[Snort-sigs] snort-rules STABLE update @ Mon Feb 10 11:01:01 2003

bmc at ...95... bmc at ...95...
Mon Feb 10 08:03:07 EST 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> deleted.rules
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";  reference:arachnids,106; sid:140;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";  reference:arachnids,106; sid:142;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; sid:143; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";  reference:arachnids,106; sid:148;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64";  reference:arachnids,106; sid:180;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07";  reference:arachnids,106; sid:186; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38";  reference:arachnids,106; sid:188;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23";  reference:arachnids,106; sid:189; classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content: "GetInfo|0d|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:3;)
     alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-act ivity; rev:4;)
     alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:114;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";  reference:arachnids,399; sid:116;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network";  reference:arachnids,106; sid:151;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24";  reference:arachnids,106; sid:190; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26";  reference:arachnids,106; sid:192;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339;  rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; sid:194;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";  reference:arachnids,106; sid:196;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";  reference:arachnids,106; sid:125; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12";  reference:arachnids,106; sid:126;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - ";  reference:arachnids,106; sid:129;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342;  rev:5;)
     alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:6;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344;  rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established;  content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:6;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";  reference:arachnids,106; sid:167; classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346;  rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hi de/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168 ;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348;  rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";  reference:arachnids,106; sid:201;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100";  reference:arachnids,106; sid:202;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117";  reference:arachnids,106; sid:203;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118";  reference:arachnids,106; sid:204;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130";  reference:arachnids,106; sid:131;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199";  reference:arachnids,106; sid:205;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; flow:to_server,established; content:" x PARTIAL 1 BODY["; dsize:>1092; reference:bugtraq,4713; classtype:misc-attack; sid:1780; rev:5;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17";  reference:arachnids,106; sid:134;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911";  reference:arachnids,106; sid:137;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";  reference:arachnids,106; sid:170;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";  reference:arachnids,106; sid:171;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172;  classtype:misc-activity; rev:5;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 bsd overfow"; content:"|6563 686f 206e 6574 726a 7320 7374 7265|"; classtype:attempted-admin; sid:318; rev:3; reference:bugtraq,324; reference:cve,CVE-1999-0914;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350;  rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"EXPLOIT bootp x86 linux overflow"; content:"|4139 30c0 a801 012f 6269 6e2f 7368 00|"; reference:cve,CVE-1999-0799; reference:cve,CAN-1999-0798; reference:cve,CAN-1999-0389; classtype:attempted-admin; sid:319; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351;  rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";  reference:arachnids,106; sid:174;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352;  rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";  reference:arachnids,106; sid:176;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";  reference:arachnids,106; sid:177;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21";  reference:arachnids,106; sid:179; classtype:misc-activity; rev:4;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; content:"|42 00 02|"; depth:3; dsize:>512; reference:cve,CAN-2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 27155 (msg:"MISC GlobalSunTech Access Point Information Discolsure attempt"; content:"gstsearch"; reference:bugtraq,6100; classtype:misc-activity; sid:1966; rev:1;)

     file -> rpc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS TCP"; flow:to_server,established; content:"|01 86 A3 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1960; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA UDP"; content:"|01 86 AB 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1961; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA TCP"; flow:to_server,established; content:"|01 86 AB 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1962; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_sever,established; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS UDP"; content:"|01 86 A3 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1959; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:1;)

  [---]          Removed:          [---]

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT partial body overflow attempt"; flow:to_server,established; content:" x PARTIAL 1 BODY["; dsize:>1092; reference:bugtraq,4713; classtype:misc-attack; sid:1780; rev:4;)

