; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 10.0|3B| Windows NT 6.2|3B| Trident/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30914; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpySmall variant outbound connection"; flow:to_server,established; content:"|3E 00|e|00|c|00|h|00|o|00 20 00|c|00|m|00|d|00 5F 00|b|00|e|00|g|00|i|00|n|00|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/df51eccf430ac391d09817d003977b4ea6af36117ce3aaee2fa0ebf04505c0d2/analysis/; classtype:trojan-activity; sid:30915; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent User-Agent Mozilla"; flow:to_server,established; content:"User-Agent: User-Agent: Mozilla/"; fast_pattern:only; http_header; content:!"Accept"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/D67B6706559C5F7AB97CC788E668E27A29B7D2D39C9ACA93AF73778E53993339/analysis/; classtype:trojan-activity; sid:30918; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/js/prototype/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:30919; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Multiple exploit kit redirection gate"; flow:to_server,established; urilen:72; content:"POST"; http_method; content:".php?q="; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{32}\.php\?q=[a-f0-9]{32}$/U"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30920; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Hikit outbound banner response"; flow:to_client,established; content:"|5D 00 20 00|h|00|i|00|k|00|i|00|t|00|>|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http, service ssl; reference:url,www.virustotal.com/en/file/aa4b2b448a5e246888304be51ef9a65a11a53bab7899bc1b56e4fc20e1b1fd9f/analysis/; classtype:trojan-activity; sid:30948; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT CritX exploit kit payload request"; flow:to_server,established; content:"/load"; http_uri; content:".php"; distance:0; http_uri; pcre:"/\/load(?:(?:db|rh|silver|msie|flash|fla[0-9]{4,5}))\.php/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware-traffic-analysis.net/2014/05/29/index.html; classtype:trojan-activity; sid:30973; rev:6;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .doc.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".doc.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30997; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .gif.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".gif.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30998; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpeg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpeg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:30999; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .jpg.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".jpg.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31000; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - .pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:".pdf.exe"; fast_pattern:only; content:"Content-Length:"; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:31001; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/hunter/123/order.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:31020; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php HTTP/1.0|0D 0A|Connection: keep-alive|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Content-Length: 0|0D 0A|Host: "; content:"|0D 0A|Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.9,*/*|3B|q=0.8|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; distance:0; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/726644e5f666b133159e6c2591cdd3bc628bcd335b381b74fcfd2e4db73689af/analysis/; reference:url,www.virustotal.com/en/file/af56f8f97c8872d043a4002daa6331f3b3be296427b0e5d0560fd174e9f59e78/analysis/; classtype:trojan-activity; sid:31036; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadnessPro outbound connection"; flow:to_server,established; content:"/?"; http_uri; content:"uid="; http_uri; content:"&mk="; fast_pattern; http_uri; content:"&os="; http_uri; content:"&rs="; http_uri; content:"&c="; http_uri; content:"&rq="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cylance.com/a-study-in-bots-madness-pro; classtype:trojan-activity; sid:31053; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Necurs outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:15; content:"/docs/index.php"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|application/octet-stream"; http_header; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.virustotal.com/en/file/b47a1bdf5e53f4a754413d2461f7db9a4c7d1e0845c1f676b5399061e3dc1a4b/analysis/; classtype:trojan-activity; sid:31070; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zbot variant outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:11; content:"/srt/ge.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/750d533898f19c606ee9e96ff72c1aa3d830c469f2f564890ebbc38b169eb41b/analysis/1400275398/; classtype:trojan-activity; sid:31084; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - User-Agent hello crazyk"; flow:to_server,established; content:"User-Agent: hello crazyk|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/file/e61acf1cf61938eaa9cfa40e9dcd357f271c17c20218ba895c1f4a/analysis/; classtype:trojan-activity; sid:31090; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos password stealing attempt"; flow:to_server,established; content:"rotina=plogin&login="; fast_pattern:only; http_client_body; content:"&senha="; http_client_body; content:"&casa="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31112; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:")&dt="; fast_pattern:only; http_client_body; content:"pc="; depth:3; http_client_body; content:"&av="; distance:0; http_client_body; content:"&wd="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658; classtype:trojan-activity; sid:31113; rev:2;)
|
|
alert udp $EXTERNAL_NET any -> $HOME_NET [16464,16465,16470,16471] (msg:"MALWARE-CNC Win.Trojan.ZeroAccess inbound connection"; flow:to_server; dsize:16; content:"|28 94 8D AB|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/file/50cdd9f6c5629630c8d8a3a4fe7d929d3c6463b2f9407d9a90703047e7db7ff9/analysis/; classtype:trojan-activity; sid:31136; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/notify.php HTTP/1.0|0D 0A|"; fast_pattern:only; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; content:"Content-Length: 0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31221; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; urilen:17; content:"/second/game1.inf"; fast_pattern:only; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31222; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Necurs variant outbound connection"; flow:to_server,established; urilen:15; content:"/news/index.php HTTP/1.1|0D 0A|Content-Type: application/octet-stream|0D 0A|Host: "; fast_pattern:only; content:!"User-Agent:"; http_header; content:!"Referer:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/565496cb40fc868d233dabfb1e178e8b9042d964cb1e4f5f3386a6db4f1cf30e/analysis/1400509611/; classtype:trojan-activity; sid:31243; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"MALWARE-CNC Win.Trojan.Kuluoz outbound connection"; flow:to_server,established; urilen:43; content:"POST /"; depth:6; content:" HTTP/1.1"; within:9; distance:42; content:"Firefox/"; distance:0; content:!"|0D 0A|Accept-"; pcre:"/^POST\x20\x2f[A-F\d]{42}\x20HTTP/"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/93a40a83977ca24df6e12d7d6f19a9b9d92cb3ea3174ea9d4398ad2048205c42/analysis/; classtype:trojan-activity; sid:31244; rev:4;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Andromeda HTTP proxy response attempt"; flow:to_client,established; file_data; content:"function FindProxyForURL(url, host)"; depth:35; content:"yx0=0|3B|yx1=1|3B|yx2=2|3B|yx3=3|3B|yx4=4|3B|yx5=5|3B|yx6=6|3B|yx7=7|3B|yx8=8|3B|yx9=9|3B|lit=|22 22|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.exposedbotnets.com/2013/06/localmworg-andromeda-http-botnet-hosted.html; classtype:trojan-activity; sid:31260; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi outbound connection"; flow:to_server,established; content:".inf HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip, deflate|0D 0A|User-Agent: Mozilla/"; fast_pattern:only; content:"|3B 20|MSIE|20|"; http_header; pcre:"/\)\r\nHost\x3a\x20[\d\x2e]{7,15}\r\nConnection\x3a\x20Keep\x2dAlive\r\n\r\n$/"; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/c77a679df3b74c622e39ab163fc876cc9d7719f2c2e8cf80beb36c813827d0c7/analysis/; classtype:trojan-activity; sid:31261; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.VBNA variant outbound connection"; flow:to_server,established; content:"/0.gif?"; depth:7; http_uri; content:" HTTP/1.1|0D 0A|Host: sstatic1.histats.com|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NWI5M2QwY2QxZWIwNDU4NDliYjU5NWJmMzc0MzQ2MDE/; reference:url,www.virustotal.com/en/file/0a777870b65d3dc80b56baf77f6d9e342d25a1c7d670077eca14a0f4309f9e26/analysis/; reference:url,www.virustotal.com/en/file/b5a01ce5e2b074f40d86ecca802658a5c998b5bf452f164b1a76f8fa27f53b15/analysis/; classtype:trojan-activity; sid:31262; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_server,established; content:"/publickey/ HTTP/1.1|0D 0A|User-Agent: Wget/1.9|0D 0A|Host: "; fast_pattern:only; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:31293; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"/workers.php?mac="; fast_pattern:only; http_uri; content:"&gpu="; http_uri; content:!"|0D 0A|User-Agent:"; http_header; content:!"|0D 0A|Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0f3243a4645ab4acb88e1e0ee4fa0cb254a88709ce00a193ad6e20faec3243dc/analysis/; classtype:trojan-activity; sid:31295; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSIL variant outbound connection"; flow:to_server,established; content:"/srv2.php?param=1 HTTP/1.1|0D 0A|Host: "; fast_pattern:only; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZDI5NTViMGI2MzZiNDU0MTlhMzNlZDhiZGUwNjFmOGY/; classtype:trojan-activity; sid:31315; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-APACHE Apache Chunked-Encoding worm attempt"; flow:to_server,established; content:"Transfer-Encoding: Chunked"; fast_pattern; nocase; content:"|0D 0A|"; distance:0 ; byte_test:8,>,2147483647,0,string,hex,relative; content:"|20|"; within:9; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,4474; reference:bugtraq,4485; reference:bugtraq,5033; reference:cve,2002-0071; reference:cve,2002-0079; reference:cve,2002-0392; reference:nessus,10932; classtype:web-application-attack; sid:31405; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Injector variant outbound connection"; flow:to_server,established; urilen:4; content:"/re/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; content:"|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/56939273f68158dacc58d4e8d5bb5b0c4c04be89e279651c8f19fa6392f3d837/analysis/; reference:url,www.virustotal.com/en/file/ad40cabf66001087c2e9f548811b17341f63f19f528a3c04a1c9ab9f10b5eff9/analysis/; classtype:trojan-activity; sid:31442; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall downloader attempt"; flow:to_server,established; urilen:<20; content:"User-Agent|3A 20|macrotest|0D 0A|"; fast_pattern:only; http_header; pcre:"/\x2f(css|upload)\x2f[a-z]{2}[0-9]{3}\x2eccs/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e370c1fc6e7e289523fdf2f090edb7885f8d0de1b99be0164dafffeca9914b10/analysis/; classtype:trojan-activity; sid:31449; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:<17; content:"HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Connection: Close|0D 0A|Content-Length: 100|0D 0A|User-Agent: "; fast_pattern:only; content:"="; depth:1; offset:1; http_client_body; pcre:"/[a-z]=[a-f0-9]{98}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a92ae8e80b0b70288a32c0455856453c5980021156132a540035e7ef5e0fa79e/analysis/; classtype:trojan-activity; sid:31450; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?chave=xchave&url|3D 20 3D 7C 3D 20|"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/08e670fd1f7141f219f0bb7f48c179485146e439847a68cdf52b85328b66dd22/analysis/; classtype:trojan-activity; sid:31452; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:" HTTP/1.1|0D 0A|User-Agent: Mozilla/5.0|0D 0A|"; content:"Service Pack "; fast_pattern:only; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31453; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ChoHeap variant outbound connection"; flow:to_server,established; content:".rar HTTP/1.1|0D 0A|Accept: text/*, application/*|0D 0A|User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; content:"|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/0423e10a674fb7e96557eac50b51207709a248df6e06aeeba401ded6157c1298/analysis/; classtype:trojan-activity; sid:31454; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Rig Exploit Kit Outbound DGA Request"; flow:established,to_server; urilen:25<>32; content:".html?0."; depth:11; offset:2; http_uri; pcre:"/\/[a-z]{1,4}\x2ehtml\x3f0\x2e[0-9]{15,}$/U"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.symantec.com/connect/blogs/rig-exploit-kit-used-recent-website-compromise; classtype:trojan-activity; sid:31455; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SDBot variant outbound connection"; flow:to_server,established; urilen:8; content:"/install"; http_uri; content:"argc="; depth:5; http_client_body; content:"&name="; distance:0; http_client_body; content:"&previous="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5682e096bad2d2e75fb09122af272572b23ca5defb70325ab7cdc4c534a68e7d/analysis; classtype:trojan-activity; sid:31458; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"/query?version="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:"&builddate="; distance:0; http_uri; content:"&q="; distance:0; http_uri; content:"&ref="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31465; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm Click Fraud Request"; flow:to_server,established; content:"|0D 0A|builddate:"; fast_pattern:only; http_header; content:"|0D 0A|aid: "; http_header; content:"|0D 0A|redirect: http://"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31466; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:9; content:"/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:31467; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Papras variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/viewforum.php?f="; fast_pattern:only; http_uri; content:"&sid="; http_uri; content:!"Referer:"; http_header; content:!"Cookie:"; http_header; pcre:"/sid=[0-9A-F]{32}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9e548d9a37c46423680e324b31204197babc45ddc05835afa772fde8627e72b2/analysis/; classtype:trojan-activity; sid:31468; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.HW32 variant spam attempt"; flow:to_server, established; content:"MAIL FROM: <Reademal.com>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/e69b310dff09830641d4b9682375ce3df503674d23c429bd7847979ea9250b2b/analysis/; classtype:trojan-activity; sid:31507; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/index.php?email=libpurple_XMPP"; fast_pattern:only; http_uri; content:"&method=post"; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b2b7571ffc6ee27fc716f308d72a3268ffa5f32330ca6349aacc92e6cecb2582/analysis/1406043461/; classtype:trojan-activity; sid:31530; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE MinerDeploy monitor request attempt"; flow:to_server,established; content:"/monitor.php?"; fast_pattern; http_uri; content:"myid="; distance:0; http_uri; content:"&ip="; distance:0; http_uri; content:"&cgminer="; distance:0; http_uri; content:"&operatingsystem="; distance:0; http_uri; content:!"Content-Length|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06033b08afd30b413cce3b9a169cb8396fe34865f3bacd436c652dbb469ced62/analysis/; classtype:trojan-activity; sid:31531; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.SMSSend outbound connection"; flow:to_server,established; content:"sms"; http_uri; content:".ashx?t="; fast_pattern:only; http_uri; content:!"User-Agent|3A 20|"; http_header; content:!"Accept|3A 20|"; http_header; content:!"Content-Type|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a70a62ac920e83bab5e3e38ac8853ca3f45b6022f4d4ca47c9ae5cb9049700bb/analysis/1406724303/; classtype:trojan-activity; sid:31593; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server HELLO request to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"HELLO|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31603; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READD command to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"READD|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31604; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba C&C server READY command to client"; flow:to_client,established; isdataat:5; isdataat:!6; content:"READY|0A|"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31605; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Glupteba payload download request"; flow:to_server,established; content:"/software.php?"; fast_pattern:only; http_uri; content:"Accept|3A| */*"; http_header; content:"User-Agent|3A| Mozilla/4.0 |28|compatible|3B| MSIE 7.0|3B| Windows NT 6.1|3B|"; http_header; pcre:"/\/software\x2ephp\x3f[0-9]{15,}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31606; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Glupteba client response/authenticate to C&C server"; flow:to_server,established; isdataat:14; isdataat:!18; content:"|3A|bpass|0A|"; fast_pattern:only; pcre:"/[0-9A-Z]{8}\x3abpass\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0bcc2bf3cf06952e18c3e1d9860698dbb3ff1644a0389a9756c1b82b66fb2b83/analysis/; classtype:trojan-activity; sid:31607; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; fast_pattern:only; http_header; content:"|0D 0A|Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; http_header; pcre:"/[^\x20-\x7e\r\n]{3}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31641; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Tinybanker variant outbound connection"; flow:to_server,established; urilen:4; content:"/de/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (compatible|3B| MSIE 9.0|3B| Windows NT 6.1|3B| Trident/5.0)|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|Host: "; http_header; content:"Content-Length: 13|0D 0A|Connection: Close|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2014/07/17/tinybanker-trojan-targets-banking-customers/; reference:url,www.virustotal.com/en/file/b88b978d00b9b3a011263f398fa6a21098aba714db14f7e71062ea4a6b2e974e/analysis/; classtype:trojan-activity; sid:31642; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Scarelocker outbound connection"; flow:to_server,established; content:"/api.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Apache-HttpClient|2F|UNAVAILABLE"; http_header; content:"method="; http_client_body; content:"&app_key="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/08/scarepackageknstant.html; reference:url,www.virustotal.com/en/file/ebed6a20738f68787e19eaafc725bc8c76fba6b104e468ddcfb05a4d88a11811/analysis/; classtype:trojan-activity; sid:31644; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; urilen:16; content:"/boydn/boye.html"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31649; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tirabot variant outbound connection"; flow:to_server,established; content:"&string="; fast_pattern:only; http_client_body; content:"key="; depth:4; http_client_body; content:"Content-Type: application/x-www-Form-urlencoded|0D 0A|"; http_header; content:".php"; http_uri; pcre:"/User\x2dAgent\x3a\x20([\x20-\x7e]{3,56})\r\n.*?\r\n\r\nkey\x3d\1\x26string\x3d/ms"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7ea920d297e23cf58e9f00fa3d48e02994253cb4a673bdd6db9a02fa5ab9ffb8/analysis/1407432311/; classtype:trojan-activity; sid:31680; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:12; content:"/support.exe"; fast_pattern:only; http_uri; content:".exe HTTP/1.1|0D 0A|Accept: */*|0D 0A|Accept-Encoding: gzip,deflate,sdch|0D 0A|Host: "; content:") Chrome/"; distance:0; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/adf5d662af390ad3a187a1991e0b463327fb8360fd55a27e6f9961c8a84a47c5/analysis/; classtype:trojan-activity; sid:31681; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur download attempt"; flow:to_server,established; urilen:9; content:"/tmps.exe"; fast_pattern:only; http_uri; content:"Proxy-Authorization: Basic |0D 0A|"; http_header; content:"__cfduid="; depth:9; http_cookie; content:") Chrome/"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31682; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Badur variant outbound connection"; flow:to_server,established; content:"/get/?data="; depth:11; http_uri; content:"User-Agent: win32|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/840b3b76030696b1ce9eccd5ee6d55dd79c0120871094cb9266769c09f03029c/analysis/; classtype:trojan-activity; sid:31683; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft Multiple Products JPEG parser heap overflow attempt"; flow:to_server,established; flowbits:isset,file.jpeg; file_data; content:"|00 10|JFIF"; depth:6; offset:4; pcre:"/^.{0,100}\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/s"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-user; sid:31719; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Banker.Delf variant outbound connection"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/notify.php"; http_uri; content:"Content-Length: 0|0D 0A|"; http_header; content:" HTTP/1.0|0D 0A|"; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/dce2799df1da1ad992d37c78ea586dfd0cf673642ecc56ac464fe7a81a6994ca/analysis/; classtype:trojan-activity; sid:31820; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"dados="; depth:6; http_client_body; content:"&ct="; distance:0; http_client_body; content:"/"; within:1; distance:2; http_client_body; content:"/201"; within:4; distance:2; http_client_body; content:"="; within:1; distance:1; http_client_body; content:"&windows="; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/53ac9c629cf0cc468cfaf77fe4b54f1da7576e0c0327650915b79f9340fa84ff/analysis/; classtype:trojan-activity; sid:31824; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Delf variant HTTP Response"; flow:to_client,established; content:"Content-Length: 201|0D 0A|"; file_data; content:"<meta name=|22|token|22| content=|22 A4|"; depth:29; content:"|A4 22|/>"; within:4; distance:168; pcre:"/^\x3cmeta\x20name\x3d\x22token\x22\x20content\x3d\x22\xa4[A-F\d]{168}\xa4\x22\x2f\x3e$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31826; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Delf variant outbound connection"; flow:to_server,established; content:"/token/token.html HTTP/1.1|0D 0A|User-Agent: "; fast_pattern:only; content:!"Accept"; http_header; content:!"Referer:"; http_header; pcre:"/\)\r\nHost\x3a\x20[a-z\d\x2e\x2d]{6,32}\r\nCache\x2dControl\x3a\x20no\x2dcache\r\n\r\n$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/59e721000aa38a91ed42799e955f9337482c627e0675520aa54dcad068e6e004/analysis/1409846457/; classtype:trojan-activity; sid:31827; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"PASS|20|images|0D 0A|"; flowbits:isset,qlogic_default_ftp; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31830; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"POLICY-OTHER QLogic Switch 5600/5800 default ftp login attempt"; flow:to_server,established; content:"USER|20|images|0D 0A|"; flowbits:set,qlogic_default_ftp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1078; reference:url,filedownloads.qlogic.com/files/Manual/81355/UserGuide_5800V_Series_QuickTools_v80_59264-02B.pdf; reference:url,filedownloads.qlogic.com/files/manual/67941/QuickTools_Guide_Sb5600_Series_v74_59235-03_%5BA%5D.pdf; classtype:default-login-attempt; sid:31831; rev:8;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY JPEG file magic detection"; flow:to_server,established; file_data; content:"|FF D8 FF|"; depth:3; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:31871; rev:11;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/trdpr/trde.html"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/61cbe9b94bca25503c884bb0c9363b95fac6203534e5b23c5887dde91fbd4951/analysis/1384873658/; classtype:trojan-activity; sid:31916; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant HTTP response attempt"; flow:to_client,established; file_data; content:"%set_intercepts%"; fast_pattern:only; content:"%ban_contact%"; content:"%ebaylive%"; content:"%dep_host%"; content:"%relay_soxid%"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31923; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:".php?method="; http_uri; content:"&mode=sox&v="; fast_pattern:only; http_uri; content:" HTTP/1.0|0D 0A|Accept: */*|0D 0A|Connection: close|0D 0A|Host: "; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4c0549384574ae91b68d58d92da3deacfcf714b27fb8d762ce9de8c58990ffb1/analysis/; classtype:trojan-activity; sid:31924; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banker variant outbound connection"; flow:to_server,established; content:"/notify.php"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bf40d710dda1a3ada127d68b34b837eca03a28699cd858cda7d4a3e36690628a/analysis/; classtype:trojan-activity; sid:31964; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit landing page"; flow:to_client,established; file_data; content:"{(new Image).src=|22|/"; content:"%72%6f%72%72%65%6e%6f"; distance:0; fast_pattern; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31965; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|D5 B1 F8 24 89 28 15 47|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31966; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|F2 F7 94 75 16 7E 8E 15|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31967; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit redirection attempt"; flow:to_server,established; urilen:>60,norm; content:"POST"; http_method; pcre:"/\x2f[\w\x2d]*\x2e+$/mU"; content:"Referer|3A 20|"; http_header; content:"x-req|3A 20|"; fast_pattern; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Pragma|3A 20|no-cache|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; metadata:policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31970; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Astrum exploit kit multiple exploit download request"; flow:to_server,established; urilen:>60,norm; content:"GET"; content:".. HTTP/1."; fast_pattern:only; pcre:"/\x2f[\w\x2d]*\x2e\x2e$/mU"; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; flowbits:set,file.exploit_kit.jar&file.exploit_kit.pdf&file.exploit_kit.flash&file.exploit_kit.silverlight; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31971; rev:9;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"EXPLOIT-KIT Astrum exploit kit payload delivery"; flow:to_client,established; flowbits:isset,file.exploit_kit.pe; file_data; content:"|DC C7 5E 47 A0 DB D2 51|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2014/09/astrum-ek.html; classtype:trojan-activity; sid:31972; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chebri variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.php HTTP/1.0|0D 0A|Host: google.com|0D 0A|User-Agent: "; fast_pattern:only; content:"0="; depth:2; http_client_body; content:"Accept-Encoding: none|0D 0A 0D 0A|"; http_header; pcre:"/User\x2dAgent\x3a\x20[A-F\d]{32}\r\n/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db94644fc351fb4a9117b68ab625494daa2ebe36117a8333577d857a7c2d1ec6/analysis/1409853252/; classtype:trojan-activity; sid:31973; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31975; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31976; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:5;)
|
|
alert udp $HOME_NET 67 -> $HOME_NET 68 (msg:"OS-OTHER Malicious DHCP server bash environment variable injection attempt"; flow:stateless; content:"() {"; fast_pattern:only; content:"|02 01 06 00|"; depth:4; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31985; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Install - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Install|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7f419e0093fd2d4892ea6920aaa2c12c95cede9c97cb0a1f096496d4ff93ea/analysis/; classtype:trojan-activity; sid:31990; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Treck - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: Treck|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e295922322324e048657a5b4c0c4c9717a1a127e39ba45a03dc5d4d4bb2e523f/analysis/; classtype:trojan-activity; sid:31991; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Fake Delta Ticket HTTP Response phishing attack"; flow:to_client,established; file_data; content:"PK"; depth:2; content:"DeltaTicket_ET-RM-"; distance:0; nocase; content:".exe"; distance:0; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1192; reference:url,www.satinfo.es/blog/tag/deltaticket_et-rm-0hj423891156-exe; classtype:trojan-activity; sid:32008; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder inbound connection attempt - command"; flow:to_client,established; isdataat:!14; content:"|21 2A 20|SCANNER ON"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32009; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 23 (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound telnet connection attempt"; flow:to_server,established; content:"/bin/busybox|3B|echo -e |27 5C|147|5C|141|5C|171|5C|146|5C|147|5C|164|27 0D 0A|"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service telnet; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32010; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Linux.Backdoor.Flooder outbound connection"; flow:to_server,established; isdataat:9; isdataat:!10; content:"BUILD X86|0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/73b0d95541c84965fa42c3e257bb349957b3be626dec9d55efcc6ebcba6fa489/analysis/; classtype:trojan-activity; sid:32011; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"MAIL"; nocase; content:"FROM|3A|"; distance:0; nocase; pcre:"/^\s*?MAIL\s+?FROM\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32038; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"RCPT"; nocase; content:"TO|3A|"; distance:0; nocase; pcre:"/^\s*?RCPT\s+?TO\x3a[^\r\n]*?\x28\x29\s\x7b/i"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32039; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:stateless; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32041; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $SIP_SERVERS $SIP_PORTS (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; sip_header; content:"() {"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service sip; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32042; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"USER "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32043; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Asprox inbound connection"; flow:to_client,established; content:"Content-Length: 30"; http_header; file_data; content:"|3C|html|3E 3C|body|3E|hi!|3C 2F|body|3E 3C 2F|html|3E|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32065; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:20<>23; content:"/b/pkg/T202"; depth:11; fast_pattern; http_uri; content:"UA-CPU: "; http_header; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fb\x2fpkg\x2fT202[0-9a-z]{10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32066; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Asprox outbound connection"; flow:to_server,established; urilen:46<>51; content:"/x/"; depth:3; fast_pattern; http_uri; content:"UA-CPU: "; content:"Connection: Keep-Alive|0D 0A 0D 0A|"; pcre:"/\x2fx\x2f[0-9a-z]{8,10}\x2f[0-9a-f]{32}\x2fAA\x2f0$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32067; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"PASS "; depth:5; content:"() {"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32069; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot configuration download attempt"; flow:to_server,established; content:"/mod_"; http_uri; content:"/soft"; http_uri; content:".dll"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fsoft(64|32)\x2edll$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32072; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot outbound connection"; flow:to_server,established; content:"/b/shoe/"; fast_pattern:only; http_uri; content:"Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\x2fb\x2fshoe\x2f[0-9]{3,5}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32073; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zemot payload download attempt"; flow:to_server,established; content:"/mod_articles-auth-"; depth:19; fast_pattern; http_uri; content:"/jquery/"; within:8; distance:7; http_uri; content:"Accept: */*|0D 0A|Connection|3A 20|Close|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ba8292eaa47967618c2376afe524736f4fa7eec15ed9cca17abfca692d26fe4/analysis/; classtype:trojan-activity; sid:32074; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/beta/order.php"; fast_pattern:only; http_uri; content:" HTTP/1.1|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|User-Agent: Mozilla/"; content:"|3B 20|MSIE|20|"; distance:0; http_header; content:"|29 0D 0A|Host:"; distance:0; http_header; content:!"Accept"; http_header; content:!"|0D 0A|Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/51540d7c9a4bc2a430bc50c85cf9cec5c6f2bb755e800a3f3575ba34fe5f008c/analysis; classtype:trojan-activity; sid:32130; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [53,80,443,5432] (msg:"MALWARE-CNC WIN.Trojan.Plugx variant outbound connection"; flow:to_server,established; content:"HHV1:"; content:"HHV2:"; within:20; content:"HHV3: 61456"; within:20; fast_pattern; content:"HHV4:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service dns, service http, service ssl; reference:url,virustotal.com/en/file/4d464f9def2276dac15d19ccf049b7c68642290bc0e345e06d4b6e9103fde9e6/analysis/; classtype:trojan-activity; sid:32179; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection incoming attempt"; flow:to_client,established; isdataat:15; isdataat:!16; content:"|85 19 00 00 25 04 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32180; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.ZxShell connection outgoing attempt"; flow:to_server,established; isdataat:15; isdataat:!16; content:"|86 19 00 00 04 01 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/438ed90e1f69b5dcae2d30d241159aaed74f9d3125c60f1003915b2237978f7d/analysis/; classtype:trojan-activity; sid:32181; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Zxshell variant outbound connection"; flow:to_server,established; content:"|20|OS|3A 20|"; content:"|20|CPU|3A|"; distance:0; content:"Hz,RAM|3A|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/547044cb73f1c18ccd92cd28afded37756f749a9338ed7c04306c1de46889d6b/analysis/; classtype:trojan-activity; sid:32192; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Graftor variant outbound connection"; flow:to_server,established; content:"form-data|3B| name=|22|PLUG|22 0D 0A|"; fast_pattern:only; http_client_body; content:"form-data|3B| name=|22|PC|22 0D 0A|"; http_client_body; content:"form-data|3B| name=|22|SEG|22 0D 0A|"; distance:0; http_client_body; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f7215718184d5fa1a2057e5dd714d3cdbd00fe924334ecdd3cd5662c3c284d90/analysis/; classtype:trojan-activity; sid:32196; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Cryptowall variant outbound connection"; flow:to_server,established; urilen:27; content:"/blog-trabajos/n65dj17i1836"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f75b9ed535c3b33ead4da28854f3e8d6e805135679a2352463184acb06ffcaf0/analysis/; classtype:trojan-activity; sid:32225; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"BROWSER-FIREFOX Mozilla 1.0 Javascript arbitrary cookie access attempt"; flow:to_server,established; file_data; content:"javascript|3A|//"; fast_pattern:only; content:"document.cookie"; nocase; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,5293; reference:cve,2002-2314; classtype:attempted-user; sid:32244; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hydraq.variant outbound detected"; flow:to_server,established; content:"/info.xml"; http_uri; content:"Host:"; http_header; content:"update-adobe.com"; within:30; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32250; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-OTHER Sinkhole reply - irc-sinkhole.cert.pl"; flow:to_client,established; content:"|3A|irc|2D|sinkhole|2E|cert|2E|pl"; fast_pattern:only; content:"|3A|End of MOTD command|2E|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:32260; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:" () {"; depth:50; urilen:>0,norm; content:!"HTTP/"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32335; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; content:"() {"; http_cookie; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32336; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-OTHER Bash environment variable injection attempt"; flow:to_server,established; content:"() {"; content:"}"; within:25; pcre:"/^[\w\x2d\x5f]+?