[Snort-sigs] snort-rules CURRENT update @ Mon Jan 27 06:25:07 2003

bmc at ...95...
Mon Jan 27 03:25:02 EST 2003


This rule update was brought to you by Oinkmaster.
Written by Andreas Östling <andreaso at ...58...>


[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> exploit.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:6;)
     alert tcp any any -> any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:7;)
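Review bot: sid 1382 keeps `any any -> any 6666:7000` while sid 307 right above it is scoped to `$EXTERNAL_NET -> $HOME_NET`, and the move into exploit.rules does not say why this one rule may fire on IRC traffic between any two hosts in either direction. Presumably that is intentional, since the vulnerable party here is a passive sniffer (Ettercap) rather than an endpoint of the connection, but the rule carries no comment saying so. Note also that the negated `content:!"|0a|"; within:150;` is satisfied whenever no LF follows the IDENTIFY match in the next 150 bytes, which includes a client line simply cut at a segment boundary, so on a sensor without stream reassembly this looks like a false-positive source. I would add `# any->any on purpose: the target is a passive sniffer (Ettercap), not the IRC client or server` above the rule and confirm its behaviour against reassembled traffic before acting on its `misc-attack` alerts.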

  [---]          Removed:          [---]

     file -> chat.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"CHAT IRC EXPLOIT topic overflow"; flow:to_client,established; content:"|eb 4b 5b 53 32 e4 83 c3 0b 4b 88 23 b8 50 77|"; reference:cve,CVE-1999-0672; reference:bugtraq,573; classtype:attempted-user; sid:307; rev:5;)
     alert tcp any any -> any 6666:7000 (msg:"CHAT IRC EXPLOIT Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG nickserv IDENTIFY"; nocase; offset:0; content:!"|0a|"; within:150; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:6;)

     file -> ftp.rules
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:5;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established;  content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:5;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339;  rev:4;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348;  rev:3;)
     #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:4;)

  [///]       Modified active:     [///]

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt";flow:to_server,established; content:"sam._"; nocase; classtype:web-application-attack; sid:988;  rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS SAM Attempt";flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:6;)
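Review bot: sid 988 matches `content:"sam._"` as a bare substring of the whole request rather than of the URI, so after rev:6 it still fires on any request body or header that happens to contain those five bytes, and the new CIAC reference does not narrow that. If the intent is to catch requests for the SAM backup file, `uricontent:"sam._"` (or anchoring on the repair-directory path, if that is what the referenced bulletin describes; I cannot verify it from here) would tie the match to the request line. The message `WEB-IIS SAM Attempt` should also say what is being attempted, e.g. `msg:"WEB-IIS SAM backup file access attempt";`.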

     file -> rservices.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,386; classtype:attempted-admin; sid:604;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"RSERVICES rsh froot"; flow:to_server,established; content:"-froot|00|"; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:5;)
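Review bot: the corrected arachnids reference does not address the port/message mismatch in sid 604: the rule watches port 513, which is the rlogin (`login`) service, while the message says `RSERVICES rsh froot`; rsh normally runs on 514. As far as I recall the `-froot` trick was rlogind passing the requested user name straight through to `login -f`, which is consistent with the `-froot|00|` field-terminated payload and with port 513, so the port is probably right and the message is what is wrong; please confirm. Suggest `msg:"RSERVICES rlogin -froot";`, and if rsh on 514 is also meant to be covered, a separate sid rather than widening this one.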

     file -> oracle.rules
     old: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"drop table"; nocase; classtype:protocol-command-decode; sid:1693; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"ORACLE create table attempt"; flow:to_server,established; content:"create table"; nocase; classtype:protocol-command-decode; sid:1693; rev:4;)
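Review bot: changing sid 1693's content from `drop table` to `create table` makes the rule agree with its message, but it also silently drops whatever detection of `drop table` this sid was providing; nothing in this update adds a `DROP TABLE` rule, so unless a sibling sid already covers it that coverage is gone. If no such sid exists, add one (`msg:"ORACLE drop table attempt"; content:"drop table"; nocase;` with its own sid) rather than assuming rev:4 preserved it. Either way, a changelog line saying which sid now carries `drop table` would spare the next reader the same question.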

     file -> attack-responses.rules
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; classtype:attempted-recon; sid:1200; rev:6;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.asp; classtype:attempted-recon; sid:1200; rev:7;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .eml"; content:"|00|.|00|E|00|M|00|L"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1293; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS nimda .nws"; content:"|00|.|00|N|00|W|00|S"; flow:to_server,established; classtype:bad-unknown; reference:url,www.datafellows.com/v-descs/nimda.shtml; sid:1294; rev:7;)
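Review bot: the added `|00|.|00|` byte pair makes sids 1293 and 1294 require the dot before the UTF-16LE extension, which cuts the obvious false positives, but both rules still match only on port 139 and are case-sensitive. A client writing the file over direct-hosted SMB on 445 is not seen at all, and a lowercase `.eml`/`.nws` (if Nimda ever produces one; I cannot confirm that from the rule alone) is missed because there is no `nocase`. A second copy of each rule for port 445 (not a `139:445` range, which would sweep in unrelated ports) and `nocase;` on both, if lowercase variants are observed, would be the practical fix.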

[*] Non-rule changes: [*]

  [---]      Removed lines:      [---]
    -> File "ftp.rules":
       # The following rules look for specific exploits, which are not needed now
       # that initial protocol decoding is available.




