[Snort-sigs] New MS_SQL Rules

Matthew Jonkman matt at ...2436...
Tue Jul 13 21:53:02 EDT 2004


Moved these rules over from Stable-Side. Submitted by Joseph Gama. 
Thanks Joseph. These are now in the bleeding.rules set.

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth:3; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-admin; sid:2000377; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08)"; content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000378; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS attempt (08) 1 byte"; content:"|08|"; depth:1; dsize:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000379; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth:4; reference:url,www.securityfocus.com/bid/5411/exploit; classtype:attempted-admin; sid:2000380; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL DOS bouncing packets"; content:"|0A|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:attempted-dos; sid:2000381; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL ping attempt (03)"; content:"|03|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:misc-activity; sid:2000382; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL buffer overflow attempt (04)"; content:"|04|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:misc-activity; sid:2000383; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL ping attempt (05)"; content:"|05|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:misc-activity; sid:2000384; rev:1;)

alert udp any any -> $HOME_NET 1434 (msg:"BLEEDING-EDGE MS-SQL ping attempt (06)"; content:"|06|"; depth:1; reference:url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype:misc-activity; sid:2000385; rev:1;)
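As an added illustration (not part of Joseph Gama's submission, the bleeding.rules set, or Snort itself), the Python below re-implements just the byte-level checks these nine rules express (first-byte opcode, depth/offset, dsize, the negated content in sid 2000378) so you can see which sid a given UDP/1434 payload would trigger. Direction, port and $HOME_NET are assumed to already match; the sample payloads are constructed, not captured. It also enumerates short payloads beginning with 0x08 to show how the three 0x08 rules overlap, or fail to.

```python
"""Reference evaluator for the BLEEDING-EDGE MS-SQL (UDP/1434) rules above.

Added example: re-implements only the payload checks the rules express.
Sids and rule names come from the post; packets below are constructed.
"""
import itertools

RULES = [
    # (sid, msg, predicate over the UDP payload bytes)
    # content:"|08 3A 31|"; depth:3  -> first three bytes must be exactly 08 3A 31
    (2000377, "MS-SQL heap overflow attempt",
     lambda p: p[:3] == b"\x08\x3a\x31"),
    # content:"|08|"; depth:1; content:!"|3A|"; depth:1; offset:1; dsize:>1
    (2000378, "MS-SQL DOS attempt (08)",
     lambda p: len(p) > 1 and p[0] == 0x08 and p[1] != 0x3A),
    # content:"|08|"; depth:1; dsize:1
    (2000379, "MS-SQL DOS attempt (08) 1 byte",
     lambda p: len(p) == 1 and p[0] == 0x08),
    # content:"|12 01 00 34|"; depth:4
    (2000380, "MS-SQL Spike buffer overflow",
     lambda p: p[:4] == b"\x12\x01\x00\x34"),
    # single-byte opcode rules: content:"|XX|"; depth:1
    (2000381, "MS-SQL DOS bouncing packets", lambda p: p[:1] == b"\x0a"),
    (2000382, "MS-SQL ping attempt (03)", lambda p: p[:1] == b"\x03"),
    (2000383, "MS-SQL buffer overflow attempt (04)", lambda p: p[:1] == b"\x04"),
    (2000384, "MS-SQL ping attempt (05)", lambda p: p[:1] == b"\x05"),
    (2000385, "MS-SQL ping attempt (06)", lambda p: p[:1] == b"\x06"),
]

SID_08 = (2000377, 2000378, 2000379)


def matching_sids(payload: bytes) -> list:
    """Return the sids whose payload checks the given UDP payload satisfies."""
    return [sid for sid, _msg, check in RULES if check(payload)]


def uncovered_08_payloads(max_len: int = 4) -> list:
    """Enumerate payloads that start with 0x08 (later bytes drawn from
    {0x3A, 0x31, 0x00}, up to max_len bytes) and return those that none of the
    three 0x08 rules match. Shows the gap between "08 3A 31" (sid 2000377)
    and "08 followed by anything but 3A" (sid 2000378)."""
    gaps = []
    for n in range(1, max_len + 1):
        for tail in itertools.product((0x3A, 0x31, 0x00), repeat=n - 1):
            p = bytes((0x08, *tail))
            if not any(sid in SID_08 for sid in matching_sids(p)):
                gaps.append(p)
    return gaps


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    "08 3A 31 + filler": b"\x08\x3a\x31" + b"A" * 40,
    "08 with 2nd byte != 3A": bytes([0x08, 0x41, 0x41]),
    "lone 08 byte": b"\x08",
    "08 3A 00 (uncovered)": b"\x08\x3a\x00",
    "spike pattern": b"\x12\x01\x00\x34" + b"\x00" * 8,
    "bounce 0A": b"\x0a\x00",
    "opcode 02 (no rule)": b"\x02",
    "empty payload": b"",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:28s} {payload[:4].hex():>8s}  -> {matching_sids(payload)}")
    print("0x08 payloads matched by no 0x08 rule:",
          [p.hex() for p in uncovered_08_payloads()])
```

Two things the run makes visible: the single-byte rules (sids 2000381 to 2000385) fire on every packet to UDP/1434 whose first byte is that opcode, so treat them as informational rather than as evidence of an attack; and a payload that starts with 08 3A but is not exactly 08 3A 31 (for example 08 3A 00) matches none of sids 2000377, 2000378 or 2000379, because 2000378 excludes 3A in the second byte and 2000377 requires the full three-byte sequence.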
