[Snort-sigs] new rules 9

Joseph Gama josephgama at ...144...
Wed Aug 11 17:20:17 EDT 2004


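# Obfuscated "user@host" URL in inbound SMTP: a visible hostname is followed by
# percent-encoded characters (e.g. %01) and an "@", so the real destination is the
# numeric IP after the "@" (see the rickconner.net "tricks" page in the reference).
# All nine rules in this post were line-wrapped by the mailer; Snort needs one
# physical line per rule or backslash continuations as written here.
# Changes vs. the posted rule: flow so only established inbound SMTP is inspected;
# a content anchor so the PCRE is not run on every SMTP packet; percent-encoding
# constrained to exactly two hex digits (what URL encoding actually produces);
# reference URL without the bogus "http." prefix (Snort prepends http:// itself);
# a unique sid (all nine posted rules shared sid:2000000, which Snort rejects);
# classtype misc-attack instead of shellcode-detect (no shellcode is involved).
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 \
    (msg:"Internet explorer obfuscated URL - PHISHING with special characters"; \
    flow:to_server,established; \
    content:"http://"; nocase; \
    pcre:"/http\://[\w]+(\.[\w]+){1,2}(%[0-9a-f]{2})+@(([\d]+\.*){4}|[\d]+)//i"; \
    reference:url,www.rickconner.net/spamweb/tricks.html; \
    classtype:misc-attack; sid:2000000; rev:1;)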

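# IE bitmap (BMP) header integer overflow, SecurityTracker alert 1009067 (Feb 2004),
# looked for in HTTP responses to clients. content "BM" is the BMP magic; the
# relative byte_test reads the 32-bit little-endian field 8 bytes past the end of
# that match, i.e. file offset 10 (bfOffBits, the pixel-data offset), and fires when
# it exceeds 2147483648 (2^31). The PCRE further requires biSize == 40
# (\x28\x00\x00\x00 at offset 14), a bit depth of 1/4/8/16/24/32 at offset 28 and a
# compression value 0-3 at offset 30, so a stray "BM" in unrelated data is less
# likely to alert. That bfOffBits is the field the advisory describes should be
# confirmed against the reference before tuning the threshold.
# Changes vs. the posted rule: content placed first so it is the fast pattern and
# the relative byte_test follows it; the PCRE is no longer case-insensitive (the
# magic is exactly "BM", matching the case-sensitive content); flow added;
# reference URL prefix fixed; unique sid; classtype attempted-user (a client-side
# code-execution attempt) instead of shellcode-detect.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Internet Explorer Integer Overflow in Bitmap"; \
    flow:to_client,established; \
    content:"BM"; \
    byte_test:4,>,2147483648,8,relative,little; \
    pcre:"/BM[\s\S]{12}\x28\x00\x00\x00[\s\S]{10}[\x01\x04\x08\x10\x18\x20]\x00[\x00\x01\x02\x03]\x00/"; \
    reference:url,www.securitytracker.com/alerts/2004/Feb/1009067.html; \
    classtype:attempted-user; sid:2000001; rev:1;)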

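# IE XSS via unparsable XML files (hnc3k advisory). Matches any request to
# $HTTP_SERVERS whose URI contains ".xml?". That is a very loose pattern and will
# also fire on legitimate XML requests carrying a query string, so treat hits as
# candidates for investigation rather than confirmed attacks. Note the rule watches
# requests arriving at your own web servers (the attack being staged through them),
# not the responses that reach your IE clients.
# Changes vs. the posted rule: reference URL without the "http." prefix; unique sid
# (the posted rules all shared sid:2000000).
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS \
    (msg:"Internet Explorer XSS in Unparsable XML Files"; \
    flow:to_server,established; \
    uricontent:".xml?"; nocase; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:web-application-attack; sid:2000002; rev:1;)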

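# IE XSS through the custom HTTP error pages in the Local zone (hnc3k advisory).
# The posted rule looked for "404.htm#" in the request URI of traffic to
# $HTTP_SERVERS. A "#fragment" is never transmitted in an HTTP request-URI
# (browsers strip it before sending), so that rule could not fire. The
# "404.htm#..." string presumably sits in the page delivered to the IE client, so
# this version inspects HTTP responses to $HOME_NET instead. Confirm the exact
# marker against the reference; "404.htm#" is a loose string and may also hit
# benign pages.
# Changes vs. the posted rule: direction and buffer as above; reference URL prefix
# fixed; unique sid; classtype attempted-user (a browser attack, not a web-app one).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"Internet Explorer XSS to Custom HTTP Errors in Local Zone"; \
    flow:to_client,established; \
    content:"404.htm#"; nocase; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:attempted-user; sid:2000003; rev:1;)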

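# IE crash on an .htm file whose content starts with a UTF-16LE byte-order mark
# (FF FE) followed by the bytes 0D 0D 0A (hnc3k advisory). Kept on any inbound
# TCP port as posted so the same document delivered by mail or other channels is
# also seen; no flow is added for that reason. The five-byte content is short, so
# expect occasional hits in unrelated binary data.
# Changes vs. the posted rule: reference URL prefix fixed; unique sid; classtype
# attempted-dos (the described effect is a browser denial of service, not a
# web-application attack).
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Internet Explorer Malicious htm Unicode DOS"; \
    content:"|FF FE 0D 0D 0A|"; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:attempted-dos; sid:2000004; rev:1;)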

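# IE unhandled-exception crash on an <input> element whose value attribute is a
# 32-character hex string (hnc3k advisory). Any inbound TCP port, as posted.
# Changes vs. the posted rule: the character class ['"] contained a raw double
# quote, which terminates the pcre option string when Snort parses the rule —
# written as [\x22\x27] instead; a content anchor on "<input" so the PCRE is only
# evaluated on packets that can match; reference URL prefix fixed; unique sid;
# classtype attempted-dos.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Internet Explorer Malicious htm Unhandled exception DOS"; \
    content:"<input"; nocase; \
    pcre:"/<input[\s\S]+value[\s]*=[\s]*[\x22\x27]*[\da-fA-F]{32}/i"; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:attempted-dos; sid:2000005; rev:1;)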

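# IE overflow in the type= property of an <OBJECT> tag (hnc3k advisory): the PCRE
# requires a quoted type value containing at least two "/"-terminated segments.
# Because of the unbounded [\s\S]+ between "<OBJECT" and "type", the type=
# attribute matched need not belong to that OBJECT tag; expect some false positives.
# Changes vs. the posted rule: the ['"] classes contained a raw double quote, which
# terminates the pcre option string when Snort parses the rule — written as
# [\x22\x27] instead; a content anchor on "<OBJECT" so the PCRE is only run on
# packets that can match; reference URL prefix fixed; unique sid; classtype
# attempted-user (a client-side code-execution attempt).
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Internet Explorer Object Type Property Overflow"; \
    content:"<OBJECT"; nocase; \
    pcre:"/<OBJECT[\s\S]+type[\s]*=[\s]*[\x22\x27]([^\/\x22\x27>]*\/){2}/i"; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:attempted-user; sid:2000006; rev:1;)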

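# IE Plugin.ocx heap overflow (hnc3k advisory): the CLSID string below plus a
# ".load(" call. The two contents are independent (no distance/within), so they may
# appear anywhere in the payload and in either order, but both must be present in
# the same packet or reassembled stream. Any inbound TCP port, as posted.
# Changes vs. the posted rule: reference URL prefix fixed; unique sid; classtype
# attempted-user (a client-side code-execution attempt) instead of
# web-application-attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
    (msg:"Internet Explorer Plugin.ocx Heap Overflow"; \
    content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; \
    content:".load("; nocase; \
    reference:url,www.hnc3k.com/ievulnerabil.htm; \
    classtype:attempted-user; sid:2000007; rev:1;)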

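# Posted with the note "not sure about this one" and no reference. The content is a
# PE import-table fragment (KERNEL32/GDI32/MSVCRT/USER32 plus LoadLibraryA,
# GetProcAddress and ExitProcess) seen in an HTTP response. That import set is
# shared by a great many ordinary MSVC-built executables, so expect this to fire on
# legitimate .exe downloads; treat a hit as "Windows executable downloaded", not
# as evidence of the Ants3set trojan specifically.
# Changes vs. the posted rule: flow on the HTTP response; unique sid; classtype
# trojan-activity instead of web-application-attack.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any \
    (msg:"IE trojan Ants3set 1.exe - process injection"; \
    flow:to_client,established; \
    content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; \
    classtype:trojan-activity; sid:2000008; rev:1;)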




		
__________________________________
Do you Yahoo!?
Yahoo! Mail - 50x more storage than other providers!
http://promotions.yahoo.com/new_mail



