[Snort-sigs] snort-rules CURRENT update @ Mon Dec 22 13:15:21 2003

bmc at ...95... bmc at ...95...
Mon Dec 22 10:16:02 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [///]       Modified active:     [///]

     file -> ddos.rules
     old: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S,12; seq: 674711609; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:3;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET any (msg:"DDOS shaft synflood"; flags: S,12; seq: 674711609; stateless; reference:arachnids,253; classtype:attempted-dos; sid:241; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S,12; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 15104 (msg:"DDOS mstream client to handler"; flags: S,12; stateless; reference:arachnids,111; reference:cve,CAN-2000-0138; classtype:attempted-dos; sid:249; rev:3;)

     file -> smtp.rules
     old: alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:1;)
     new: alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2275; rev:2;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 DELE negative arguement attempt"; flow:to_server,established; content:"DELE"; nocase; pcre:"/^DELE\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,7445; reference:bugtraq,6053; sid:2121; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 UIDL negative arguement attempt"; flow:to_server,established; content:"UIDL"; nocase; pcre:"/^UIDL\s+-\d/smi"; classtype:misc-attack; reference:bugtraq,6053; sid:2122; rev:4;)

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:4;)

     file -> snmp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1420; rev:2; classtype:attempted-recon;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; stateless; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1420; rev:3; classtype:attempted-recon;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1418; rev:2; classtype:attempted-recon;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; stateless; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1418; rev:3; classtype:attempted-recon;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1421; rev:2; classtype:attempted-recon;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; stateless; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1421; rev:3; classtype:attempted-recon;)

     file -> dos.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg: "DOS Winnuke attack"; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153; classtype: attempted-dos; sid:1257; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg: "DOS Winnuke attack"; flags: U+; stateless; reference: bugtraq,2010; reference:cve,CVE-1999-0153; classtype: attempted-dos; sid:1257; rev:5;)
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flags:S; seq: 6060842; id: 413; reference:cve,CAN-2000-1039; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.asp; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:bugtraq,2022; classtype:attempted-dos; sid:275; rev:4;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; stateless; flags:S; seq: 6060842; id: 413; reference:cve,CAN-2000-1039; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.asp; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:bugtraq,2022; classtype:attempted-dos; sid:275; rev:5;)

     file -> scan.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"SCAN SOCKS Proxy attempt"; stateless; flags:S,12; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:5;)
     old: alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:1;)
     new: alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; stateless; ttl: >220; ack: 0; flags: S;reference:arachnids,439; classtype:attempted-recon; sid:613; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; content: "AAAAAAAAAAAAAAAA"; depth:16; flags: SFU12; ack: 0; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os SFU12 probe"; stateless; content: "AAAAAAAAAAAAAAAA"; depth:16; flags: SFU12; ack: 0; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN synscan portscan"; id: 39426; stateless; flags: SF;reference:arachnids,441; classtype:attempted-recon; sid:630; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; flags:S,12; classtype:attempted-recon; sid:618; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"SCAN Squid Proxy attempt"; stateless; flags:S,12; classtype:attempted-recon; sid:618; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; flags:S,12; classtype:attempted-recon; sid:620; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"SCAN Proxy Port 8080 attempt"; stateless; flags:S,12; classtype:attempted-recon; sid:620; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; content:"AAAAAAAAAAAAAAAA"; depth:16; flags:PA12; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN cybercop os PA12 attempt"; stateless; content:"AAAAAAAAAAAAAAAA"; depth:16; flags:PA12; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ipEye SYN scan"; flags:S; stateless; seq:1958810375; reference:arachnids,236; classtype:attempted-recon; sid:622; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SCAN cybercop os probe"; stateless; content: "AAAAAAAAAAAAAAAA"; flags:SFP; ack: 0; depth: 16;reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; flags:A,12; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap TCP"; stateless; flags:A,12; ack:0; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap fingerprint attempt"; stateless; flags:SFPU; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; stateless; flags:0; seq:0; ack:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; stateless; flags: SF12; dsize: 0; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN";flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:3;)

     file -> virus.rules
     old: alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flags:A; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732;  classtype:misc-activity; rev:3;)
     new: alert tcp any any -> any 139 (msg:"Virus - Possible QAZ Worm Infection"; flow:established; content: "|71 61 7a 77 73 78 2e 68 73 71|"; reference:MCAFEE,98775; sid:732;  classtype:misc-activity; rev:5;)

