[Snort-sigs] snort-rules CURRENT update @ Sat Jan 25 21:26:07 2003

bmc at ...95... bmc at ...95...
Sat Jan 25 18:26:01 EST 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established;  content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:5;)

     file -> policy.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD / ' possible warez site"; flow:to_server,established; content:"CWD"; nocase; content:"/ "; distance:1; classtype: misc-activity; sid:545; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'CWD  ' possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth: 5; classtype:misc-activity; sid:546; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD / ' possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:6;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP file_id.diz access possible warez site";  flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; nocase; distance:1; classtype:suspicious-filename-detect; sid:1445; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD  ' possible warez site"; flow:to_Server,established; content:"MKD  "; nocase; depth: 5; classtype:misc-activity; sid:547; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth: 5; classtype:misc-activity; sid:548; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity; sid:543; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"POLICY FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; nocase; distance:1; classtype:misc-activity; sid:544; rev:5;)
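Review bot: The rewritten 'CWD / ' and 'MKD / ' rules (sids 545 and 554) replace the removed rules' anchored `content:"CWD / "; depth: 6;` with a two-part match `content:"CWD"; nocase; content:"/ "; distance:1;`, but without a `within` the second content may match anywhere later in the payload, so any CWD/MKD argument that merely contains a slash followed by a space further along will also fire. To keep the original precision while still tolerating case, anchor the command and bound the second match, e.g. `content:"CWD"; nocase; depth:3; content:"/ "; distance:1; within:2;`; the same loosening applies to the 'STOR 1MB' and 'RETR 1MB' rules (sids 543 and 544) and, less severely, to the file_id.diz rule (sid 1445). Sid 547 also carries over `flow:to_Server` with a capital S from the removed rule; it is worth normalising to `flow:to_server` unless the flow parser is confirmed to be case-insensitive.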

     file -> sql.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2;)

  [---]          Removed:          [---]

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible warez site"; flow:to_server,established; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545;  rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD / \" possible warez site"; flow:to_server,established; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD  \" possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth: 5; classtype:misc-activity; sid:546;  rev:4;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; nocase; classtype:suspicious-filename-detect; sid:1445; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD  \" possible warez site"; flow:to_Server,established; content:"MKD  "; nocase; depth: 5; classtype:misc-activity; sid:547;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD . \" possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth: 5; classtype:misc-activity; sid:548;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"STOR 1MB\" possible warez site"; flow:to_server,established; content:"STOR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:543;  rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"RETR 1MB\" possible warez site"; flow:to_server,established; content:"RETR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:544;  rev:4;)

  [///]       Modified active:     [///]

     file -> policy.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"EXPERIMENTAL POLICY vncviewer java applet download attempt"; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"POLICY vncviewer java applet download attempt"; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:1846; rev:2;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # The following ftp rules look for specific exploits, which are not needed now
       # that initial protocol decoding is available.

  [---]      Removed lines:      [---]
    -> File "ftp.rules":
       # warez kiddies




