[Snort-sigs] snort-rules CURRENT update @ Mon Feb 16 15:11:48 2004

bmc at ...95... bmc at ...95...
Mon Feb 16 12:16:07 EST 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-iis.rules
     # sid:2386 — HTTP counterpart of the netbios.rules ASN.1 rules: exact-string match on one
     # "Authorization: Negotiate <base64>" header from $EXTERNAL_NET to $HTTP_SERVERS/$HTTP_PORTS.
     # The base64 literal decodes to 60 84 00 00 00 62 06 83 00 00 06 2b 06 01 05 05 02 a0 82 00 53
     # 30 81 50 a0 0e 30 0c 06 0a 2b 06 01 04 01 82 37 02 02 0a a3 — i.e. the same token bytes that
     # sid:2385/2384 match in hex (|60| ... |00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|, the
     # NTLMSSP OID, then |A3 ...|). Being a fixed string, it covers only this one encoding, embedded
     # length bytes included; treat it as a narrow signature rather than general ASN.1 coverage.
     # msg says "scan attempt" but classtype is attempted-dos (same as the netbios.rules pair, which
     # say "attempt") — confirm the intended priority so the two rule files are tuned consistently.
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization\: Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:nessus,12055; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2386; rev:1;)

     file -> netbios.rules
     # sid:2352 — the alerting end of a three-rule flowbits chain for the ISystemActivator bind on
     # port 135. It fires only when dce.isystemactivator.bind is already set; that bit is set by
     # sid:2350 (next line), which itself requires dce.isystemactivator.bind.attempt, set by
     # sid:2192 rev:2 in the "Modified active" section (2192 is now flowbits:noalert and no longer
     # alerts on its own). Net effect: the client bind AND the server's bind-accept must both be
     # seen on the same stream before this overflow check is evaluated, so one-sided visibility
     # (e.g. asymmetric routing) produces no alert at all — presumably intended; confirm it fits
     # the deployment. The overflow test is byte_test:4,>,256,-8,relative, i.e. the 4 bytes 8
     # back from the matched "|5c 00 5c 00|", read as big endian per the msg.
     alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt big endian"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,<,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,relative; flowbits:isset,dce.isystemactivator.bind; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2352; rev:1;)
     # sid:2350 — server-side state-setter only (flow:from_server, $HOME_NET 135 -> $EXTERNAL_NET):
     # flowbits:noalert; sets dce.isystemactivator.bind when bind.attempt is already set.
     alert tcp $HOME_NET 135 -> $EXTERNAL_NET any (msg:"NETBIOS DCERPC ISystemActivator bind accept"; flow:from_server,established; content:"|05|"; distance:0; within:1; content:"|0c|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|00 00|"; distance:33; within:2; flowbits:isset,dce.isystemactivator.bind.attempt; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2350; rev:1;)
     # sid:2385 (port 445) and sid:2384 (port 139, last line) are the same match on two ports: SMB
     # command 0x73 (Session Setup AndX), the GSS-API token tag |60| at a fixed position
     # (offset:63; depth:1 — packets with the token anywhere else are not covered), the SPNEGO OID
     # bytes 2b 06 01 05 05 02, the NTLMSSP OID bytes 2b 06 01 04 01 82 37 02 02 0a, then the
     # |A3 3E 30 3C A0 30| sequence the msg calls an invalid mechlistMIC. refs nessus 12054,
     # bugtraq 9633/9635; classtype attempted-dos.
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2385; rev:3;)
     # sid:2349 — "enumerate printers" request over the \PIPE\ named pipe (the
     # |5c 00|P|00|I|00|P|00|E|00 5c 00| content); alerts only when dce.printer.bind is set, which
     # only sid:2348 below does. NOTE: 2349 and 2348 use "any any -> any 445" rather than the
     # $EXTERNAL_NET -> $HOME_NET scoping of the other netbios.rules entries, so they also evaluate
     # internal-to-internal and outbound 445 traffic; expect attempted-recon alerts from ordinary
     # print-server use and tune the scope if that is not wanted.
     alert tcp any any -> any 445 (msg:"NETBIOS DCE/RPC enumerate printers request attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:1; content:"|00|"; distance:1; within:1; byte_test:1,&,3,0,relative; content:"|00 00|"; distance:19; within:2; flowbits:isset,dce.printer.bind; classtype:attempted-recon; sid:2349; rev:1;)
     # sid:2383 (port 445) and sid:2382 (port 139, next line) — same fixed-offset GSS-API/SPEGO
     # prefix as 2385/2384 but matching |a1 05 23 03 03 01 07|, which the msg calls an invalid
     # mechtype. Both are attempted-dos with bugtraq 9633/9635 references and no nessus reference.
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2383; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2382; rev:3;)
     # sid:2348 — state-setter (flowbits:noalert, protocol-command-decode) for the print-spool bind:
     # SMB command 0x25 (Transaction) to \PIPE\ (|5c 00 50 00 49 00 50 00 45 00 5c 00|), a DCE/RPC
     # bind (|05 00 0b|), and the 16-byte interface-UUID literal
     # |78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab| (presumably the spooler interface UUID in
     # wire byte order — confirm). Sets dce.printer.bind, consumed only by sid:2349 above. Same
     # "any any -> any 445" scope caveat as 2349.
     alert tcp any any -> any 445 (msg:"NETBIOS SMB DCERPC print spool bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00 50 00 49 00 50 00 45 00 5c 00 00 00 05 00 0b|"; distance:5; within:17; byte_test:1,&,16,1,relative; content:"|78 56 34 12 34 12 cd ab ef 00 01 23 45 67 89 ab|"; distance:29; within:16; flowbits:set,dce.printer.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2348; rev:1;)
     # sid:2384 — port-139 twin of sid:2385 (see comment above).
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2384; rev:3;)

  [///]       Modified active:     [///]

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2192; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00 46|"; distance:29; within:16; flowbits:set,dce.isystemactivator.bind.attempt; flowbits:noalert; reference:cve,CAN-2003-0352; classtype:protocol-command-decode; sid:2192; rev:2;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "snort.conf":
       # In snort 2.0.1 and above, this only alerts when a TCP option is detected
       preprocessor flow: stats_interval 0 hash 2
           iis_unicode_map unicode.map 1252 
           profile all ports { 80 8080 8180 } oversize_dir_length 500
       #    oversize_dir_length 300 \

  [---]      Removed lines:      [---]
    -> File "snort.conf":
       # In snort 2.0.1 and above, this only alerts when the a TCP option is detected
       # preprocessor flow: stats_interval 0 hash 2
           iis_unicode_map unicode.map 1252
           profile all \
           ports { 80 8080 }




