[Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003

Michael.Advani at ...1221...
Mon Feb 10 06:08:06 EST 2003


Someone formerly posted the rule for capturing SQL slammer as:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)

which differs from the one found in snort.org (snortrules-current.tar.gz):

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

Others suggest this rule:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)

How come there are so many versions? Though the header part is identical,
the 'meat' is totally different!

Thanks,
Michael
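
The following is an added example for this thread, not code from Snort, from the rule update or from any poster: a small evaluator for the payload options of a Snort rule, run over the three Slammer rules quoted above and the new FTP DELE overflow rule from the update, against constructed packets. It assumes Snort 2 matching semantics as I read the manual (offset/depth count from the payload start, distance/within count from the end of the previous content match, content:! succeeds when the bytes are absent); rule headers, flow and reference options are ignored, so it compares only what the content options themselves require.

```python
# Added example for this thread (not Snort's code, not any poster's): tiny evaluator of Snort content options.
import re


def split_options(option_text):
    """Split rule options on ';', ignoring ';' inside (escape-aware) quoted strings."""
    runs = re.findall(r'(?:"(?:[^"\\]|\\.)*"|[^;"])+', option_text)
    return [run.strip() for run in runs if run.strip()]


def decode_content(text):
    """Decode a content string: |hex| runs become raw bytes, \\x becomes x."""
    out = bytearray()
    for i, piece in enumerate(text.split("|")):
        if i % 2:                            # odd pieces sit inside |...|
            out += bytes.fromhex(piece.replace(" ", ""))
        else:
            out += re.sub(r"\\(.)", r"\1", piece).encode("latin-1")
    return bytes(out)


def parse_rule(rule):
    """Return msg, sid and the ordered content matchers of one single-line rule."""
    parsed = {"msg": "", "sid": None, "contents": []}
    for opt in split_options(rule[rule.index("(") + 1:rule.rindex(")")]):
        key, _, value = opt.partition(":")
        key, value = key.strip(), value.strip()
        if key == "msg":
            parsed["msg"] = value[1:-1]
        elif key == "sid":
            parsed["sid"] = int(value)
        elif key == "content":
            negated = value.startswith("!")
            quoted = value[1:] if negated else value
            parsed["contents"].append({"pattern": decode_content(quoted[1:-1]),
                                       "negated": negated, "nocase": False})
        elif key == "nocase" and parsed["contents"]:
            parsed["contents"][-1]["nocase"] = True
        elif key in ("offset", "depth", "distance", "within") and parsed["contents"]:
            parsed["contents"][-1][key] = int(value)   # modifies the last content
    return parsed


def match_rule(parsed, payload):
    """True when every content option of the rule is satisfied by the payload."""
    last_end = 0                             # where the previous match ended
    for c in parsed["contents"]:
        relative = "distance" in c or "within" in c
        start = last_end + c.get("distance", 0) if relative else c.get("offset", 0)
        if "within" in c:
            end = start + c["within"]        # window after the previous match
        elif "depth" in c:
            end = start + c["depth"]         # window from the payload start/offset
        else:
            end = len(payload)
        region, pattern = payload[start:end], c["pattern"]
        if c["nocase"]:
            region, pattern = region.lower(), pattern.lower()
        idx = region.find(pattern)
        if c["negated"]:
            if idx != -1:
                return False                 # the forbidden bytes are present
        elif idx == -1:
            return False
        else:
            last_end = start + idx + len(pattern)
    return True


# The rules quoted in the thread, each joined back onto one line.
RULES = {
    "list-post": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; '
                 'content:"|04 01 01 01 01 01 01 01|"; classtype:bad-unknown; sid:9998; rev:1;)',
    "official": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; '
                'content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; '
                'reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; '
                'reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)',
    "string-only": 'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Slammer Worm Activity"; '
                   'content:"dllhel32hkernQhounthickChGetTf"; classtype:bad-unknown;)',
    "ftp-dele": 'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow attempt";'
                'flow:to_server,established; content:"DELE "; nocase; content:!"|0a|"; within:100; '
                'reference:cve,CAN-2001-0826; classtype:attempted-admin; sid:1975; rev:1;)',
}

# Constructed sample payloads (not captured traffic): all Slammer strings, the 8-byte prefix only, two DELE commands.
SAMPLES = {
    "all_strings": (b"\x04\x01\x01\x01\x01\x01\x01\x01" + b"\x00" * 8 + b"dllhel32hkernQhounthickChGetTf"
                    + b"\x81\xf1\x03\x01\x04\x9b\x81\xf1\x01" + b"sock" + b"send"),
    "prefix_only": b"\x04\x01\x01\x01\x01\x01\x01\x01" + b"\x00" * 24,
    "ftp_short": b"DELE old.log\r\n",
    "ftp_long": b"DELE " + b"A" * 200 + b"\r\n",
}


def alerts_for(payload):
    """Names of the rules above whose content options all match the payload."""
    return [n for n, r in RULES.items() if match_rule(parse_rule(r), payload)]
```

The prefix-only packet fires the one-content list rule but neither of the others, which is the practical difference between the three: the official rule needs four separate byte strings before it alerts, so it is the least likely to fire on unrelated 1434/udp traffic.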

-----Original Message-----
From: bmc at ...95... [mailto:bmc at ...95...]
Sent: Saturday, February 08, 2003 5:17 AM
To: snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs] snort-rules STABLE update @ Fri Feb 7 17:33:38 2003



This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> exploit.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT
IRC topic overflow"; flow:to_client,established; content:"|eb 4b 5b 53 32 e4
83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672;
reference:bugtraq,573; classtype:attempted-user; sid:307; rev:6;)
     alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap
parse overflow attempt"; flow:to_server,established; content:"PRIVMSG
nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150;
reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack;
sid:1382; rev:7;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP DELE overflow
attempt";flow:to_server,established; content:"DELE "; nocase;
content:!"|0a|"; within:100; reference:cve,CAN-2001-0826;
classtype:attempted-admin; sid:1975; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RMD overflow
attempt"; flow:to_server,established;  content:"RMD "; nocase;
content:!"|0a|"; within:100;reference:cve,CAN-2001-0826;
classtype:attempted-admin; sid:1976; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory
traversal attempt"; content:"LIST"; content:".."; distance:1; content:"..";
distance:1; reference:cve,CVE-2001-0680; reference:bugtraq,2618;
reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format
string attempt"; flow:to_server,established; content:"SITE"; nocase;
content:"EXEC "; nocase; distance:0; content:"%"; distance:1; content:"%";
distance:1; classtype:bad-unknown; sid:1971; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow
attempt"; flow:to_server,established,no_stream;  content:"PASS "; nocase;
content:!"|0a|"; within:100; reference:cve,CAN-2000-1035;
reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKD overflow
attempt";flow:to_server,established; content:"MKD "; nocase;
content:!"|0a|"; within:100; reference:cve,CAN-1999-0911;
reference:bugtraq,612; classtype:attempted-admin; sid:1973; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP REST overflow
attempt";flow:to_server,established; content:"REST "; nocase;
content:!"|0a|"; within:100; reference:cve,CAN-2001-0826;
classtype:attempted-admin; sid:1974; rev:1;)

     file -> sql.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm
propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B
81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310;
classtype:misc-attack; reference:bugtraq,5311;
reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
xp_regwrite attempt"; flow:to_server,established; content:"xp_regwrite";
nocase; classtype:web-application-activity; sid:1977; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
ion-p access"; flow:to_server,established; uricontent:"/ion-p"; nocase;
reference:bugtraq,6091; classtype:web-application-activity; sid:1969;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC
xp_regdeletekey attempt"; flow:to_server,established;
content:"xp_regdeletekey"; nocase; classtype:web-application-activity;
sid:1978; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-MISC
perl post attempt"; flow:to_server,established; content:"POST"; offset:0;
depth:4; uricontent:"/perl/"; reference:bugtraq,5520;
reference:nessus,11158; classtype:web-application-attack; sid:1979; rev:1;)

     file -> dns.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer
UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532;
reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)

     file -> web-iis.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC
Content-Type overflow attempt"; flow:to_server,established;
uricontent:"/msadcs.dll"; content:"Content-Type\:"; content:!"|0A|";
within:50; reference:cve,CAN-2002-1142;
reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=
337; classtype:web-application-attack; sid:1970; rev:1;)

     file -> backdoor.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat
3.1 Connection attempt [4120]"; content:"00"; depth:2;
classtype:misc-activity; sid:1983; rev:1;)
     alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat
3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open";
reference:arachnids,106; classtype:misc-activity; sid:1984; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1094 (msg:"BACKDOOR Doly 1.5
server response"; flow:from_server,established; content:"Connected.";
classtype:trojan-activity; sid:1985; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat
3.1 Connection attempt"; content:"00"; depth:2; classtype:misc-activity;
sid:1980; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat
3.1 Connection attempt [3150]"; content:"00"; depth:2;
classtype:misc-activity; sid:1981; rev:1;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat
3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open";
reference:arachnids,106; classtype:misc-activity; sid:1982; rev:1;)

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
phpbb quick-reply.php arbitrary command attempt";
flow:established,to_server; uricontent:"/quick-reply.php";
content:"phpbb_root_path="; distance:1; reference:bugtraq,6173;
classtype:web-application-attack; sid:1967; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
edit_image.php access"; flow:established,to_server;
uricontent:"/edit_image.php"; reference:nessus,11104;
reference:cve,CVE-2001-1020; classtype:web-application-activity; sid:1999;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
external include path"; flow:established,to_server; uricontent:".php";
content:"path=http\://"; classtype:web-application-attack; sid:2002; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
phpbb quick-reply.php access"; flow:established,to_server;
uricontent:"/quick-reply.php"; reference:bugtraq,6173;
classtype:web-application-activity; sid:1968; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
read_body.php access attempt"; flow:established,to_server;
uricontent:"/read_body.php"; reference:bugtraq,6302;
classtype:web-application-activity; sid:1997; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php";
reference:nessus,11073; classtype:web-application-activity; sid:2000;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP
calendar.php access"; flow:established,to_server;
uricontent:"/calendar.php"; reference:nessus,11179; reference:bugtraq,5820;
classtype:web-application-activity; sid:1998; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi";
reference:nessus,11165; classtype:web-application-activity; sid:1994;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi";
reference:nessus,11118;  classtype:web-application-activity; sid:1995;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
viralator.cgi access"; flow:to_server,established;
uricontent:"/viralator.cgi"; reference:nessus,11107;
reference:cve,CAN-2001-0849; classtype:web-application-activity; sid:1996;
rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI
smartsearch.cgi access"; flow:to_server,established;
uricontent:"/smartsearch.cgi"; classtype:web-application-activity; sid:2001;
rev:1;)

     file -> chat.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login
attempt"; flow:to_server,established; content:"USR "; depth:4; nocase;
content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991;
rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer request"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite";
nocase; distance:0; content:"Application-Name\:"; content:"File Transfer";
nocase; distance:0; classtype:policy-violation; sid:1986; rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer accept"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0;
content:"Invitation-Command\:"; content:"ACCEPT"; distance:1;
classtype:policy-violation; sid:1988; rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file
transfer reject"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0;
content:"Invitation-Command\:"; content:"CANCEL"; distance:0;
content:"Cancel-Code\:"; nocase; content:"REJECT"; nocase; distance:0;
classtype:policy-violation; sid:1989; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user
search"; flow:to_server,established; content:"CAL "; depth:4; nocase;
classtype:policy-violation; sid:1990; rev:1;)

     file -> policy.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / '
possible warez site"; flow:to_server,established; content:"CWD"; nocase;
content:"/ "; distance:1; classtype: misc-activity; sid:545; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD  '
possible warez site"; flow:to_server,established; content:"CWD  "; nocase;
depth: 5; classtype:misc-activity; sid:546; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / '
possible warez site"; flow:to_server,established; content:"MKD"; nocase;
content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP
file_id.diz access possible warez site";  flow:to_server,established;
content:"RETR"; nocase; content:"file_id.diz"; nocase; distance:1;
classtype:suspicious-filename-detect; sid:1445; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD  '
possible warez site"; flow:to_Server,established; content:"MKD  "; nocase;
depth: 5; classtype:misc-activity; sid:547; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .'
possible warez site"; flow:to_server,established; content:"MKD ."; nocase;
depth: 5; classtype:misc-activity; sid:548; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB'
possible warez site"; flow:to_server,established; content:"STOR"; nocase;
content:"1MB"; nocase; distance:1; classtype:misc-activity; sid:543; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB'
possible warez site"; flow:to_server,established; content:"RETR"; nocase;
content:"1MB"; nocase; distance:1; classtype:misc-activity; sid:544; rev:5;)

  [+++]          Enabled:          [+++]

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow
attempt"; flow:to_server,established,no_stream; dsize:>100;
reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:4;)

  [---]          Removed:          [---]

     file -> dns.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery
attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16;
reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134;
reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon;
sid:252; rev:3;)

     file -> exploit.rules
     #alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86
linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|";
reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798;
reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:1;)
     #alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86
bsd overflow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|";
classtype:attempted-admin; sid:318; rev:2; reference:bugtraq,324;
reference:cve,CVE-1999-0914;)

     file -> backdoor.rules
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";
reference:arachnids,106; sid:140;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";
reference:arachnids,106; sid:142;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Change Wallpaper Client Request"; content:"20";
reference:arachnids,106; sid:143;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Process List Client request"; content:"64";
reference:arachnids,106; sid:180;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled
On port";  reference:arachnids,106; sid:148;  classtype:misc-activity;
rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR
DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|";
reference:arachnids,106; sid:149;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Close Port Scan Client Request"; content:"121";
reference:arachnids,106; sid:181;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Registry Add Client Request"; content:"89";
reference:arachnids,106; sid:182;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Monitor on/off Client Request"; content:"07";
reference:arachnids,106; sid:186;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Delete File Client Request"; content:"41";
reference:arachnids,106; sid:187;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Kill Window Client Request"; content:"38";
reference:arachnids,106; sid:188;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Disable Window Client Request"; content:"23";
reference:arachnids,106; sid:189;  classtype:misc-activity; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus
getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403;
sid:111;  classtype:misc-activity; rev:3;)
     alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice
access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400;
sid:112;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat
access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;
classtype:misc-activity; rev:3;)
     alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus
active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:114;
classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR
BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";
reference:arachnids,399; sid:116;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Server Active on Network"; content:"|00 23|";
reference:arachnids,106; sid:150;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Client Sending Data to Server on Network";
reference:arachnids,106; sid:151;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Wrong Password"; content:"Wrong Password";
reference:arachnids,106; sid:154;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Visible Window List Client Request"; content:"37";
reference:arachnids,106; sid:156;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Enable Window Client Request"; content:"24";
reference:arachnids,106; sid:190;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Change Window Title Client Request"; content:"60";
reference:arachnids,106; sid:191;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide Window Client Request"; content:"26";
reference:arachnids,106; sid:192;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Show Window Client Request"; content:"25";
reference:arachnids,106; sid:193;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Send Text to Window Client Request"; content:"63";
reference:arachnids,106; sid:194;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";
reference:arachnids,106; sid:196;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Create Directory Client Request"; content:"39";
reference:arachnids,106; sid:197;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 All Window List Client Request"; content:"370";
reference:arachnids,106; sid:198;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Play Sound Client Request"; content:"36";
reference:arachnids,106; sid:199;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 System Info Client Request"; content:"13";
reference:arachnids,106; sid:122;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 FTP Status Client Request"; content:"09";
reference:arachnids,106; sid:124;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";
reference:arachnids,106; sid:125;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 E-Mail Info Client Request"; content:"12";
reference:arachnids,106; sid:126;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Server Status From Server"; content:"Host";
reference:arachnids,106; sid:127;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Server Status Client Request"; content:"10";
reference:arachnids,106; sid:128;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Drive Info From Server"; content:"C - ";
reference:arachnids,106; sid:129;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164;
classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On
port"; reference:arachnids,106; sid:165;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Show Picture Client Request"; content:"22";
reference:arachnids,106; sid:166;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";
reference:arachnids,106; sid:167;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";
reference:arachnids,106; sid:168;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34";
reference:arachnids,106; sid:169;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Run Program Normal Client Request"; content:"14";
reference:arachnids,106; sid:200;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";
reference:arachnids,106; sid:201;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Get NET File Client Request"; content:"100";
reference:arachnids,106; sid:202;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Find File Client Request"; content:"117";
reference:arachnids,106; sid:203;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 System Info From Server"; content:"Comp Name";
reference:arachnids,106; sid:130;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Find File Client Request"; content:"118";
reference:arachnids,106; sid:204;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Drive Info Client Request"; content:"130";
reference:arachnids,106; sid:131;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 HUP Modem Client Request"; content:"199";
reference:arachnids,106; sid:205;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR
DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server
changed to"; reference:arachnids,106; sid:132;  classtype:misc-activity;
rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 CD ROM Open Client Request"; content:"02";
reference:arachnids,106; sid:206;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Cached Passwords Client Request"; content:"16";
reference:arachnids,106; sid:133;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 CD ROM Close Client Request"; content:"03";
reference:arachnids,106; sid:207;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 RAS Passwords Client Request"; content:"17";
reference:arachnids,106; sid:134;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Server Password Change Client Request"; content:"91";
reference:arachnids,106; sid:135;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Server Password Remove Client Request"; content:"92";
reference:arachnids,106; sid:136;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Rehash Client Request"; content:"911";
reference:arachnids,106; sid:137;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";
reference:arachnids,106; sid:170;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR
DeepThroat 3.1 Server Rehash Client Request";
content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138;
classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";
reference:arachnids,106; sid:171;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Show Dialog Box Client Request"; content:"70";
reference:arachnids,106; sid:172;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71";
reference:arachnids,106; sid:173;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";
reference:arachnids,106; sid:174;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Resolution Change Client Request"; content:"125";
reference:arachnids,106; sid:175;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";
reference:arachnids,106; sid:176;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";
reference:arachnids,106; sid:177;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 FTP Server Port Client Request"; content:"21";
reference:arachnids,106; sid:179;  classtype:misc-activity; rev:3;)

     file -> chat.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"CHAT IRC
EXPLOIT topic overflow"; flow:to_client,established; content:"|eb 4b 5b 53
32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672;
reference:bugtraq,573; classtype:attempted-user; sid:307; rev:5;)
     alert tcp any any -> any 6666:7000 (msg:"CHAT IRC EXPLOIT Ettercap
parse overflow attempt"; flow:to_server,established; content:"PRIVMSG
nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150;
reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack;
sid:1382; rev:6;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\"
possible warez site"; flow:to_server,established; content:"CWD / "; nocase;
depth: 6; classtype:misc-activity; sid:545;  rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD  \"
possible warez site"; flow:to_server,established; content:"CWD  "; nocase;
depth: 5; classtype:misc-activity; sid:546;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD / \"
possible warez site"; flow:to_server,established; content:"MKD / "; nocase;
depth: 6; classtype:misc-activity; sid:554;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD  \"
possible warez site"; flow:to_Server,established; content:"MKD  "; nocase;
depth: 5; classtype:misc-activity; sid:547;  rev:4;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz
access"; flow:to_server,established; content:"RETR "; nocase;
content:"file_id.diz"; nocase; classtype:suspicious-filename-detect;
sid:1445; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD . \"
possible warez site"; flow:to_server,established; content:"MKD ."; nocase;
depth: 5; classtype:misc-activity; sid:548;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT
overflow"; flow:to_server,established; content:"|5057 440A 2F69|";
classtype:attempted-admin; sid:340;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT
overflow"; flow:to_server,established; content:"|5858 5858 582F|";
classtype:attempted-admin; sid:341;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86
linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80
31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368;
classtype:attempted-admin; sid:350;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0 site exec format string overflow Solaris 2.8";
flow:to_server,established; content: "|901BC00F 82102017 91D02008|";
reference:bugtraq,1387; reference:cve,CAN-2000-0573;
reference:arachnids,451; classtype:attempted-user; sid:342;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86
linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80
eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368;
classtype:attempted-admin; sid:351;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established;
content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32;
reference:arachnids,228; reference:bugtraq,1387;
reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:5;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86
linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70
83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368;
classtype:attempted-admin; sid:352;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0 site exec format string overflow Linux"; flow:to_server,established;
content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387;
reference:cve,CAN-2000-0573; reference:arachnids,287;
classtype:attempted-admin; sid:344;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0 site exec format string overflow generic"; flow:to_server,established;
content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase;
reference:bugtraq,1387; reference:cve,CAN-2000-0573;
reference:arachnids,285; reference:nessus,10452; classtype:attempted-admin;
sid:345; rev:5;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format
string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C
25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573;
reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user;
sid:338;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0 site exec format string check"; flow:to_server,established;
content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286;
reference:bugtraq,1387; reference:cve,CAN-2000-0573;
classtype:attempted-recon; sid:346;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD
x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017
CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124;
reference:arachnids,446; classtype:attempted-user; sid:339;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd
2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@";
reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user;
sid:348;  rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"STOR 1MB\"
possible warez site"; flow:to_server,established; content:"STOR 1MB";
nocase; depth: 8; classtype:misc-activity; sid:543;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD
overflow"; flow:to_server,established; content:"MKD AAAAAA";
reference:bugtraq,113; reference:cve,CVE-1999-0368;
classtype:attempted-admin; sid:349;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"RETR 1MB\"
possible warez site"; flow:to_server,established; content:"RETR 1MB";
nocase; depth: 8; classtype:misc-activity; sid:544;  rev:4;)

  [///]       Modified active:     [///]

     file -> dos.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS Winnuke
attack"; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153;
classtype: attempted-dos; sid:1257; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg: "DOS
Winnuke attack"; flags: U+; reference: bugtraq,2010;
reference:cve,CVE-1999-0153; classtype: attempted-dos; sid:1257; rev:4;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow
attempt"; flow:to_server,established; content:"CWD "; nocase;
content:!"|0a|"; within:100; classtype:attempted-admin; sid:1919; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD overflow
attempt"; flow:to_server,established; content:"CWD "; nocase;
content:!"|0a|"; within:100; reference:cve,CAN-2000-1035;
reference:cve,CAN-2000-1194; reference:cve,CAN-2002-0126;
classtype:attempted-admin; sid:1919; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad
file completion attempt ["; flow:to_server,established; content:"~";
content:"["; reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886;
reference:bugtraq,3581; classtype:misc-attack; sid:1377; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad
file completion attempt ["; flow:to_server,established; content:"~";
content:"["; distance:1;reference:cve,CVE-2001-0550;
reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack;
sid:1377; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER
overflow attempt"; flow:to_server,established,no_stream;  content:"USER ";
nocase; content:!"|0a|"; within:100; reference:bugtraq,4638;
reference:cve,CAN-2000-0479; classtype:attempted-admin; sid:1734; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER
overflow attempt"; flow:to_server,established,no_stream;  content:"USER ";
nocase; content:!"|0a|"; within:100; reference:bugtraq,4638;
reference:cve,CAN-2000-0479; reference:cve,CAN-2000-0656;
reference:cve,CAN-2000-1035; reference:cve,CAN-2000-1194;
reference:cve,CAN-2001-0794; reference:cve,CAN-2001-0826;
reference:cve,CAN-2002-0126; reference:cve,CVE-2000-0943;
classtype:attempted-admin; sid:1734; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad
file completion attempt {"; flow:to_server,established; content:"~";
content:"{"; reference:cve,CVE-2001-0550; reference:cve,CAN-2001-0886;
reference:bugtraq,3581; classtype:misc-attack; sid:1378; rev:9;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp bad
file completion attempt {"; flow:to_server,established; content:"~";
content:"{"; distance:1; reference:cve,CVE-2001-0550;
reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack;
sid:1378; rev:10;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec";
flow:to_server,established; content:"site "; nocase; content:" exec ";
offset:4; nocase; reference:bugtraq,2241; reference:arachnids,317;
classtype:bad-unknown; sid:361;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec";
flow:to_server,established; content:"SITE "; nocase; content:"EXEC ";
distance:0; nocase; reference:bugtraq,2241; reference:arachnids,317;
classtype:bad-unknown; sid:361;  rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar
parameters"; flow:to_server,established; content:"RETR "; nocase; content:"
--use-compress-program"; nocase; reference:bugtraq,2240;
reference:arachnids,134; reference:cve,CVE-1999-0202; classtype:bad-unknown;
sid:362;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar
parameters"; flow:to_server,established; content:" --use-compress-program" ;
nocase; reference:bugtraq,2240; reference:arachnids,134;
reference:cve,CVE-1999-0202; classtype:bad-unknown; sid:362; rev:7;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO
overflow attempt"; flow:to_server,established,no_stream; dsize:>500;
content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042;
reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO
overflow attempt"; flow:to_server,established; content:"HELO "; offset:0;
depth:5; content:!"|0a|"; within:500; reference:cve,CVE-2000-0042;
reference:nessus,10324; classtype:attempted-admin; sid:1549; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN
overflow attempt"; flow:to_server,established,no_stream; dsize:>500;
content:"ETRN "; offset:0; depth:5; reference:cve,CAN-2000-0490;
classtype:attempted-admin; sid:1550; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ETRN
overflow attempt"; flow:to_server,established; content:"ETRN "; offset:0;
depth:5; content:!"|0A|"; within:500; reference:cve,CAN-2000-0490;
classtype:attempted-admin; sid:1550; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
sendmail 5.6.4 exploit"; flow:to_server,established; content:"rcpt to|3a|
decode"; nocase; reference:arachnids,121; classtype:attempted-admin;
sid:664; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO
decode attempt"; flow:to_server,established; content:"rcpt to|3a| decode";
nocase; reference:arachnids,121; reference:cve,CVE-1999-0203;
classtype:attempted-admin; sid:664; rev:7;)

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS SAM Attempt";flow:to_server,established; content:"sam._";
nocase; classtype:web-application-attack; sid:988;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-IIS SAM Attempt";flow:to_server,established; content:"sam._";
nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml;
classtype:web-application-attack; sid:988; rev:6;)

     file -> oracle.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS
(msg:"ORACLE create table attempt"; flow:to_server,established;
content:"drop table"; nocase; classtype:protocol-command-decode; sid:1693;
rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS
(msg:"ORACLE create table attempt"; flow:to_server,established;
content:"create table"; nocase; classtype:protocol-command-decode; sid:1693;
rev:4;)

     file -> ddos.rules
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN
server response"; content: "|73 68 65 6C 6C 20 62 6F 75 6E 64 20 74 6F 20 70
6F 72 74|"; itype: 0; icmp_id: 123; icmp_seq: 0; reference:arachnids,182;
classtype:attempted-dos; sid:238; rev:1;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"DDOS TFN
server response"; itype:0; icmp_id:123; icmp_seq:0; content: "|73 68 65 6C
6C 20 62 6F 75 6E 64 20 74 6F 20 70 6F 72 74|"; reference:arachnids,182;
classtype:attempted-dos; sid:238; rev:3;)

     file -> tftp.rules
     old: alert udp any any -> any 69 (msg:"TFTP filename overflow attempt";
content: "|0001|"; offset:0; depth:2; content:!"|00|"; within:500;
reference:cve,CAN-2002-0813; reference:bugtraq,5328; classtype:bad-unknown;
sid:1941; rev:1;)
     new: alert udp any any -> any 69 (msg:"TFTP filename overflow attempt";
content: "|0001|"; offset:0; depth:2; content:!"|00|"; within:100;
reference:cve,CAN-2002-0813; reference:bugtraq,5328; classtype:bad-unknown;
sid:1941; rev:2;)

     file -> bad-traffic.rules
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC tcp
port 0 traffic"; reference:cve,CVE-1999-0675; reference:nessus,10074;
classtype:misc-activity; sid:524; rev:4;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD TRAFFIC tcp
port 0 traffic"; classtype:misc-activity; sid:524; rev:5;)

     file -> info.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No
Password"; content: "pass |0d|"; nocase; reference:arachnids,322;
flow:from_client,established; classtype:unknown; sid:489;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No
Password"; content: "PASS"; nocase; offset:0; depth:4; content:"|0a|";
within:3; reference:arachnids,322; flow:from_client,established;
classtype:unknown; sid:489; rev:5;)
     old: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login";
content:"530 Login "; nocase; flow:to_server,established;
classtype:bad-unknown; sid:491;  rev:4;)
     new: alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login";
content:"530 Login "; nocase; flow:from_server,established;
classtype:bad-unknown; sid:491; rev:5;)

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC bad HTTP/1.1 request, potentual worm attack";
flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";
offset:0; depth:18;
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.0
9.13.html; classtype:web-application-activity; sid:1881; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack";
flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";
offset:0; depth:18;
reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.0
9.13.html; classtype:web-application-activity; sid:1881; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC apache ?M=A directory list attempt";
flow:to_server,established; uricontent:"/?M=A";
classtype:web-application-activity; reference:cve,CAN-2001-0731; sid:1519;
rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC apache ?M=D directory list attempt";
flow:to_server,established; uricontent:"/?M=D";
classtype:web-application-activity; reference:cve,CVE-2001-0731;
reference:bugtraq,3009; sid:1519; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC regread attempt"; flow:to_server,established;
content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069;
rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS
(msg:"WEB-MISC xp_regread attempt"; flow:to_server,established;
content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069;
rev:6;)

     file -> dns.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone
transfer"; flow:to_server,established; content: "|00 00 FC|"; offset:13;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone
transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14;
reference:cve,CAN-1999-0532; reference:arachnids,212;
classtype:attempted-recon; sid:255; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
authors attempt"; flow:to_server,established; content:"|07|authors";
offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728;
reference:arachnids,480; classtype:attempted-recon; sid:1435; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
authors attempt"; flow:to_server,established; content:"|07|authors"; nocase;
offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728;
reference:arachnids,480; classtype:attempted-recon; sid:1435; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
authors attempt"; content:"|07|authors"; offset:12; content:"|04|bind";
nocase; offset: 12; reference:nessus,10728; reference:arachnids,480;
classtype:attempted-recon; sid:256; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
authors attempt"; content:"|07|authors"; nocase; offset:12;
content:"|04|bind"; nocase; offset: 12; reference:nessus,10728;
reference:arachnids,480; classtype:attempted-recon; sid:256; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
version attempt"; flow:to_server,established; content:"|07|version";
offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10028;
reference:arachnids,278; classtype:attempted-recon; sid:257; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
version attempt"; flow:to_server,established; content:"|07|version"; nocase;
offset:12; content:"|04|bind"; nocase; nocase; offset:12;
reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon;
sid:257; rev:6;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
version attempt"; content:"|07|version"; offset:12; content:"|04|bind";
nocase; offset: 12; reference:nessus,10028; reference:arachnids,278;
classtype:attempted-recon; sid:1616; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named
version attempt"; content:"|07|version"; nocase; offset:12;
content:"|04|bind"; nocase; offset: 12; reference:nessus,10028;
reference:arachnids,278; classtype:attempted-recon; sid:1616; rev:4;)

     file -> rservices.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh
froot"; flow:to_server,established; content:"-froot|00|";
reference:arachnids,386; classtype:attempted-admin; sid:604;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh
froot"; flow:to_server,established; content:"-froot|00|";
reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)

     file -> backdoor.rules
     old: alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR
netbus active"; flow:from_server,established; content:"NetBus";
reference:arachnids,401; classtype:misc-activity;  sid:109; rev:3;)
     new: alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any
(msg:"BACKDOOR netbus active"; flow:from_server,established;
content:"NetBus"; reference:arachnids,401; classtype:misc-activity;
sid:109; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR
netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403;
sid:110;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346
(msg:"BACKDOOR netbus getinfo"; flow:to_server,established;
content:"GetInfo|0d|"; reference:arachnids,403; classtype:misc-activity;
sid:110; rev:3;)
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 5032 (msg:"BACKDOOR
NetMetro File List"; flags: A+; content:"|2D 2D|";  reference:arachnids,79;
sid:159;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 5032 (msg:"BACKDOOR
NetMetro File List"; flow:to_server,established; content:"|2D 2D|";
reference:arachnids,79; sid:159;  classtype:misc-activity; rev:4;)
     old: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|";
reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103;
classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR
subseven 22"; flow:to_server,established;
content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485;
reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103;
rev:5;)
     old: alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR
DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";
reference:arachnids,106; sid:195;  classtype:misc-activity; rev:3;)
     new: alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR
DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open";
reference:arachnids,106; sid:195;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR
netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401;
sid:115;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR
netbus active"; flow:to_server,established; content:"NetBus";
reference:arachnids,401; classtype:misc-activity; sid:115; rev:4;)
     old: alert tcp $EXTERNAL_NET 16959 -> $HOME_NET any (msg:"BACKDOOR
subseven DEFCON8 2.1 access"; content: "PWD"; content:"acidphreak"; nocase;
flags: A+; sid:107;  classtype:misc-activity; rev:4;)
     new: alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR
subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD";
classtype:trojan-activity; sid:107; rev:6;)

     file -> attack-responses.rules
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase;
flow:from_server,established; classtype:attempted-recon; sid:1200; rev:6;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any
(msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase;
flow:from_server,established;
reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.asp;
classtype:attempted-recon; sid:1200; rev:7;)

     file -> chat.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat
access"; flow:to_server,established; content:"text/plain"; depth:100;
classtype:misc-activity; sid:540;  rev:6;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN
message"; flow:established; content:"MSG "; depth:4;
content:"Content-Type\:"; content:"text/plain"; distance:1;
classtype:misc-activity; sid:540; rev:8;)

     file -> nntp.rules
     old: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return
code buffer overflow attempt"; flow:to_server,established,no_stream;
content:"200 "; offset:0; depth:4; dsize:>100; reference:bugtraq,4900;
classtype:protocol-command-decode; sid:1792; rev:4;)
     new: alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"NNTP return
code buffer overflow attempt"; flow:to_server,established,no_stream;
content:"200 "; offset:0; depth:4; content:!"|0a|"; within:64;
reference:bugtraq,4900; reference:cve,CAN-2002-0909;
classtype:protocol-command-decode; sid:1792; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO
USER overflow attempt"; flow:to_server,established; dsize:>500;
content:"AUTHINFO USER "; nocase; reference:cve,CAN-2000-0341;
classtype:attempted-admin; sid:1538; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"NNTP AUTHINFO
USER overflow attempt"; flow:to_server,established; content:"AUTHINFO USER
"; nocase; depth:14; content:!"|0a|"; within:500;
reference:cve,CAN-2000-0341; reference:arachnids,274;
classtype:attempted-admin; sid:1538; rev:5;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
.eml"; content:"|00|E|00|M|00|L"; flow:to_server,established;
classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
.eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established;
classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
.nws"; content:"|00|N|00|W|00|S"; flow:to_server,established;
classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda
.nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established;
classtype:bad-unknown;
reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:7;)

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802
(msg:"EXPERIMENTAL POLICY vncviewer java applet download attempt";
content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity;
sid:1846; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY
vncviewer java applet download attempt"; content:"/vncviewer.jar";
reference:nessus,10758; classtype:misc-activity; sid:1846; rev:2;)

  [///]      Modified inactive:    [///]

     file -> smtp.rules
     old: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
chameleon overflow"; content: "HELP "; nocase;
flow:to_server,established,no_stream; dsize: >500; depth: 5;
reference:bugtraq,2387; reference:arachnids,266;
reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:6;)
     new: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP
chameleon overflow"; flow:to_server,established,no_stream; content: "HELP ";
nocase; depth:5; content:!"|0a|"; within:500; reference:bugtraq,2387;
reference:arachnids,266; reference:cve,CAN-1999-0261;
classtype:attempted-admin; sid:657; rev:7;)
     old: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT
TO overflow"; flow:to_server,established,no_stream; content:"rcpt to|3a|";
nocase; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283;
classtype:attempted-admin; sid:654; rev:6;)
     new: #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT
TO overflow"; flow:to_server,established; content:"rcpt to|3a|"; nocase;
content:!"|0a|"; within:800; reference:cve,CAN-2001-0260;
reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:7;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "backdoor.rules":
       # 3150, 4120

  [---]      Removed lines:      [---]
    -> File "ftp.rules":
       # warez kiddies
       # The following rules look for specific exploits, which are not
needed now
       # that initial protocol decoding is available.



_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs

