[Snort-sigs] snortrules-current bug patches

Snort user snort at ...1427...
Thu Apr 3 23:35:16 EST 2003


--- idsrules.orig	Fri Mar 28 22:16:29 2003
+++ idsrules	Fri Mar 28 22:24:05 2003
@@ -174,7 +174,7 @@
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; uricontent:"/fp4areg.dll"; nocase; dsize: >259; flow:to_server,established; reference:cve,CAN-2001-0341; reference:bugtraq,2906; classtype:web-application-attack; sid:1247; rev:7;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; flow:to_server,established; content:" x PARTIAL 1 BODY["; dsize:>1092; reference:bugtraq,4713; classtype:misc-attack; sid:1780; rev:5;)
 alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP Cassandra Overflow"; flow:to_server,established; content: "AUTHINFO USER"; nocase; dsize: >512; depth:16; reference:cve,CAN-2000-0341; reference:arachnids,274; classtype:attempted-user; sid:291;  rev:6;)
-alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:3;)
+#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!6; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:3;)
 alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI w3-msql solaris x86  access"; flow:to_server,established; uricontent: "/bin/shA-cA/usr/openwin"; nocase; reference:cve,CVE-1999-0276; reference:arachnids,211;classtype:attempted-recon; sid:874;  rev:4;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:3; reference:bugtraq,324; reference:cve,CVE-1999-0914;)
 alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:2;)
@@ -223,7 +223,7 @@
 alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network";  reference:arachnids,106; sid:151;  classtype:misc-activity; rev:4;)
 alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154;  classtype:misc-activity; rev:4;)
 alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156;  classtype:misc-activity; rev:4;)
-alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-act ivity; rev:4;)
+alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-activity; rev:4;)
 alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07";  reference:arachnids,106; sid:186; classtype:misc-activity; rev:4;)
 alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187;  classtype:misc-activity; rev:4;)
 alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38";  reference:arachnids,106; sid:188;  classtype:misc-activity; rev:4;)




More information about the Snort-sigs mailing list