     file -> backdoor.rules
     old: alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; flags:SA,12; content:"|B4 B4|";  reference:arachnids,36; sid:163;  classtype:misc-activity; rev:4;)
     new: alert tcp $HOME_NET 5714 -> $EXTERNAL_NET any (msg:"BACKDOOR WinCrash 1.0 Server Active" ; stateless; flags:SA,12; content:"|B4 B4|";  reference:arachnids,36; sid:163;  classtype:misc-activity; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808; sid:2182; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; stateless; flags:S,12; window:55808; sid:2182; rev:2;)
     old: alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; flags: A,12;reference:arachnids,445; sid:106;  classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET 80 -> $HOME_NET 1054 (msg:"BACKDOOR ACKcmdC trojan scan"; seq: 101058054; ack: 101058054; stateless; flags: A,12;reference:arachnids,445; sid:106;  classtype:misc-activity; rev:5;)
     old: alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:3;)
     new: alert tcp any any -> 212.146.0.34 1963 (msg:"BACKDOOR TCPDUMP/PCAP trojan traffic"; stateless; reference:url,hlug.fscker.com; classtype:trojan-activity; sid:1929; rev:4;)
     old: alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; content: "A"; depth: 1; reference:arachnids,314; flags:A+; classtype:attempted-recon; sid:614; rev:2;)
     new: alert tcp $EXTERNAL_NET 31790 -> $HOME_NET 31789 (msg:"BACKDOOR hack-a-tack attempt"; stateless; content: "A"; depth: 1; reference:arachnids,314; flags:A+; classtype:attempted-recon; sid:614; rev:3;)
     old: alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+; dsize: >1;  reference:arachnids,203; sid:184;  classtype:misc-activity; rev:3;)
     new: alert tcp 255.255.255.0/24 any -> $HOME_NET any (msg:"BACKDOOR Q access"; flags:A+; dsize: >1;  stateless; reference:arachnids,203; sid:184;  classtype:misc-activity; rev:4;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:cve,CVE-2001-0680; reference:bugtraq,2618; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:cve,CVE-2001-0680; reference:bugtraq,2618; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:2;)

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2298; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates.php access"; flow:to_server,established; uricontent:"/admin_templates.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2298; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2295; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_settings.php access"; flow:to_server,established; uricontent:"/admin_settings.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2295; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2293; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_password.php access"; flow:to_server,established; uricontent:"/admin_password.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2293; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront arbitrary command execution attempt"; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:nessus,11873; reference:bugtraq,8791; classtype:web-application-attack; sid:2307; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PayPal Storefront arbitrary command execution attempt"; flow:to_server,established; content:"page="; pcre:"/page=(http|https|ftp)/i"; reference:nessus,11873; reference:bugtraq,8791; classtype:web-application-attack; sid:2307; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP chatbox.php access"; flow:to_server,established; uricontent:"/chatbox.php"; nocase; reference:bugtraq,8930; classtype:web-application-activity; sid:2305; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2297; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_templates_misc.php access"; flow:to_server,established; uricontent:"/admin_templates_misc.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2297; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2290; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_help.php access"; flow:to_server,established; uricontent:"/admin_help.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2290; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2296; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_stats.php access"; flow:to_server,established; uricontent:"/admin_stats.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2296; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2300; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_new.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2300; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2287; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_comment.php access"; flow:to_server,established; uricontent:"/admin_comment.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2287; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2291; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_license.php access"; flow:to_server,established; uricontent:"/admin_license.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2291; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2303; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll popup.php access"; flow:to_server,established; uricontent:"/popup.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2303; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery arbitrary command execution attempt"; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:nessus,11876; reference:bugtraq,8814; classtype:web-application-attack; sid:2306; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP gallery arbitrary command execution attempt"; flow:to_server,established; uricontent:"/setup/"; content:"GALLERY_BASEDIR="; pcre:"/GALLERY_BASEDIR=(http|https|ftp)/i"; reference:nessus,11876; reference:bugtraq,8814; classtype:web-application-attack; sid:2306; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2301; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll booth.php access"; flow:to_server,established; uricontent:"/booth.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2301; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2292; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_logout.php access"; flow:to_server,established; uricontent:"/admin_logout.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2292; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2302; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll poll_ssi.php access"; flow:to_server,established; uricontent:"/poll_ssi.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2302; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2299; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_tpl_misc_new.php access"; flow:to_server,established; uricontent:"/admin_tpl_misc_new.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2299; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2289; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_embed.php access"; flow:to_server,established; uricontent:"/admin_embed.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2289; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2294; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_preview.php access"; flow:to_server,established; uricontent:"/admin_preview.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2294; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP files.inc.php access"; flow:to_server,established; uricontent:"/files.inc.php"; nocase; reference:bugtraq,8910; classtype:web-application-activity; sid:2304; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2288; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP Advanced Poll admin_edit.php access"; flow:to_server,established; uricontent:"/admin_edit.php"; nocase; reference:bugtraq,8890; classtype:web-application-activity; sid:2288; rev:2;)

     file -> bad-traffic.rules
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; classtype:misc-activity; sid:524; rev:6;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; stateless; classtype:misc-activity; sid:524; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC data in TCP SYN packet"; flags:S,12; dsize:>6; stateless; reference:url,www.cert.org/incident_notes/IN-99-07.html; sid:526;  classtype:misc-activity; rev:7;)
     old: alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; classtype:bad-unknown; sid:1431; rev:5;)
     new: alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flags:S+; stateless; classtype:bad-unknown; sid:1431; rev:6;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;  classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2251; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;  classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2251; rev:4;)

  [///]      Modified inactive:    [///]

     file -> backdoor.rules
     old: #alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+;  reference:arachnids,79; classtype:misc-activity; sid:160; rev:2;)
     new: #alert tcp $EXTERNAL_NET 5031 -> $HOME_NET !53:80 (msg:"BACKDOOR NetMetro Incoming Traffic"; flags: A+;  stateless; reference:arachnids,79; classtype:misc-activity; sid:160; rev:3;)





More information about the Snort-sigs mailing list