\x3a\s*?\x28\x29\s\x7b/mi"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:32366; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GameOverZeus variant outbound connection"; flow:to_server,established; urilen:<10; content:"/update"; http_uri; content:"POST"; http_method; content:"|0D 0A|Accept-Encoding:|0D 0A|Connection: close|0D 0A|Content-Length: "; fast_pattern:only; http_header; content:!"User-Agent:"; http_header; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d866214d1f921028f9001ae399e9f8dec32ec8998c84d20d60a992164888a6fc/analysis; classtype:trojan-activity; sid:32367; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SERVER-OTHER AOL Instant Messenger goaway message buffer overflow attempt"; flow:to_server,established; file_data; content:"aim|3A|goaway?message="; nocase; isdataat:500,relative; pcre:"/\x22aim\x3Agoaway\x3Fmessage\x3D[^\x22]{500}|\x27aim\x3Agoaway\x3Fmessage\x3D[^\x27]{500}|aim\x3Agoaway\x3Fmessage\x3D[^\s]{500}/i"; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:32370; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/and/gate.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/ZmE3ZWU2YTkyM2U0NGQ0MmI1NDcxMjUwZDE2NTM5MjQ/; classtype:trojan-activity; sid:32374; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY bmp file attachment detected"; flow:to_server,established; content:".bmp"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2ebmp/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32378; rev:12;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"FILE-IDENTIFY dib file attachment detected"; flow:to_server,established; content:".dib"; fast_pattern:only; content:"Content-Disposition: attachment|3B|"; content:"filename="; nocase; pcre:"/filename=[^\n]*\x2edib/i"; flowbits:set,file.bmp; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/BMP_file_format; classtype:misc-activity; sid:32380; rev:12;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"EXPLOIT-KIT Nuclear exploit kit outbound structure"; flow:to_server,established; content:"/f/"; depth:3; http_uri; pcre:"/^\/f(\/[^\x2f]+)?\/14\d{8}(\/\d{9,10})?(\/\d)+(\/x[a-f0-9]+(\x3b\d)+?)?$/U"; flowbits:set,file.exploit_kit.pe; metadata:policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:32386; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; urilen:16; content:"/cbrry/cbre.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7c110c2d125a4100322bd9c4328d0a01259cb00a4e3709815711b8b364a58bdd/analysis/1415285838/; classtype:trojan-activity; sid:32583; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"plug=NAO"; fast_pattern:only; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"Content-Length: 8"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malwr.com/analysis/NDUwYTczYzQ0YWMwNGM2Yjk5MDc5YmU4Yjg5MzY5OWY/; reference:url,www.virustotal.com/en/file/d34644047c451081e9332e18600dba25aed42ff76f96fc51cb3eada95ba57e59/analysis/; classtype:trojan-activity; sid:32584; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Geodo variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/4.0 (compatible|3B|MSIE 7.0|3B|Windows NT 6.0)|0D 0A|"; fast_pattern:only; http_header; content:!"Accept-Language:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/330b408173d45365dd6372bc659ebdd54b9eb18b323079da9552c4e3d8e62d1e/analysis/; classtype:trojan-activity; sid:32604; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Worm.Jenxcus variant outbound connection"; flow:to_server,established; content:"/seo.php?username=MAREYOLE&format=ptp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8538cbb2271f90c57f57150d714ec92e59869f52c7060bb2ab1f57ef6757321d/analysis/; classtype:trojan-activity; sid:32605; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sodebral variant outbound connection"; flow:to_server,established; content:"/verifica/index.php?id="; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32606; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"INTERNACIONAL"; depth:13; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32607; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Sodebral HTTP Response attempt"; flow:to_client,established; file_data; isdataat:!193; content:"BRASIL"; depth:6; content:!"Content-Length"; http_header; content:"Transfer-Encoding: chunked"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0290c3900445dc00ca24888924e37fa6ac17ecaddc60591e32b81536b9f5ef7/analysis/; classtype:trojan-activity; sid:32608; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string RUpdate"; flow:to_server,established; content:"User-Agent: RUpdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32645; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Potential malware download - _pdf.exe within .zip file"; flow:to_client,established; flowbits:isset,file.zip; file_data; content:"_pdf.exe"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d68f1d3855543a4732e551e9e4375a2cd85d9ab11a86334f67ad99c5f6990a0/analysis/; classtype:trojan-activity; sid:32646; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/search?btnG="; http_uri; content:"utm="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32665; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Chopstick variant outbound request"; flow:to_server,established; content:"/webhp?rel="; http_uri; content:"hl="; distance:0; http_uri; content:"ai="; distance:0; http_uri; content:!"."; depth:20; http_client_body; content:!"|22|"; depth:20; http_client_body; content:!"|3A|"; depth:20; http_client_body; isdataat:500,relative; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7f6f9645499f5840b59fb59525343045abf91bc57183aae459dca98dc8216965/analysis/; classtype:trojan-activity; sid:32667; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Ch variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/tasks.php"; fast_pattern:only; http_uri; content:"Content-length:"; http_header; content:"Content-type:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3d8f05f45f8335198e5488716be2a9c5cebead7d0321bc371fa475d689ffe658/analysis/; classtype:trojan-activity; sid:32670; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [8000,8080] (msg:"MALWARE-CNC Win.Trojan.Wiper variant outbound connection"; flow:to_server,established; isdataat:41; isdataat:!42; content:"(|00|"; depth:2; content:"|04 00 00 00|"; within:4; distance:36; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/e2ecec43da974db02f624ecadc94baf1d21fd1a5c4990c15863bb9929f781a0a/analysis/; classtype:trojan-activity; sid:32674; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC FIN4 VBA Macro credentials upload attempt"; flow:to_server, established; content:"POST"; http_method; content:"/report.php?msg="; fast_pattern:only; http_uri; content:"&uname="; http_uri; content:"&pword="; http_uri; content:"Content-Length|3A 20|0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/url/536ed7236769b9a5f09b2a31ab138fbad7331108cb65e1f4c77d129df7fb7764/analysis/; classtype:trojan-activity; sid:32776; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/images/view.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32823; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel variant outbound connection"; flow:to_server,established; content:"/txt/read.php"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; content:!"Accept|3A 20|"; http_header; content:!"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32824; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel outbound connection"; flow:to_server,established; content:"/bin/read_i.php?"; http_uri; content:"a1="; http_uri; content:"&a2=step2-down"; fast_pattern:only; http_uri; content:"&a3="; http_uri; content:"&a4="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32825; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Darkhotel data upload attempt"; flow:to_server,established; content:"POST"; http_method; content:"/html/docu.php"; http_uri; content:"User-Agent|3A 20|"; http_header; content:"Media Center PC 6.0"; within:175; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32826; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Darkhotel response connection attempt"; flow:to_client,established; file_data; content:"DEXT87"; pcre:"/DEXT87(no|up|\d+\x2e\d+\x2e\d+\x2e\d+)/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2014/11/darkhotel_kl_07.11.pdf; reference:url,securelist.com/files/2014/11/darkhotelappendixindicators_kl.pdf; classtype:trojan-activity; sid:32827; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - 209.53.113.223"; flow:to_server,established; content:"Host|3A| 209.53.113.223|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32845; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - absolute.com"; flow:to_server,established; content:".absolute.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; pcre:"/^m\d+\.absolute\.com$/Hi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32846; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - bh.namequery.com"; flow:to_server,established; content:"Host|3A| bh.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32847; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - namequery.nettrace.co.za"; flow:to_server,established; content:"Host|3A| namequery.nettrace.co.za|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32848; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search.us.namequery.com"; flow:to_server,established; content:"Host|3A| search.us.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32849; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search2.namequery.com"; flow:to_server,established; content:"Host|3A| search2.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32850; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Absolute Software Computrace outbound connection - search64.namequery.com"; flow:to_server,established; content:"Host|3A| search64.namequery.com|0D 0A|"; fast_pattern:only; http_header; content:"TagId: "; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,absolute.com/support/consumer/technology_computrace; reference:url,attack.mitre.org/techniques/T1014; reference:url,www.blackhat.com/docs/us-14/materials/us-14-Kamlyuk-Kamluk-Computrace-Backdoor-Revisited.pdf; reference:url,www.blackhat.com/presentations/bh-usa-09/ORTEGA/BHUSA09-Ortega-DeactivateRootkit-PAPER.pdf; classtype:misc-activity; sid:32851; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/form.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32852; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poolfiend variant outbound connection"; flow:to_server, established; content:"/11/feed.php"; fast_pattern:only; http_uri; content:"POST"; http_method; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100}/AGPi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/12a803cd2f67d2dbdc3fb1a6940b9a11b61f6d8455f139e6e90893d9a4eb455a/analysis/; classtype:trojan-activity; sid:32853; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Potential Redirect from Compromised WordPress site to Fedex - Spammed Malware Download attempt"; flow:to_server,established; urilen:1; content:"GET"; http_method; content:"/wp-admin/"; fast_pattern:only; http_header; content:"Host: www.fedex.com|0D 0A|"; http_header; pcre:"/Referer\x3a\x20[\x20-\x7E]*?\/wp\x2dadmin\/[a-z\d\x2d]+?\.php\r\n/Hi"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.hybrid-analysis.com/sample/a531bc62b0460eba5b0003b535a2e9cceae0b623aecfdc6f0331743fbee77e56/; classtype:trojan-activity; sid:32888; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft and libpng multiple products PNG large image width overflow attempt"; flow:to_server,established; flowbits:isset,file.png; file_data; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32767,0,relative; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:cve,2007-5503; reference:url,sourceforge.net/p/png-mng/mailman/message/33173462/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-009; classtype:attempted-user; sid:32889; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32911; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|60 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32912; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|4C 4C|"; depth:2; offset:16; content:"|75 14 2A 2A|"; within:4; distance:4; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32913; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 67 80 F2 24 88 10|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32914; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 488 -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32915; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 488 (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper outbound communication attempt"; flow:to_server,established; content:"|65 DB 37 37 37 37 37 37|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32916; rev:2;)
|
|
# alert tcp $EXTERNAL_NET [547,8080,133,117,189,159] -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper inbound communication attempt"; flow:to_client,established; content:"|7B 08 2A 2A|"; offset:17; content:"|08 2A 2A 01 00|"; distance:0; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32917; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-BACKDOOR Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32918; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|C9 06 D9 96 FC 37 23 5A FE F9 40 BA 4C 94 14 98|"; depth:16; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32919; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 64 BA F2 56|"; depth:50; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32920; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|AA 74 BA F2 B9 75|"; depth:74; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32921; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4D 5A 4C 4F 50 51 4C 5A 3F 2D 2F 2F 3F 50 54 3E 3E 3E|"; depth:22; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32922; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D3 C4 D2 D1 CE CF D2 C4 A1 B3 B1 B1 A1 CE CA A0 A0 A0|"; depth:18; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32923; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32924; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20 1F|"; depth:23; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32925; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0C 66 66 66|"; depth:22; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32926; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|09 22 33 30 28 35 2C|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32927; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|13 2F 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32928; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32929; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4F 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4E 67 47 47|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32930; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|D1 CE D2 D5 A1 C9 D5 D5 D1 A1 D3 C4 D0 D4 C4 D2 D5 BE|"; depth:18; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32931; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|17 08 14 13 67 0F 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32932; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper listener download attempt"; flow:to_client,established; file_data; content:"|0C 1F 1F 1F 4F 50 4C 4B 3F 57 4B 4B 4F 3F 4D 5A 4E 4A 5A 4C 4B 20|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32933; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 EA 62 80 F2 B4 88 10|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32934; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-OTHER Win.Trojan.Wiper download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 4E 80 F2 79 88 10|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32935; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tools download attempt"; flow:to_client,established; file_data; content:"|8A 10 80 C2 3A 80 F2 73 88 10|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32936; rev:2;)
|
|
# alert tcp any any -> any any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy communication attempt"; flow:established; content:!"HTTP/1"; content:"|E2 1D 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; within:4; distance:4; metadata:impact_flag red, policy max-detect-ips drop, ruleset community; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32937; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-TOOLS Win.Trojan.Wiper proxy tool download attempt"; flow:to_client,established; file_data; content:"|82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 D1 C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00|"; fast_pattern:only; metadata:impact_flag red, policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,us-cert.gov/ncas/alerts/TA14-353A; classtype:trojan-activity; sid:32938; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Android.CoolReaper.Trojan outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/dmp/api/"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|UAC/1.0.0 (Android "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/94b3d27488d10ec2dd73f39513a6d7845ab50b395d6b3adb614b94f8a8609f0e/analysis/; classtype:trojan-activity; sid:32956; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TinyZBot outbound SOAP connection attempt"; flow:to_server,established; content:"POST"; http_method; urilen:17; content:"/checkupdate.asmx"; fast_pattern:only; http_uri; content:"SOAPAction|3A 20|"; http_header; content:"User-Agent|3A 20|Mozilla/4.0|20 28|compatible|3B 20|MSIE 6.0|3B 20|MS Web Services Client Protocol"; pcre:"/SOAPAction\x3a[^\r\n]*Get(ServerTime|FileList|File)\x22/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32957; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TinyZBot response connection attempt"; flow:to_client, established; file_data; content:"<?xml"; content:"<soap:Body><GetFileListResponse xmlns=|22|http|3A 2F 2F|"; within:70; distance:200; content:"<GetFileListResult><string>[ALL]__"; within:75; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0d1f479842cd5bde4f18ab8c85a099da39e13a4051a7c21334e33d55b6f18d76/analysis/; classtype:trojan-activity; sid:32958; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/feed.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32976; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kuluos variant outbound connection"; flow:to_server, established; content:"POST"; http_method; content:"/w1/form.php"; fast_pattern:only; http_uri; urilen:12; content:!"Connection|3A 20|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/48936d3242ccd9decedf1057b08eacf5f952efeb1b7bb2f354bb02028a361ac2/analysis/; classtype:trojan-activity; sid:32977; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - realupdate - Win.Backdoor.Upatre"; flow:to_server,established; content:"/0/ HTTP/1."; content:"User-Agent: realupdate|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33047; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Medusa variant inbound connection"; flow:to_client,established; isdataat:!509; content:"|00|U|00|n|00|d|00|e|00|r|00 20 00|C|00|o|00|n|00|s|00|t|00|r|00|u|00|c|00|t|00|i|00|o|00|n|00|<|00|/"; content:"|00 22 00 3E 00|w|00|w|00|w|00|.|00|m|00|i|00|c|00|r|00|o|00|s|00|o|00|f|00|t|00 2E 00|c|00|o|00|m|00 3C|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33058; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/bbc_mirror/"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33059; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Medusa variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"CNN_Mirror/EN"; http_uri; content:"search?id="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33060; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Heur variant outbound connection"; flow:to_server, established; content:"GET"; http_method; urilen:17; content:"/01/WindowsUpdate"; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2fb5c3859df3b46cc7e2e2176654cb7e5f739f2bc9faf3e813736b37c6d3b6bc/analysis/; classtype:trojan-activity; sid:33153; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Mazilla/5.0 - Win.Backdoor.Upatre"; flow:to_server,established; content:"User-Agent: Mazilla/5.0|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33207; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"PUA-ADWARE SoftPulse variant HTTP response attempt"; flow:to_client,established; file_data; content:",|22|installerBehavior|22|:{|22|hideOnInstall|22|:"; fast_pattern:only; content:"{|22|time|22|:"; content:"|22|country|22|"; within:30; content:",|22|countryId|22|:"; within:20; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/7aa774bffa2eb38c691774c1cc59e0adf6186da62afc417baa6333670e1e3011/analysis/1421687954/; classtype:trojan-activity; sid:33212; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gamarue variant outbound connection"; flow:to_server,established; urilen:9; content:"POST"; http_method; content:"/2ldr.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/4.0|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/eefe5370b09a32a7b295c136073a8560958c4a58822a7da5b501a10543266c6e/analysis/1421697833/; classtype:trojan-activity; sid:33219; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"HawkEye Keylogger"; fast_pattern:only; content:"Subject: =?utf-8?B"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33220; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?"; fast_pattern; content:"=?=|0D 0A|"; within:150; flowbits:set,hawk.lgr; flowbits:noalert; metadata:policy balanced-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33221; rev:7;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"=0D=0AClipboard"; fast_pattern:only; content:"=0D=0AKeyboard"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33222; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye Keylogger exfiltration attempt - clipboard and screenshot"; flow:to_server,established; flowbits:isset,hawk.lgr; content:"name=screenshot"; fast_pattern:only; pcre:"/name\x3dscreenshot\d+\x2e/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:33223; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Win.Trojan.Blocker variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0 (Windows NT 6.3|3B| WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.114 Safari/537.36|0D 0A|Host: checkip.dyndns.org|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/79b75a8564e2e446789e1890f52c025792de919b63719e02630a70d6ae9a3ca4/analysis/1421439683/; classtype:misc-activity; sid:33224; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Agent.BHHK variant outbound connection"; flow:to_server,established; isdataat:135; isdataat:!136; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 6.0)|0D 0A|Host: windowsupdate.microsoft.com|0D 0A|Connection: Close|0D 0A 0D 0A|"; fast_pattern:only; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cab1fffe7a34b5bb7dab2cacd406cf15628d835ab63502d28df78c2faeaad366/analysis/1421677054/; classtype:trojan-activity; sid:33227; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/form2.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; pcre:"/[a-z\d\x2f\x2b\x3d]{100,300}/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/599dc4c4dae2d12f8c8ea00114c1cbddecbc171c552e7fbe5aba516ef11b08f0/analysis/; classtype:trojan-activity; sid:33228; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Upatre variant outbound connection"; flow:to_server,established; content:"/js/jquery-"; fast_pattern; http_uri; content:".js?"; within:15; distance:1; http_uri; pcre:"/\x2ejs\x3f[a-zA-Z0-9]{9,20}=Mozilla\x2f/UGi"; content:"Referer|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a06565bb9d49aa92084b5bc32cf59d04dc1d60d63827099ca7c14063f54967a/analysis/1421616162/; classtype:trojan-activity; sid:33282; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/r1xpr/r1xe.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4ca26daa7cfb81c8ee05c955f19ef527a9452f2dad3c63674afa7f6796d96f02/analysis/; classtype:trojan-activity; sid:33443; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"/m343ff4ufbnmm4uu4nf34m443frr/"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/66e69ff2c4881a1c95eccd287af3b8db692fd5c9df3caee464f8b4125d46c1a4/analysis/; classtype:trojan-activity; sid:33444; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder IP geolocation checkin attempt"; flow:to_server,established; isdataat:213; isdataat:!214; urilen:1; content:"GET / HTTP/1.1|0D 0A|User-Agent: Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1|3B| SV1|3B| .NET4.0C|3B| .NET4.0E|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.0.4506.2152|3B| .NET CLR 3.5.30729)|0D 0A|Host: ip-addr.es|0D 0A|Cache-Control: no-cache|0D 0A 0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33449; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FileEncoder variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"="; depth:2; http_client_body; content:"Content-Length: 128|0D 0A|"; fast_pattern:only; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; content:"|3B 20|MSIE|20|"; http_header; content:!"Accept-Language:"; http_header; pcre:"/[a-z]\x3d[a-f\d]{126}/P"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/17edf82c40df6c7268191def7cbff6e60e78d7388018408800d42581567f78cf/analysis/; classtype:trojan-activity; sid:33450; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-TOOLBARS Win.Toolbar.Crossrider variant outbound connection"; flow:to_server,established; content:".gif?action="; http_uri; content:"&browser="; distance:0; http_uri; content:"&osbuild="; distance:0; http_uri; content:"&osprod="; distance:0; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/06f3bd3df0326b5c3c5b03070d9d870507b868ee4e1acff62f0d301c43492709/analysis/; classtype:trojan-activity; sid:33452; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter variant outbound connection"; flow:to_server,established; urilen:13; content:"POST"; http_method; content:"/12/index.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| Trident/7.0|3B| rv:11.0) like Gecko|0D 0A|"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/db8952943708f4eefa72ad04ff01bdf9acb33fdd89a5ad98b0ec2649fb116a52/analysis/1422981882/; classtype:trojan-activity; sid:33453; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"GET"; http_method; content:"User-Agent: http://www.pershop.com.br/"; fast_pattern:only; http_header; content:".php"; http_uri; content:!"Referer:"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/609c2c8ab60a30822689a3955fb84f06b5c3962e0d2b894f4794ac8ee5eee2eb/analysis/; classtype:trojan-activity; sid:33457; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - ALIZER"; flow:to_server,established; content:"User-Agent|3A 20|ALIZER|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33519; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zusy inbound CNC response"; flow:to_client,established; file_data; content:"|0A|Array|0A 28 0A 20 20 20 20 5B|"; fast_pattern; content:"] => "; within:20; pcre:"/\x0aArray\x0a\x28\x0a\x20{4}\x5b[a-z\d]{11}\x5d\x20\x3d\x3e\x20\d{16}\x0a\x29/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33520; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zusy variant outbound connection"; flow:to_server,established; content:"&pcname="; fast_pattern:only; http_client_body; content:"hwid="; depth:5; http_client_body; content:"&mode="; within:50; http_client_body; content:"&system="; within:32; http_client_body; content:"&version="; within:60; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/958c004400ca2a736473c68d842cbea9038bde940d1e44fb08cf08c4352c5f55/analysis/; classtype:trojan-activity; sid:33521; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent - DNS Changer"; flow:to_server,established; content:"User-Agent|3A 20|DNS Check|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33522; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"/postinstall.php?"; http_uri; content:"src="; within:5; http_uri; content:"&medium="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33523; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DNSChanger variant outbound connection"; flow:to_server,established; content:"/updateb.xml?"; fast_pattern:only; http_uri; content:"rnd="; http_uri; content:"&spfail="; within:20; http_uri; content:"&guid="; within:15; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2b16bd74ed6cf86938a7108b6a6fa9343ac4f890f0228b964a98c45428cb4e3c/analysis/; reference:url,www.virustotal.com/en/file/e5cbca1c1cca4ce5ef8beddca38869bdb18e089b969171e5ba337aa756371c36/analysis/; classtype:trojan-activity; sid:33524; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Turla outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"?uid="; http_uri; content:"&context="; distance:0; http_uri; content:"&mode=text"; distance:0; fast_pattern; http_uri; content:"&data="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1065; reference:url,www.virustotal.com/en/file/1a488c6824bd39f3568346b2aaf3f6666f41b1d4961a2d77360c7c65c7978b5e/analysis/; classtype:trojan-activity; sid:33547; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check.action?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33646; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"POST"; http_method; content:"/submit.action?username="; http_uri; content:"&password="; within:30; http_uri; content:".tgz"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33647; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler.action?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e8cb63cc050c952c1168965f597105a128b56114835eb7d40bdec964a0e243dc/analysis/; classtype:trojan-activity; sid:33648; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - Google Omaha - Win.Trojan.ExtenBro"; flow:to_server,established; content:"User-Agent: Google Omaha|0D 0A|"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/34a3667846bbdea8dc92150e6766e3bac129a2b5fd4856c6f1512e794b90f23d/analysis/; classtype:trojan-activity; sid:33649; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Tinba outbound connection"; flow:to_server,established; content:"POST"; http_method; urilen:9; content:"/preview/"; http_uri; content:"Content-Length: 157|0D 0A|"; http_header; content:!"User-Agent|3A 20|"; http_header; content:"|00 80 00 00 00|"; depth:5; offset:24; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8eb2c85abe7acee219e344ae0592a2b1c159bdafa037be39ac062bdaeeb1f621/analysis/; classtype:trojan-activity; sid:33650; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Babar outbound connection"; flow:to_server,established; content:"/bb/index.php"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSI 6.0|3B|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c72a055b677cd9e5e2b2dcbba520425d023d906e6ee609b79c643d9034938ebf/analysis/; classtype:trojan-activity; sid:33677; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FannyWorm outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B|)|0D 0A|"; fast_pattern:only; http_header; content:"/ads/QueryRecord"; http_uri; content:".html"; within:25; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/003315b0aea2fcb9f77d29223dd8947d0e6792b3a0227e054be8eb2a11f443d9/analysis/; classtype:trojan-activity; sid:33678; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IMAGE Microsoft emf file download request"; flow:to_server,established; flowbits:isset,file.emf; file_data; content:" EMF"; depth:4; offset:40; metadata:policy max-detect-ips drop, ruleset community, service smtp; reference:bugtraq,10120; reference:bugtraq,28819; reference:bugtraq,9707; reference:cve,2003-0906; reference:cve,2007-5746; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-011; reference:url,technet.microsoft.com/en-us/security/bulletin/MS04-032; reference:url,technet.microsoft.com/en-us/security/bulletin/MS05-053; reference:url,technet.microsoft.com/en-us/security/bulletin/MS06-001; classtype:misc-activity; sid:33740; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/install.ashx?id="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33815; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Adware Goobzo/CrossRider variant outbound connection"; flow:to_server,established; content:"/ping.ashx?action="; fast_pattern:only; http_uri; content:"&usid="; http_uri; content:"&aff="; distance:0; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bace69ffe133e7693b3b77994a3c81e990288ca4b642cffe12938d705c7019df/analysis/; classtype:misc-activity; sid:33816; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Egamipload variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/service/related?sector="; fast_pattern:only; http_uri; content:"Mozilla|2F|4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 5.1|3B| Trident/4.0)"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/50d7dab7095d5b84a6ccb11769d82cc105b519d84ab7aef4d540ed3703ae3e45/analysis/; classtype:trojan-activity; sid:33822; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"OS-WINDOWS Microsoft Windows SMB NTLM NULL session attempt"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:9; offset:4; content:"|00 00|"; within:2; distance:13; content:"|FF|"; within:1; distance:9; content:"NTLMSSP|00 03 00 00 00|"; within:100; content:"|00 00 00 00 40 00 00 00|"; within:8; distance:24; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:bugtraq,1163; reference:cve,2000-0347; classtype:attempted-recon; sid:33825; rev:7;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla"; http_header; content:" Loader|0D 0A|"; within:150; fast_pattern; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33833; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" Pi/3.1415926|0D 0A|"; within:150; fast_pattern; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33834; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent adware OutBrowse/Amonitize"; flow:to_server,established; content:"User-Agent|3A 20|"; http_header; content:" in my heart of heart.|0D 0A|"; within:150; fast_pattern; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:trojan-activity; sid:33835; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; fast_pattern:only; http_header; content:"uid="; depth:4; http_client_body; content:"&uinfo="; within:26; http_client_body; content:"&win="; distance:0; http_client_body; content:"&bits="; within:6; distance:3; http_client_body; content:"&build="; within:20; distance:8; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33851; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Poseidon outbound connection"; flow:established,to_server; content:"Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Windows NT 6.1|3B| Trident/4.0|3B| SLCC2|3B| .NET CLR 2.0.50727|3B| .NET CLR 3.5.30729|3B| .NET CLR 3.0.30729|3B| Media Center PC 6.0)"; http_header; content:"oprat="; depth:6; http_client_body; content:"&uinfo="; within:10; distance:23; http_client_body; content:"&win="; distance:0; http_client_body; content:"&vers="; within:6; distance:3; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.cisco.com/security/talos/poseidon; classtype:trojan-activity; sid:33852; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Gh0st variant outbound connection"; flow:to_server,established; content:"KrisR"; depth:5; content:"|00 00 00|"; within:3; distance:1; content:"|00 00 78 9C|"; within:4; distance:2; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/a4fd37b8b9eabd0bfda7293acbb1b6c9f97f8cc3042f3f78ad2b11816e1f9a59/analysis/1425053730/; classtype:trojan-activity; sid:33885; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.VBPasswordStealer variant outbound connection"; flow:to_server,established; content:"/index.php?"; http_uri; content:"action=add"; fast_pattern; http_uri; content:"&username="; distance:0; http_uri; content:"&password="; distance:0; http_uri; content:"&app="; distance:0; http_uri; content:"&pcname="; distance:0; http_uri; content:"&sitename="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4f0988ac590d52b97b1a162f5ee098c38f6e640be783a511049d8e5006cac011/analysis/; classtype:trojan-activity; sid:34047; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix precheck stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=prechecking"; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34119; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix fetch offers stage outbound connection"; flow:to_server,established; content:"/installer_gate_client.php?"; fast_pattern:only; http_uri; content:"download_id="; http_uri; content:"&mode=getcombo"; distance:0; http_uri; content:"&offers="; distance:0; http_uri; content:!"Accept"; http_header; content:!"Connection"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34120; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting binary installation stage status"; flow:to_server,established; content:"POST"; http_method; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; offset:1; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|machine_ID|22|"; distance:0; http_client_body; content:"|22|result|22|"; distance:0; http_client_body; content:"|22|failure_reason|22|"; distance:0; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34121; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE InstallMetrix reporting fetch offers stage status"; flow:to_server,established; content:"/report.php?"; http_uri; content:"download_id="; distance:0; http_uri; content:"&mode="; distance:0; http_uri; content:"&combo_id="; distance:0; http_uri; content:"&os_name="; distance:0; http_uri; content:"&os_add="; distance:0; http_uri; content:"&os_build="; distance:0; http_uri; content:"&proj_id="; distance:0; http_uri; content:"&offer_id="; distance:0; http_uri; content:!"Connection"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d99db4f7f047cbf672eb19ea2e492a45d948338c0f10ef4761db3b9e372ba90e/analysis/1426449298/; classtype:misc-activity; sid:34122; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE User-Agent Vitruvian"; flow:to_server,established; content:"User-Agent|3A 20|Vitruvian"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34125; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"hid="; http_uri; content:"&sid="; distance:0; http_uri; content:"&tr="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&adm="; distance:0; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34126; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Vitruvian outbound connection"; flow:to_server,established; content:"/inst?"; http_uri; content:"sid="; http_uri; content:"&st="; distance:0; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Win32|3B| WinHttp.WinHttpRequest."; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a59f0e717dc530814dea3fdf65597faaad90ed8bfe3c8b8f6cea0e708049a784/analysis/1426449345/; classtype:misc-activity; sid:34127; rev:2;)
|
