[Snort-sigs] snort-rules CURRENT update @ Tue Jan 21 17:12:16 2003

bmc at ...95... bmc at ...95...
Tue Jan 21 18:38:05 EST 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP edit_image.php access"; flow:established,to_server; uricontent:"/edit_image.php"; reference:nessus,11104; reference:cve,CVE-2001-1020; classtype:web-application-activity; sid:1999; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP external include path"; flow:established,to_server; uricontent:".php"; content:"path=http\://"; classtype:web-application-attack; sid:2002; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP read_body.php access attempt"; flow:established,to_server; uricontent:"/read_body.php"; reference:bugtraq,6302; classtype:web-application-activity; sid:1997; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP readmsg.php access"; flow:established,to_server; uricontent:"/readmsg.php"; reference:nessus,11073; classtype:web-application-activity; sid:2000; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:nessus,11179; reference:bugtraq,5820; classtype:web-application-activity; sid:1998; rev:1;)

     file -> backdoor.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 4120 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [4120]"; content:"00"; depth:2; classtype:misc-activity; sid:1983; rev:1;)
     alert udp $HOME_NET 4120 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [4120]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1984; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1094 (msg:"BACKDOOR Doly 1.5 server response"; flow:from_server,established; content:"Connected."; classtype:trojan-activity; sid:1985; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt"; content:"00"; depth:2; classtype:misc-activity; sid:1980; rev:1;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Connection attempt [3150]"; content:"00"; depth:2; classtype:misc-activity; sid:1981; rev:1;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response [3150]"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; classtype:misc-activity; sid:1982; rev:1;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; content:"{"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:1;)

     file -> deleted.rules
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";  reference:arachnids,106; sid:140;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";  reference:arachnids,106; sid:142;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; sid:143; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS named iquery attempt"; content: "|0980 0000 0001 0000 0000|"; offset: 2; depth: 16; reference:arachnids,277; reference:cve,CVE-1999-0009; reference:bugtraq,134; reference:url,www.rfc-editor.org/rfc/rfc1035.txt; classtype:attempted-recon; sid:252; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";  reference:arachnids,106; sid:148;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64";  reference:arachnids,106; sid:180;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07";  reference:arachnids,106; sid:186; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38";  reference:arachnids,106; sid:188;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23";  reference:arachnids,106; sid:189; classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content: "GetInfo|0d|"; reference:arachnids,403; classtype:misc-activity; sid:111; rev:3;)
     alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-activity; rev:4;)
     alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:114;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";  reference:arachnids,399; sid:116;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network";  reference:arachnids,106; sid:151;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24";  reference:arachnids,106; sid:190; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26";  reference:arachnids,106; sid:192;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; sid:194;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";  reference:arachnids,106; sid:196;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";  reference:arachnids,106; sid:125; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12";  reference:arachnids,106; sid:126;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - ";  reference:arachnids,106; sid:129;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";  reference:arachnids,106; sid:167; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";  reference:arachnids,106; sid:201;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100";  reference:arachnids,106; sid:202;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117";  reference:arachnids,106; sid:203;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118";  reference:arachnids,106; sid:204;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130";  reference:arachnids,106; sid:131;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199";  reference:arachnids,106; sid:205;  classtype:misc-activity; rev:4;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133; classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17";  reference:arachnids,106; sid:134;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911";  reference:arachnids,106; sid:137;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";  reference:arachnids,106; sid:170;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";  reference:arachnids,106; sid:171;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172;  classtype:misc-activity; rev:5;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";  reference:arachnids,106; sid:174;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";  reference:arachnids,106; sid:176;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";  reference:arachnids,106; sid:177;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21";  reference:arachnids,106; sid:179; classtype:misc-activity; rev:4;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"MISC xfs overflow attempt"; flow:to_server,established; content:"|42 00 02|"; depth:3; dsize:>512; reference:cve,CAN-2002-1317; reference:nessus,11188; classtype:misc-activity; sid:1987; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI vpasswd.cgi access"; flow:to_server,established; uricontent:"/vpasswd.cgi"; reference:nessus,11165; classtype:web-application-activity; sid:1994; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI alya.cgi access"; flow:to_server,established; uricontent:"/alya.cgi"; reference:nessus,11118;  classtype:web-application-activity; sid:1995; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI viralator.cgi access"; flow:to_server,established; uricontent:"/viralator.cgi"; reference:nessus,11107; reference:cve,CAN-2001-0849; classtype:web-application-activity; sid:1996; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI smartsearch.cgi access"; flow:to_server,established; uricontent:"/smartsearch.cgi"; classtype:web-application-activity; sid:2001; rev:1;)

     file -> chat.rules
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN login attempt"; flow:to_server,established; content:"USR "; depth:4; nocase; content:" TWN "; distance:1; nocase; classtype:policy-violation; sid:1991; rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer request"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; nocase; distance:0; content:"text/x-msmsgsinvite"; nocase; distance:0; content:"Application-Name\:"; content:"File Transfer"; nocase; distance:0; classtype:policy-violation; sid:1986; rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer accept"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"ACCEPT"; distance:1; classtype:policy-violation; sid:1988; rev:1;)
     alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN file transfer reject"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/x-msmsgsinvite"; distance:0; content:"Invitation-Command\:"; content:"CANCEL"; distance:0; content:"Cancel-Code\:"; nocase; content:"REJECT"; nocase; distance:0; classtype:policy-violation; sid:1989; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:1990; rev:1;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST directory traversal attempt"; content:"LIST"; content:".."; distance:1; content:".."; distance:1; reference:cve,CVE-2001-0680; reference:bugtraq,2618; reference:nessus,11112; classtype:protocol-command-decode; sid:1992; rev:1;)