  [///]       Modified active:     [///]

     file -> dns.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728; reference:arachnids,480; classtype:attempted-recon; sid:1435; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS named authors attempt"; flow:to_server,established; content:"|07|authors"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728; reference:arachnids,480; classtype:attempted-recon; sid:1435; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon; sid:1616; rev:4;)
     new: alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS named version attempt"; content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon; sid:1616; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; flow:to_server,established; content:"|AB CD 09 80 00 00 00 01 00 00 00 00 00 00 01 00 01 20 20 20 20 02 61|"; reference:cve,CVE-2001-0010; reference:bugtraq,2302; reference:arachnids,482; classtype:attempted-admin; sid:303; rev:8;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|"; classtype:attempted-admin; sid:314; rev:6; reference:cve,CVE-2001-0010; reference:bugtraq,2303;)
     new: alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named tsig overflow attempt"; content:"|80 00 07 00 00 00 00 00 01 3F 00 01 02|"; classtype:attempted-admin; sid:314; rev:6; reference:cve,CVE-2001-0010; reference:bugtraq,2303;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer UDP"; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:1948; rev:1;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow (ADMROCKS)"; flow:to_server,established; content:"ADMROCKS"; reference:cve,CVE-1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; reference:bugtraq,788; classtype:attempted-admin; sid:260; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named overflow (ADMROCKS)"; flow:to_server,established; content:"ADMROCKS"; reference:cve,CVE-1999-0833; reference:url,www.cert.org/advisories/CA-1999-14.html; reference:bugtraq,788; classtype:attempted-admin; sid:260; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD80 E8D7 FFFF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"|CD80 E8D7 FFFF FF|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31c0 b03f 31db b3ff 31c9 cd80 31c0|"; classtype:attempted-admin; sid:262;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS zone transfer TCP"; flow:to_server,established; content: "|00 00 FC|"; offset:14; reference:cve,CAN-1999-0532; reference:arachnids,212; classtype:attempted-recon; sid:255; rev:7;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named authors attempt"; content:"|07|authors"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728; reference:arachnids,480; classtype:attempted-recon; sid:256; rev:3;)
     new: alert udp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS named authors attempt"; content:"|07|authors"; nocase; offset:12; content:"|04|bind"; nocase; offset: 12; reference:nessus,10728; reference:arachnids,480; classtype:attempted-recon; sid:256; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 linux overflow attempt"; flow:to_server,established; content:"|31 c0 b0 02 cd 80 85 c0 75 4c eb 4c 5e b0|"; classtype:attempted-admin; sid:264;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase; nocase; offset:12; reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon; sid:257; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS named version attempt"; flow:to_server,established; content:"|07|version"; nocase; offset:12; content:"|04|bind"; nocase; nocase; offset:12; reference:nessus,10028; reference:arachnids,278; classtype:attempted-recon; sid:257; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 linux overflow attempt (ADMv2)"; flow:to_server,established; content:"|89f7 29c7 89f3 89f9 89f2 ac3c fe|"; classtype:attempted-admin; sid:265;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:258;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:258;  rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT x86 freebsd overflow attempt"; flow:to_server,established; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT x86 freebsd overflow attempt"; flow:to_server,established; content:"|eb6e 5ec6 069a 31c9 894e 01c6 4605|"; classtype:attempted-admin; sid:266;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|"; classtype:attempted-admin; sid:267;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT sparc overflow attempt"; flow:to_server,established; content:"|90 1a c0 0f 90 02 20 08 92 02 20 0f d0 23 bf f8|"; classtype:attempted-admin; sid:267;  rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named overflow (ADM)"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:259;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $DNS_SERVERS 53 (msg:"DNS EXPLOIT named overflow (ADM)"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:cve,CVE-1999-0833; reference:bugtraq,788; classtype:attempted-admin; sid:259;  rev:4;)

     file -> rpc.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content: "|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flow:to_server,established; sid:1266;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flow:to_server,established; sid:1266; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771: (msg:"RPC NFS Showmount"; flow:to_server,established; content: "|00 01 86 A5 00 00 00 01 00 00 00 05 00 00 00 01|"; offset: 16; depth: 32; reference:arachnids,26; classtype:attempted-recon; sid:574;  rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; content: "|00 01 86 A0 00 00 00 02 00 00 00 04|"; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:7;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # duplicate of 1755
       # duplicate of 109
       # duplicate of 110
       # we have a backorifice preprocessor
       # we have a backorifice preprocessor
       # The following ftp rules look for specific exploits, which are not needed now
       # that initial protocol decoding is available.





More information about the Snort-sigs mailing list