|
alert tcp $EXTERNAL_NET 1433 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Banload variant MSSQL response"; flow:to_client,established; content:"|0B|m|00|a|00|c|00|a|00|v|00|e|00|r|00|d|00|e|00|m|00|2|00 06|m|00|a|00|s|00|t|00|e|00|r|00|"; fast_pattern:only; content:"|08|D|00|B|00|S|00|Q|00|0|00|0|00|1|00|7|00|"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/22ccd94c7e99a17753218708cea1abe162d289b7a0105c3be9620bf224f36f3f/analysis/; classtype:trojan-activity; sid:34136; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SearchProtect user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|SearchProtect|3B|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/cbddccb934d302497ac60f924088034a1852c378cc51df20c2e53b401ffc4651/analysis/; classtype:misc-activity; sid:34137; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dyre publickey outbound connection"; flow:to_client,established; content:"|00 DE C5 45 99 14 1E F5 7E 56 78 DF 23 CE 8A 12|"; fast_pattern:only; content:"LvtfOWStYYHNbdiE15aNsOyg"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,phishme.com/project-dyre-new-rat-slurps-bank-credentials-bypasses-ssl; reference:url,www.virustotal.com/en/file/417c9cd7c8abbd7bbddfc313c9f153758fd11bda47f754b9c59bc308d808c486/analysis/; classtype:trojan-activity; sid:34140; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer installation status"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|event_type|22|"; depth:15; offset:1; http_client_body; content:"|22|installation_session_id|22|"; within:100; http_client_body; content:"|22|environment|22|"; distance:0; http_client_body; content:"|22|command_line|22|"; distance:0; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34144; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer encrypted data transmission"; flow:to_server,established; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; fast_pattern:only; http_header; content:"|22|encryptedKey|22|"; depth:20; offset:1; http_client_body; content:"|22|encryptedData|22|"; distance:0; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34145; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE SuperOptimizer geolocation request"; flow:to_server,established; content:"/ip/?client=sp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|NSIS_Inetc (Mozilla)|0D 0A|"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1df4d1f316bd526e56b5fa0f84704bac365484c049e6a7c76145cb45e5e32049/analysis/1426449377/; classtype:misc-activity; sid:34146; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo outbound connection"; flow:to_server,established; urilen:30<>65; content:"/atJs/v"; fast_pattern; http_uri; content:"/Client/"; within:8; distance:1; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34236; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Eorezo get advertisement"; flow:to_server,established; content:"/cgi-bin/advert/getads.cgi?"; http_uri; content:"did="; distance:0; http_uri; content:"User-Agent|3A 20|mpck_"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a31d47e5d6885c32cad2fb5799033982e7f9d070ed350cd2025dd8594d067651/analysis/1426449407/; classtype:misc-activity; sid:34237; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/check?iid="; http_uri; content:"&kernel="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34261; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:>100; content:"/compiler?iid="; http_uri; content:"&username="; within:10; distance:32; http_uri; content:"&password="; within:30; distance:1; http_uri; content:"&kernel="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34262; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.XORDDoS outbound connection"; flow:to_server,established; urilen:<64; content:"/upload/module"; http_uri; content:"build.tgz"; within:9; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/92a260d856e00056469fb26f5305a37f6ab443d735d1476281b053b10b3c4f86/analysis/; classtype:trojan-activity; sid:34263; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"SERVER-WEBAPP vBulletin XSS redirect attempt"; flow:to_server,established; content:"/misc.php?v="; http_uri; content:"&js=js"; within:12; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/url/6a7664105f1f144930f51e71dd0fec728607b4c9e33037d376cd7bf8351273a9/analysis/1430224991/; classtype:web-application-attack; sid:34287; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraken outbound connection"; flow:to_server,established; content:"/idcontact.php?"; http_uri; content:"&steam="; within:35; http_uri; content:"&origin="; within:10; http_uri; content:"&webnavig="; within:12; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,itsjack.cc/blog/2015/02/krakenhttp-not-sinking-my-ship-part-1; reference:url,www.virustotal.com/en/file/27fa65a3166def75feb75f8feb25dd9784b8f2518c73defcc4ed3e9f46868e76/analysis/; classtype:trojan-activity; sid:34292; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/get_status.php?name="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34307; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/products/fupdates.php?"; http_uri; content:"account="; distance:0; http_uri; content:"&name="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34308; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/products/file_order"; http_uri; content:".php?"; within:8; http_uri; content:"name="; distance:0; http_uri; content:"&path="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34309; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/add_user.php?name="; http_uri; content:"&user="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34310; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/"; http_uri; content:"_flash"; within:12; http_uri; content:".php?"; within:15; http_uri; content:"name="; distance:0; http_uri; content:"&serial="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34311; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/get_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34312; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/add_tree.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&date="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34313; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/new/all_file_info1.php?"; http_uri; content:"name="; distance:0; http_uri; content:"&user="; distance:0; http_uri; content:"&file="; distance:0; http_uri; content:"&type="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34314; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/flupdate/"; http_uri; content:".html"; within:7; http_uri; pcre:"/\/flupdate\/\d\.html/iU"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34315; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/gget_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34316; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.DesertFalcon variant outbound connection"; flow:to_server,established; content:"/aadd_rtemp.php?n="; fast_pattern:only; http_uri; content:"User-Agent|3A 20|SK"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/015fbc0b216d197136df8692b354bf2fc7bd6eb243e73283d861a4dbbb81a751/analysis/; classtype:trojan-activity; sid:34317; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryptoWall variant outbound connection"; flow:to_server,established; urilen:<130; content:".php?"; nocase; http_uri; content:"|3D|"; within:1; distance:1; http_uri; content:"Cache-Control: no-cache|0D 0A 0D 0A|"; nocase; http_header; content:!"|0D 0A|Accept-"; http_header; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|"; fast_pattern:only; http_header; content:"|3D|"; depth:2; offset:1; http_client_body; pcre:"/^[a-z]\x3d[a-f\d]{80,140}$/Pi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d14f1d1e07bd116ed0faf5896438177f36a05adacf5af4f32910e313e9c1fd93/analysis/; classtype:trojan-activity; sid:34318; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magento remote code execution attempt"; flow:to_server,established; content:"/Adminhtml_"; http_uri; content:"forwarded="; distance:0; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2015-1398; classtype:attempted-admin; sid:34365; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Beebone outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B| SV1)|0D 0A|"; fast_pattern:only; content:"GET"; pcre:"/GET \/[a-z]{8,12}\?[a-z] HTTP\/1.1/i"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/b06c6ac1174a6992f423d935ccba6f34f107b6591768a743d44d66423312d33a/analysis/; classtype:trojan-activity; sid:34366; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:16; content:"/arquivo/vrs.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34367; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload variant outbound connection"; flow:to_server,established; urilen:19; content:"/arquivo/cookie.txt"; fast_pattern:only; http_uri; content:"Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/fc2cc624c2357bad23eaff951c4eac3a1f1c1c3ec5133665c7e101f4f4e3bbba/analysis/1430145774/; classtype:trojan-activity; sid:34368; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/poppxr/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34452; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"sname="; depth:6; http_client_body; content:".php HTTP/1.0|0D 0A|"; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ca7047c377ad26b9db86c4028b59aa2f6600bfbdb74f1af3519ebf10314b3a6/analysis/; classtype:trojan-activity; sid:34453; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25] (msg:"MALWARE-CNC Linux.Trojan.Mumblehard variant outbound connection"; flow:to_server,established; content:"POST / HTTP/1.0|0D 0A|Host: "; depth:28; content:"Content-type: application/x-www-form-urlencoded|0D 0A|Content-Length: "; within:100; content:"|0D 0A 0D 0A 0F 0F 09|"; within:25; fast_pattern; content:!"User-Agent: "; nocase; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/9512cd72e901d7df95ddbcdfc42cdb16141ff155e0cb0f8321069212e0cd67a8/analysis/1430996623; classtype:trojan-activity; sid:34461; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Downloader.Mumblehard variant outbound connection"; flow:to_server,established; urilen:1; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| rv:7.0.1) Gecko/20100101 Firefox/7.0.1|0D 0A|"; fast_pattern:only; http_header; content:"Accept: text/html,application/xhtml+xml,application/xml|3B|q=0.8,*/*|3B|q=0.9|0D 0A|"; http_header; content:"Accept-Language: en-us,en|3B|q=0.5|0D 0A|"; distance:0; http_header; content:"Accept-Encoding: gzip, deflate|0D 0A|"; distance:0; http_header; content:"Accept-Charset: ISO-8859-1,utf-8|3B|q=0.7,*|3B|q=0.7|0D 0A|"; distance:0; http_header; content:"Connection: close|0D 0A 0D 0A|"; distance:0; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/file/84dfe2ac489ba41dfb25166a983ee2d664022bbcc01058c56a1b1de82f785a43/analysis/1430849540/; classtype:trojan-activity; sid:34462; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-BACKDOOR Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; isdataat:15; isdataat:!16; content:"|00 00 00 11 C8 00 00 00 00 00 00 00 00 00 00 00|"; depth:16; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34500; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Wekby Torn variant outbound connection"; flow:established, to_server; isdataat:15; isdataat:!16; content:"|00 00 00 11 D0 00 00 00|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/1D6BCF409C85887861D587C8AABFC8C8393EA692FE93C0A6836BE507A7F75985/analysis/; classtype:trojan-activity; sid:34501; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"/popkx3/popi.html"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d6beeae945d570d98784bdea68310ddef17f4a03534632dec48c691677c67402/analysis/; classtype:trojan-activity; sid:34622; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - EMERY - Win.Trojan.W97M"; flow:to_server,established; content:"User-Agent|3A 20|EMERY|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d0f0a446162c6dafc58e4034f4879275d3766f20336b6998cb5a5779d995a243/analysis/; classtype:trojan-activity; sid:34843; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 03|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:34864; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rovnix variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/vbulletin/post.php?qu="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a184775757cf30f9593977ee0344cd6c54deb4b14a012a7af8e3a2cdbb85a749/analysis/; classtype:trojan-activity; sid:34868; rev:1;)
|
|
alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Critroni certificate exchange"; flow:to_client,established; content:"|00 D3 62 47 DA 62 4A A1 34|"; content:"|3B 02 49 86 4B DF D7 D7 6C E2 2F 36 81 01 24 3F|"; within:400; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/af7a9f581653394955bec5cf10a7dbafbf64f42d09918807274b5d25849a1251/analysis/; classtype:trojan-activity; sid:34917; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bancos variant outbound connection"; flow:to_server,established; content:"ID_MAQUINA="; fast_pattern:only; http_client_body; content:"&VERSAO="; nocase; http_client_body; content:"&WIN="; within:50; nocase; http_client_body; content:"&NAVEGADOR="; within:200; nocase; http_client_body; content:"&PLUGIN="; within:50; nocase; http_client_body; content:"&AV="; within:50; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7816d2b6507950177cf1af596744abe523cad492f4d78e230962602b1b269044/analysis/; classtype:trojan-activity; sid:34931; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Prok variant outbound connection"; flow:to_server,established; content:"/prok/"; http_uri; content:"Content-Type: multipart/form-data, boundary=7DF051D"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ada4a63abae42266f9d472f1d4ebd0bd22702270f8b38ad7a824a16ce449ea2b/analysis/; classtype:trojan-activity; sid:34950; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Androm variant outbound connection"; flow:to_server,established; urilen:16; content:"POST"; http_method; content:"/forum/image.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/38c7d403660c98ceb0246192d7d89cd66e126c6721008f6b347d4d53b4dc063b/analysis/; classtype:trojan-activity; sid:34958; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SpyBanker variant outbound connection"; flow:to_server,established; content:"texto=%0D%0A"; depth:12; http_client_body; content:"/consulta"; http_uri; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)|0D 0A 0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33b598e185ba483c5c1571651a03b90359fb1f56b55e902c7038baf315c5dad9/analysis/; classtype:trojan-activity; sid:34959; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Sendori user-agent detection"; flow:to_server,established; content:"User-Agent|3A 20|Sendori-Client-Win32"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26ee215c531b6c50d28ef9b9a48db05b08139e460b997167de1813484beb7a9e/analysis/; classtype:misc-activity; sid:34964; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; urilen:43; content:"/imagens/nacional/new/1/2/3/br/contador.php"; fast_pattern:only; http_uri; content:"User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34994; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra HTTP Header Structure"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:".php HTTP/1.1|0D 0A|Content-Type: text/html|0D 0A|Host: "; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/078f4f7bbd0a7fc3f1934a4988997e9f3b69ca8b9dc1bfd37a6c85b44fb50b48/analysis/; classtype:trojan-activity; sid:34995; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent-ALPW variant outbound connection"; flow:to_server,established; content:"|0D 0A|Accept: text/html, */*|0D 0A|Accept-Encoding: identity|0D 0A|User-Agent: Mozilla/5.0 (Windows NT 6.1|3B| WOW64|3B| rv:12.0) Gecko/20100101 Firefox/12.0|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"A="; depth:2; http_client_body; content:".php"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6452bea82dbef796eaed8d2403ffa7141e4379bb052fdb7b63a21400c04b0334/analysis/; classtype:trojan-activity; sid:34996; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Graftor variant HTTP Response"; flow:to_client,established; isdataat:!53; content:"HTTP/1.1 200 OK|0D 0A|Content-Length: "; content:"|0D 0A 0D 0A|session:"; within:15; fast_pattern; pcre:"/\r\n\r\nsession\x3a\d{1,7}$/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1ed49a78ee46c4a0d2eeb3b9ab707b40d3c87448c6f399d7fceefc0c16c66d38/analysis/; classtype:trojan-activity; sid:34997; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:9; content:"/diff.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35030; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; urilen:21; content:"POST"; http_method; content:"/siganofi/rounder.php"; fast_pattern:only; http_uri; content:"Cache-Control: no-cache"; http_header; content:"Pragma|3A| no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.www.virustotal.com/en/file/857ae380e297f840b88146ec042286ef459a1c4dc53680b117a9677b189e6c68/analysis/; classtype:trojan-activity; sid:35076; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ursnif outbound connection"; flow:to_server,established; content:"/photoLibrary/?user="; http_uri; content:"&ver="; http_uri; content:"&os2="; fast_pattern:only; http_uri; content:"&type="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35312; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Cryptowall click fraud response"; flow:to_client,established; file_data; content:"2|7C|http://"; depth:9; content:"/search.php|7C|http://"; within:60; content:"|7C|Mozilla/4.0 "; within:100; content:"/r.php?key="; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/3b78dd891a81c18cffa5031e52f9c2329e2986ba83c5c75a67dc4ae3d1f0bec3/analysis/; classtype:trojan-activity; sid:35344; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Elise.B variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 8.0)"; fast_pattern:only; http_header; urilen:28; content:"/page_"; depth:6; offset:9; nocase; http_uri; content:".html"; within:5; distance:8; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9a226eeae1fc51a2bc2e72b098d5654238d0cc8eae29c0cdaacb49ae9d997d04/analysis/; classtype:trojan-activity; sid:35353; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bedep initial outbound connection"; flow:to_server,established; content:"protocolVersion|22|"; offset:2; http_client_body; content:"|22|rev|22|"; within:10; http_client_body; content:"|22|buildId|22|"; within:15; http_client_body; content:"|22|tags|22 3A|"; distance:0; http_client_body; content:"|22|type|22 3A 22|"; within:10; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35386; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda initial outbound connection"; flow:to_server,established; content:"/forum.php"; depth:10; http_uri; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35387; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Andromeda download request"; flow:to_server,established; content:".mod"; http_uri; pcre:"/[a-z]{2}_[a-z0-9]{8}\.mod/Ui"; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,malware.dontneedcoffee.com/2015/07/a-fileless-ursnif-doing-some-pos.html; classtype:trojan-activity; sid:35388; rev:1;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac self-signed certificate"; flow:to_client,established; ssl_state:server_hello; content:"|16 03 01 00 51 02|"; content:"|55 04 06 13 02|XX"; fast_pattern:only; content:"|55 04 07 0C 0C|Default City"; content:"|55 04 0A 0C 13|Default Company Ltd"; distance:6; metadata:impact_flag red, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35393; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TorrentLocker/Teerac payment page request"; flow:to_server,established; content:".php?user_code="; http_uri; content:"&user_pass="; fast_pattern:only; http_uri; content:"Referer|3A|"; http_header; content:"tor"; within:30; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/4072beeaf09fe6fef48365f1c14fd800e21b32cfa2af561f515bc45372dd590d/analysis/; classtype:trojan-activity; sid:35394; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:10; content:"/order.php"; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|0D 0A|Content-Type: application/octet-stream|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; fast_pattern; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/1433243075/; classtype:trojan-activity; sid:35549; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Potao outbound connection"; flow:to_server,established; content:"|3C|methodName|3E|10a7d030-1a61-11e3-beea-001c42e2a08b|3C 2F|methodName|3E|"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c66955f667e9045ea5591ebf9b59246ad86227f174ea817d1398815a292b8c88/analysis/; classtype:trojan-activity; sid:35733; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNDR4700 and R6200 admin interface authentication bypass attempt"; flow:to_server,established; content:"/BRS_03B_haveBackupFile_fileRestore.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,59406; reference:cve,2013-3071; classtype:attempted-admin; sid:35734; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Wild Neutron potential exploit attempt"; flow:to_server,established; urilen:>25; content:".swf?"; http_uri; content:"styleid="; distance:0; http_uri; content:"&langid="; distance:0; http_uri; content:"&sid="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/; classtype:trojan-activity; sid:35745; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; urilen:11; content:"/atomic.php"; fast_pattern:only; http_uri; content:"|0D 0A|User-Agent: Mozilla/4.0|0D 0A|"; http_header; content:"|A0 CD 37 A4 5B|"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a7009a6ed3ff0191e3c8e7f8b27b9b16afe2a82d1eb131ecd27d8f8a5b17e819/analysis/; classtype:trojan-activity; sid:35746; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/SNews.asp?HostID="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35749; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.IsSpace initial outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/STTip.asp"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,publicintelligence.net/fbi-hack-tools-opm/; classtype:trojan-activity; sid:35750; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"FILE-IDENTIFY JPEG file upload detected"; flow:to_server,established; file_data; content:"|FF D8 FF E1|"; depth:4; flowbits:set,file.jpeg; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:35852; rev:9;)
|
|
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"FILE-IDENTIFY OLE Document upload detected"; flow:to_server,established; file_data; content:"Content-Disposition|3A|"; nocase; content:"Form-data|3B|"; within:20; nocase; content:"|D0 CF 11 E0 A1 B1 1A E1|"; within:200; fast_pattern; flowbits:set,file.ole; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service http; classtype:misc-activity; sid:36058; rev:10;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/rp?v="; fast_pattern:only; http_uri; content:!"User-Agent:"; http_header; content:"&u="; http_uri; content:"&c="; within:3; distance:32; http_uri; content:"&f="; distance:0; http_uri; content:"&a="; distance:0; http_uri; content:"&d="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36064; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"/offers_new?v="; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:"&a="; http_uri; content:"&i="; distance:0; http_uri; content:"&f="; distance:0; http_uri; content:"&u="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/049bc9beeba4acd2a558dc695f65ad284b0ae1ff89f69a38f743510d6ab640c0/analysis; classtype:trojan-activity; sid:36065; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Bagsu variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MyApp)|0D 0A 0D 0A|"; fast_pattern:only; http_header; content:"windows="; depth:8; http_client_body; content:"&av="; within:50; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1fbe27602da7de2ce95254ffd409f70635179371354b4914997de273f6be9422/analysis/; classtype:trojan-activity; sid:36066; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FakeAV variant outbound connection"; flow:to_server,established; content:"/purchase.php?a="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&u="; distance:0; http_uri; content:"&bgload="; within:8; distance:32; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f4c10d33b8c46cc7922a6eebc9f14858a01b2f573ee99dd1dc02a4534b537e18/analysis; classtype:trojan-activity; sid:36107; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nimisi variant outbound connection"; flow:to_server,established; content:!"User-Agent"; http_header; content:"/logs.php?&prog="; fast_pattern:only; http_uri; content:"&url="; http_uri; content:"&user="; distance:0; http_uri; content:"&pass="; distance:0; http_uri; content:"&comp="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a1f8f8b509001e5bca811a168455a89517000a2534d271018c0c87c6210bd69f/analysis/; classtype:trojan-activity; sid:36108; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Yakes variant dropper"; flow:to_server,established; content:"/document.php?rnd="; fast_pattern:only; http_uri; content:"&id="; depth:4; offset:22; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ff0ae81f0dece17baf8480d866c9462c9f3d49be9adde8b16f105e244eb31d67/analysis/; classtype:trojan-activity; sid:36202; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30|"; within:1; distance:string_size; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; byte_extract:1,0,string_size,relative; content:"|30 82|"; within:2; distance:string_size; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36611; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Metasploit Meterpreter reverse HTTPS certificate"; flow:to_client,established; content:"|16 03 02|"; content:"|0B|"; within:1; distance:2; content:"|30 82|"; within:2; distance:9; content:"|30 82|"; within:2; distance:2; content:"|A0 03 02 01 02 02|"; within:6; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01|"; within:22; content:"|31|"; within:1; distance:5; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30|"; within:10; distance:3; content:"|17 0D|"; within:2; distance:1; content:"Z|17 0D|"; within:3; distance:12; content:"Z|30|"; within:2; distance:12; content:"|31|"; within:1; distance:1; content:"|30|"; within:1; distance:1; content:"|06 03 55 04 03 0C|"; within:6; distance:1; content:"|30 82|"; within:9; distance:2; content:"|30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 82|"; within:17; distance:2; content:"|30 82|"; within:2; distance:3; content:"|02 82|"; within:2; distance:2; content:"|02 03 01 00 01 A3 0D 30 0B 30 09 06 03 55 1D 13 04 02 30 00 30 0D 06 09 2A 86 48 86 F7 0D 01 01 0B 05 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ssl; reference:url,blog.didierstevens.com; classtype:misc-activity; sid:36612; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site"; flow:to_server,established; content:"/wp-admin/"; http_uri; content:".exe|20|HTTP/1."; fast_pattern:only; pcre:"/\.exe$/U"; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:36914; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kovter outbound connection"; flow:to_server,established; content:"/counter/?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header; content:"MSIE 7.0|3B|"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/e3da9c7f20e7f24891e0dec594dad6d9deebee145153611a5c05c69593284a27/analysis/; reference:url,www.virustotal.com/en/file/9d6b1bd74848dd0549ad3883b7292d3ba0a4fa06d0aaf562032b0bf6dc198249/analysis/; classtype:trojan-activity; sid:37045; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(base64_decode($_POST"; fast_pattern:only; http_client_body; metadata:impact_flag red, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1001; reference:url,attack.mitre.org/techniques/T1100; reference:url,attack.mitre.org/techniques/T1132; reference:url,informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html; reference:url,www.virustotal.com/en/file/BE24561427D754C0C150272CAB5017D5A2DA64D41BEC74416B8AE363FB07FD77/analysis/; classtype:trojan-activity; sid:37245; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Vawtrak variant outbound connection"; flow:to_server,established; content:"/rss/feed/stream"; fast_pattern:only; http_uri; content:"|3F|"; depth:1; offset:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6ADFAFFEA064A9F89064FBA300CDFCD7634CFD06802BF250FA1B070CABFBEBF5/analysis/; classtype:trojan-activity; sid:37467; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Browser.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37521; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/Mail.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37522; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant outbound connection"; flow:to_server,established; content:"/Recoveries/OSKey.txt"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/84409422426933e6f1ea227f042ff56d1f6686873454959d2e3308b9f5daac61/analysis/; classtype:trojan-activity; sid:37523; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Engr variant outbound connection"; flow:to_server,established; urilen:7<>8; content:".php"; http_uri; content:"boundary=Xu02=$"; fast_pattern:only; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/54f6600db99fdab31453f3e23e8fb080438cd1ec36b6fc2868ff86cf88f14bb0/analysis/; classtype:trojan-activity; sid:37552; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Symmi variant dropper download connection"; flow:to_client,established; file_data; content:"|A6 4D AA E1 65 52 A5 E1 E3 58 76 E1 81 4D A5 E1 CE 48 9C E1 BB 4D A5 E1 CE 48 A9 E1 A1 4D A5 E1|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37646; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Symmi variant outbound connection"; flow:to_server,established; content:"/vip.jpg"; fast_pattern:only; http_uri; urilen:8; content:"User-Agent: Mozilla/4.0 (compatible)|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/881bb1538b4d077976cd9b27523cd5af9bd86c0ae3bce4edf453e74bba9f4c1b/analysis/; classtype:trojan-activity; sid:37647; rev:1;)
|
|
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo A record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 01 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37730; rev:5;)
|
|
# alert udp any 53 -> $HOME_NET any (msg:"PROTOCOL-DNS glibc getaddrinfo AAAA record stack buffer overflow attempt"; flow:to_client; dsize:>2000; byte_test:1,&,2,2; byte_test:1,&,0x80,2; byte_test:1,!&,0x78,2; content:"|00 01|"; depth:2; offset:4; content:"|00 00 1C 00 01|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:cve,2015-7547; reference:url,googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html; classtype:attempted-user; sid:37731; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dridex dropper variant outbound connection"; flow:to_server,established; content:"/gt.jpg?"; fast_pattern; http_uri; content:"="; within:1; distance:15; http_uri; content:"bytes=6433-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8a80760f60f42ce5574a8020c08123a6a8fc2a12d28e8802f3d5101f72c2ad0c/analysis/; classtype:trojan-activity; sid:37733; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08|"; distance:2; content:"|05|"; distance:4; content:"MERA RTU"; within:100; fast_pattern; metadata:policy max-detect-ips drop, ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37814; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"POLICY-OTHER Polycom Botnet inbound connection attempt"; flow:to_server,established; file_data; content:"|03 00|"; depth:2; content:"|08 02|"; within:2; distance:2; content:"EE|A8 C6|3"; within:80; content:"ooh323"; distance:6; fast_pattern; metadata:policy max-detect-ips drop, ruleset community; reference:url,support.polycom.com/global/documents/support/documentation/H_3_2_3_Botnet_Bulletin_v_1_2.pdf; classtype:trojan-activity; sid:37815; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kazy variant outbound connection"; flow:to_server,established; urilen:10; content:"post="; depth:5; fast_pattern; http_client_body; content:"/index.php"; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/522e5d4ea0771f5c0bc300c2d66a0445a66ae85bd4b50c21a502365db0a638d9/analysis/; classtype:trojan-activity; sid:37816; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/lockycrypt.rar"; fast_pattern:only; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37834; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/34gf5y/r34f3345g"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ee6abe4a9530b78e997d9c28394356216778eaf2d46aa3503999e7d6bfbefe90/analysis/; classtype:trojan-activity; sid:37835; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE malicious file download attempt"; flow:to_server,established; content:"|2F 70 6F 63|"; http_uri; pcre:"/\x2f\x70\x6f\x63(\d*|\x5f[\x61-\x7a]+)\x2e(\x68\x74\x6d\x6c|\x78(\x6c\x73|\x73\x6c|\x6d\x6c)|\x6a(\x73|\x61\x76a)|\x61\x73\x70|\x70(\x64f|\x70\x74|\x48\x70|\x73\x64)|\x66\x6c\x76|\x73\x77\x66|\x64\x6fc|\x74\x74\x66|\x62\x6d\x70|\x6d(\x70\x33|\x33\x75))/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:misc-activity; sid:37963; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"POST"; http_method; content:"/photos/photo.asp"; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38255; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"CONNECT"; http_method; content:"User-Agent|3A 20|Mozilla/4.0|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Proxy-Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Accept: */*"; http_header; content:"Accept-Encoding|3A| identity"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38256; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win-Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"GET"; http_method; content:"/Query.asp?loginid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38257; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win/Linux.Trojan.Derusbi variant outbound connection"; flow:to_server,established; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 6.0|3B| Windows NT 5.1)|0D 0A|"; fast_pattern:only; http_header; content:"Pragma|3A 20|no-cache"; http_header; content:"Cache-Control|3A 20|no-cache"; http_header; content:"POST"; http_method; content:"/login1.asp"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.fidelissecurity.com/sites/default/files/TA_Fidelis_Turbo_1602%283%29.pdf; classtype:trojan-activity; sid:38258; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:"/main.php"; fast_pattern:only; http_uri; urilen:9,norm; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length|3A 20|"; http_raw_header; byte_test:10,>,95,0,relative,string,dec; byte_test:10,<,115,0,relative,string,dec; content:"Connection|3A 20|Keep-Alive|0D 0A|Cache-Control|3A 20|no-cache"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/33ab0605b83356e065459559bb81ec5e7464be563059fce607760517fedaf603/analysis/; classtype:trojan-activity; sid:38331; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Linux.Trojan.Bifrose outbound connection"; flow:to_server; content:"|9B 4F B0 75 E2 76 96 04 5A F1 F9 43 D4 A2 6B|"; depth:15; offset:4; content:"|76 13 85 45 17 1B|"; within:6; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0a0d7bed3c8aa0e0e87e484a37e62b0bd0e97981b0bea55f6f3607316831ba5d/analysis/; classtype:trojan-activity; sid:38333; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|43 00 00 00 05|"; depth:5; isdataat:!79; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38353; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant failed read logs"; flow:to_server,established; content:"|01 00 00 00 3C|"; depth:5; isdataat:4; isdataat:!5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38354; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 01|"; depth:5; isdataat:4; isdataat:!5; metadata:impact_flag red, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38355; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send credentials"; flow:to_server,established; content:"|01 00 00 00 3D|"; depth:5; isdataat:4; isdataat:!5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38357; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant send mail credentials"; flow:to_server,established; content:"|01 00 00 00 41|"; depth:5; isdataat:!9; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,www.circl.lu/pub/tr-23/; classtype:trojan-activity; sid:38359; rev:2;)
|
