[Snort-sigs] Tons of rule mods..

Kreimendahl, Chad J Chad.Kreimendahl at ...361...
Mon Jun 3 12:12:15 EDT 2002


For the most part, I just changed flags:A+ to flow:established.  However,
there are several rules where I added to_client or to_server, based on the
actual flow of the data.   These should be the last of the lot as far as
converting flags:A+ to flow:established goes.   I've also come up with a few
attack responses for these, and hope to publish them to you all soon.   I
think I changed the class for an attack response in here to be
successful-admin instead of attempted-admin.

Yes, I did increment the rev on all of these.

Enjoy:

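# BACKDOOR rules (sids 118, 120, 121, 184, 614), flags:A+ converted to flow.
# Written one rule per line: Snort does not accept a rule, or a quoted content
# string, that continues onto the next line without a trailing backslash.
#
# sid:118 - Satan's Backdoor 2.0 beta greeting sent by the listener on $HOME_NET:666.
alert tcp $HOME_NET 666 -> $EXTERNAL_NET 1024: (msg:"BACKDOOR SatansBackdoor.2.0.Beta"; content: "Remote|3A| You are connected to me."; flow:established; reference:arachnids,316; sid:118; classtype:misc-activity; rev:4;)
# sid:120 - Infector 1.6 banner from the listener on 146 back to the connecting side.
alert tcp $HOME_NET 146 -> $EXTERNAL_NET 1000:1300 (msg:"BACKDOOR Infector 1.6 Server to Client"; content:"|57 48 41 54 49 53 49 54|"; flow:established; sid:120; classtype:misc-activity; rev:4;)
# sid:121 - Infector 1.6 connection request toward the listener on 146.
alert tcp $EXTERNAL_NET 1000:1300 -> $HOME_NET 146 (msg:"BACKDOOR Infector 1.6 Client to Server Connection Request"; content:"|46 43 20|"; flow:established; sid:121; classtype:misc-activity; rev:4;)
# sid:184 - Q backdoor access. flow:established replaced by flow:stateless plus the
#           original flags:A+, rev bumped. A source in 255.255.255.0/24 cannot
#           complete a three-way handshake with $HOME_NET, so the stream tracker
#           never marks such a session established and the converted rule would not
#           fire; flow:stateless keeps the pre-conversion "any ACK packet" behaviour.
alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flow:stateless; flags:A+; dsize: >1; reference:arachnids,203; sid:184; classtype:misc-activity; rev:5;)
# sid:614 - hack-a-tack probe: a single "A" as the first payload byte (depth:1).
alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; content: "A"; depth: 1; reference:arachnids,314; flow:established; classtype:attempted-recon; sid:614; rev:3;)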
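# EXPLOIT rules (sids 260, 1428, 303, 1240), flags:A+ converted to flow.
# Written one rule per line: the hex content of sid:303 was wrapped mid-string
# by the mailer and would not load as shown.
#
# sid:260 - "ADMROCKS" marker of the ADM named overflow, sent client -> DNS server.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow (ADMROCKS)"; flow:to_server,established; content:"ADMROCKS"; reference:cve,CVE-1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; reference:bugtraq,788; classtype:attempted-admin; sid:260; rev:5;)
# sid:1428 - AudioGalaxy keepalive: offset:0; depth:5 pins the 5-byte pattern to the
#            very start of the payload, outbound from $HOME_NET to the 64.245.58.0/23 block.
alert tcp $HOME_NET any -> 64.245.58.0/23 any (msg:"EXPERIMENTAL audio galaxy keepalive"; content: "|45 5F 00 03 05|"; offset:0; depth:5; flow:established; classtype:misc-activity; sid:1428; rev:2;)
# sid:303 - named TSIG overflow attempt, client -> DNS server.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:7;)
# sid:1240 - MDBMS overflow. Added to_server and bumped rev, matching sids 260/303:
#            the overflow is sent by the connecting side to the MDBMS listener on 2224,
#            so responses from the server no longer have to be searched.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|0131 DBCD 80E8 5BFF FFFF|"; reference:bugtraq,1252; reference:cve,CVE-2000-0446; classtype:attempted-admin; sid:1240; rev:4;)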
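# POLICY rules (sids 553, 1449, 568, 510), flags:A+ converted to flow.
# Written one rule per line: the "@PJL RDYMSG DISPLAY =" content of sids 568/510
# was wrapped mid-string by the mailer.
#
# sid:553 - FTP "USER anonymous" sent by the client. Both contents must match;
#           each nocase applies to the content immediately before it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous login attempt"; content:"USER"; nocase; content:" anonymous|0D0A|"; nocase; flow:to_server,established; classtype:misc-activity; sid:553; rev:4;)
# sid:1449 - same as sid:553 for the "ftp" alias of the anonymous account.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP anonymous (ftp) login attempt"; content:"USER"; nocase; content:" ftp|0D0A|"; nocase; flow:to_server,established; classtype:misc-activity; sid:1449; rev:3;)
# sid:568 - PJL "RDYMSG DISPLAY" command sent to a JetDirect printer on 9100.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9100 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245; reference:arachnids,302; sid:568; rev:5;)
# sid:510 - identical to sid:568 for the 9000-9002 port range.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9000:9002 (msg:"POLICY HP JetDirect LCD modification attempt"; flow:to_server,established; content:"@PJL RDYMSG DISPLAY ="; classtype:misc-activity; reference:bugtraq,2245; reference:arachnids,302; sid:510; rev:5;)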
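# sid:1252 - BSD telnetd exploit response: the "[Yes]" marker followed by telnet
# option bytes, emitted by the telnet server on $HOME_NET:23 toward the client
# (from_server is Snort's synonym for to_client). classtype is successful-admin
# because this is the server-side reply, not the attempt itself.
# Written on one line: the hex content and the bugtraq reference were wrapped by
# the mailer.
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content: "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"; classtype:successful-admin; sid:1252; rev:7; reference:bugtraq,3064; reference:cve,CAN-2001-0554;)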
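# MS-SQL rules, part 1 (sids 676, 673, 674, 675, 677, 678, 679, 680, 681, 682, 683,
# 684, 685, 686, 687), flags:A+ converted to flow. Written one rule per line: the
# wrapped contents (e.g. sid:674, sid:675, sid:682, sid:684) would not load as shown.
#
# All request rules match the procedure name as it appears on the wire, one |00|
# byte after each character, so nocase is what makes the match case-insensitive.
# The port-139 (SMB) rules search from offset:32; the port-1433 rules search the
# whole payload. Where depth:32 is also set, the match is confined to payload
# bytes 32-63, which is enough for the short names used there (sp_start_job,
# sp_adduser) but would not hold the longer xp_* names, presumably why those
# rules carry offset only.
#
# sid:676 / sid:673 - sp_start_job (SQL Agent job start) over SMB and over 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_start_job - program execution"; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; flow:to_server,established; offset: 32; depth: 32; classtype:attempted-user; sid:676; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; content:"s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|b|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:673; rev:4;)
# sid:674 - xp_displayparamstmt on 1433. NOTE(review): the content stops at the final
#           "t" without a trailing |00|, unlike the SMB twin sid:702; harmless (the
#           shorter pattern is a superset) but worth aligning in a later rev.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_displayparamstmt possible buffer overflow"; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; flow:to_server,established; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:674; rev:4;)
# sid:675 - xp_setsqlsecurity on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_setsqlsecurity possible buffer overflow"; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flow:to_server,established; reference:bugtraq,2043; classtype:attempted-user; sid:675; rev:5;)
# sid:677 - sp_password over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_password password change"; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:677; rev:5;)
# sid:678 - sp_delete_alert over SMB. NOTE(review): the content covers only
#           "sp_delete_ale", whereas the 1433 twin sid:684 carries the full name.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_delete_alert log file deletion"; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:678; rev:5;)
# sid:679 - sp_adduser over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB sp_adduser database user creation"; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flow:to_server,established; offset:32; depth:32; classtype:attempted-user; sid:679; rev:4;)
# sid:680 - server's "Login failed for user 'sa'" reply over SMB, searched from
#           offset:83. classtype changed to unsuccessful-user (rev bumped) so it agrees
#           with the 1433 twin sid:688, which classifies the same failed login that way.
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL/SMB sa login failed"; content: "Login failed for user |27|sa|27|"; flow:to_client,established; offset:83; classtype:unsuccessful-user; sid:680; rev:5;)
# sid:681 - xp_cmdshell over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_cmdshell program execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; sid:681; rev:4;)
# sid:682 - xp_enumresultset on 1433. Added the bugtraq/cve references carried by the
#           SMB twin sid:708 for the same procedure and bumped rev.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_enumresultset possible buffer overflow"; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flow:to_server,established; reference:bugtraq,2031; reference:cve,CAN-2000-1082; classtype:attempted-user; sid:682; rev:6;)
# sid:683 - sp_password on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; content:"s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:683; rev:4;)
# sid:684 - sp_delete_alert on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert log file deletion"; content:"s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|r|00|t|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:684; rev:4;)
# sid:685 - sp_adduser on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; content:"s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:685; rev:4;)
# sid:686 - any xp_reg* procedure on 1433 (prefix match on "xp_reg").
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:686; rev:4;)
# sid:687 - xp_cmdshell on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flow:to_server,established; classtype:attempted-user; sid:687; rev:4;)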
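# sid:688 - server's "Login failed for user 'sa'" reply on 1433. Direction fixed
# from to_server to to_client and rev bumped: the rule header is $SQL_SERVERS 1433
# -> $EXTERNAL_NET, i.e. the reply travelling back to the connecting client, and
# with to_server the rule could never match (the SMB twin sid:680 already uses
# to_client for the same message).
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa login failed"; content: "Login failed for user |27|sa|27|"; flow:to_client,established; classtype:unsuccessful-user; sid:688; rev:5;)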
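# MS-SQL rules, part 2 (sids 689, 690, 691, 692, 693, 694), flags:A+ converted to
# flow. Written one rule per line (the xp_printstatements content of sid:690 was
# wrapped by the mailer).
#
# sid:689 - any xp_reg* procedure over SMB, confined to payload bytes 32-63.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_reg* registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flow:to_server,established; offset:32; depth:32; classtype:attempted-user; sid:689; rev:4;)
# sid:690 - xp_printstatements over SMB, searched from offset:32.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_printstatements possible buffer overflow"; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:690; rev:4;)
# sid:691 / sid:692 - first shellcode byte sequence, on 1433 and over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flow:to_server,established; classtype:shellcode-detect; sid:691; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content: "|3920d0009201c200520055003920ec00|"; flow:to_server,established; classtype:shellcode-detect; sid:692; rev:4;)
# sid:693 / sid:694 - second shellcode byte sequence, on 1433 and over SMB.
#           sid:694 was the only one of the four shellcode rules classed
#           attempted-user; changed to shellcode-detect (rev bumped) to match
#           its siblings, since the content is the same sequence as sid:693.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL shellcode attempt"; content:"|4800250078007700900090009000900090003300c000500068002e00|"; flow:to_server,established; classtype:shellcode-detect; sid:693; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB shellcode attempt"; content:"|4800250078007700900090009000900090003300c000500068002e00|"; flow:to_server,established; classtype:shellcode-detect; sid:694; rev:5;)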
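# MS-SQL rules, part 3 (sids 695-708, 1386, 1387), flags:A+ converted to flow.
# Written one rule per line: several xp_* contents were wrapped mid-string by the
# mailer. Each procedure appears twice, once over SMB on 139 (offset:32) and once
# on 1433; the pairs should carry the same references.
#
# sid:695 - xp_sprintf over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_sprintf possible buffer overflow"; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flow:to_server,established; offset: 32; reference:bugtraq,1204; classtype:attempted-user; sid:695; rev:5;)
# sid:696 - xp_showcolv over SMB. Added the cve reference its 1433 twin sid:705
#           already carries and bumped rev.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_showcolv possible buffer overflow"; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2038; reference:cve,CAN-2000-1083; classtype:attempted-user; sid:696; rev:6;)
# sid:697 - xp_peekqueue over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_peekqueue possible buffer overflow"; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2040; reference:cve,CAN-2000-1085; classtype:attempted-user; sid:697; rev:5;)
# sid:698 - xp_proxiedmetadata over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_proxiedmetadata possible buffer overflow"; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2042; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:698; rev:5;)
# sid:699 - xp_printstatements on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_printstatements possible buffer overflow"; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; flow:to_server,established; reference:bugtraq,2041; reference:cve,CAN-2000-1086; classtype:attempted-user; sid:699; rev:5;)
# sid:700 / sid:701 - xp_updatecolvbm over SMB and on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_updatecolvbm possible buffer overflow"; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:700; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_updatecolvbm possible buffer overflow"; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; flow:to_server,established; reference:bugtraq,2039; reference:cve,CAN-2000-1084; classtype:attempted-user; sid:701; rev:5;)
# sid:702 - xp_displayparamstmt over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_displayparamstmt possible buffer overflow"; content:"x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2030; reference:cve,CAN-2000-1081; classtype:attempted-user; sid:702; rev:5;)
# sid:703 - xp_setsqlsecurity over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_setsqlsecurity possible buffer overflow"; content:"x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y|00|"; nocase; flow:to_server,established; offset:32; classtype:attempted-user; reference:bugtraq,2043; sid:703; rev:5;)
# sid:704 - xp_sprintf on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_sprintf possible buffer overflow"; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; flow:to_server,established; reference:bugtraq,1204; classtype:attempted-user; sid:704; rev:5;)
# sid:705 - xp_showcolv on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_showcolv possible buffer overflow"; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; flow:to_server,established; reference:bugtraq,2038; reference:cve,CAN-2000-1083; classtype:attempted-user; sid:705; rev:5;)
# sid:706 - xp_peekqueue on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_peekqueue possible buffer overflow"; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; flow:to_server,established; reference:bugtraq,2040; reference:cve,CAN-2000-1085; classtype:attempted-user; sid:706; rev:5;)
# sid:707 - xp_proxiedmetadata on 1433. bugtraq reference corrected from 2024 to
#           2042 (rev bumped): the SMB twin sid:698 for the same procedure and the
#           same CAN-2000-1087 cites 2042, and 2024 matched nothing else in this set.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_proxiedmetadata possible buffer overflow"; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; flow:to_server,established; reference:bugtraq,2042; reference:cve,CAN-2000-1087; classtype:attempted-user; sid:707; rev:6;)
# sid:708 - xp_enumresultset over SMB.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB xp_enumresultset possible buffer overflow"; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; flow:to_server,established; offset:32; reference:bugtraq,2031; reference:cve,CAN-2000-1082; classtype:attempted-user; sid:708; rev:5;)
# sid:1386 / sid:1387 - raiserror over SMB and on 1433.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL/SMB raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flow:to_server,established; offset: 32; reference:bugtraq,3733; classtype:attempted-user; sid:1386; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL raiserror possible buffer overflow"; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; flow:to_server,established; reference:bugtraq,3733; classtype:attempted-user; sid:1387; rev:4;)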
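# Gnutella handshake rules (sids 558, 559), flags:A+ converted to flow, with the
# direction added as was done for the other rules in this batch (rev bumped).
# Both rules look at $EXTERNAL_NET -> $HOME_NET traffic within the first 40 bytes
# (depth:40); which side initiated the TCP session is what tells them apart.
#
# sid:558 - "GNUTELLA OK" is the accepting peer's reply, so seeing it arrive at
#           $HOME_NET means a host inside opened the session: to_client, and the
#           "Outbound" in msg refers to that inside-initiated session.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO Outbound GNUTella client request"; flow:to_client,established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;)
# sid:559 - "GNUTELLA CONNECT" is the opening request of the connecting peer, so an
#           outside host opened the session toward $HOME_NET: to_server.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"P2P Inbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:5;)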



