[Snort-sigs] snort-rules CURRENT update @ Wed Apr 28 04:15:29 2004

bmc at ...95... bmc at ...95...
Wed Apr 28 01:16:08 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> dos.rules
     alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:2;)
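Review bot: `flow:established` makes sid 2523 depend on the stream preprocessor having seen the BGP session's handshake, and BGP peerings are typically long-lived, so sessions that were up before the sensor started (or that it lost across a restart) will not be tracked as established and spoofed RST/SYN/FIN bursts against them will not be counted unless stream4 is configured to pick up sessions mid-stream. That caveat belongs next to the rule in dos.rules, e.g. `# needs stream4 to have tracked the BGP session; enable midstream pickup for long-lived peerings`. Note also that the rule keeps sid 2523 while moving from misc.rules to dos.rules, so per-sid disables in oinkmaster.conf carry over but per-file selections and `include` lists must be updated or the rule silently disappears.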

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; nocase; offset:4; depth:4; content:"|05|"; content:"|0b|"; distance:1; within:1; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:noalert; flowbits:set,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2525; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; nocase; offset:4; depth:4; content:"|05|"; content:"|0b|"; distance:1; within:1; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:noalert; flowbits:set,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2524; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS direct bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; nocase; offset:4; depth:4; content:"|05|"; content:"|0b|"; distance:1; within:1; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:noalert; flowbits:set,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2526; rev:1;)
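Review bot: sid 2524 on L18 is bound to port 135 but requires an SMB header (`content:"|00|"; offset:0; depth:1; content:"|FF|SMB"; nocase; offset:4; depth:4;`), which raw DCERPC over TCP/135 does not carry, so as written it appears unable to match on that port; the existing 135 rule sid 2507 (L54) instead matches the DCERPC header at payload offset 0. If a raw endpoint-mapper bind is intended, drop the SMB preamble and anchor the header, e.g. `content:"|05|"; offset:0; depth:1; content:"|0b|"; distance:1; within:1;` ahead of the UUID match; if an SMB-transported bind is intended, sids 2525/2526 on 139/445 already cover it and this rule is redundant. The message text "NETBIOS DCERPC LSASS" (no "SMB"), which mirrors the raw-DCERPC naming of sid 2507, suggests the first reading was meant.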

  [---]          Removed:          [---]

     file -> misc.rules
     alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP Connection Reset Denial of Service"; flow:established; flags: RSF*; threshold: type both, track,  by_dst, count 10 , seconds 30 ; reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:1;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "WEB-MISC Client_Hello request DoS attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; flowbits:isset,sslv3.client_hello.request; flowbits:isset,sslv3.server_hello.request; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; flowbits:isset,sslv3.client_hello.request; flowbits:isset,sslv3.server_hello.request; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:2;)
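Review bot: the new message for sid 2522 calls this a "PCT Client_Hello overflow", but the body still matches an SSLv3 record (`|16|`, version byte `|03|`, handshake type `|01|`) gated on the `sslv3.*` flowbits and keeps `classtype:attempted-dos` with `reference:cve,2004-0120`, whereas the PCT overflow rules on L34/L38/L60/L64 reference CAN-2004-0719 with `classtype:attempted-admin`. Either the msg should stay descriptive of the SSLv3 DoS condition (the previous wording) or the classtype and reference should be changed to match the PCT overflow; as published, msg, classtype and reference disagree. Minor: the reference is written `cve,2004-0120` without the `CAN-` prefix every other reference in this update uses, which may break reference link generation in front-ends that key on the candidate prefix.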

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 LDAP PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:2;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP LDAP PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:2;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC LSASS bind attempt microsoft-ds"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,dce.lsass_ds.bind.call.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:2; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2512; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt netbios-ssn"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,ssn.lsass_ds.bind.call.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt netbios-ssn"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,ssn.lsass_ds.bind.call.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2510; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt netbios-ssn"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,ssn.lsass_ds.bind.call.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2509; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt microsoft-ds"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,dce.lsass_ds.bind.call.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC LSASS unicode bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,dce.lsass_ds.bind.call.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|6A 28 19 39 0C B1 D0 11 9B A8 00 C0 4F D9 2E F5|"; distance:29; within:16; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2513; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt netbios"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|00|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5|"; distance:29; within:16; flowbits:set,netbios.lsass_ds.bind.call.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|00|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|6a 28 19 39 0c b1 d0 11 9b a8 00 c0 4f d9 2e f5|"; distance:29; within:16; flowbits:set,netbios.lsass.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2507; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt netbios"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass_ds.bind.call.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC LSASS DsRolerUpgradeDownlevelServer Exploit attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2508; rev:2;)
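Review bot: sid 2507 (L54) sets the shared `netbios.lsass.bind.attempt` flowbit after testing byte 2 of the DCERPC header for `|00|`, while every SMB-transported bind rule in this section (L42, L46, L48, L52) tests the same position for `|0b|`, the bind PDU type; if byte 2 is the PDU type here too, 2507 is setting the bind bit on request PDUs rather than on binds and its UUID check at `distance:29` is then reading into stub data. Suggest `content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1;` for 2507 unless the `|00|` is deliberate, with a one-line comment stating the choice either way. Separately, all six bind rules now feed one flowbit that is never `unset`, so any later opnum-9 request on that flow alerts via 2508/2511/2514 for the life of the session; that is probably intended, but a note in netbios.rules saying so would help whoever sees the exploit rules fire without a bind in the same packet.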

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP LDAP PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:2;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:2;)
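Review bot: sid 2516 is labelled LDAP but is bound to port 639; LDAP over SSL is conventionally 636/tcp (639 is assigned to MSDP), so unless a non-standard port is intended this rule will not see LDAPS traffic and the header should read `alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (`. This revision only touched the message, so the port looks like a pre-existing typo carried forward and is worth confirming before the next update.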