|
alert tcp $EXTERNAL_NET 4043 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 06|Lisbon"; content:"|55 04 0A 0C 10|Souppi Otiop SEM"; distance:6; content:"|55 04 03 0C 0E|wthcethesmw.ph"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38378; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_client,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38379; rev:1;)
|
|
alert tcp $HOME_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Dridex file download attempt"; flow:to_server,established; file_data; content:"FeintedEscalator"; fast_pattern:only; content:"InkingGrange"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f4bf52759270fa4fc4e5745d51dd8d73b49feae9de5bedfd8f4e0a865e8047c4/analysis/1459264179/; classtype:trojan-activity; sid:38380; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"USER obitex@benfoods.tk|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38385; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"PASS Goodman1986|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38386; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger outbound connection"; flow:to_server,established; content:"STOR Screenshot from|3A 20|"; fast_pattern; content:"|29|.png"; within:80; metadata:impact_flag red, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38387; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FTPKeyLogger geolocation check"; flow:to_server,established; urilen:16; content:"/geoip/geoip.php"; fast_pattern:only; http_uri; content:!"Accept"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/44f956d41f5aea97884f88f60c1e28dc246b4b7318a87b332367e7f0476ca8fc/analysis/1459279340/; classtype:trojan-activity; sid:38388; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Boaxxe variant outbound connection"; flow:to_server,established; content:"|7C 7C|CM01|7C|CM02|7C|CM03|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/efd9036e675507da76cd0946408aedb814aff9da62d23de4f0680a4e7186a75c/analysis/1460471360/; classtype:trojan-activity; sid:38509; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpySoft variant exfiltration attempt"; flow:to_server,established; urilen:11; content:"POST"; http_method; content:"/api?upload"; fast_pattern:only; http_uri; content:"Expect|3A 20|"; http_header; content:!"User-Agent"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.virustotal.com/en/file/146889acc9c4a5dbda2de339320159560567b14f846653df727284076f092e63/analysis/1460466642/; classtype:trojan-activity; sid:38510; rev:2;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:9; content:"hi00"; fast_pattern:only; pcre:"/hi00[0-9]{5}/"; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38514; rev:3;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|39 64 30 33 66 65 66 35 30 30 62 39 30 30 34 36 32 37 31 31 30 33 32 35|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38515; rev:3;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Sweeper outbound connection"; flow:to_server,no_stream; dsize:24; content:"|61 63 36 62 66 34 64 30 66 35 36 30 30 30 34 36 32 37 31 31 30 33 39 39|"; fast_pattern:only; detection_filter:track by_src, count 1000, seconds 1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38516; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC binary download while video expected"; flow:to_client,established; content:"Content-Type|3A 20|video/quicktime|0D 0A 0D 0A|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/38221267218184b17a78d8814d1bd06b12143be859488ae15ca0d754f32d60fc/analysis/1460472611/; classtype:trojan-activity; sid:38517; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"Connection|3A 20|Keep-Alive"; http_header; content:!"Accept"; http_header; content:!"Content-Type"; http_header; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38557; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection"; flow:to_server,established; content:"/News/gate.php"; fast_pattern:only; http_uri; content:"="; depth:4; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38558; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - keystorkes"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"<br><br><b><big>"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38559; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger outbound connection - screenshot"; flow:to_server,established; content:"/News/gate.php?"; fast_pattern:only; http_uri; content:"JFIF"; http_client_body; pcre:"/\/News\/gate\.php\x3f[a-f0-9]{32}\x3d\d/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38560; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger plugins download attempt"; flow:to_server,established; content:".p HTTP/1.1"; fast_pattern:only; content:"/plugins/"; http_uri; pcre:"/\/plugins\/[a-z]{3,10}\.p/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38561; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger initial exfiltration attempt"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; content:"pc="; nocase; http_client_body; content:"&admin="; distance:0; nocase; http_client_body; content:"&os="; distance:0; nocase; http_client_body; content:"&hid="; distance:0; nocase; http_client_body; content:"&arc="; distance:0; nocase; http_client_body; content:"User-Agent|3A 20|"; http_header; pcre:"/User-Agent\x3a\x20[A-F0-9]{32}\x0d\x0a/H"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38562; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.GateKeylogger fake 404 response"; flow:to_client,established; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:">404 Not Found<"; fast_pattern:only; content:" requested URL / was not found "; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38563; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.GateKeylogger keylog exfiltration attempt"; flow:to_server,established; content:"/post.php?"; fast_pattern:only; http_uri; content:"pl="; http_uri; content:"&education="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/77c802db1731fa8dae1b03d978f89b046309adfa1237b1497a69ccb9c2d82c16/analysis/1459520578/; classtype:trojan-activity; sid:38564; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper initial download attempt"; flow:to_server,established; content:"HEAD"; http_method; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:!"Content-Length"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38565; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sweeper variant dropper download attempt"; flow:to_server,established; content:".bin"; fast_pattern:only; content:"User-Agent|3A 20|Microsoft BITS"; http_header; content:"Accept-Encoding|3A 20|identity|0D 0A|"; content:"If-Unmodified-Since"; http_header; content:"Range"; http_header; pcre:"/\/[a-f0-9]{32}\/\w+\.bin/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,www.virustotal.com/en/file/70e6df66c76700afef596e2dd7c956f4f476acca5b935b3f067084241638d182/analysis/1460636221/; classtype:trojan-activity; sid:38566; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RFT document malformed header"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38580; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RFT document malformed header"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rtvpn"; depth:7; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:38581; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant JS dropper outbound connection"; flow:to_server,established; content:"/img/script.php?"; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"UA-CPU|3A 20|"; http_header; content:!"Referer"; http_header; content:!"Accept-Language"; http_header; pcre:"/\/img\/script\.php\x3f.*\.mov$/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38584; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:139<>200,norm; content:"/wp-includes.php?d="; fast_pattern:only; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38585; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>180,norm; content:"/api.php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*|0D 0A|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38586; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant temporary redirect attempt"; flow:to_client,established; content:"307"; http_stat_code; content:"Temporary Redirect"; http_stat_msg; content:"Set-Cookie|3A 20|DFSCOOK="; fast_pattern:only; content:"Location: "; content:"/api.php?d="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38587; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.DFSCook variant outbound connection"; flow:to_server,established; urilen:>185,norm; content:".php?d="; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; pcre:"/\.php\x3fd=[A-F0-9]{174}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7a32e9d01e66f68461e410a29e38e147fb8a3d3695f1e55f4cf0d2ad789d5b2d/analysis/1460564508/; classtype:trojan-activity; sid:38588; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"APP-DETECT Bloomberg web crawler outbound connection"; flow:to_server,established; content:"User-Agent: BLP_bbot"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,irwebreport.com/20110223/bloomberg-bot-strikes-again-transocean-earnings-leaked; classtype:misc-activity; sid:38594; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UP007 variant outbound connection"; flow:to_server,established; urilen:10; content:"/index.asp"; fast_pattern:only; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| MSIE 7.0|3B| Windows NT 5.1|3B|)"; http_header; content:"Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"UP007"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,citizenlab.org/2016/04/between-hong-kong-and-burma/; classtype:trojan-activity; sid:38603; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot variant network speed test"; flow:to_server,established; content:"/random750x750.jpg?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38606; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qakbot variant outbound connection"; flow:to_server,established; urilen:30<>35,norm; content:"btst="; http_cookie; content:"snkz="; http_cookie; content:"Accept|3A 20|application/x-shockwave-flash, image/gif, image/jpeg, image/pjpeg, */*|0D 0A|"; fast_pattern:only; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/1826dba769dad9898acd95d6bd026a0b55d0a093a267b481695494f3ab547088/analysis/1461598351/; classtype:trojan-activity; sid:38607; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RockLoader variant outbound connection"; flow:to_server,established; urilen:5; content:"/api/"; fast_pattern:only; http_uri; content:"Content-Type|3A 20|octet-stream"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:!"User-Agent"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/d3cd3630b5709535f9bfa59c4ec75c8061262985919a43a175ec9d7e15c9419a/analysis/1461598531/; classtype:trojan-activity; sid:38608; rev:1;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Godzilla downloader successful base64 binary download"; flow:to_client,established; content:"GODZILLA="; fast_pattern:only; content:"GODZILLA="; http_cookie; metadata:impact_flag red, ruleset community, service http; reference:url,www.virustotal.com/en/file/f597634ff5e2623baff35d99bfdb2aac1725c9f49805b4903c13093c43172cb7/analysis/1461593386; classtype:trojan-activity; sid:38610; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type text/plain containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38619; rev:5;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 0B|Ouagadougou"; content:"|55 04 0A 0C 16|Tiongon Wledb A.M.B.A."; distance:6; content:"|55 04 03 0C 10|ina.themanyag.zm"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38620; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|0B|"; distance:3; content:"|55 04 07 0C 09|Bujumbura"; content:"|55 04 0A 0C 10|Wiqur Hitin ehf."; distance:6; content:"|55 04 03 0C 11|puppeitursilth.cz"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/fc25709c4e05dbfbcc6ae0cf8a7c06e80156ae05179203021838259aeda9801a/analysis/1461600547/; classtype:trojan-activity; sid:38621; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bayrob variant outbound connection"; flow:to_server,established; isdataat:7; isdataat:!8; content:"|4C 48 42 80 71 C2 A5 DF|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/6b6b91cd104f4a6d32b5187131d9053911607672076e6ed26ed51369e5329cad/analysis/1462889491/; classtype:trojan-activity; sid:38886; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky JS dropper outbound connection"; flow:to_server,established; content:"/log.php?"; fast_pattern:only; http_uri; content:"UA-CPU"; http_header; content:"Accept|3A 20|*/*"; http_header; content:!"Referer"; http_header; pcre:"/\/log\.php\x3f[a-z]\x3d\d{3}/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/11180a0ff4576e0dbbe48d77ed717e72678520516ff13f523cad832d1b9fa9ac/analysis/1462906326/; classtype:trojan-activity; sid:38887; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:13; content:"/userinfo.php"; fast_pattern:only; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; content:"Content-Type|3A 20|application/x-www-form-urlencoded|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2d766d57bc549b3ac7b87b604e2103318eaf41b526086ffe0201d5778521c1b6/analysis/1462906540/; classtype:trojan-activity; sid:38888; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kirts exfiltration attempt"; flow:to_server,established; content:".php?fname=Hawkeye_Keylogger"; fast_pattern:only; http_uri; content:"&data="; http_uri; content:!"User-Agent"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38890; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.Kirts initial registration"; flow:to_server,established; content:"Subject|3A 20|=?utf-8?B?SGF3a0V5ZSBMb2dnZXIg"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/en/file/f81128f3b9c0347f4ee5946ecf9a95a3d556e8e3a4742d01e5605f862e1d116d/analysis/1462888129/; classtype:trojan-activity; sid:38891; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.PassStealer passwords exfiltration attempt"; flow:to_server; file_data; content:"Passwords Recorded On "; fast_pattern; content:"Time of Recording:"; within:20; distance:22; content:"IP Address"; within:12; distance:15; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ftp; reference:url,attack.mitre.org/techniques/T1020; reference:url,virustotal.com/en/file/5780e8408c8d5c84d1fbe5c53eeb77832a6af54fd41fab7f720c89fc10989340/analysis/1463495191/; classtype:trojan-activity; sid:38950; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/installer.php?"; http_uri; content:"CODE="; fast_pattern:only; content:"UID="; http_uri; content:"action="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38951; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/optin.php?"; fast_pattern:only; http_uri; content:"f="; content:"quant="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38952; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.OpenSoftwareUpdater variant outbound connection attempt"; flow:to_server,established; content:"/info.php?"; http_uri; content:"quant="; fast_pattern:only; content:"f="; http_uri; content:"h="; http_uri; content:"size="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/829918eb3edb26deccd2d80c7ac8bc8ad58b4fb76a370c11731884b408a21a73/analysis/1463575824/; classtype:trojan-activity; sid:38953; rev:2;)
|
|
alert tcp any any -> any $HTTP_PORTS (msg:"SQL use of sleep function in HTTP header - likely SQL injection attempt"; flow:established,to_server; content:"User-Agent|3A| "; http_header; content:"sleep("; fast_pattern; nocase; http_header; pcre:"/User-Agent\x3A\x20[^\r\n]*sleep\x28/Hi"; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.cloudflare.com/the-sleepy-user-agent/; classtype:web-application-attack; sid:38993; rev:9;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Sinrin initial JS dropper outbound connection"; flow:to_server,established; urilen:<31; content:"Accept|3A 20|*/*|0D 0A|UA-CPU|3A 20|"; fast_pattern:only; http_header; content:"Connection|3A 20|Keep-Alive|0D 0A|"; http_header; content:"Accept-Encoding|3A 20|gzip, deflate|0D 0A|"; http_header; content:!"Referer"; http_header; pcre:"/\/[a-z0-9]{8,10}\x3f[A-Za-z]{7,10}\x3d[A-Za-z]{6,10}/U"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e0f8b6fd78c724b688f6467baf37f08c5ed198ea1b4224f31f50c8acbad49742/analysis/; classtype:trojan-activity; sid:39064; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant connection setup"; flow:to_server,established; content:"|3B 00 00 00 05|"; depth:5; isdataat:!64; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/en/file/5db3b9ce06e334cb61279dd936a40be75df6732228bb692a7a84b1299eb09071/analysis/1464362377/; classtype:trojan-activity; sid:39080; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant outbound connection"; flow:to_server,established; content:"=P4CK3T="; depth:32; content:"8_=_8"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39106; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.LuminosityLink RAT variant inbound connection"; flow:to_client,established; content:"=P4CK3T="; depth:32; content:"8_=_8"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/0a6ee066b27f5f8dfeedb8e5f19659e47b70296a49a627e2ce9d3d9456287051/analysis/; classtype:trojan-activity; sid:39107; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06 13 02|FR"; content:"|55 04 0A 13 0C|assylias.Inc"; distance:6; content:"|55 04 03 13 08|assylias"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/45e8df88b177cec3972f36284290eab652fb21806ef7e9575be853fb30528f28/analysis/; classtype:trojan-activity; sid:39159; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.JRat inbound self-signed SSL certificate"; flow:to_client,established; content:"|16 03 01|"; content:"|02|"; distance:2; content:"|03 01|"; distance:3; content:"|55 04 06 13 02|US"; content:"|55 04 08 13 0A|California"; distance:6; content:"|55 04 07 13 0E|Redwood Shores"; distance:6; content:"|55 04 0A 13 14|Oracle America, Inc."; distance:6; content:"|55 04 0B 13 13|Code Signing Bureau"; distance:6; content:"|55 04 03 13 14|Oracle America, Inc."; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/9d54565f8fb7cf50df11bf9745f7efd04a49abb03e85a3aafbf9a5b5fcd065c9/analysis/; classtype:trojan-activity; sid:39160; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|"; distance:3; content:"|55 04 06 13 02|BN"; content:"|55 04 07 0C 13|Bandar Seri Begawan"; distance:6; content:"|55 04 0A 0C 12|Cowchi Aromep LTD."; distance:6; content:"|55 04 03 0C 17|tsre131.eollaieefi.jprs"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39163; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dridex self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|59|"; distance:3; content:"|55 04 06 13 02|PW"; content:"|55 04 07 0C 08|Melekeok"; distance:6; content:"|55 04 0A 0C 0E|Merwh Whena NL"; distance:6; content:"|55 04 03 0C 16|pepa634.omeewengreq.mz"; distance:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,www.virustotal.com/en/file/6467418eea0564f77c66844e30a17c8561089f2b8301a7d306a71a34e4fef693/analysis/; classtype:trojan-activity; sid:39164; rev:1;)
|
|
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy variant initial outbound connection"; flow:to_server,established; content:"=0D=0A=0D=0A"; fast_pattern:only; content:"iSpy Keylogger"; content:"Computer Information"; content:"Username:"; within:30; content:"Installed"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39409; rev:2;)
|
|
alert tcp $HOME_NET any -> $SMTP_SERVERS [25,587] (msg:"MALWARE-CNC Win.Trojan.iSpy variant exfiltration outbound connection"; flow:to_server,established; content:"=0D=0A"; fast_pattern:only; content:"iSpy Keylogger"; content:"=0D=0ABrowser"; content:"=0D=0AWebsite"; within:70; content:"=0D=0AUsername"; within:70; content:"=0D=0APassword"; within:70; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4e902c1c2647e79167262bf948fe41368bab4d3876255eb3d9edb5ae02097b7/analysis/; classtype:trojan-activity; sid:39410; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Qbot variant outbound connection"; flow:to_server,established; content:"zwlviewforumogaf.php"; fast_pattern:only; http_uri; content:"Host|3A| a.topgunnphoto.com"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/020356457e95f7607c1941e03294b4c16e23daa402d7e79cfd2ba91b23969480/analysis/1463667519/; classtype:trojan-activity; sid:39411; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39526; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE RTF document incorrect file magic attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"|7B 5C|rt|0D 3C|"; depth:6; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39527; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_client,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39528; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-OFFICE Microsoft Office RTF WRAssembly ASLR bypass download attempt"; flow:to_server,established; flowbits:isset,file.rtf; file_data; content:"WRAssembly"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2015-1641; reference:url,technet.microsoft.com/en-us/security/bulletin/ms15-033; classtype:attempted-user; sid:39529; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 27 C7 CC 6B C2 FD 13 0E|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39573; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 D7 75 FF F7 C7 62 B9 82|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39574; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:67; isdataat:!68; content:"|40 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|0A|"; within:1; distance:1; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39575; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 AD|"; depth:5; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/d74fcf6b8f2f1c3a1ed742feb3f323f7826e9fc79a3d642082cee46770a4697a/analysis/1461003042/; classtype:trojan-activity; sid:39576; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:11; isdataat:!12; content:"|08 00 00 00 86 CC 02 89 8F F7 A6 67|"; depth:12; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39577; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant inbound connection"; flow:to_client,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39578; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:59; isdataat:!60; content:"|38 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39579; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.NanoBot variant outbound connection"; flow:to_server,established; isdataat:67; isdataat:!68; content:"|40 00 00 00 FE A5 0D 55 BB 10 A4 09 7A D9 86 FF 6C 81 E6 97 7C 91 BC DA EE 89 08 2A|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/0a19499dec07ca2ade3aefdf910e13231d63d7a2e238776272b4fffd0ff3a527/analysis/1467727738/; classtype:trojan-activity; sid:39580; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus initial outbound connection"; flow:to_server,established; isdataat:59; isdataat:!60; content:"|38 00 00 00 F5 13 89 53|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39581; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus server heartbeat request attempt"; flow:to_client,established; isdataat:35; isdataat:!36; content:"|20 00 00 00 2B FF 4B F4|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39582; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NanoBot/Perseus client heartbeat response attempt"; flow:to_server,established; isdataat:51; isdataat:!52; content:"|30 00 00 00 2B FF 4B F4|"; depth:8; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/4b16d1e205f198222bd2b2bb8dbd55886a9e2b79de484eec0d8cce5db376d3c8/analysis/; classtype:trojan-activity; sid:39583; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Zeus variant inbound connection"; flow:to_client,established; content:"attachment|3B|"; http_header; content:"filename="; http_header; content:"/us.xml"; within:20; fast_pattern; http_header; content:"Content-Type|3A 20|application/octet-stream|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/292c12a4c9cf8724c7bfa9ec73e1b703bd51720ea18cd4528e9be516d05b5628/analysis/1468961317/; classtype:trojan-activity; sid:39705; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE Content-Type image containing Portable Executable data"; flow:to_client,established; content:"Content-Type|3A 20|image/"; fast_pattern:only; http_header; file_data; content:"MZ"; depth:2; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/en/file/2dc752d12baa8c8441b82dd52abfd51c25abd28ba42344b22869ba7ae5a9a877/analysis/1469197722/; classtype:trojan-activity; sid:39729; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP HttpOxy CGI application vulnerability potential man-in-the-middle attempt"; flow:to_server,established; content:"|0A|Proxy|3A|"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2016-5385; reference:cve,2016-5386; reference:cve,2016-5387; reference:cve,2016-5388; reference:url,httpoxy.org; classtype:web-application-attack; sid:39737; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Trans variant outbound connection"; flow:to_server,established; content:"/site/images/banners/casecor21.gif"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a4c1234bb748f9bcabeb9ab990614fd4c1035135c5f5068fd42bace4b75fff0e/analysis/; classtype:trojan-activity; sid:39738; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Hancitor variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"GUID="; depth:122; http_client_body; content:"BUILD="; depth:122; http_client_body; content:"INFO="; depth:122; http_client_body; content:"IP="; depth:122; http_client_body; content:"TYPE="; depth:122; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5ec4ba1a97500e664af6896f4c02846ca6777e671bb600103dc8d49224e38f48/analysis/1469201551/; classtype:trojan-activity; sid:39800; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 900 (msg:"MALWARE-CNC Win.Trojan.Spyrat variant outbound connection"; flow:to_server,established; content:"myversion|7C|2.5.2."; depth:19; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/e64f536556739d50a673a952da7f110f1156fad0f7360d401794e5a8d65ce63a/analysis/; classtype:trojan-activity; sid:39801; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"FILE-OFFICE Microsoft Windows RTF file with embedded object package SMTP upload attempt"; flow:to_server,established; file_data; content:"{|5C|rt"; nocase; content:"{|5C|object|5C|objemb{|5C|*|5C|objclass Package}"; distance:0; nocase; flowbits:set,file.rtf.embed; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; reference:url,en.wikipedia.org/wiki/Rich_Text_Format; classtype:misc-activity; sid:39903; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"MALWARE-CNC Win.Trojan.HawkEye keylogger exfiltration attempt"; flow:to_server,established; content:"Subject: HawkEye Keylogger |7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/f4499928a6fee5d37fb711ed6d68708bf116cfc7f284d3295dd30ded7ecf64b2/analysis/; classtype:trojan-activity; sid:39911; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:14; content:"/data/info.php"; fast_pattern:only; http_uri; content:"x-requested-with: XMLHttpRequest"; http_header; content:"Referer|3A| http|3A|"; http_header; content:"/data"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f29ce76169727ff5a43ef7baa5c4e04f7d3302189e3d2a31cfc9dec39e84ad03/analysis/; classtype:trojan-activity; sid:40011; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox about field spoofing attempt"; flow:to_client,established; file_data; content:"about:"; fast_pattern; nocase; content:"?"; within:15; content:"<"; within:100; content:"location"; nocase; pcre:"/\babout:[a-z]+?\?[^\n]+?\</i"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2016-5268; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=1253673; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-83/; classtype:attempted-user; sid:40015; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_client,established; file_data; content:"PK|03 04|"; depth:4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:40035; rev:10;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY XLSB file magic detected"; flow:to_server,established; file_data; content:"PK|03 04|"; depth:4; flowbits:set,file.zip; flowbits:set,file.xlsb; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:40036; rev:10;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"OS-LINUX Linux Kernel Challenge ACK provocation attempt"; flow:to_server,no_stream; flags:R; detection_filter:track by_src, count 200, seconds 1; metadata:policy max-detect-ips drop, ruleset community; reference:bugtraq,91704; reference:cve,2016-5696; reference:cve,2017-7285; classtype:attempted-admin; sid:40063; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"EXPLOIT-KIT Phoenix Exploit Kit inbound geoip.php bdr exploit attempt"; flow:to_server,established; content:"/geoip.php?bdr="; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/phoenix_exec.rb; classtype:web-application-activity; sid:40184; rev:2;)
|
|
alert udp $HOME_NET [500,848,4500,4848] -> $EXTERNAL_NET any (msg:"SERVER-OTHER Cisco IOS Group-Prime memory disclosure exfiltration attempt"; flow:to_client; dsize:>2000; content:"|0B 10 05 00|"; depth:8; offset:16; byte_test:4,>,2000,4,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,attack.mitre.org/techniques/T1020; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40220; rev:6;)
|
|
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime MD5 memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 01 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40221; rev:5;)
|
|
alert udp $EXTERNAL_NET any -> $HOME_NET [500,848,4500,4848] (msg:"SERVER-OTHER Cisco IOS Group-Prime SHA memory disclosure attempt"; flow:to_server; dsize:>2000; content:"|00 00 00 00 00 00 00 00|"; depth:8; offset:8; content:"|00 00 00 01 00 00 00 01|"; depth:8; offset:32; content:"|01 01 04 01|"; within:4; distance:4; content:"|80 02 00 02 80 04 00 01 00 06|"; distance:0; fast_pattern; byte_test:2,>,2000,0,relative; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2016-6415; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1; classtype:attempted-recon; sid:40222; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Win.Trojan.Perseus"; flow:to_server,established; content:"User-Agent|3A| bUQ8QmvUpI57udWFxQHPkuyKDfc3T8u5"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40251; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Perseus variant outbound connection"; flow:to_server,established; content:"mashine="; fast_pattern:only; http_client_body; content:"publickey="; http_client_body; content:"user="; http_client_body; content:"os="; http_client_body; content:"processor="; http_client_body; content:"mac="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/e88709501e6c8923c7c9bf112f7a824f241f86b001dd824eb12a4284778c8137/analysis/; classtype:trojan-activity; sid:40252; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Keydnap variant initial backdoor download attempt"; flow:to_server,established; content:"/icloudsyncd"; fast_pattern:only; http_uri; content:"Accept|3A 20|*/*"; http_header; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.malwarebytes.com/cybercrime/2016/07/mac-malware-osx-keydnap-steals-keychain/; reference:url,www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/; classtype:trojan-activity; sid:40260; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Satana ransomware outbound connection"; flow:to_server,established; content:"/add.php"; fast_pattern:only; http_uri; content:"id="; http_client_body; content:"code="; http_client_body; content:"sdata="; http_client_body; content:"name="; http_client_body; content:"md5="; http_client_body; content:"dlen="; http_client_body; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96/analysis/1477327210/; classtype:trojan-activity; sid:40541; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.CryPy ransomware variant outbound connection"; flow:to_server,established; content:"/victim.php?info="; fast_pattern:only; http_uri; content:"&ip="; http_uri; content:"info="; http_uri; content:"User-Agent|3A 20|Python-urllib/"; http_header; content:!"Accept"; http_header; content:!"Connection"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de6da70478e7f84cd06ace1a0934cc9d5732f35aa20e960dc121fd8cf2388d6e/analysis/1477329470/; classtype:trojan-activity; sid:40549; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant second stage download attempt"; flow:to_server,established; content:"/images/"; fast_pattern:only; http_uri; content:".rar"; http_uri; content:"User-Agent|3A 20|Mozilla/4.0 (compatible|3B| Synapse)|0D 0A|"; http_header; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40550; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dexter Banker variant successful installation report attempt"; flow:to_server,established; content:"/LetsGo.php?A="; fast_pattern:only; http_uri; content:"Sytem="; http_uri; content:"qual="; http_uri; content:!"Accept"; http_header; content:!"referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/25657a5b4e65add11d42c59aa854834977ddb3fe969f10efa2fa637b0329b3bb/analysis/1477407128/; classtype:trojan-activity; sid:40551; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.iSpy variant outbound connection"; flow:to_server,established; content:"iSpyKelogger"; fast_pattern:only; http_uri; content:"gate="; http_client_body; content:"token="; distance:0; http_client_body; content:"name="; distance:0; http_client_body; content:!"User-Agent"; http_header; content:!"Connection"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/11e611585bfb6ff1f823e3c035ef6cfae39dfe2209e15ed01a8db8b3f9526519/analysis/1477417828/; classtype:trojan-activity; sid:40559; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant inbound connection"; flow:to_client,established; content:"Server Prent <please>|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40762; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getSMS command response"; flow:to_server,established; content:"|7C|ge|7C|t|7C|SM|7C|S|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40763; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Android.Trojan.SpyNote RAT variant getContacts command response"; flow:to_server,established; content:"send|7C|G|7C 7C|Cont|7C|acts|7C|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/14eb51b26fa4932fc660daf7e803600bf29a8a46fe3f1d652194bc48e9617bd9/analysis/1478720273/; classtype:trojan-activity; sid:40764; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/message.php"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|XMLHttpRequest|0D 0A|"; http_header; content:"Referer|3A 20|"; http_header; content:"Accept|3A 20|*/*|0D 0A|Accept-Language|3A 20|en-us|0D 0A|"; http_header; content:"Cache-Control|3A 20|no-cache|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ab082d6047fb73b9de7ebc59fb12fa1f8c2d547949d4add3b7a573d48172889b/analysis/1479147777/; classtype:trojan-activity; sid:40816; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE MindSpark framework installer attempt"; flow:to_server,established; content:"User-Agent|3A 20|Mindspark MIP "; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/9f2cc1688bee96849ced91ade04d4d51e6fd18fa47ab1dc2c12a029aa672f7ce/analysis/; classtype:trojan-activity; sid:40827; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_houdini|0D 0A|"; depth:13; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40831; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant keylogger inbound init command attempt"; flow:to_client,established; isdataat:22; isdataat:!23; content:"silence_keylogger|0D 0A|"; depth:19; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1056; classtype:trojan-activity; sid:40832; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound init command attempt"; flow:to_client; content:"screenshot_init|0D 0A|"; depth:17; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40833; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screenshot inbound silence command attempt"; flow:to_client; isdataat:23; isdataat:!24; content:"silence_screenshot|0D 0A|"; depth:20; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40834; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant screen_thumb inbound init command attempt"; flow:to_client,established; content:"screen_thumb|0D 0A|"; depth:14; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40835; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Backdoor.Houdini variant file enumeration inbound init/root/faf command attempt"; flow:to_client,established; isdataat:22; isdataat:!23; content:"file_manager_"; depth:13; offset:4; pcre:"/file_manager_(init|root|faf)\x0d\x0a/"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:40836; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Sokuxuan outbound connection attempt"; flow:to_server,established; content:"/UpgSvr/"; fast_pattern:only; http_uri; content:".xml"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:trojan-activity; sid:40839; rev:2;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining subscribe Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40840; rev:2;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining authorize Stratum protocol client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.authorize|22|"; content:"|22|params|22 3A|"; distance:1; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40841; rev:2;)
