[Snort-sigs] snort-rules CURRENT update @ Thu Nov 6 13:15:19 2003

bmc at ...95...
Thu Nov 6 10:16:09 EST 2003


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> rpc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"|00 01 87 88|"; offset:16; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4; classtype:misc-attack; sid:2255; rev:2;)
     alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC sadmind query with root credentials attempt UDP"; content:"|00 01 87 88|"; offset:12; depth:4; content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8; byte_jump:4,8,relative,align; content:"|00 00 00 00|"; distance:0; within:4; classtype:misc-attack; sid:2256; rev:2;)
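
To show what the two new sadmind rules actually match, here is an added Python example (not part of the rule set or this post) that replays the option chain, including the byte_jump over the AUTH_UNIX machine name, against constructed RPC call headers; the helper names and sample field values are my own.

```python
import struct

SADMIND_PROG = b"\x00\x01\x87\x88"   # RPC program 100232 (sadmind), as in the rule
AUTH_UNIX = 1

def build_sadmind_call(uid: int, machine: bytes = b"host1", proc: int = 1) -> bytes:
    """Constructed ONC RPC CALL to sadmind with AUTH_UNIX credentials (UDP form, no record mark)."""
    pad = (-len(machine)) % 4                               # XDR pads opaque strings to 4 bytes
    cred = struct.pack(">II", 0x1234, len(machine)) + machine + b"\0" * pad
    cred += struct.pack(">III", uid, 0, 0)                  # uid, gid, number of extra gids
    hdr = struct.pack(">III", 0xDEADBEEF, 0, 2) + SADMIND_PROG + struct.pack(">II", 10, proc)
    verf = struct.pack(">II", 0, 0)                         # AUTH_NULL verifier
    return hdr + struct.pack(">II", AUTH_UNIX, len(cred)) + cred + verf

def tcp_frame(call: bytes) -> bytes:
    """Prefix the 4-byte RPC record mark (last-fragment bit + length) that the TCP transport adds."""
    return struct.pack(">I", 0x80000000 | len(call)) + call

def matches_sadmind_root(payload: bytes, base: int) -> bool:
    """Replay the rule's option chain; base is the first content's offset (12 for UDP, 16 for TCP)."""
    # content:"|00 01 87 88|"; offset:<base>; depth:4 -> program number is sadmind
    if payload[base:base + 4] != SADMIND_PROG:
        return False
    cur = base + 4
    # content:"|00 00 00 01 00 00 00 01|"; distance:4; within:8
    # skips the 4-byte version field, then requires proc == 1 and credential flavor == AUTH_UNIX
    start = cur + 4
    if payload[start:start + 8] != b"\x00\x00\x00\x01\x00\x00\x00\x01":
        return False
    cur = start + 8
    # byte_jump:4,8,relative,align -> read the 4-byte machine-name length 8 bytes past the cursor
    # (past cred length and stamp), round it up to a 4-byte boundary, and jump over the name
    if len(payload) < cur + 12:
        return False
    name_len = struct.unpack(">I", payload[cur + 8:cur + 12])[0]
    name_len += (-name_len) % 4
    cur = cur + 12 + name_len
    # content:"|00 00 00 00|"; distance:0; within:4 -> the uid field right after the name is 0 (root)
    return payload[cur:cur + 4] == b"\x00\x00\x00\x00"
```

The TCP variant needs base 16 only because of the record mark; a non-root uid, a different procedure, or a truncated header each fail one step of the chain.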

[*] Non-rule changes: [*]

  [---]      Removed lines:      [---]
    -> File "experimental.rules":
       alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; flags:S,12; window:55808;)