  [---]          Removed:          [---]

     file -> backdoor.rules
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert OFF Client Request"; content:"88";  reference:arachnids,106; sid:140;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 ICQ Alert ON Client Request"; content: "40";  reference:arachnids,106; sid:142;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Wallpaper Client Request"; content:"20"; reference:arachnids,106; sid:143;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Process List Client request"; content:"64";  reference:arachnids,106; sid:180;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Keylogger Active on Network"; content:"KeyLogger Is Enabled On port";  reference:arachnids,106; sid:148;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network"; content:"|00 23|"; reference:arachnids,106; sid:149;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Close Port Scan Client Request"; content:"121"; reference:arachnids,106; sid:181;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Registry Add Client Request"; content:"89"; reference:arachnids,106; sid:182;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Monitor on/off Client Request"; content:"07";  reference:arachnids,106; sid:186;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Delete File Client Request"; content:"41"; reference:arachnids,106; sid:187;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Kill Window Client Request"; content:"38";  reference:arachnids,106; sid:188;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Disable Window Client Request"; content:"23";  reference:arachnids,106; sid:189;  classtype:misc-activity; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 12346 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:111;  classtype:misc-activity; rev:3;)
     alert tcp $HOME_NET 80 -> $EXTERNAL_NET any (msg:"BACKDOOR BackOrifice access"; flags: A+; content: "server|3a| BO|2f|"; reference:arachnids,400; sid:112;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 4120 -> $HOME_NET any (msg:"BACKDOOR DeepThroat access"; content: "--Ahhhhhhhhhh"; reference:arachnids,405; sid:113;  classtype:misc-activity; rev:3;)
     alert tcp $HOME_NET 12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:114;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";  reference:arachnids,399; sid:116;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 3150 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; content:"|00 23|"; reference:arachnids,106; sid:150;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Client Sending Data to Server on Network";  reference:arachnids,106; sid:151;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 3150 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Wrong Password"; content:"Wrong Password"; reference:arachnids,106; sid:154;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Visible Window List Client Request"; content:"37"; reference:arachnids,106; sid:156;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable Window Client Request"; content:"24";  reference:arachnids,106; sid:190;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Change Window Title Client Request"; content:"60"; reference:arachnids,106; sid:191;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide Window Client Request"; content:"26";  reference:arachnids,106; sid:192;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Window Client Request"; content:"25"; reference:arachnids,106; sid:193;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Send Text to Window Client Request"; content:"63"; reference:arachnids,106; sid:194;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Systray Client Request"; content:"30";  reference:arachnids,106; sid:196;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Create Directory Client Request"; content:"39"; reference:arachnids,106; sid:197;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 All Window List Client Request"; content:"370"; reference:arachnids,106; sid:198;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Play Sound Client Request"; content:"36"; reference:arachnids,106; sid:199;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 System Info Client Request"; content:"13"; reference:arachnids,106; sid:122;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Status Client Request"; content:"09"; reference:arachnids,106; sid:124;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info From Server"; content:"Retreaving";  reference:arachnids,106; sid:125;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 E-Mail Info Client Request"; content:"12";  reference:arachnids,106; sid:126;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Status From Server"; content:"Host"; reference:arachnids,106; sid:127;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Status Client Request"; content:"10"; reference:arachnids,106; sid:128;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Drive Info From Server"; content:"C - ";  reference:arachnids,106; sid:129;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 2140 -> $HOME_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Active on Network"; reference:arachnids,106; sid:164;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server ON"; content:"KeyLogger Is Enabled On port"; reference:arachnids,106; sid:165;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Picture Client Request"; content:"22"; reference:arachnids,106; sid:166;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Clock Client Request"; content:"32";  reference:arachnids,106; sid:167;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Desktop Client Request"; content:"33";  reference:arachnids,106; sid:168;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Swap Mouse Buttons Client Request"; content:"34"; reference:arachnids,106; sid:169;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Normal Client Request"; content:"14"; reference:arachnids,106; sid:200;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Run Program Hidden Client Request"; content:"15";  reference:arachnids,106; sid:201;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Get NET File Client Request"; content:"100";  reference:arachnids,106; sid:202;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"117";  reference:arachnids,106; sid:203;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 System Info From Server"; content:"Comp Name"; reference:arachnids,106; sid:130;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Find File Client Request"; content:"118";  reference:arachnids,106; sid:204;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Drive Info Client Request"; content:"130";  reference:arachnids,106; sid:131;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 HUP Modem Client Request"; content:"199";  reference:arachnids,106; sid:205;  classtype:misc-activity; rev:3;)
     alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server FTP Port Change From Server"; content:"FTP Server changed to"; reference:arachnids,106; sid:132;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Open Client Request"; content:"02"; reference:arachnids,106; sid:206;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Cached Passwords Client Request"; content:"16"; reference:arachnids,106; sid:133;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 CD ROM Close Client Request"; content:"03"; reference:arachnids,106; sid:207;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 RAS Passwords Client Request"; content:"17";  reference:arachnids,106; sid:134;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Change Client Request"; content:"91"; reference:arachnids,106; sid:135;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Server Password Remove Client Request"; content:"92"; reference:arachnids,106; sid:136;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Rehash Client Request"; content:"911";  reference:arachnids,106; sid:137;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Enable/Disable CTRL-ALT-DEL Client Request"; content:"110";  reference:arachnids,106; sid:170;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 3150 (msg:"BACKDOOR DeepThroat 3.1 Server Rehash Client Request"; content:"shutd0wnM0therF***eR"; reference:arachnids,106; sid:138;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Freeze Mouse Client Request"; content:"35";  reference:arachnids,106; sid:171;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Dialog Box Client Request"; content:"70"; reference:arachnids,106; sid:172;  classtype:misc-activity; rev:4;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Show Replyable Dialog Box Client Request"; content:"71"; reference:arachnids,106; sid:173;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"31";  reference:arachnids,106; sid:174;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Resolution Change Client Request"; content:"125"; reference:arachnids,106; sid:175;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Hide/Show Start Button Client Request"; content:"04";  reference:arachnids,106; sid:176;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 Keylogger on Server OFF"; content:"KeyLogger Shut Down";  reference:arachnids,106; sid:177;  classtype:misc-activity; rev:3;)
     alert udp $EXTERNAL_NET 60000 -> $HOME_NET 2140 (msg:"BACKDOOR DeepThroat 3.1 FTP Server Port Client Request"; content:"21";  reference:arachnids,106; sid:179;  classtype:misc-activity; rev:3;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, potentual worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";  offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bad HTTP/1.1 request, Potentially worm attack"; flow:to_server,established; content:"GET / HTTP/1.1|0d 0a 0d 0a|";  offset:0; depth:18; reference:url,securityresponse.symantec.com/avcenter/security/Content/2002.09.13.html; classtype:web-application-activity; sid:1881; rev:4;)