|
|
# alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"PUA-OTHER Bitcoin Mining extranonce Stratum protocol subscribe client request attempt"; flow:to_server,established; content:"|7B 22|id|22 3A|"; content:"|22|method|22 3A 22|mining.extranonce.subscribe|22|"; content:"|22|params|22 3A|"; distance:1; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/f35b65743142090ecf031731cb0bd77b15055e36dcdaa7a4ab09c5b2add13d15/analysis/1479759162/; classtype:policy-violation; sid:40842; rev:2;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP SET_CONFIG type buffer overflow attempt"; flow:to_server; dsize:>336; content:"|01 01 00|"; depth:3; byte_test:4,>=,0x0264,4,big; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-user; sid:40866; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".createElementNS"; content:"svg"; within:10; content:".setAttribute"; content:"begin"; within:15; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".setAttribute"; distance:0; content:"end"; within:10; content:".end"; within:20; content:".pauseAnimations"; fast_pattern:only; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40888; rev:3;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BROWSER-FIREFOX Mozilla Firefox ESR NotifyTimeChange use after free attempt"; flow:to_client,established; file_data; content:".pauseAnimations"; fast_pattern:only; content:"svg"; nocase; content:"animate"; nocase; content:"begin"; within:50; nocase; content:"end"; within:50; nocase; content:".end"; within:30; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-9079; reference:url,www.mozilla.org/en-US/security/advisories/mfsa2016-92/; classtype:attempted-user; sid:40896; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1040 (msg:"PROTOCOL-OTHER TP-Link TDDP Get_config configuration leak attempt"; flow:to_server; content:"|01 02 00|"; depth:3; content:"|00 00|"; within:2; distance:7; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.coresecurity.com/advisories/tp-link-tddp-multiple-vulnerabilities; classtype:attempted-recon; sid:40907; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Rootkit.Sednit variant outbound connection"; flow:to_server,established; urilen:11; content:"/search.php"; fast_pattern:only; http_uri; content:"as_ft="; http_client_body; content:"as_q="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1014; reference:url,virustotal.com/en/file/471fbdc52b501dfe6275a32f89a8a6b02a2aa9a0e70937f5de610b4185334668/analysis/1480953133/; classtype:trojan-activity; sid:40911; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 31337 (msg:"MALWARE-CNC Linux.DDoS.D93 outbound connection"; flow:to_server; content:"|4E 0F 42 07 27|"; depth:5; isdataat:24; isdataat:!25; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2c017c94d9f40cba9a20e92c7c636e98de15c599bf004fa06508d701ab9e3068/analysis/; classtype:trojan-activity; sid:40991; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 authentication bypass attempt"; flow:to_server,established; content:"/apply_noauth.cgi"; depth:17; nocase; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10176; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41095; rev:5;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 hidden_lang_avi stack buffer overflow attempt"; flow:to_server,established; content:"/lang_check"; nocase; http_uri; content:"hidden_lang_avi="; nocase; http_client_body; isdataat:36,relative; content:!"&"; within:36; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10174; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-admin; sid:41096; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; content:"/admin.php?f="; fast_pattern:only; http_uri; content:"UA-CPU|3A 20|"; http_header; content:"MSIE 7.0|3B|"; http_header; content:"Accept|3A 20|*/*"; http_header; content:!"Accept-Language"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41334; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Locky variant outbound connection"; flow:to_server,established; urilen:12; content:"/checkupdate"; fast_pattern:only; http_uri; content:"x-requested-with|3A 20|"; http_header; content:"Referer"; http_header; content:"="; depth:15; http_client_body; content:"%"; within:2; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/b9cf176ddb51fa60c7512cdbafc5a598929ac3d0b3d0443a80a7f33259aa70f2/analysis/1484673198/; classtype:trojan-activity; sid:41335; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"time|3A 20|"; fast_pattern:only; http_header; content:"User-Agent|3A 20|HttpEngine"; http_header; content:".do"; http_uri; pcre:"/\.(do|jar)$/Umi"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41336; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Sysch variant outbound connection"; flow:to_server,established; content:"GZIPOK|3A 20|"; fast_pattern:only; http_header; content:"CompGZ|3A 20|"; http_header; content:"ReqType|3A 20|"; http_header; content:".do"; http_uri; content:!"Accept"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/5a0bb7bba9153801fa88ef1bedfad564d95d2d61a23de8cb87af8b589207277f/analysis/1484684079/; reference:url,virustotal.com/en/file/82da35ab3b0a47fe8de8b0cc24d53711e17960f5887a16769e76650d9556b399/analysis/1484684069/; classtype:trojan-activity; sid:41337; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_uri; content:"arg="; nocase; http_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?([\x60\x3b\x7c]|\x24\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41346; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_raw_uri; content:"arg="; nocase; http_raw_uri; content:"%26"; distance:0; http_raw_uri; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/[?&]arg=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41347; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg="; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/(^|&)arg=[^&]*?([\x60\x3b\x7c]|\x24\x28|%60|%3b|%7c|%26|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41348; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Western Digital MyCloud command injection attempt"; flow:to_server,established; content:"/web/google_analytics.php"; fast_pattern:only; http_uri; content:"cmd=set"; nocase; http_client_body; content:"arg"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; content:"isAdmin=1"; nocase; http_cookie; content:"username=admin"; nocase; http_cookie; content:"local_login=1"; nocase; http_cookie; pcre:"/name\s*=\s*[\x22\x27]?arg((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|\x24\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10108; classtype:web-application-attack; sid:41349; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant registration message"; flow:to_server,established; content:"|41 00 00 00 83|"; depth:5; isdataat:!79; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41374; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant check logs"; flow:to_server,established; content:"|38 00 00 00 85|"; depth:5; isdataat:!79; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41375; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NetWiredRC variant keepalive"; flow:to_server,established; content:"|01 00 00 00 81|"; depth:5; isdataat:4; isdataat:!5; metadata:impact_flag red, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/6f179a4dc1c0393b6f2dac5aaa9c20b120ced4e82ba257bb45e693472c56a88b/analysis/1484683135/; classtype:trojan-activity; sid:41376; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco Webex explicit use of web plugin detected"; flow:to_server,established; content:"cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2017-3823; reference:cve,2017-6753; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170717-webex; classtype:policy-violation; sid:41409; rev:6;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC User-Agent known malicious user-agent string - X-Mas"; flow:to_server,established; content:"User-Agent|3A 20|Useragents"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41441; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Ransomware.X-Mas outbound connection"; flow:to_server,established; content:"WebKitFormBoundary"; content:"|20|form-data|3B 20|name=|22|uid|22|"; fast_pattern; content:"|20|form-data|3B 20|name=|22|uname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|cname|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|ltime|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|uright|22|"; distance:0; content:"|20|form-data|3B 20|name=|22|sysinfo|22|"; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/2aa91ed4e591da10499708bde44b1f9d0000eaee9a81018cb0f36bd44844df7a/analysis/1484847335/; reference:url,virustotal.com/en/file/83a2b429b969fc5cd38b6c5072391c3513b3b914f54ea80e245b243dbd5377be/analysis/1484847306/; classtype:trojan-activity; sid:41442; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"163="; http_client_body; content:"&x="; distance:0; http_client_body; content:"&z="; distance:0; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41443; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.X-Mas variant keylogger outbound connection"; flow:to_server,established; content:"/gate.php?"; fast_pattern:only; http_uri; content:"|3C|br|3E 3C|br|3E 3C|b|3E 3C|big|3E 3C|font color=|22|"; http_client_body; content:"|22 3E 20 5B|"; within:12; http_client_body; content:!"Accept-"; http_header; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1056; reference:url,virustotal.com/en/file/b49d2b3c6978584408f3c668863cc88e892bd333a9db9c3de14964d59fc3298f/analysis/1484847208/; classtype:trojan-activity; sid:41444; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP remote buffer overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; http_uri; content:"p="; http_uri; isdataat:263,relative; content:!"&"; within:263; http_uri; content:!"|0D 0A|"; within:263; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,seclists.org/bugtraq/2017/Jan/5; classtype:attempted-admin; sid:41445; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_uri; pcre:"/[?&]id=[^&]*?[^\d&]/Ui"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41495; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"id="; nocase; http_client_body; pcre:"/[?&]id=[^&]*?[^\d&]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41496; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP WordPress get_post authentication bypass attempt"; flow:to_server,established; content:"/wp-json/"; fast_pattern:only; http_uri; content:"|22|id|22|"; nocase; http_client_body; pcre:"/\x22id\x22\s*\x3A\s*\x22[^\x22]*?[^\d\x22]/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,wordpress.org/news/2017/01/wordpress-4-7-2-security-release/; classtype:web-application-attack; sid:41497; rev:2;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.CryptoLocker binary download response attempt"; flow:to_client,established; content:"Set-Cookie|3A 20|mediaplanBAK|3D|"; fast_pattern:only; content:"Set-Cookie|3A 20|mediaplan|3D|"; content:"Content-Type|3A 20|text/plain"; http_header; file_data; content:"MZ"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/571a7014d1ee4e359e7eb5d2c7b3e6c527f4fcef322781f1c56a1b5bf28c8eb2/analysis/1485884599/; classtype:trojan-activity; sid:41498; rev:1;)
|
|
alert tcp $EXTERNAL_NET [139,445] -> $HOME_NET any (msg:"SERVER-SAMBA Microsoft Windows SMBv2/SMBv3 Buffer Overflow attempt"; flow:to_client,established; content:"|FE|SMB|40 00|"; depth:6; offset:4; content:"|03 00|"; within:2; distance:6; byte_test:3, >, 200, 1; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2017-0016; classtype:attempted-dos; sid:41499; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear passwordrecovered.cgi insecure admin password disclosure attempt"; flow:to_server,established; content:"/passwordrecovered.cgi"; fast_pattern:only; http_uri; content:"id="; nocase; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,95457; reference:cve,2017-5521; reference:url,kb.netgear.com/30632/Web-GUI-Password-Recovery-and-Exposure-Security-Vulnerability; classtype:attempted-recon; sid:41504; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Downloader.MacDownloader variant outbound connection"; flow:to_server,established; urilen:14; content:"/Servermac.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/7a9cdb9d608b88bd7afce001cb285c2bb2ae76f5027977e8635aa04bd064ffb7/analysis/; classtype:trojan-activity; sid:41663; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_client_body; pcre:"/(^|&)ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41698; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping_IPAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41699; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 ping.cgi command injection attempt"; flow:to_server,established; content:"/ping.cgi"; nocase; http_uri; content:"ping_IPAddr="; fast_pattern:only; http_uri; pcre:"/[?&]ping_IPAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6077; reference:url,seclists.org/fulldisclosure/2017/Feb/50; classtype:web-application-attack; sid:41700; rev:3;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Binary file download request from internationalized domain name using Microsoft BITS"; flow:to_server,established; content:"User-Agent|3A| Microsoft BITS"; http_header; content:"Host|3A 20|xn--"; fast_pattern:only; http_header; pcre:"/(\x2ebat|\x2eexe)$/smiU"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:41710; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Houdini variant initial outbound connection"; flow:to_server,established; content:"new_slave|0D 0A|"; depth:11; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41711; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Houdini backdoor file download request"; flow:to_server,established; content:"/ChromeSetup.bat"; fast_pattern:only; http_uri; content:"User-Agent|3A| Microsoft BITS"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1197; reference:url,virustotal.com/en/file/8d75e47c04bb2cc0f4c2e973475d4ff1fc8f32039794e3ea5ca2494c66d80d3f/analysis/; classtype:trojan-activity; sid:41712; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke installation attempt detected"; flow:to_server,established; content:"/Install/InstallWizard.aspx"; fast_pattern:only; http_uri; content:"executeinstall"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2015-2794; reference:url,www.exploit-db.com/exploits/39777; classtype:attempted-admin; sid:41713; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol backup config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 08|"; depth:12; content:"://"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41722; rev:4;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download config command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 03|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41723; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol download image command attempt"; flow:to_server,established; content:"|00 00 00 01 00 00 00 01 00 00 00 02|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41724; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET 4786 (msg:"SERVER-OTHER Cisco IOS Smart Install protocol version command attempt"; flow:to_server,established; content:"|00 00 00 02 00 00 00 01 00 00 00 05|"; depth:12; content:"tftp://"; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:cve,2018-0156; reference:url,tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-smi; reference:url,tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20170214-smi; classtype:attempted-admin; sid:41725; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?host_name((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41748; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_client_body; pcre:"/(^|&)host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41749; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]host_name=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41750; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200 dnslookup.cgi command injection attempt"; flow:to_server,established; content:"/dnslookup.cgi"; fast_pattern:only; http_uri; content:"host_name="; nocase; http_uri; pcre:"/[?&]host_name=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-6334; classtype:web-application-attack; sid:41751; rev:3;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB3|00 00 00 00|"; depth:9; offset:4; byte_extract:2,26,TotalDataCount,relative,little; byte_test:2,>,TotalDataCount,20,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,blog.talosintelligence.com/2017/05/wannacry.html; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:41978; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string - Andr.Trojan.Agent"; flow:to_server,established; content:"User-Agent|3A| Ray-Downer|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42019; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/wroot/v3"; fast_pattern:only; http_uri; content:".do"; http_uri; content:"uuid="; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/a3a849ef491a40c0fc1cb4c5e4769447da27ca02552a5fd270b9c2b8dbc0ff70/analysis/; classtype:trojan-activity; sid:42021; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Sage variant outbound connection"; flow:to_server,established; content:"Host: mbfce24rgn65bx3g."; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/c1c31129a39441607c060a7da57855d3969cf47ce4119cda9beaf65b63faca60/analysis/; classtype:trojan-activity; sid:42059; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"User-Agent|3A| WinHttpClient"; fast_pattern:only; http_header; content:"//Home/"; http_raw_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42128; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ismdoor variant outbound connection"; flow:to_server,established; content:"commandId="; fast_pattern:only; http_uri; content:"/Home/"; depth:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.vectranetworks.com/blog/an-analysis-of-the-shamoon-2-malware-attack; classtype:trojan-activity; sid:42129; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:established,to_server; isdataat:11; isdataat:!12; content:"|7A 8D 9B DC|"; depth:4; offset:4; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42225; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows empty RDP cookie negotiation attempt"; flow:to_server,established; content:"|08 E0 00 00 00 00|"; depth:6; offset:4; content:"|0D 0A|"; within:2; distance:1; isdataat:!1,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service rdp; reference:cve,2017-0176; reference:cve,2017-9073; reference:url,www.securitytracker.com/id/1038264; classtype:policy-violation; sid:42255; rev:4;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous user session setup request detected"; flow:to_server,established; content:"|FF|SMB|73 00 00 00 00|"; depth:13; offset:4; content:"|01 00 00 00 00 00 00 00|"; within:8; distance:38; content:"|00 00 00 00 00|"; within:5; distance:6; flowbits:set,smb.null_session; flowbits:noalert; metadata:policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441638.aspx; classtype:policy-violation; sid:42256; rev:7;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant process injection command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|42 00|"; within:2; distance:21; content:"|0E 00|"; within:2; distance:29; content:!"|00 00|"; within:2; flowbits:set,smb.trans2.mid66; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips alert, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1055; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42331; rev:4;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"MALWARE-CNC Win.Trojan.Doublepulsar variant ping command"; flow:to_server,established; content:"|FF|SMB|32 00 00 00 00|"; depth:9; offset:4; content:"|41 00|"; within:2; distance:21; content:"|0E 00 0D 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; within:17; distance:29; flowbits:set,smb.trans2.mid65; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:url,countercept.com/our-thinking/analyzing-the-doublepulsar-kernel-dll-injection-technique/; reference:url,www.virustotal.com/file/15ffbb8d382cd2ff7b0bd4c87a7c0bffd1541c2fe86865af445123bc0b770d13/analysis/; classtype:trojan-activity; sid:42332; rev:7;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB large NT RENAME transaction request memory leak attempt"; flow:to_server,established; content:"|FF|SMB|A0|"; depth:5; offset:4; content:"|05 00|"; within:2; distance:64; byte_test:2,>,1024,0,relative,little; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42338; rev:3;)
|
|
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB possible leak of kernel heap memory"; flow:to_client,established; content:"Frag"; fast_pattern; content:"Free"; content:"|FA FF FF|"; content:"|F8 FF FF|"; within:3; distance:5; content:"|F8 FF FF|"; within:3; distance:5; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42339; rev:3;)
|
|
# alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt"; flow:to_server,established; flowbits:isset,smb.null_session; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"|00 5C 00|I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; reference:url,msdn.microsoft.com/en-us/library/ee441910.aspx; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:42340; rev:4;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [995,80,53,443] (msg:"MALWARE-CNC Win.Trojan.RedLeaves outbound connection"; flow:to_server,established; content:"856"; depth:3; offset:1; content:"856|9A F3 EC 89|"; within:7; distance:1; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Red%20Leaves%20technical%20note%20v1.0.pdf; classtype:trojan-activity; sid:42398; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_client,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42820; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"OS-WINDOWS Microsoft Malware Protection Engine type confusion attempt"; flow:to_server,established; file_data; content:"Error"; content:".toString.call"; within:50; fast_pattern; content:"message"; within:25; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:cve,2017-0290; reference:url,technet.microsoft.com/en-us/library/security/4022344.aspx; classtype:attempted-admin; sid:42821; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"z9=base64%5fdecode"; fast_pattern:only; http_client_body; content:"=%40eval"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42834; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"X-Forwarded-For"; nocase; http_header; content:"=edoced_46esab"; fast_pattern:only; http_client_body; content:"z0="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42835; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.Chopper web shell connection"; flow:to_server,established; content:"=@eval(get_magic_quotes_gpc()?stripslashes($_POST["; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1100; reference:url,www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-ii.html; classtype:trojan-activity; sid:42836; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MVPower DVR Shell arbitrary command execution attempt"; flow:to_server,established; content:"/shell?"; fast_pattern:only; http_uri; urilen:>16,norm; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.pentestpartners.com/blog/pwning-cctv-cameras/; classtype:attempted-admin; sid:42857; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:established,to_server; content:"Connect.php?id="; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42880; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Deputy Dog implant outbound connection"; flow:to_server,established; content:"/JP-ja/js?"; fast_pattern:only; http_uri; content:"SessionID:"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42881; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC ZoxPNG initial outbound connection"; flow:established, to_server; content:"/search?q=Google&go=&qs=n&form="; fast_pattern:only; http_uri; content:"pq=google&sc=8-1&sp=-1&sk="; http_uri; content:"Cookie|3A 20|SESSIONID="; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42882; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection attempt"; flow:established,to_server; content:"/mm.jpg"; depth:7; fast_pattern; http_uri; content:"User-Agent|3A 20|Mozilla/5.0 (compatible"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42883; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MadMax implant outbound connection"; flow:established,to_server; content:"/logon.aspx?Id="; fast_pattern:only; http_uri; content:"Cookie|3A 20|SessionData="; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42884; rev:2;)
|
|
alert tcp $HOME_NET any <> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC WashingTon ssl certificate negotiation attempt"; flow:to_server,established; content:"WashingTon"; fast_pattern:only; content:"WebMaster@Microsoft.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42885; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent Win.Trojan.Agent malicious user agent"; flow:to_server,established; content:"User-Agent|3A| HttpBrowser/1.0"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:42886; rev:2;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"OS-WINDOWS Microsoft Windows SMB remote code execution attempt"; flow:to_server,established; content:"|FF|SMB|A0 00 00 00 00|"; depth:9; offset:4; content:"|01 00 00 00 00|"; within:5; distance:59; byte_test:4,>,0x8150,-33,relative,little; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0144; reference:cve,2017-0146; reference:url,isc.sans.edu/forums/diary/ETERNALBLUE+Possible+Window+SMB+Buffer+Overflow+0Day/22304/; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-admin; sid:42944; rev:2;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"IPC$|00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43002; rev:8;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"PROTOCOL-OTHER NETBIOS SMB IPC share access attempt"; flow:to_server,established; content:"|FF|SMB|75 00 00 00 00|"; depth:9; offset:4; content:"I|00|P|00|C|00|$|00 00 00|"; fast_pattern:only; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; metadata:policy balanced-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service netbios-ssn; reference:url,attack.mitre.org/techniques/T1077; classtype:misc-activity; sid:43003; rev:8;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,0,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:1; content:"/"; within:len; distance:1; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:43004; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kabob outbound connection"; flow:to_server,established; content:"@|E9 03 00 00 00 00 00 00 00 00 64|"; fast_pattern:only; http_client_body; pcre:"/\/\d{8}\/\w{4}\/[A-F0-9]{4}\/[A-F0-9]{4}\/[A-Z0-9\-_~]{12}\.[aj]sp/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:43063; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|18 17 E9 E9 E9 E9|"; fast_pattern:only; isdataat:!7; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43193; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.HiddenCobra variant outbound connection"; flow:to_server,established; content:"|1B 17 E9 E9 E9 E9|"; depth:6; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community; reference:url,www.us-cert.gov/ncas/alerts/TA17-164A; classtype:trojan-activity; sid:43194; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /.svn/entries file access attempt"; flow:to_server,established; content:"/.svn/entries"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:43285; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /cgi-bin/sh file access attempt"; flow:to_server,established; content:"/cgi-bin/sh"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:43286; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/inetd.conf file access attempt"; flow:to_server,established; content:"/etc/inetd.conf"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43287; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/motd file access attempt"; flow:to_server,established; content:"/etc/motd"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43288; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /etc/shadow file access attempt"; flow:to_server,established; content:"/etc/shadow"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1087; classtype:attempted-recon; sid:43289; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP /ws_ftp.log file access attempt"; flow:to_server,established; content:"/ws_ftp.log"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:attempted-recon; sid:43290; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Oracle Application Server 9i unauthenticated application deployment attempt"; flow:to_server,established; content:"/soap/soaplet/soaprouter"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2001-1371; classtype:attempted-recon; sid:43291; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM database information request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/GetOneTenant"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43562; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user credentials request detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/Users"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-recon; sid:43563; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Teleopti WFM administrative user creation detected"; flow:to_server,established; content:"/TeleoptiWFM/Administration/AddFirstUser"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Feb/13; classtype:attempted-admin; sid:43564; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"SERVER-OTHER WSFTP IpSwitch custom SITE command execution attempt"; flow:to_server,established; content:"SITE SETC"; nocase; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:cve,2004-1885; classtype:attempted-admin; sid:43663; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site request forgery attempt"; flow:to_server,established; content:"/cgi-bin/cgictl?action=setTaskSettings"; fast_pattern:only; http_uri; content:"settings={|22|"; nocase; http_client_body; content:"taskId="; http_client_body; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9810; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43809; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9080 (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]reportId=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43810; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId="; nocase; http_client_body; pcre:"/(^|&)reportId=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43811; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"reportId"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?reportId((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9812; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:web-application-attack; sid:43812; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Kaspersky Linux File Server WMC cross site scripting attempt"; flow:to_server,established; content:"/cgi-bin/cgictl"; fast_pattern:only; http_uri; content:"scriptName="; nocase; http_uri; pcre:"/[?&]scriptName=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,99330; reference:cve,2017-9813; reference:url,coresecurity.com/advisories/Kaspersky-Anti-Virus-File-Server-Multiple-Vulnerabilities; classtype:attempted-user; sid:43813; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.XAgent outbound connection"; flow:to_server,established; content:"(unknown version)"; http_header; content:"Darwin/"; within:30; http_header; content:"Accept|3A 20|*/*|0D 0A|"; http_header; pcre:"/\/(search|find|results|open|search|close|watch)\/\x3f[a-zA-Z0-9]{2,8}\x3d/Ui"; content:!"Referer"; http_header; metadata:impact_flag red, ruleset community, service http; reference:url,contagiodump.blogspot.com/2017/02/russian-apt-apt28-collection-of-samples.html; reference:url,download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf; classtype:trojan-activity; sid:43825; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Ubiquiti Networks UniFi Cloud Key Firm v0.6.1 Host Remote Command Execution attempt"; flow:to_server,established; urilen:11,norm; content:"/api/status"; fast_pattern:only; http_uri; pcre:"/^Host\x3A[^\x0a]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Him"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,cxsecurity.com/issue/WLB-2017080038; classtype:web-application-attack; sid:43957; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/gate.php"; fast_pattern:only; http_uri; content:"WebKitFormBoundary"; http_header; content:"name=|22|getconfig|22|"; content:"Referer|3A 20|"; http_header; content:"Connection|3A 20|close|0D 0A|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/01092ea6b5eb749254cf61a58c7c8fe5f6700197643271202fe420ac7cc68d1f/detection; classtype:trojan-activity; sid:43972; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/update/upfolder/updatefun.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43981; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.Femas variant outbound connection"; flow:to_server,established; content:"did="; http_client_body; content:"/pockemon/squirtle/functions.php"; fast_pattern:only; http_uri; content:"Dalvik/"; http_header; content:"Android"; within:25; http_header; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/; reference:url,securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/; classtype:trojan-activity; sid:43982; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY-OTHER Cisco DDR2200 ASDL gateway file download detected"; flow:to_server,established; content:"download.conf"; fast_pattern:only; http_uri; content:"filename="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2017-11587; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44004; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; pcre:"/[?&]pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44005; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]pingAddr=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44006; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr="; nocase; http_client_body; pcre:"/(^|&)pingAddr=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-11588; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44007; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Cisco DDR2200 ADSL gateway command injection attempt"; flow:to_server,established; content:"waitPingqry"; fast_pattern:only; http_uri; content:"pingAddr"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?pingAddr((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,seclists.org/fulldisclosure/2017/Jul/26; classtype:web-application-attack; sid:44008; rev:2;)
