[Snort-sigs] snort-rules STABLE update @ Mon Dec 1 13:15:17 2003

bmc at ...95... bmc at ...95...
Mon Dec 1 10:16:06 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; reference:bugtraq,7667; reference:nessus,11742; classtype:attempted-admin; sid:2250; rev:1;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2178; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; content:"%"; distance:1;  content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2179; rev:1;)

     file -> backdoor.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; sid:2182; rev:1;)

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|04 00|"; distance:0; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2258; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2257; rev:1;)

  [///]       Modified active:     [///]

     file -> ddos.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(messagedetected)"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master message detected"; content:"l44";reference:arachnids,186; classtype:attempted-dos; sid:231; rev:2;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00\:MastertoDaemon(defaultpassdetected!)"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 27444 (msg:"DDOS Trin00 Master to Daemon default password attempt"; content:"l44adsl"; reference:arachnids,197; classtype:attempted-dos; sid:237; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00\:Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 27665 (msg:"DDOS Trin00 Attacker to Master default startup password"; flow:established,to_server; content:"betaalmostdone"; reference:arachnids,197; classtype:attempted-dos; sid:233; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(*HELLO*detected)"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master *HELLO* message detected"; content:"*HELLO*"; reference:arachnids,185; reference:url,www.sans.org/newlook/resources/IDFAQ/trinoo.htm; classtype:attempted-dos; sid:232; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00\:DaemontoMaster(PONGdetected)"; content:"PONG";reference:arachnids,187; classtype:attempted-recon; sid:223; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 31335 (msg:"DDOS Trin00 Daemon to Master PONG message detected"; content:"PONG";reference:arachnids,187; classtype:attempted-recon; sid:223; rev:2;)

     file -> finger.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command \; execution attempt"; flow:to_server,established; content:"|3b|"; reference:cve,CVE-1999-0150; reference:bugtraq,974; reference:arachnids,379; classtype:attempted-user; sid:326;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"FINGER remote command execution attempt"; flow:to_server,established; content:"|3b|"; reference:cve,CVE-1999-0150; reference:bugtraq,974; reference:arachnids,379; classtype:attempted-user; sid:326;  rev:6;)

     file -> dns.rules
     old: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with ttl\: 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|c0 0c 00 01 00 01 00 00 00 3c 00 04|"; classtype:bad-unknown; sid:254; rev:2;)
     new: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response with TTL of 1 min. and no authority"; content:"|81 80 00 01 00 01 00 00 00 00|"; content:"|c0 0c 00 01 00 01 00 00 00 3c 00 04|"; classtype:bad-unknown; sid:254; rev:3;)
     old: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL\: 1 min. and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:2;)
     new: alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"|85800001000100000000|"; content:"|c00c000c00010000003c000f|"; classtype:bad-unknown; sid:253; rev:3;)

     file -> scan.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy \(8080\) attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:5;)

     file -> oracle.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like \"%\" attempt"; flow:to_server,established; content:" where "; nocase; content:" like \"%\""; nocase; classtype:protocol-command-decode; sid:1678; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE select like '%' attempt backslash escaped"; flow:to_server,established; content:" where "; nocase; content:" like \"%\""; nocase; classtype:protocol-command-decode; sid:1678; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data\(command=version\) attempt"; flow:to_server,established; content:"connect_data\(command=version\)"; nocase; classtype:protocol-command-decode; sid:1674; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data\(command=version\)"; nocase; classtype:protocol-command-decode; sid:1674; rev:4;)