     file -> backdoor.rules
     old: alert tcp $HOME_NET 12345 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity;  sid:109; rev:3;)
     new: alert tcp $HOME_NET 12345:12346 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:from_server,established; content:"NetBus"; reference:arachnids,401; classtype:misc-activity;  sid:109; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 12345 (msg:"BACKDOOR netbus getinfo"; flags: A+; content: "GetInfo|0d|"; reference:arachnids,403; sid:110;  classtype:misc-activity; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"BACKDOOR netbus getinfo"; flow:to_server,established; content:"GetInfo|0d|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:3;)
     old: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flags: A+; content: "|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; sid:103; classtype:misc-activity; rev:4;)
     new: alert tcp $EXTERNAL_NET 27374 -> $HOME_NET any (msg:"BACKDOOR subseven 22"; flow:to_server,established; content:"|0d0a5b52504c5d3030320d0a|"; reference:arachnids,485; reference:url,www.hackfix.org/subseven/; classtype:misc-activity; sid:103; rev:5;)
     old: alert udp $HOME_NET 2140 -> $EXTERNAL_NET 60000 (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; sid:195;  classtype:misc-activity; rev:4;)
     new: alert udp $HOME_NET 2140 -> $EXTERNAL_NET any (msg:"BACKDOOR DeepThroat 3.1 Server Response"; content:"Ahhhh My Mouth Is Open"; reference:arachnids,106; sid:195;  classtype:misc-activity; rev:4;)
     old: alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flags: A+; content: "NetBus";  reference:arachnids,401; sid:115;  classtype:misc-activity; rev:3;)
     new: alert tcp $HOME_NET 20034 -> $EXTERNAL_NET any (msg:"BACKDOOR netbus active"; flow:to_server,established; content:"NetBus";  reference:arachnids,401; classtype:misc-activity; sid:115; rev:4;)
     old: alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content: "PWD"; classtype:trojan-activity; sid:107; rev:5;)
     new: alert tcp $HOME_NET 16959 -> $EXTERNAL_NET any (msg:"BACKDOOR subseven DEFCON8 2.1 access"; flow:from_server,established; content:"PWD"; classtype:trojan-activity; sid:107; rev:6;)

     file -> chat.rules
     old: alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN chat access"; flow:to_server,established; content:"text/plain"; depth:100; classtype:misc-activity; sid:540;  rev:6;)
     new: alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\:"; content:"text/plain"; distance:1; classtype:misc-activity; sid:540; rev:8;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "backdoor.rules":
       # 3150, 4120
    -> File "deleted.rules":
       # duplicate of 109
       # duplicate of 110
       # we have a backorifice preprocessor
       # we have a backorifice preprocessor