|
|
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"3t2t3rgeg"; content:"fg2eq34df"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44399; rev:1;)
|
|
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"f2tee4"; content:"rvgvtfdf"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/604bd405cf8edd910b25c52b63ab7e4b6c2242bc6eaf6eca4cccb718e1d291e2; classtype:trojan-activity; sid:44400; rev:1;)
|
|
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 92 93 45 3A 42 8B 15 4C|"; fast_pattern:only; content:"London"; content:"example.com"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,malware-traffic-analysis.net/2017/08/12/index.html; classtype:trojan-activity; sid:44401; rev:1;)
|
|
alert tcp $EXTERNAL_NET [443,447,449] -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Trickbot self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; distance:13; content:"|00 DC 5E AE E6 3E EC 78 EC|"; content:"Alaska"; content:"John_Alaska@gmail.com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/en/file/70041c335a374d84f64c6c31d59ff09bd8473fd049cfcb46fe085d1eb92ac0b8/analysis/1502073944/; classtype:trojan-activity; sid:44402; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-admin"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44469; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Potential hostile executable served from compromised or malicious WordPress site attempt"; flow:to_server,established; content:"/wp-includes"; fast_pattern:only; http_uri; pcre:"/(exe|dll|scr|rar|ps1|bat)$/Ui"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; reference:url,blog.avast.com/2013/05/03/regents-of-louisiana-spreading-sirefef-malware; classtype:trojan-activity; sid:44470; rev:1;)
|
|
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus malicious certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"Let's Encrypt"; content:"gloverkentok.us"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/220a2b2d7353a697496abcabf1b4c1990b8c9b7143e6dada17782ddd9ee2c232; classtype:trojan-activity; sid:44591; rev:1;)
|
|
alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.PandaZeus self-signed certificate exchange"; flow:to_client,established; content:"|16 03|"; content:"|30 82|"; within:2; distance:13; content:"My Company Name LTD."; content:"domain.com"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/#/file/00fa65c8fced0abfab3f544801014a349f7d960819d8d79c47abe090bd75ccfc; classtype:trojan-activity; sid:44592; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8291 (msg:"SERVER-OTHER Mikrotik RouterOS denial of service attempt"; flow:to_server,established; content:"|12 02|"; depth:2; content:"|FF ED 00 00 00 00|"; distance:0; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2012-6050; classtype:denial-of-service; sid:44643; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Zusy variant outbound connection"; flow:to_server,established; content:"/QualityCheck/ni6.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/5dea4247e021eeeb1347ff269a357dee77e8ac1837383b0ef37fb123339639a1/analysis/; classtype:trojan-activity; sid:44652; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"POLICY-OTHER NetSupport Manager RAT outbound connection detected"; flow:to_server,established; content:"User-Agent|3A| NetSupport Manager/"; fast_pattern:only; content:"CMD="; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b87ef28981defd135496e25233cc7a47a376a75ddea97fcd4c0927995dd22e47/detection; classtype:trojan-activity; sid:44678; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers authentication bypass attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"currentsetting.htm"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44687; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN1000 series routers arbitrary command execution attempt"; flow:to_server,established; content:"/setup.cgi"; nocase; http_uri; content:"todo=syscmd"; fast_pattern:only; content:"cmd="; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:bugtraq,60281; reference:url,www.exploit-db.com/exploits/25978/; classtype:attempted-admin; sid:44688; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen variant outbound connection"; flow:established,to_server; content:"/aspnet_client/system_web/4_0_30319/update/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:44689; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"$IFS"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:44698; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Internal field separator use in HTTP URI attempt"; flow:to_server,established; content:"${IFS}"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:44699; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER libupnp command buffer overflow attempt"; flow:to_server; content:"NOTIFY "; depth:7; content:"|3A|device|3A|"; isdataat:180,relative; content:!"|3A|"; within:180; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssdp; reference:cve,2012-5958; reference:cve,2012-5962; classtype:attempted-admin; sid:44743; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; content:"User-Agent|3A|"; http_header; content:"Mozilla/5.0 (Windows NT 6.1|3B| Win64|3B| x64)|3B| "; distance:0; fast_pattern; http_header; pcre:"/Win64\x3B\sx64\x29\x3B\s[0-9]{16}\w{16}\x0D\x0A/iH"; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/; classtype:trojan-activity; sid:44762; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.KopiLuwak variant outbound request detected"; flow:to_server,established; content:"%D0%8BTl%DC"; depth:11; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack; classtype:trojan-activity; sid:44763; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS cross site request forgery attempt"; flow:to_server,established; content:"/cfg"; fast_pattern:only; http_uri; content:"process=password"; nocase; http_uri; content:"password1="; nocase; http_uri; content:"password2="; nocase; http_uri; content:"button="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,73013; reference:cve,2015-2350; classtype:policy-violation; sid:44790; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 9251 (msg:"SERVER-OTHER QNAP transcode server command injection attempt"; flow:to_server,established; content:"|01 00 00 00|"; depth:4; content:"|7C|"; distance:0; content:"|09|"; within:50; metadata:policy max-detect-ips drop, ruleset community; reference:url,www.qnap.com/en-us/; classtype:attempted-admin; sid:44971; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information leak attempt"; flow:to_server,established; content:"/BRS_netgear_success.html"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-10175; reference:url,seclists.org/fulldisclosure/2016/Dec/72; classtype:attempted-recon; sid:45001; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45062; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/ews/exchange/"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45063; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45064; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Neuron variant inbound service request detected"; flow:to_server,established; content:"/W3SVC"; fast_pattern:only; http_uri; content:"cadata="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.ncsc.gov.uk/alerts/turla-group-malware; classtype:trojan-activity; sid:45065; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill server selection outbound connection"; flow:to_server,established; content:"public/Check_Exist.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45090; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill login outbound connection"; flow:to_server,established; content:"username=MD5Sum"; fast_pattern:only; http_client_body; content:"password=MD5Sum"; http_client_body; content:"button=Login"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45091; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Backdoor.StoneDrill get commands outbound connection"; flow:to_server,established; content:"/insert/index?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"hst="; http_uri; content:"ttype="; http_uri; content:"state="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,securelist.com/files/2017/03/Report_Shamoon_StoneDrill_final.pdf; classtype:trojan-activity; sid:45092; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"SERVER-OTHER SSDP M-SEARCH ssdp-all potential amplified distributed denial-of-service attempt"; flow:to_server,no_stream; content:"M-SEARCH"; depth:9; content:"ssdp:all"; fast_pattern:only; detection_filter:track by_src,count 50,seconds 1; metadata:policy max-detect-ips drop, ruleset community, service ssdp; reference:cve,2013-5211; reference:url,www.us-cert.gov/ncas/alerts/TA14-017A; classtype:attempted-dos; sid:45157; rev:4;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; content:"/report/?application="; fast_pattern:only; http_uri; content:"guid="; http_uri; content:"details="; http_uri; content:"action="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45397; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.SurfBuyer adware outbound connection detected"; flow:to_server,established; urilen:>1000; content:"/click?h="; fast_pattern:only; http_uri; content:"subid="; http_uri; content:"data_fb="; http_uri; content:"data_rtt="; http_uri; content:"data_proto="; http_uri; content:"data_ic="; http_uri; content:"data_ss="; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/baed00c6e6b157f3a53c76a200de84927f5c9d448cf76438c55d62c18033ba1b/analysis/; classtype:trojan-activity; sid:45398; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.OceanLotus outbound connection attempt"; flow:to_server,established; content:"/sigstore.db?"; fast_pattern:only; content:"k="; http_uri; content:"?q="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update; classtype:trojan-activity; sid:45400; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY-OTHER TrendMicro ServerProtect server configuration file download detected"; flow:to_server,established; content:"/activeupdate/ini_xml.zip"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2017-9035; reference:url,www.coresecurity.com/advisories/trend-micro-serverprotect-multiple-vulnerabilities; classtype:attempted-recon; sid:45411; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Asus RT-AC88U deleteOfflineClients memory corruption attempt"; flow:to_server,established; urilen:>64; content:"/deleteOfflineClient.cgi"; fast_pattern:only; http_uri; content:"delete_offline_client="; http_uri; pcre:"/[?&]delete_offline_client=[^&]{14}/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-12754; classtype:attempted-admin; sid:45412; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.SHLayer variant outbound connection"; flow:to_server,established; content:"/screens/"; nocase; http_uri; content:"/"; within:1; distance:8; http_uri; content:"=="; within:2; distance:6; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,objective-see.com/blog/blog_0x20.html; reference:url,www.virustotal.com/gui/file/f5d76324cb8fcae7f00b6825e4c110ddfd6b32db452f1eca0f4cff958316869c/detection; classtype:trojan-activity; sid:45545; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP MikroTik RouterOS jsproxy readPostData memory corruption attempt"; flow:to_server,established; content:"/jsproxy"; depth:8; fast_pattern; nocase; http_uri; content:"|0D 0A|Content-Length: "; nocase; byte_test:10,>,0x20000,0,relative,string,dec; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,forum.mikrotik.com/viewtopic.php?t=119308; classtype:attempted-admin; sid:45555; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/6.1 (compatible|3B| MSIE 9.0|3B| Windows NT 5.3|3B| Trident/5.0)|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45563; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant outbound connection attempt"; flow:to_server,established; content:"User-Agent: Mozilla/5.0|0D 0A|Host: "; fast_pattern:only; http_header; content:"Accept: */*|0D 0A|Content-Type: application/x-www-form-urlencoded|0D 0A 0D 0A|"; http_header; content:!"Cookie:"; http_header; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:45564; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Rokrat variant outbound connection detected"; flow:to_server,established; content:".php?id="; http_uri; content:"fp_vs="; fast_pattern:only; http_uri; content:"os_vs="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3004196da6055c6f062c94a9aae8dc357fa19b953b071049083e69e840083cf9/detection; classtype:trojan-activity; sid:45607; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent outbound connection"; flow:to_server,established; content:"Content-Length: 0"; fast_pattern:only; content:"User-Agent"; content:"|2D 7C 2D|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45642; rev:2;)
|
|
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s0|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s0|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45643; rev:3;)
|
|
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s1|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s1|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45644; rev:3;)
|
|
alert tcp $EXTERNAL_NET 1025: -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Trojan.Agent inbound payload download"; flow:to_client,established; content:"s2|2D 7C 2D|"; fast_pattern:only; content:"Content-Length"; content:"s3|2D 7C 2D|"; within:200; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45645; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 1025: (msg:"MALWARE-CNC Vbs.Trojan.Agent outbound system information disclosure"; flow:to_server,established; content:"POST /is-return "; depth:16; fast_pattern; content:"User-Agent"; content:"|2D 7C 2D|"; within:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html; reference:url,virustotal.com/en/file/15f5aaa71bfa3d62fd558a3e88dd5ba26f7638bf2ac653b8d6b8d54dc7e5926b/analysis/; classtype:trojan-activity; sid:45646; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Silverstar outbound connection"; flow:to_server,established; content:"response=fallback"; fast_pattern:only; http_uri; content:"/api.php?"; depth:9; http_uri; content:"gpu="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3f751799a501532f43ca5f12fe80aa0bad78f9f5d57e76bf49b401bb99f355df/detection; classtype:trojan-activity; sid:45960; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT initial outbound connection"; flow:to_server,established; content:"Information"; depth:11; content:"false|2A 2D 5D|NK|5B 2D 2A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45961; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Revenge RAT inbound heartbeat check"; flow:to_client,established; content:"PNC|2A 2D 5D|NK|5B 2D 2A|"; depth:11; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/518f7803ad1b8e630f50719d7cb3638ea5d67fa4d4387a55f44ddca4ef55a3ee/analysis/; reference:url,www.virustotal.com/en/file/79bdbf9ec639d5ccf3992e9c9fe9eeba21d191dc168194a80b50f3aa8068892a/analysis/; reference:url,www.virustotal.com/en/file/edb115dd5ca7c7f9dd069746daa0a4ee6298bf94de62510d3f8bebfa5f5a8bcd/analysis/; classtype:trojan-activity; sid:45962; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound command and control IP address check"; flow:to_server,established; content:"/index.php?udpool="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45963; rev:1;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound system information disclousre"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|bin"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45964; rev:1;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound heartbeat"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|ping"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45966; rev:1;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|03|trp"; within:4; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45967; rev:2;)
|
|
alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"MALWARE-CNC Win.Trojan.UDPOS outbound data exfiltration"; flow:to_server; isdataat:150; content:"|0F|"; content:"|04|note"; within:5; distance:15; fast_pattern; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,attack.mitre.org/techniques/T1020; reference:url,blogs.forcepoint.com/security-labs/udpos-exfiltrating-credit-card-data-dns; reference:url,www.virustotal.com/#/file/62688903adfc719c5514f25a17563547aac4801959852f5d49faa93967ce86cf/detection; classtype:trojan-activity; sid:45968; rev:2;)
|
|
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:127; content:"|FF FF FF FF|"; within:4; distance:123; byte_extract:4,28,ids; byte_test:4,=,ids,174,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,172,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45977; rev:1;)
|
|
alert tcp $HOME_NET 445 -> any any (msg:"OS-WINDOWS Microsoft Windows SMB kernel heap memory leak attempt"; flow:to_client,established; content:"|FF|SMB|A0|"; depth:5; offset:4; isdataat:111; content:"|FA FF FF|"; within:3; distance:108; content:"|FA FF FF|"; distance:0; byte_extract:4,28,ids; byte_test:4,=,ids,242,relative; byte_extract:2,0,uid,relative; byte_test:2,=,uid,240,relative; metadata:policy balanced-ips alert, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-0143; reference:cve,2017-0146; reference:cve,2017-0147; reference:url,technet.microsoft.com/en-us/security/bulletin/MS17-010; classtype:attempted-recon; sid:45978; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant outbound connection"; flow:to_server,established; content:"|72 00 17|com.net.LoginDataPacket"; fast_pattern:only; content:"|74 00 13|Lcom/net/LoginData"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45979; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC MultiOS.Trojan.OSCelestial variant inbound connection"; flow:to_client,established; content:"|74 00 29|net.oscp.client.keylogger.KeystrokeLogger"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/9b4843ff0181af15a6c8478ca00aafd4296592a2985a480575810f4f64442742/analysis/; classtype:trojan-activity; sid:45980; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY-OTHER Sandvine PacketLogic http redirection attempt"; flow:to_client,established; content:"Temporary Redirect"; fast_pattern:only; id:13330; fragbits:!MDR; flags:FA; content:"307"; depth:3; http_stat_code; content:"Temporary Redirect"; nocase; http_stat_msg; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria; reference:url,github.com/citizenlab/badtraffic; classtype:misc-activity; sid:45983; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Gen variant outbound communication"; flow:established,to_server; content:"/A56WY"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,us-cert.gov/ncas/alerts/TA17-293A; classtype:trojan-activity; sid:46048; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.CrossRAT outbound connection attempt"; flow:to_server,established; content:"[^8]&&&"; fast_pattern:only; content:"[^8]&&&"; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46050; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Bandook/Anbacas outbound connection attempt"; flow:to_server,established; content:"QDAwMD"; depth:6; fast_pattern; content:"&&&"; within:200; isdataat:!0,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf; reference:url,www.virustotal.com/#/file/bf600e7b27bdd9e396e5c396aba7f079c244bfb92ee45c721c2294aa36586206/detection; classtype:trojan-activity; sid:46051; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user-agent string Uploador - Win.Trojan.CrossRAT"; flow:to_server,established; content:"User-Agent|3A| Uploador|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/da81aec00b563123d2fbd14fb6a76619c90f81e83c5bd8aa0676922cae96b9ad/detection; classtype:trojan-activity; sid:46052; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty second stage downloader initial outbound connection"; flow:to_server,established; content:"/football/goal"; fast_pattern:only; http_uri; content:"ball="; http_client_body; content:"score="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46066; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty plugin downloader initial outbound connection"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"pc="; http_client_body; content:"pc_data="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1176; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46067; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module download request"; flow:to_server,established; content:"/football/download/"; depth:19; http_uri; content:!"User-Agent|3A|"; nocase; http_header; content:!"Accept|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46068; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty module request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"cnumber="; http_uri; content:"orname="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46069; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.yty file exfiltration outbound request"; flow:to_server,established; content:"Expect: 100-continue"; fast_pattern:only; http_header; content:"id="; depth:3; http_client_body; content:"&pc="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/; classtype:trojan-activity; sid:46070; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET [139,445] (msg:"NETBIOS MikroTik RouterOS buffer overflow attempt"; flow:to_server,established; content:"|81 00|"; depth:2; byte_test:2,>,75,0,relative; byte_extract:2,0,len,relative; isdataat:!len,relative; isdataat:len; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:bugtraq,103427; reference:cve,2018-7445; classtype:attempted-user; sid:46076; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; http_uri; content:"action="; distance:0; http_uri; pcre:"/[?&](wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46080; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi cross site scripting attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"action="; http_client_body; pcre:"/(^|&)(wait_time|ping_ip|ping_size|submit_type|traceroute_ip)=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pim"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:attempted-user; sid:46081; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46082; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_client_body; pcre:"/(^|&)next_page=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46083; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi directory traversal attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"next_page="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]next_page=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,s3cur1ty.de/m1adv2013-004; classtype:web-application-attack; sid:46084; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; pcre:"/[?&]ping_(ip|size|times)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46085; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E-Series apply.cgi ping function command injection attempt"; flow:to_server,established; content:"apply.cgi"; fast_pattern:only; http_uri; content:"ping_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)(ip|size|times)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-3307; classtype:web-application-attack; sid:46086; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"MMcS"; depth:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46121; rev:3;)
|
|
# alert tcp $EXTERNAL_NET 32764 -> $HOME_NET any (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_client,established; isdataat:6; content:"ScMM"; depth:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46122; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"MMcS"; depth:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46123; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 32764 (msg:"PROTOCOL-OTHER use of undocumented ScMM test interface in Cisco small business devices detected"; flow:to_server,established; isdataat:6; content:"ScMM"; depth:4; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2014-0659; classtype:misc-activity; sid:46124; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.HW32 variant outbound connection"; flow:to_server,established; content:"Cpa=+EXEC+"; depth:10; http_client_body; content:"%27%2C%27"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0b2e8a9413d3b34d532d553922bd402830c1784302fc8ecaeeee17e826798d46/analysis/; classtype:trojan-activity; sid:46129; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banbra variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/3.0 (compatible|3B| Indy Library)"; http_header; content:"remetente="; depth:10; fast_pattern; http_client_body; content:"&destinatario"; distance:0; http_client_body; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46136; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Cidox variant outbound connection attempt"; flow:to_server,established; content:"POST /b/req/"; depth:12; content:" HTTP/1.1|0D 0A|Accept: */*|0D 0A|Content-Type: application/octet-stream|0D 0A|Connection: Close|0D 0A|User-Agent: Mozilla/"; within:103; distance:24; content:")|0D 0A|Host: "; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; classtype:trojan-activity; sid:46137; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Linksys E series denial of service attempt"; flow:to_server,established; content:"mfgtst.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:denial-of-service; sid:46287; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; pcre:"/[?&]ping_ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46297; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]ping(\x5f|%5f)ip=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46298; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping"; nocase; http_client_body; pcre:"/(^|&)ping(\x5f|%5f)ip=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46299; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP VioStor NVR and QNAP NAS command injection attempt"; flow:to_server,established; content:"/cgi-bin/pingping.cgi"; fast_pattern:only; http_uri; content:"ping_ip"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?ping_ip((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2013-0143; classtype:web-application-attack; sid:46300; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP QTS X-Forwarded-For buffer overflow"; flow:to_server,established; content:"/cgi-bin/filemanager/wfm2Login.cgi"; fast_pattern:only; http_uri; content:"X-Forwarded-For"; nocase; http_raw_header; isdataat:90,relative; pcre:"/X-Forwarded-For:[^\n\r]{90}/Hsmi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.qnap.com/en/security-advisory/nas-201712-15; classtype:web-application-attack; sid:46301; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; pcre:"/[?&]SMB_(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46305; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46306; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB"; nocase; http_client_body; pcre:"/(^|&)SMB(\x5f|%5f)(LOCATION|USERNAME)=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46307; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP QNAP WTS 4.2.1 command injection attempt"; flow:to_server,established; content:"/cgi-bin/wizReq.cgi"; fast_pattern:only; http_uri; content:"SMB_"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?SMB_(LOCATION|USERNAME)((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46308; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; content:"p="; nocase; http_uri; isdataat:260,relative; pcre:"/[?&]p=[^&\s]{260}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46309; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER QNAP NVR/NAS Heap/Stack Overflow attempt"; flow:to_server,established; content:"/cgi-bin/cgi.cgi"; fast_pattern:only; http_uri; content:"u="; nocase; http_uri; isdataat:35,relative; pcre:"/[?&]u=[^&\s]{35}/smi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-admin; sid:46310; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/NETGEAR_WNR2000.cfg"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46312; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/cgi-bin/upg_restore.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46313; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear WNR2000 information disclosure attempt"; flow:to_server,established; content:"/router-info.htm"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/wifi-routers/WNR2000.aspx; classtype:attempted-recon; sid:46314; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla restore.php PHP object injection attempt"; flow:to_server,established; content:"/administrator/components/com_joomlaupdate/restore.php"; fast_pattern:only; http_uri; content:"factory="; nocase; http_uri; content:"OjI2OiJraWNrc3RhcnQuc2V0dXAuc291cmNlZmlsZSI7"; content:"aHR0cDovL"; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-7228; classtype:web-application-attack; sid:46315; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Drupal 8 remote code execution attempt"; flow:to_server,established; content:"element_parents="; fast_pattern:only; http_uri; content:"#value"; http_uri; content:"drupal_ajax"; http_uri; pcre:"/(%23|#)(submit|validate|access_callback|pre_render|post_render|lazy_builder|%6c%61%7a%79%5f%62%75%69%6c%64%65%72)/Pi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-7600; reference:url,www.drupal.org/sa-core-2018-002; classtype:attempted-admin; sid:46316; rev:4;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server,established; content:"|C0 F3 AC 2A 40 79 49 0C A3 6E 89 64 73 66 0F 0B|"; content:"|5D FC 67 3A 16 DC 00 56 A3 6E 89 64 73 66 0F 0B|"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:46317; rev:3;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"SERVER-OTHER NETGEAR TelnetEnable attempt"; flow:to_server; content:"|59 0D B1 E7 67 23 51 BA 5B 5D 52 33 91 0D 09 7F|"; content:"|09 44 80 0E DE B6 FA 3B 5B 5D 52 33 91 0D 09 7F|"; metadata:policy max-detect-ips drop, ruleset community; classtype:attempted-admin; sid:46318; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/wlg_sec_profile_main.cgi"; fast_pattern:only; http_uri; content:"ssid="; nocase; http_client_body; pcre:"/ssid=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46322; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Netgear DGN2200B stored cross-site scripting attempt"; flow:to_server,established; content:"/fw_serv_add.cgi"; fast_pattern:only; http_uri; content:"userdefined="; nocase; http_client_body; pcre:"/userdefined=[^&]*?([\x22\x27\x3c\x3e\x28\x29]|script|onload|src)/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.netgear.com/home/products/networking/dsl-modems-routers/dgn2200.aspx; classtype:attempted-user; sid:46323; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $FTP_PORTS (msg:"SERVER-OTHER QNAP QTS hard coded credential access attempt"; flow:to_server,established; content:"PASS joxu06wj/|0D 0A|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ftp; reference:cve,2015-7261; classtype:default-login-attempt; sid:46335; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Matrix outbound connection"; flow:to_server,established; content:"add.php?apikey="; http_uri; content:"&compuser="; http_uri; content:"&sid="; http_uri; content:"&phase="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,"www.virustotal.com/#/file/996ea85f12a17e8267dcc32eae9ad20cff44115182e707153006162711fbe3c9/detection"; classtype:trojan-activity; sid:46339; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Akeeba Kickstart restoration.php reconnaissance attempt"; flow:to_server,established; content:"administrator/components/com_joomlaupdate/restoration.php"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2014-7229; classtype:web-application-attack; sid:46340; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-WEBAPP Akeeba Kickstart cross site request forgery attempt"; flow:to_client,established; file_data; content:"administrator/index.php"; fast_pattern:only; content:"option=com_joomlaupdate"; nocase; content:"task=update.install"; nocase; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2014-7229; classtype:web-application-attack; sid:46341; rev:3;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"SERVER-OTHER QNAP QTS cross site request forgery attempt"; flow:to_client,established; file_data; content:"cgi-bin/create_user.cgi"; fast_pattern:only; content:"function="; nocase; content:"subfun="; nocase; content:"NAME="; nocase; content:"PASSWD="; nocase; content:"VERIFY="; nocase; metadata:policy max-detect-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:cve,2013-0144; classtype:attempted-admin; sid:46342; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,16,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46376; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER libgd heap-overflow attempt"; flow:to_server,established; content:"gd2|00 00 02|"; fast_pattern; content:"|02|"; within:1; distance:7; byte_test:1,>,128,8,relative; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2016-3074; classtype:web-application-attack; sid:46377; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper variant outbound connection"; flow:established,to_server; content:"IHkoeWRrcnkpIikqNy95ZCB5LSl5ZCB5"; depth:40; fast_pattern; http_client_body; content:!"Referer|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/fd08f6bc823cbfa495f0568ba4284e02f1cad57e56bd04ef0a0b948ea9dddee4/details; classtype:trojan-activity; sid:46378; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Autoit outbound connection"; flow:to_server,established; content:"win32=FFD8FFE000104A464946"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/8ac4e164b463c313af059760ce1f830c19b0d5a280ec80554e8f77939143e24e; classtype:trojan-activity; sid:46416; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46421; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.Kraens delivery attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"{|22|i|22|:|22|%s|22|,|22|l|22|:["; fast_pattern:only; content:"RES_OK"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46422; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Kraens initial outbound request"; flow:to_server,established; content:"/up_d.php"; fast_pattern:only; http_uri; content:"{|22|i|22|:"; depth:5; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/426d7bb2f4b362c6ff6b982565aa2bdb47e70320da0f60ba6c9bf04049e08829; classtype:trojan-activity; sid:46423; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo initial connection"; flow:established, to_server; content:"data=85702b2fccafcb2f"; depth:21; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46433; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Adware.Doyo client outbound connection"; flow:established,to_server; content:"|01 00 00 00 01 01 00 00 01 00 00 00 00 00 04 00 03 00 00 00 00 00 00 00 00 00 00 00|"; depth:28; metadata:impact_flag red, policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/0692bfe17754036b12b862cd5618051d8b2def85aca2a910188a12baa1ed0060; classtype:trojan-activity; sid:46434; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Vbs.Downloader.Kryptik known malicious user-agent string "; flow:to_server,established; content:"User-Agent|3A| USR-KL"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46435; rev:2;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46436; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"3832D640-CF90-11CF-8E43-00A0C911005A"; fast_pattern:only; content:"Workbook_Open"; nocase; content:"Document_Open"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46437; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound connection"; flow:to_client,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46438; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Vbs.Downloader.Agent inbound delivery attempt"; flow:to_server,established; flowbits:isset,file.ole; file_data; content:"Shell"; nocase; content:"vbHide"; within:100; fast_pattern; content:"Chr"; nocase; content:"Asc"; within:100; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/7975cbaa5657d89b45126bf739fd84acd5bbe724f372a20360bd4fc038b67541; classtype:trojan-activity; sid:46439; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Installation Keylogger Osx.Trojan.Mokes data exfiltration"; flow:established,to_server,only_stream; content:"GET /v1 HTTP/1.1"; depth:16; fast_pattern; content:"Connection: "; http_header; content:"User-Agent: "; http_header; content:"Accept-Encoding: "; http_header; content:"Accept-Language: "; http_header; content:"Host: "; http_header; detection_filter:track by_src,count 3,seconds 6; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,attack.mitre.org/techniques/T1020; reference:url,attack.mitre.org/techniques/T1056; reference:url,www.virustotal.com/en/file/664e0a048f61a76145b55d1f1a5714606953d69edccec5228017eb546049dc8c/analysis/; classtype:trojan-activity; sid:46482; rev:6;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP TwonkyMedia server directory listing attempt"; flow:to_server,established; content:"/rpc/dir"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2018-7171; classtype:web-application-attack; sid:46485; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Ammy heartbeat"; flow:to_server,established; content:"id="; depth:3; offset:5; content:"&os="; within:4; distance:8; content:"&priv="; distance:0; content:"&cred="; distance:0; content:"&pcname="; distance:0; content:"&build_time="; distance:0; fast_pattern; content:"&card="; distance:0; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46487; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Ammy download attempt"; flow:to_server,established; content:"/q2/index.php?"; fast_pattern:only; http_uri; content:"id="; http_uri; content:"&c="; http_uri; content:"&mk="; http_uri; content:"&il="; http_uri; content:"&vr="; http_uri; content:"&bt="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46488; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"99="; http_uri; content:"f1="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46501; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent outbound request"; flow:to_server,established; content:".php?&1001="; fast_pattern:only; http_uri; content:"1="; http_client_body; content:"2="; http_client_body; pcre:"/(^|&)\d{1,2}=[^&]*?\d{4}/Pm"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/123275cc76ef377986715c98abb0fec50cbd53f01dc3976080009dc7cdafbe86/analysis/; classtype:trojan-activity; sid:46502; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; pcre:"/[?&]path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46510; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]path=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46511; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path="; nocase; http_client_body; pcre:"/(^|&)path=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46512; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/twonky_cmd.cgi"; fast_pattern:only; http_uri; content:"path"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?path((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1143; classtype:web-application-attack; sid:46513; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; pcre:"/[?&]url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46514; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]url=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46515; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url="; nocase; http_client_body; pcre:"/(^|&)url=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46516; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router command injection attempt"; flow:to_server,established; content:"/proxy.cgi"; fast_pattern:only; http_uri; content:"url"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?url((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-1144; classtype:web-application-attack; sid:46517; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_uri; content:"v=1"; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46518; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Belkin N750 F9K1103 wireless router remote telnet enable attempt"; flow:to_server,established; content:"/set.cgi"; fast_pattern:only; http_uri; content:"n=TLNET_EN"; nocase; http_client_body; content:"v=1"; nocase; http_client_body; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2018-1146; classtype:policy-violation; sid:46519; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Banload second stage download request"; flow:established,to_server; isdataat:!100; content:!"Referer|3A|"; http_header; content:!"Accept"; http_header; content:!"User-Agent|3A 20|http"; http_header; content:".zip HTTP/1.1|0D 0A|Host|3A 20|"; fast_pattern:only; pcre:"/GET \/\w*.zip HTTP\/1.1\r\nHost\x3a\x20\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}(?:\x3a\d{1,5})?\r\n/i"; metadata:impact_flag red, ruleset community, service http; classtype:trojan-activity; sid:46611; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Unruy outbound callout"; flow:to_server,established; content:".php?q="; fast_pattern:only; http_uri; content:"Accept-Language: en-us"; http_header; content:"Accept-Encoding: gzip, deflate"; http_header; content:"Connection: Keep-Alive"; http_header; content:"Referer: http://www.google.com"; http_header; pcre:"/.php\?q=\d{1,4}\.\d{2,4}\.\d{1,3}\.\d{1,3}\.\d{1,3}\.[0-9a-f]{64}\.1.\d{4,6}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:46612; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Management/ServerSettingsPDFTemplates.aspx"; fast_pattern:only; http_uri; content:"inputFilePath"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]inputFilePath[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46665; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Digital Guardian Management Console arbitrary file upload attempt"; flow:to_server,established; content:"/DigitalGuardian/Policies/PromptSkin.aspx"; fast_pattern:only; http_uri; content:"skinFile"; nocase; http_client_body; content:".asp"; distance:0; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]skinFile[\x22\x27]\x3b((?!^--).)*?filename\s*=\s*[\x22\x27]\S+?\x2easpx?[\x22\x27][\r\n]{2,}/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-10173; classtype:web-application-attack; sid:46666; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious script download attempt"; flow:to_client,established; file_data; content:"<script"; nocase; content:"ActiveXObject"; nocase; content:"WScript.Shell"; fast_pattern; nocase; content:"p o w e r s h e l l"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46742; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $FILE_DATA_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper initial outbound connection attempt"; flow:to_server,established; content:".php?utma"; fast_pattern:only; http_uri; content:!"Referer:"; nocase; http_header; pcre:"/(stem|slick)\.php\?utma/iU"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46743; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Dropper malicious executable download attempt"; flow:to_client,established; content:"Content-Type:"; nocase; http_header; content:"application/java-vm"; within:50; fast_pattern; http_header; file_data; content:"MZ"; depth:2; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,virustotal.com/#/file/76afa767b0374bde95d9a93074aceaec88228ba234caa13dd01313076baf02ee/detection; classtype:trojan-activity; sid:46744; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 07|nemesis"; depth:10; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46747; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Qarallax outbound connection"; flow:established,to_server; content:"|00 05|child|01 00 16|"; depth:11; content:"|22|magic|22|"; within:100; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/658f67dbf509fc017ace6db7ed38b3591fe72b9ba950a59054869cd718b4da2b/analysis; classtype:trojan-activity; sid:46748; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_uri; pcre:"/[?&]selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46773; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP NagiosXI SQL injection attempt"; flow:to_server,established; content:"/nagiosql/admin/helpedit.php"; fast_pattern:only; http_uri; content:"selInfoKey1="; nocase; http_client_body; pcre:"/(^|&)selInfoKey1=[^&]*?([\x27\x22\x3b\x23]|\x2f\x2a|\x2d\x2d|%27|%22|%3b|%23|%2f%2a|%2d%2d)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46774; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; pcre:"/[?&]command_data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46775; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data="; nocase; http_uri; content:"%26"; http_raw_uri; pcre:"/[?&]command(\x5f|%5f)data=[^&]*?%26/Ii"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46776; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command"; nocase; http_client_body; pcre:"/(^|&)command(\x5f|%5f)data=[^&]*?([\x60\x3b\x7c]|[\x3c\x3e\x24]\x28|%60|%3b|%7c|%26|%3c%28|%3e%28|%24%28)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46777; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI command injection attempt"; flow:to_server,established; content:"/nagiosxi/backend/index.php"; fast_pattern:only; http_uri; content:"command_data"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?command_data((?!^--).)*?[\r\n]{2,}((?!^--).)*?([\x60\x3b\x7c\x26]|[\x3c\x3e\x24]\x28)/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46778; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Nagios XI database settings modification attempt"; flow:to_server,established; content:"/nagiosql/admin/settings.php"; fast_pattern:only; http_uri; content:"txtDBname=nagiosql"; nocase; metadata:policy max-detect-ips drop, ruleset community, service http; reference:cve,2018-8734; classtype:web-application-attack; sid:46779; rev:2;)
|
|
alert tcp $EXTERNAL_NET [443,8443] -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_client,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46782; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [443,8443] (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter variant SSL connection attempt"; flow:to_server,established; content:"|09 4D 69 63 72 6F 73 6F 66 74 31 10 30 0E 06 03 55 04 0B 13 07 53 75 70 70 6F 72 74 31 0B 30 09 06 03 55 04 03 13 02 63 61|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:46783; rev:5;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy known malicious user-agent string"; flow:to_server,established; content:"User-Agent|3A| Mozilla v5.1"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46785; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.Zebrocy initial outbound request"; flow:to_server,established; content:"?fort="; fast_pattern:only; http_uri; content:"pol="; depth:4; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5fab4d08348b4ef080ba91bdb0d769d31797f5092bff3b24b3c23d091fccc8a7; classtype:trojan-activity; sid:46786; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/sv/sv.php"; fast_pattern:only; http_uri; content:"id"; http_client_body; content:"data"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46787; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/telg/index.php?set=show"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46788; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/get/index.php"; http_uri; content:"id=Z29nbw=="; fast_pattern:only; http_uri; content:"user="; http_uri; content:"pass="; http_uri; content:"data="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46789; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.ZooPark outbound connection attempt"; flow:to_server,established; content:"/spyMobile/upload.php"; fast_pattern:only; http_uri; content:"iemi="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/76fa36d35e0e16b0ea416726b0da2a66dfe7d7b35504cf6c475eac4cfa95fe3a/analysis; classtype:trojan-activity; sid:46790; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_client_body; pcre:"/(^|&)template=[^&]*?(\x2e|%2e){2}([\x2f\x5c]|%2f|%5c)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46802; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template="; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]template=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46803; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Anti-Web directory traversal attempt"; flow:to_server,established; content:"/cgi-bin/write.cgi"; fast_pattern:only; http_uri; content:"template"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?template((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-9097; classtype:web-application-attack; sid:46804; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46805; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP BA Systems BAS Web information disclosure attempt"; flow:to_server,established; content:"/isc/get_sid_js.aspx"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2017-17974; classtype:attempted-user; sid:46806; rev:1;)
|
|
alert udp $HOME_NET any -> any 53 (msg:"MALWARE-OTHER DNS request for known malware domain toknowall.com - Unix.Trojan.Vpnfilter"; flow:to_server; byte_test:1,!&,0xF8,2; content:"|09|toknowall|03|com|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service dns; reference:url,www.virustotal.com/en/domain/toknowall.com/information/; classtype:trojan-activity; sid:46807; rev:3;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP FLIR Breakstream 2300 unauthenticated information disclosure attempt"; flow:to_server,established; content:"/getConfigExportFile.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-3813; classtype:attempted-user; sid:46817; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Ransomware.Satan outbound connection"; flow:to_server,established; content:"/data/token.php"; fast_pattern:only; http_uri; content:"status="; nocase; http_uri; content:"code="; nocase; http_uri; content:"Winnet Client"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46818; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Win.Ransomware.Satan payload download"; flow:to_server,established; content:"/cab/sts.exe"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/b686cba1894f8ab5cec0ce5db195022def00204f6cd143a325608ec93e8b74ee/analysis/; classtype:trojan-activity; sid:46819; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP DotNetNuke DreamSlider arbitrary file download attempt"; flow:to_server,established; content:"/DesktopModules/DreamSlider/DownloadProvider.aspx"; fast_pattern:only; nocase; http_uri; content:"file="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; classtype:web-application-attack; sid:46824; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Dunihi outbound connection"; flow:to_server,established; content:"|00 00 A2 30 81 9F 30 0D 06 09 2A 86 48 86 F7 0D 01 01 01 05 00 03 81 8D 00 30 81 89 02 81 81 00|"; depth:32; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/en/file/be442a5f8be3bf720236f71a613a534b8aa82b16b0daf8ff84a59bcb92e19e7d/analysis/; classtype:trojan-activity; sid:46827; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.RedLeaves variant outbound connection"; flow:to_server,established; content:".NET CLR 3.0.30729|3B| .NET4.0C|3B| .NET4.0E)|0D 0A|Content-Length"; fast_pattern:only; http_header; urilen:<20; content:"/index.php"; http_uri; content:"POST"; http_method; content:"Connection: Keep-Alive|0D 0A|Accept: */*|0D 0A|"; http_header; content:!"Content-Type"; http_header; content:!"Referer"; http_header; content:!"Accept-"; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f6449e255bc1a9d4a02391be35d0dd37def19b7e20cfcc274427a0b39cb21b7b/analysis/; classtype:trojan-activity; sid:46839; rev:1;)
|
|
# alert udp any 67 -> $HOME_NET 68 (msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63 35|"; content:"|FC|"; within:50; pcre:"/([\xfc]).{0,50}([\x27])([\x20\x26\x3b\x7c]|[\x3c\x3e\x24]\x28)+/i"; metadata:policy max-detect-ips drop, ruleset community, service dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:46847; rev:1;)
|
|
alert tcp $EXTERNAL_NET 20480 -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.CowerSnail command and control response detected"; flow:to_client,established; content:"pk"; depth:2; content:"R|00|e|00|q|00|u|00|e|00|s|00|t|00|"; fast_pattern:only; content:"|00|a|00|r|00|g|00|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46872; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 20480 (msg:"MALWARE-CNC Win.Trojan.CowerSnail initial outbound connection attempt"; flow:to_server,established; content:"+CHANNEL|0B|"; fast_pattern:only; content:"line-client"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service irc; reference:url,www.virustotal.com/#/file/3fb8a4d2ed4f662a4cb4270bb5f488b79c8758aa6fc5c8b119c78fba38d6b7d1/detection; classtype:trojan-activity; sid:46873; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"MALWARE-CNC Win.Trojan.Joanap variant outbound connection"; flow:to_server,established; content:"TO: Joana <xiake722@gmail.com>"; fast_pattern:only; content:"SUBJECT: |5B|T|5D|"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/077d9e0e12357d27f7f0c336239e961a7049971446f7a3f10268d9439ef67885/detection; reference:url,www.virustotal.com/#/file/4c5b8c3e0369eb738686c8a111dfe460e26eb3700837c941ea2e9afd3255981e/detection; classtype:trojan-activity; sid:46885; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Nocturnal outbound connection"; flow:to_server,established; content:"/server/gate.php"; fast_pattern:only; http_uri; content:"name=|22|hwid|22|"; http_client_body; content:"name=|22|platform|22|"; http_client_body; content:"name=|22|pcount|22|"; http_client_body; content:"name=|22|cccount|22|"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/ae7e5a7b34dc216e9da384fcf9868ab2c1a1d731f583f893b2d2d4009da15a4e/analysis/; classtype:trojan-activity; sid:46895; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fareit variant outbound connection"; flow:to_server,established; content:"/panel/logout.php"; depth:17; http_uri; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/6de535e8d4b82e5554a138ec1d6c6b530943ff08d5e04308d695f473e74f9600/analysis/; classtype:trojan-activity; sid:46922; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Dropper outbound connection"; flow:to_server,established; content:"User-Agent: HTTPREAD|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/782cc4188618cf0c4815f85ea7873a004464095f5ed459b8d1579fa27ce5810e/analysis/; classtype:trojan-activity; sid:46936; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=S&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46966; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=F&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46967; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Danabot outbound connection"; flow:to_server,established; content:"/index.php?m=T&"; fast_pattern:only; http_uri; content:"&a="; http_uri; content:"&b="; http_uri; content:"&d="; http_uri; content:"&e="; http_uri; content:!"Referer"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/f60c6c45ff27d1733d8ab03393ab88e3a2d7c75c7d9fce3169417e8c9fd3df12/analysis; classtype:trojan-activity; sid:46968; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autophyte dropper variant outbound connection"; flow:to_server,established; urilen:10; content:"/mainls.cs"; fast_pattern:only; http_uri; content:"Content-Type: application/octet-stream"; nocase; http_header; content:!"User-Agent"; nocase; http_header; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/086a50476f5ceee4b10871c1a8b0a794e96a337966382248a8289598b732bd47/detection; classtype:trojan-activity; sid:46969; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Autophyte RAT variant outbound connection"; flow:to_server,established; content:"Content-Disposition: form-data|3B| name=|22|board_id|22|"; fast_pattern:only; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|user_id|22|"; http_client_body; content:"Content-Disposition: form-data|3B| name=|22|file1|22|"; http_client_body; content:!"Referer"; http_header; metadata:ruleset community, service http; reference:url,www.virustotal.com/#/file/c10363059c57c52501c01f85e3bb43533ccc639f0ea57f43bae5736a8e7a9bc8/detection; reference:url,www.virustotal.com/#/file/e98991cdd9ddd30adf490673c67a4f8241993f26810da09b52d8748c6160a292/detection; classtype:trojan-activity; sid:46970; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"OPTIONS"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46979; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"INDICATOR-COMPROMISE Microsoft Office Discovery User-Agent to a potential URL shortener service"; flow:to_server,established; urilen:<10; content:"Host: "; http_header; content:"|0D 0A|"; within:14; http_header; content:"HEAD"; http_method; content:"User-Agent: Microsoft Office "; http_header; content:"Discovery|0D 0A|"; within:25; http_header; content:!"Accept"; http_header; content:!"Content-"; http_header; content:!"Referer|3A|"; http_header; content:!"Cookie|3A|"; http_header; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/d615a205d92898896b0f553a027ffd9b7b7cde0c29ebe0b1f9364e1cf2831236/analysis/; classtype:misc-activity; sid:46980; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.Orcus RAT inbound SSL certificate"; flow:to_client,established; content:"|16 03|"; depth:2; content:"|02|"; within:1; distance:3; content:"|0C|Orcus Server"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ssl; reference:url,virustotal.com/en/file/8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a/analysis/; classtype:trojan-activity; sid:46981; rev:1;)
|
|
# alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"INDICATOR-COMPROMISE Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows"; depth:18; content:"Microsoft Corp"; within:250; metadata:policy max-detect-ips drop, ruleset community; reference:nessus,11633; classtype:successful-admin; sid:46983; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,3000,5156,7218] (msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"POST /cl/uplod/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47005; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,1337,5156] (msg:"MALWARE-CNC Win.Trojan.SocketPlayer outbound connection"; flow:to_server,established; content:"/uploads/excutbls/h/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/de38e74b2cd493d0f014fc6ca5d2834cea213778c2e056a7c84e9547fe275889/analysis/; classtype:trojan-activity; sid:47006; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Spyware.Invisimole CnC outbound connection"; flow:to_server,established; content:"/www/"; depth:5; fast_pattern; http_uri; content:"/00"; distance:0; http_uri; content:!"Accept|3A|"; http_header; pcre:"/\/www\/(%[A-F0-9]{2}){5,}\/00/I"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/be554e706f6b8ab8f4bbea209b669e9dca98bf647faa55c46756f322dadab32f/analysis/; classtype:trojan-activity; sid:47016; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/show_new.php?"; fast_pattern:only; http_uri; content:"code="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47067; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/register.php?"; fast_pattern:only; http_uri; content:"p="; nocase; http_uri; content:"&code="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47068; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TechSupportScam installed binary outbound connection"; flow:to_server,established; content:"/update_new.php?"; fast_pattern:only; http_uri; content:"code="; nocase; http_uri; content:!"User-Agent"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c9adabc7516e38ce611cbde5856fbe6b06e8afee4422d754aa810aec59ecd8d8/detection; classtype:trojan-activity; sid:47069; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installstarted"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47093; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/collect.php"; fast_pattern:only; http_uri; content:"pid="; http_uri; content:"cid="; http_uri; content:"sid="; http_uri; content:"act="; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47094; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Win.Adware.Pbot variant outbound connection"; flow:to_server,established; content:"/installended"; fast_pattern:only; http_uri; content:"de="; nocase; http_uri; content:"_v="; nocase; http_uri; content:"_s="; nocase; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5e3dc49c1f4b57ab27000befd128fad77eba9a6e07f8766c7e1393cae890fdf6/detection; classtype:misc-activity; sid:47095; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound communication"; flow:to_server,established; content:"|B0 00 B0 00 B0 00 B0 00 26 00 26 00 26 00|"; depth:15; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; sid:47177; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET [9000:] (msg:"MALWARE-CNC Win.Trojan.NukeSped RAT variant outbound connection"; flow:to_server,established; content:"|50 00 00 00|"; depth:4; byte_test:1,>,2,0,relative; content:!"|0A|"; within:1; distance:1; isdataat:79,relative; metadata:impact_flag red, ruleset community; reference:url,www.virustotal.com/#/file/4a740227eeb82c20286d9c112ef95f0c1380d0e90ffb39fc75c8456db4f60756/; classtype:trojan-activity; sid:47178; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent JS Sniffer beacon connection"; flow:established,to_server; content:".php?"; http_uri; content:"=WyJ1cmw"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:47320; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ARS VBS loader outbound connection"; flow:to_server,established; content:"?os="; http_uri; content:"&user="; http_uri; content:"&av="; http_uri; content:"&fw="; http_uri; content:"&hwid="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/meet-ars-vbs-loader/; classtype:trojan-activity; sid:47338; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Unix.Trojan.Vpnfilter plugin variant connection attempt"; flow:to_client,established; content:"|00 AC D3 62 78 26 76 31 E5 E7 E5 1D C2 3C 15 40 25 2F 90 BD 1F 7F 0E 5E 33 77 EC 0C 1E 6B 61 47|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,attack.mitre.org/techniques/T1176; reference:url,blog.talosintelligence.com/2018/05/VPNFilter.html; classtype:trojan-activity; sid:47377; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server unauthenticated modified JSP access attempt"; flow:to_server,established; content:"/ws_utc/css/config/keystore/"; fast_pattern:only; http_uri; content:".jsp"; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47386; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server potential unauthenticated reconnaissance attempt"; flow:to_server,established; content:"/ws_utc/resources/setting/options/general"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47387; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7001 (msg:"SERVER-WEBAPP Oracle WebLogic Server potential precursor to keystore attack attempt"; flow:to_server,established; content:"/ws_utc/resources/setting/keystore"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, ruleset community, service http; reference:bugtraq,104763; reference:cve,2018-2894; reference:url,www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html; classtype:attempted-recon; sid:47388; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; content:"/calisto/upload.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47414; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Calisto outbound connection"; flow:to_server,established; content:"/calisto/listenyee.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/81c127c3cceaf44df10bb3ceb20ce1774f6a9ead0db4bd991abf39db828661cc/analysis/; classtype:trojan-activity; sid:47415; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.Mapoyun variant outbound connection attempt"; flow:to_server,established; content:"Connection:Close|3B|"; fast_pattern:only; http_header; content:"X-CA-"; nocase; http_header; content:!"User-Agent|3A|"; nocase; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/en/file/34cbcbbbc4b538f30bc3d57dd587f1b604d29f113c149bf1ab53898464ad9c80/analysis/; classtype:trojan-activity; sid:47427; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /logo.png HTTP/1.1|0D 0A|"; depth:24; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0)|0D 0A|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47556; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.PLEAD downloader outbound connection"; flow:to_server,established; content:"GET /index.php?id="; depth:18; content:"HTTP/1.1|0D 0A|"; within:10; distance:11; nocase; content:"Cookie:"; isdataat:50,relative; content:!"="; within:50; content:!"|3B|"; within:50; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html; classtype:trojan-activity; sid:47557; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.Zegost variant outbound connection"; flow:to_server,established; content:"|2A 00 00 00|"; depth:4; isdataat:37,relative; isdataat:!38,relative; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/#/file/108bbc4ff7b7da4f0de1225094964d03b19fc38b93933f739c475f08ae17915e/detection; classtype:trojan-activity; sid:47567; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SERVER-WEBAPP Joomla Proclaim biblestudy backup access attempt"; flow:to_server,established; content:"/media/com_biblestudy/backup/"; fast_pattern:only; http_uri; content:".sql"; http_uri; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:attempted-recon; sid:47613; rev:1;)
|
|
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.KeyPass variant inbound connection attempt"; flow:to_client,established; file_data; content:"|7B 22|line1|22 3A 22|"; depth:10; fast_pattern; content:"|22|line2|22 3A 22|"; within:30; distance:30; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/901d893f665c6f9741aa940e5f275952/detection; classtype:trojan-activity; sid:47627; rev:1;)
|
|
# alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"INDICATOR-OBFUSCATION DNS TXT response record tunneling"; flow:to_client; dsize:>300; content:"|00 10 00 01 00 00 00 00 01 00 FF|"; fast_pattern:only; detection_filter:track by_src, count 25, seconds 1; metadata:policy max-detect-ips drop, ruleset community, service dns; reference:url,attack.mitre.org/wiki/Technique/T1048; classtype:misc-activity; sid:47639; rev:2;)
|
|
# alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"SERVER-WEBAPP SSL certificate with null issuer rdnSequence fields detected"; flow:to_client,established; ssl_state:server_hello; content:"|30 07 06 03 55 04 06 13 00 31 09 30 07 06 03 55 04 08 13 00 31 09 30 07 06 03 55 04 07 13 00 31 09 30 07 06 03 55 04 0A 13 00 31 09 30 07 06 03 55 04 0B 13 00 31 09 30 07 06 03 55 04 03 13 00|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community, service ssl; classtype:misc-activity; sid:47640; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Marap outbound beacon detected"; flow:to_server,established; content:"/dot.php"; fast_pattern:only; http_uri; content:"param="; depth:6; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/bc1fc69f9747dc034ece7d9bb795c5e596d9be6ca71efe75c6c0fd18f3cbfbf5/analysis/; classtype:trojan-activity; sid:47650; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.MysteryBot outbound connection"; flow:to_server,established; content:"/site/gate.php?i=eyAiYWN0aW9uIjog"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/334f1efd0b347d54a418d1724d51f8451b7d0bebbd05f648383d05c00726a7ae/analysis/; classtype:trojan-activity; sid:47723; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server, established; content:"/private/"; fast_pattern; http_uri; content:".php"; distance:0; http_uri; content:"p="; http_client_body; content:"User-Agent:"; http_header; content:"Android"; within:100; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47876; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Andr.Trojan.AnubisCrypt variant outbound post detected"; flow:to_server, established; content:"/private/checkPanel.php"; fast_pattern:only; http_uri; content:"User-Agent:"; http_header; content:"Android"; within:100; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/d27034b9f58aa71f08f3c57d893fe07cdd395c9b4e494fbcca2a1d1ca3dce88e/detection; classtype:trojan-activity; sid:47877; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /tahw?"; fast_pattern:only; pcre:"/\x2ftahw\x3f[A-F0-9]{3,84}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47898; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /khc?"; fast_pattern:only; pcre:"/\x2fkhc\x3f[A-F0-9]{3,84}$/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47899; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.OilRig variant outbound connection"; flow:to_server,established; content:"GET /pser?"; fast_pattern:only; pcre:"/\x2fpser\x3f[A-F0-9]{3,84}(BBZ|BBY)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/055b7607848777634b2b17a5c51da7949829ff88084c3cb30bcb3e58aae5d8e9; classtype:attempted-user; sid:47900; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant outbound connection"; flow:to_server,established; content:"MS_D0wnl0ad3r"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47934; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_client,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r"; fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47935; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Trojan.MSDownloader variant download"; flow:to_server,established; file_data; content:"Content-Type|3A 20|multipart/form-data|3B| boundary=MS_D0wnl0ad3r"; fast_pattern:44,13; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,www.virustotal.com/#/file/c3c5d7961381c202c98badc7ff0739b4f381c10b4e76d153ad2a978118a4b505/detection; classtype:trojan-activity; sid:47936; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"browser/Vivaldi.txtPK"; fast_pattern:only; http_client_body; content:"/Upload/"; http_uri; urilen:8; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48035; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.AcridRain outbound connection"; flow:to_server,established; content:"/Libs.zip"; fast_pattern:only; http_uri; urilen:9; content:!"User-Agent|3A 20|"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/3d28392d2dc1292a95b6d8f394c982844a9da0cdd84101039cf6ca3cf9874c1c/analysis/; classtype:trojan-activity; sid:48036; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/image_download.php?uid="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/016948ec7743b09e41b6968b42dfade5480774df3baf915e4c8753f5f90d1734/analysis; classtype:trojan-activity; sid:48092; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.MirageFox variant outbound connection"; flow:to_server,established; content:"/search?gid="; fast_pattern:only; http_uri; content:"Accept:*/*"; http_header; content:"POST"; http_method; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/97813e76564aa829a359c2d12c9c6b824c532de0fc15f43765cf6b106a32b9a5/analysis; classtype:trojan-activity; sid:48093; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/dl.itranslator.info/"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48115; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/gl.php?uid="; fast_pattern:only; http_uri; content:"&v="; http_uri; content:"&x="; within:20; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48116; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/ufiles/"; fast_pattern:only; http_uri; content:".dll"; http_uri; content:"UID: "; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48117; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"User-Agent: ITRANSLATOR|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48118; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"UID: P002|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48119; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ITranslator variant outbound connection"; flow:to_server,established; content:"/cfg?cb="; fast_pattern:only; http_uri; content:"&guid="; http_uri; content:"&uid="; distance:0; http_uri; content:"&ua="; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b73d436d7741f50d29764367cbecc4ee67412230ff0d66b7d1d0e4d26983824d/analysis; classtype:trojan-activity; sid:48120; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.XAgent variant outbound connection"; flow:to_server,established; content:"&itwm="; fast_pattern:only; http_uri; pcre:"/&itwm=([a-z0-9\-\=]{1,50})/Ui"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/b814fdbb7cfe6e5192fe1126835b903354d75bfb15a6c262ccc2caf13a8ce4b6; classtype:trojan-activity; sid:48140; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/technet-support/library/online-service-description.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48764; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/advance/portable_version/service.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/93680d34d798a22c618c96dec724517829ec3aad71215213a2dcb1eb190ff9fa; classtype:trojan-activity; sid:48765; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/pkg/image/do.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/50d610226aa646dd643fab350b48219626918305aaa86f9dbd356c78a19204cc; classtype:trojan-activity; sid:48766; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant payload download attempt"; flow:to_server,established; content:"/Templates/NormalOld.dotm"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/07646dc0a8c8946bb78be9b96147d4327705c1a3c3bd3fbcedab32c43d914305; classtype:trojan-activity; sid:48767; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,8880] (msg:"MALWARE-CNC Js.Trojan.Agent variant outbound connection"; flow:established,to_server; content:"User-Agent|3A| xmsSofts_1.0.0_"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48818; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.Agent variant inbound payload download"; flow:established,to_server; content:"/blogs/enc7.js"; fast_pattern:only; http_uri; urilen:14; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48819; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/company-device-support/values/correlate-sec.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/dcbc770aeea8ad4c3f45b89535b4cb3592d6c627d6cf92ec7dfe2f8b41cda998; classtype:trojan-activity; sid:48844; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:".php?very="; fast_pattern:only; http_uri; content:"&xnvk="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48845; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:"User-Agent: usrnode/"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48846; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.WindTail outbound connection"; flow:to_server,established; content:"/qgHUDRZiYhOqQiN/kESklNvxsNZQcPl.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/ad282e5ba2bc06a128eb20da753350278a2e47ab545fdab808e94a2ff7b4061e; classtype:trojan-activity; sid:48847; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Agent variant outbound connection"; flow:to_server,established; content:"/foth1018/go.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:48872; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/js/drv"; fast_pattern:only; http_uri; urilen:7; content:!"Referer:"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/7d1e26a031db514dd8258de071b96dc57ebc31baf394129c020dd65b8acfc517; classtype:trojan-activity; sid:48873; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/ourtyaz/dwnack.php?cId="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f5afe24061226630faa0f1a125e011819627cee3254060bdf2691bad65ff1d1c; classtype:trojan-activity; sid:48874; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/MarkQuality455/developerbuild.php?b="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/5716509e4cdbf8ffa5fbce02b8881320cb852d98e590215455986a5604a453f7; classtype:trojan-activity; sid:48875; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/purchase61dfdusfdsu/costnbenifit8889.php?p="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/705487b3deaf5f2ffa3240208044015e836cf4b32ef817154e23cb9f5859993f; classtype:trojan-activity; sid:48876; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/ourtyaz/qwe.php?TIe="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/172fb23460f34d174baa359c23d46d139fe30cd2d97b11b733aae496ab609c25; classtype:trojan-activity; sid:48877; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.BitterRAT variant outbound connection"; flow:to_server,established; content:"/winter/zxd.php?TIe="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/121a0e5e66cc7bdc78387b2e67222eb0349ca038e5aced3ed0eccb167106a40e; classtype:trojan-activity; sid:48878; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/software-apptication/help-support-apl/getidpolapl.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/fcf03bf5ef4babce577dd13483391344e957fd2c855624c9f0573880b8cba62e; classtype:trojan-activity; sid:48904; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Identification ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48984; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Init Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCI"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:48985; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48986; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48987; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48988; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48989; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48990; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48991; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48992; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNL"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48993; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48994; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48995; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RNH"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48996; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48997; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48998; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:48999; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Stop Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCS"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49000; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Start Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCR"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49001; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write System Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNH"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49002; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49003; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49004; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Reset Device ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"CCE"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-dos; sid:49005; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Longs ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SNL"; depth:3; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49006; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII request "; flow:to_server,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:9; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49007; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Operands binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|4D|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49008; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"US"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49009; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RC"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49010; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Identification ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"ID"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49011; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Write Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|44|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49012; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get UnitID ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"UG"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49013; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Read Data Table binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|04|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49014; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET 20256 (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary request"; flow:to_server,established; byte_test:1,=,102,2; content:"|0C|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49015; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Set RTC ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SC"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49016; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Inputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RE"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49017; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GS"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49018; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RN"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49019; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"GF"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49020; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RA"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49021; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RB"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49022; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"RW"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49023; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SB"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49024; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SF"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49025; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write System Bits ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SS"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49026; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Ouputs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SA"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49027; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Memory Integers ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SW"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49028; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Longs ASCII reply"; flow:to_client,established; byte_test:1,=,101,2; content:"SN"; depth:2; offset:10; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49029; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Operands binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|CD|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49030; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Get PLC Name binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|8C|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49031; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Write Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|C4|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49032; rev:2;)
|
|
# alert tcp $HOME_NET 20256 -> $EXTERNAL_NET any (msg:"PROTOCOL-SCADA PCOM Read Data Table binary reply"; flow:to_client,established; byte_test:1,=,102,2; content:"|84|"; depth:1; offset:18; metadata:policy max-detect-ips drop, ruleset community; reference:url,unitronicsplc.com; classtype:attempted-recon; sid:49033; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.FairyTail variant outbound connection detected"; flow:to_server,established; content:"User-Agent: SpellingChecker/22"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/a9a7a1c48cd1232249336749f4252c845ce68fd9e7da85b6da6ccbcdc21bcf66; classtype:trojan-activity; sid:49042; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.Genieo variant outbound connection detected"; flow:to_server,established; content:"User-Agent: LinqurySearch"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/850b4f620e874ed6117c7e1d15dd1c502d7e38cd4dd872753d502f39e3a5c8d8; classtype:trojan-activity; sid:49043; rev:1;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"PUA-ADWARE Osx.Adware.MacSearch variant outbound connection detected"; flow:to_server,established; content:"User-Agent: macsearch/1 CFNetwork/"; fast_pattern:only; http_header; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f54bb130f750f77546aebf690ba4b89f0ddb3c27a5e297383d0a30bcaa5f9cb4; classtype:trojan-activity; sid:49044; rev:1;)
|
|
alert tcp any any -> $HOME_NET 445 (msg:"SERVER-SAMBA Samba is_known_pipe arbitrary module load code execution attempt"; flow:to_server,established; flowbits:isset,smb.tree.connect.ipc; content:"|FF|SMB|A2 00 00 00 00|"; depth:9; offset:4; byte_test:2,=,1,1,relative,little,bitmask 0x8000; byte_extract:2,72,len,relative,little; content:"/"; within:2; content:"/"; within:len; distance:2; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:cve,2017-7494; reference:url,www.samba.org/samba/security/CVE-2017-7494.html; classtype:attempted-user; sid:49090; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Magecart inbound scan for vulnerable plugin attempt"; flow:to_server,established; content:"?misc="; fast_pattern:only; http_uri; content:"&dl="; http_uri; content:"/index.php/"; http_uri; content:!"Referer"; http_header; content:"POST"; http_method; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:web-application-attack; sid:49282; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/help-desk/remote-assistant-service/PostId.php?q="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/dc64fec5e951acf298184be89cf89128550b318d719dcc8e2c3194ec3bdb340b; classtype:trojan-activity; sid:49396; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"/ministerstvo-energetiki/seminars/2019/06/Seminar.rtf"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/f617e805ccd0b1451e1f448d1328201d79cb846ba8b5b97221c26188fd1a1836; classtype:trojan-activity; sid:49397; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [139,445] (msg:"MALWARE-CNC Win.Trojan.Zebrocy variant outbound connection"; flow:to_server,established; content:"S|00|e|00|m|00|i|00|n|00|a|00|r|00|_|00|2|00|0|00|1|00|8|00|_|00|1|00|.|00|A|00|O|00|-|00|A|00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service netbios-ssn; reference:url,virustotal.com/#/file/573ea78afb50100f896185164da3b8519e2e0f609a34a7c70460eca5b4ae640d; classtype:trojan-activity; sid:49398; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Orange LiveBox unauthorized credentials access attempt"; flow:to_server,established; urilen:23; content:"/get_getnetworkconf.cgi"; fast_pattern:only; http_uri; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-20377; reference:url,badpackets.net/over-19000-orange-livebox-adsl-modems-are-leaking-their-wifi-credentials/; classtype:attempted-recon; sid:49418; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".png?ID="; fast_pattern:only; http_uri; content:"&MAC="; http_uri; content:"&OS="; http_uri; content:"&BIT="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49571; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Fakewmi variant outbound connection attempt"; flow:to_server,established; content:".exez?ID="; fast_pattern:only; http_uri; content:"&GUID="; http_uri; content:"&_T="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc/detection; classtype:trojan-activity; sid:49572; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/bbs/data/tmp/ping.php"; fast_pattern:only; http_uri; content:"word="; nocase; http_uri; content:"note="; nocase; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49592; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; urilen:<50; content:"/indox.php?v="; fast_pattern:only; http_uri; pcre:"/\/indox\.php\x3fv=(pp|pe|s)/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49593; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:".php?file=Cobra_"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49594; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.SectorA05 outbound connection attempt"; flow:to_server,established; content:"/board.php"; fast_pattern:only; http_uri; pcre:"/\/board\.php\?(m=[0-9A-F]{0,12}&)?(v=([abcef]|\d+\.\d+))/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,threatrecon.nshc.net/2019/01/30/operation-kitty-phishing/; classtype:trojan-activity; sid:49595; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"MALWARE-CNC Win.Trojan.TSCookie variant outbound connection"; flow:to_server,established; content:"User-Agent: Mozilla/4.0 (compatible|3B| MSIE 8.0|3B| Win32)|0D 0A|"; fast_pattern:only; content:"|20|/t"; depth:4; offset:3; content:".aspx?m="; within:20; content:!"Referer"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,blogs.jpcert.or.jp/en/2018/11/tscookie2.html; classtype:trojan-activity; sid:49664; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|00 00 00 00 73 63 61 6E 6E 69 6E 67 2E 2E 2E 00 20 3A 20 00 73 63 61 6E 20 66 69 6E 69 73 65 64 00 00 00 00 63 3A 2F 2E 6C 6F 67 00 77 61 72 6D 69 6E 67 20 75 70 2E 2E 2E 00 00 00|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49676; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation"; fast_pattern:only; content:"boost"; content:"BlockCipher"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49677; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"AVBlockTransformation"; fast_pattern:only; content:"boost"; content:"BlockCipher"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49678; rev:1;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_client,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service ftp-data, service http, service imap, service pop3; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49679; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"MALWARE-CNC Win.Ransomware.Lockergoga binary download attempt"; flow:to_server,established; flowbits:isset,file.exe; file_data; content:"|40 74 6B 85 FF 7C 65 7F 04 85 F6 74 5F 8B 03 8B 40 04 8B 4C 18 38 0F B7 54 18 40 89 55 EC 8B 41|"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service smtp; reference:url,bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/; classtype:trojan-activity; sid:49680; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/feedbackinfo/production/"; fast_pattern:only; http_uri; content:"User-Agent: wget|0D 0A|"; http_header; content:"Referer:"; http_header; content:"/entry/feedbackinfo/production/"; within:100; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49788; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/updaterinfo.bin"; fast_pattern:only; http_uri; content:"User-Agent: wget|0D 0A|"; http_header; content:"Referer:"; http_header; content:"/updater/"; within:50; http_header; content:!"Accept-Encoding"; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49789; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zacinlo outbound connection"; flow:to_server,established; content:"/entry/exe/runinfo"; fast_pattern:only; http_uri; content:"&mac="; http_uri; content:"User-Agent: wget"; http_header; content:"Referer:"; http_header; content:"/entry/"; within:50; http_header; content:!"Accept-"; http_header; content:!"Content-"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,labs.bitdefender.com/2018/06/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/; classtype:trojan-activity; sid:49790; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php"; fast_pattern:only; http_uri; content:"down_url="; nocase; http_client_body; pcre:"/(^|&)down_url=[^&]*?(http|ftp)/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49837; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Tpshop remote file include attempt"; flow:to_server,established; content:"/vendor/phpdocumentor/reflection-docblock/tests/phpDocumentor/Reflection/DocBlock/Tag/LinkTagTeet.php"; fast_pattern:only; http_uri; content:"down_url="; nocase; http_uri; content:"|3A|/"; http_uri; pcre:"/[?&]down_url=[^&]*?(http|ftp)/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-9919; reference:url,seclists.org/fulldisclosure/2018/May/11; classtype:web-application-attack; sid:49838; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; pcre:"/(^|&)file(name|path)=[^&]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49839; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_uri; content:"../"; http_uri; pcre:"/[?&]file(name|path)=[^&]*?\x2e\x2e\x2f/Ui"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49840; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"Content-Disposition"; nocase; http_client_body; content:"filename"; nocase; http_client_body; pcre:"/filename\s*=\s*[^\r\n]*?(\x2e|%(25)?2e){2}([\x2f\x5c]|%(25)?(2f|5c))/Pi"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49841; rev:1;)
|
|
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP LG-Ericsson iPECS NMS 30M directory traversal attempt"; flow:to_server,established; content:"/ipecs-cm/download"; fast_pattern:only; http_uri; content:"file"; nocase; http_client_body; content:"Content-Disposition"; nocase; http_client_body; pcre:"/name\s*=\s*[\x22\x27]?file(name|path)((?!^--).)*?\x2e\x2e[\x2f\x5c]/Psim"; metadata:policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2018-15138; reference:url,www.exploit-db.com/exploits/45167; classtype:web-application-attack; sid:49842; rev:1;)
|
|
alert tcp any any -> $HOME_NET 3389 (msg:"OS-WINDOWS Microsoft Windows RDP MS_T120 channel bind attempt"; flow:to_server,established; content:"MS_T120|00|"; fast_pattern:only; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service rdp; reference:cve,2019-0708; reference:url,portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-0708; classtype:attempted-admin; sid:50137; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; content:"/7773/index.php"; fast_pattern:only; http_uri; urilen:15; content:"&string="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/91637c3b2fdb9fe50e80dd872580856275eb0275e885fec4b47ffcbe7d724b61; classtype:trojan-activity; sid:50258; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; content:"/php/gate.php"; fast_pattern:only; http_uri; content:"key="; nocase; http_client_body; content:"&string="; distance:0; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50259; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; content:"/7773/plug/"; fast_pattern:only; http_uri; content:".ahk"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/efe51c2453821310c7a34dca3054021d0f6d453b7133c381d75e3140901efd12; classtype:trojan-activity; sid:50260; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; content:"/?gate&hwid="; fast_pattern:only; http_uri; content:"&pwd="; http_uri; content:"pcuser"; distance:0; http_uri; content:"admin"; distance:0; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50261; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; content:"/7773/plug/htv/tv.dll"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/f64792324839f660b9bdfda95501a568c076641cf08ce63c1ddbe29b45623ac0; classtype:trojan-activity; sid:50262; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.TeamBot outbound cnc connection"; flow:to_server,established; content:"logincreds="; fast_pattern:only; http_client_body; content:"isAdmin="; http_client_body; content:"antivirus="; http_client_body; content:"commentary="; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/5ef40f982016085ed58e0088eaa4be6e8c32cfa6526a5e681116b0914427ee21; classtype:trojan-activity; sid:50263; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; content:"/7773/uploads/upload.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/43fbda74a65668333727c6512562db4f9e712cf1d5ad9dca8f06ae51bb937ba2; classtype:trojan-activity; sid:50264; rev:2;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt"; flow:to_server,established; content:"/temporary_listen_addresses/smsservice"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cybersecurity.att.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild; reference:url,isc.sans.edu/diary/CVE-2019-0604+Attack/24952; classtype:trojan-activity; sid:50276; rev:3;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Chopper webshell inbound request attempt"; flow:to_server,established; content:"/temporary_listen_addresses/wsman"; fast_pattern:only; http_uri; content:"_reguestguid"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,cybersecurity.att.com/blogs/labs-research/sharepoint-vulnerability-exploited-in-the-wild; reference:url,isc.sans.edu/diary/CVE-2019-0604+Attack/24952; classtype:trojan-activity; sid:50277; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC User-Agent known malicious user agent - BURAN - Win.Trojan.Buran"; flow:to_server,established; content:"User-Agent|3A 20|BURAN|0D 0A|"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/0bed6711e6db24563a66ee99928864e8cf3f8cff0636c1efca1b14ef15941603/analysis/; classtype:trojan-activity; sid:50424; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot additional payload download attempt"; flow:to_server,established; content:".exe"; fast_pattern:only; http_uri; urilen:6; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8; classtype:trojan-activity; sid:50445; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Downloader.TeamBot outbound cnc connection"; flow:to_server,established; content:"/get.php?pid="; fast_pattern:only; http_uri; content:"User-Agent: Microsoft Internet Explorer|0D 0A|"; http_header; content:!"Connection"; http_header; content:!"Accept"; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/#/file/3024ca140830e8eaf6634c1fd00bdfbd3968c3e96886ff9ec7d1b105c946e5c8; classtype:trojan-activity; sid:50446; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET 65314 (msg:"MALWARE-CNC Unix.Backdoor.Godlua variant outbound connection"; flow:to_server,established; content:"|01 00 10|"; depth:3; content:"|00 12 5C|"; within:3; distance:9; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,virustotal.com/gui/file/bd8b1bd06817772af89d93a1789d5df13e15136e53a6af60be0900986c56234f/detection; classtype:trojan-activity; sid:50811; rev:1;)
|
|
# alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"SERVER-OTHER OpenBSD ISAKMP denial of service attempt"; flow:to_server; content:"|6C 6A CD CF B8 41 3F F8 00 00 00 00 00 00 00 00 01 10 04 01 00 00 00 00 00 00 00 1C|"; fast_pattern:only; metadata:policy max-detect-ips drop, ruleset community; reference:cve,2004-0222; classtype:denial-of-service; sid:50901; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Dropper.Clipbanker variant outbound connection"; flow:to_server,established; content:"/wp-content/plugins/WPSecurity/load.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2922662802eed0d2300c3646a7a9ae73209f71b37ab94b25e6df57f6aed7f23e/analysis/; classtype:trojan-activity; sid:50989; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"MALWARE-BACKDOOR Win.Backdoor.Agent webshell inbound request attempt"; flow:to_server,established; content:"Response.Write(|22|UAshell|22|)|3B 0D 0A|"; fast_pattern:only; http_header; content:"/ua.aspx"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-0604; reference:url,portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0604; classtype:trojan-activity; sid:51368; rev:2;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER ANDR.Trojan.Agent outbound connection attempt"; flow:to_server,established; content:"/recv_android.php"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/2bbd16a5c6e8f59cc221500b680af434785611de1194216d47ef10c52b2032e1/analysis/; classtype:trojan-activity; sid:51484; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRAT variant outbound connection"; flow:to_server,established; content:"ProClient.Data"; fast_pattern:only; content:"Clientx|2C 20|Version="; nocase; content:"data|05|bytes"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/gui/file/6610e632758a0ae2ab9b259fe1f83236aff6b5bd485c3d4e3fd4995be68535bf/detection; classtype:trojan-activity; sid:51532; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.BlackRAT variant inbound connection"; flow:to_client,established; content:"BlackRAT.Data"; fast_pattern:only; content:"|2C 20|Version="; nocase; content:"data|05|bytes"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/gui/file/6610e632758a0ae2ab9b259fe1f83236aff6b5bd485c3d4e3fd4995be68535bf/detection; classtype:trojan-activity; sid:51533; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"User-Agent|3A 20|Installer/23"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51541; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"/webkit_login_records"; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51542; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"PATCH"; http_method; content:"/installers/"; http_uri; content:"X-Installer-"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51543; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"/upload_files"; http_uri; content:"X-File-Name:"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51544; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"/tasks"; http_uri; content:"X-Finder-"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51545; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.ModularInstaller variant outbound connection detected"; flow:to_server,established; content:"/webkit_cookies"; http_uri; content:"X-Finder-"; fast_pattern:only; http_header; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.flashpoint-intel.com/blog/newly-discovered-malware-framework-cashing-in-on-ad-fraud/; classtype:trojan-activity; sid:51546; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Amadey botnet outbound connection"; flow:to_server,established; content:"bi="; fast_pattern:only; http_client_body; content:"/index.php"; nocase; http_uri; content:"id="; nocase; http_client_body; content:"sd="; nocase; http_client_body; content:"vs="; nocase; http_client_body; content:"ar="; nocase; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/gui/file/ea09fb5b9c31bbf5817f22634f0ad837605a3352df099690d5e3a948bb719e83; classtype:trojan-activity; sid:51636; rev:3;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Osx.Trojan.Gmera variant outbound connection"; flow:to_server,established; content:"/link.php?"; depth:13; fast_pattern; http_uri; content:"User-Agent: curl/"; http_header; content:!"Referer"; nocase; http_header; pcre:"/^\/link\.php\?.{4,20}&\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/18e1db7c37a63d987a5448b4dd25103c8053799b0deea5f45f00ca094afe2fe7/analysis/; classtype:trojan-activity; sid:51642; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Silence variant outbound connection detected"; flow:to_server,established; content:"/showthread.php?"; fast_pattern:only; http_uri; content:"alphayz="; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/gui/file/793b0dea13a1934f3a81d348ca8cb033da908a74feed5a37a3ccc9cb08cf31f1/detection; classtype:trojan-activity; sid:51670; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Silence variant outbound connection detected"; flow:to_server,established; content:"/showthread.php?yz="; fast_pattern:only; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/gui/file/793b0dea13a1934f3a81d348ca8cb033da908a74feed5a37a3ccc9cb08cf31f1/detection; classtype:trojan-activity; sid:51671; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,10011] (msg:"MALWARE-CNC Andr.Trojan.Moonshine outbound connection"; flow:established,to_server; content:"User-Agent: hots scot"; fast_pattern:only; content:"/ws?"; nocase; content:"whisky_id="; nocase; content:"device_id="; nocase; content:"Upgrade: websocket"; nocase; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/6977e6098815cd91016be9d76f194ed4622640d03c6cdd66b1032306a2190af7/analysis/; classtype:trojan-activity; sid:51672; rev:1;)
|
|
# alert udp any 67 -> $HOME_NET 68 (msg:"OS-LINUX Red Hat NetworkManager DHCP client command injection attempt"; content:"|63 82 53 63|"; content:"|27|"; distance:0; content:"|23|"; within:254; pcre:"/\x63\x82\x53\x63.+?[\x0c-\xfe][\x05-\xff][\x20-\x7f]{0,250}\x27[\x20-\x7f]{3,250}\x23/s"; metadata:policy max-detect-ips drop, ruleset community, service dhcp; reference:cve,2018-1111; reference:url,access.redhat.com/security/cve/cve-2018-1111; classtype:attempted-user; sid:52022; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Xml.Phishing.Evernote outbound connection"; flow:to_server,established; content:"_spacertoofee="; fast_pattern:only; http_uri; content:"hondacbrheavy"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/26f541b6e334574311c168af5d84b2d6887115bbff33ae5b45d28b0f66901b87/analysis/; classtype:misc-activity; sid:52026; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER Xml.Phishing.Evernote outbound connection"; flow:to_server,established; content:"_truthcolor="; fast_pattern:only; http_uri; content:"dramafrine"; http_uri; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/en/file/50d0c853da4e7d2226d70e136d6e88e8e3841cc67a85df976d1bdf7084571a60/analysis/; classtype:misc-activity; sid:52027; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_server,established; file_data; content:"ZM"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy balanced-ips alert, policy connectivity-ips alert, policy max-detect-ips alert, policy security-ips alert, ruleset community, service smtp; classtype:misc-activity; sid:52056; rev:3;)
|
|
alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"FILE-IDENTIFY Portable Executable binary file magic detected"; flow:to_client,established; file_data; content:"ZM"; byte_jump:4,58,relative,little; content:"PE|00 00|"; within:4; distance:-64; flowbits:set,file.exe; flowbits:noalert; metadata:policy max-detect-ips alert, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:misc-activity; sid:52057; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Js.Trojan.FakeUpdate outbound connection"; flow:to_server,established; content:"POST /1x1.png HTTP/"; fast_pattern:only; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,www.virustotal.com/#/file/8035806fc7109137ab55d39046ad9e010597bf5390b2e82740add8d1749edaf3; classtype:trojan-activity; sid:52259; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT inbound connection"; flow:to_client,established; isdataat:!12; content:"|7C 30 7C A1 40 23 40 21|"; depth:8; offset:3; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/gui/file/064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a/detection; classtype:trojan-activity; sid:52548; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"MALWARE-CNC Win.Trojan.XpertRAT outbound connection"; flow:to_server,established; isdataat:!11; content:"|7C|root|7C|"; depth:6; offset:3; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community; reference:url,www.virustotal.com/gui/file/064d1d9a20f737679bb7ce912854c7ab29f78a0716ee8bc8dc69ade02acdca5a/detection; classtype:trojan-activity; sid:52549; rev:1;)
|
|
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-WEBAPP Citrix ADC and Gateway arbitrary code execution attempt"; flow:to_server,established; content:"/vpns/"; fast_pattern:only; content:"NSC_USER:"; http_raw_header; content:"../"; within:10; http_raw_header; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2019-19781; reference:url,support.citrix.com/article/CTX267027; classtype:web-application-attack; sid:52620; rev:1;)
|
|
alert tcp any any -> $HOME_NET 8009 (msg:"SERVER-APACHE Apache Tomcat AJP connector arbitrary file access attempt"; flow:to_server,established; content:"|12 34|"; depth:2; content:"|02|"; within:1; distance:2; byte_test:1,!&,0xF9,0,relative; byte_extract:2,1,protocol_len,relative; content:"HTTP"; within:protocol_len; nocase; content:"javax.servlet.include.request_uri|00|"; fast_pattern:only; content:"javax.servlet.include.servlet_path|00|"; nocase; metadata:policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2020-1938; classtype:attempted-user; sid:53341; rev:2;)
|
|
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_server,established; flowbits:isset,file.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; fast_pattern:only; content:"6269747361646d696e"; nocase; metadata:impact_flag red, ruleset community, service smtp; classtype:trojan-activity; sid:53582; rev:2;)
|
|
# alert tcp $EXTERNAL_NET $FILE_DATA_PORTS -> $HOME_NET any (msg:"INDICATOR-COMPROMISE RTF document with Equation and BITSAdmin download attempt"; flow:to_client,established; flowbits:isset,file.rtf|file.doc; file_data; content:"0200000002CE020000000000C000000000000046"; fast_pattern:only; content:"6269747361646d696e"; nocase; metadata:impact_flag red, ruleset community, service ftp-data, service http, service imap, service pop3; classtype:trojan-activity; sid:53583; rev:2;)
|
|
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.FormBook variant outbound connection"; flow:to_server,established; content:"Content-Type: application/x-www-form-urlencoded|0D 0A|Accept: */*|0D 0A|Referer:"; fast_pattern:only; http_header; urilen:<6; content:"Connection: close|0D 0A|Content-Length:"; http_header; content:"Cache-Control: no-cache|0D 0A|Origin:"; http_header; content:"POST"; http_method; content:"="; depth:10; http_client_body; isdataat:300,relative; content:!"="; distance:0; http_client_body; pcre:"/\x2f[a-z0-9]{2,3}\x2f/U"; metadata:impact_flag red, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:53584; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; content:"*dJU!*JE&!M@UNQ@"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/gui/file/d8af45210bf931bc5b03215ed30fb731e067e91f25eda02a404bd55169e3e3c3/detection; classtype:trojan-activity; sid:54053; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; content:"t34kjfdla45l"; fast_pattern:only; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/gui/file/b4bf6322c67a23553d5a9af6fcd9510eb613ffac963a21e32a9ced83132a09ba/detection; classtype:trojan-activity; sid:54054; rev:1;)
|
|
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Copperhedge outbound connection"; flow:to_server,established; content:"_webident_f"; fast_pattern:only; http_client_body; content:"_webident_s"; http_client_body; metadata:impact_flag red, policy balanced-ips drop, policy max-detect-ips drop, policy security-ips drop, ruleset community, service http; reference:url,virustotal.com/gui/file/0a763da26a67cb2b09a3ae6e1ac07828065eb980e452ce7d3354347976038e7e/detection; classtype:trojan-activity; sid:54055; rev:1;)
|
|
|