[Snort-sigs] a few more rules

Joseph Gama josephgama at ...144...
Mon Jul 19 20:09:06 EDT 2004


alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Hotmail LINK CSS Vulnerability"; content:"<"; \
content:"LINK"; content:"REL"; content:"="; \
content:"STYLESHEET"; content:"TYPE"; content:"="; \
content:"text/javascript"; content:"SRC"; content:"="; \
content:".js"; content:">"; \
reference:url,www.securiteam.com/securitynews/5YP0M1555A.html; \
classtype:attempted-recon; sid:10084; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
(msg:"Remote desktop connection attempt"; dsize:0; \
ack:0; window:64240; flags:S; flow:stateless; \
reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
classtype:attempted-recon; sid:99999; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
(msg:"Remote desktop connection active"; dsize:>7; \
content:"|03 00|"; depth:2; \
reference:url,www.microsoft.com/windowsxp/using/mobility/rdfaq.mspx; \
classtype:attempted-recon; sid:99999; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any \
(msg:"Adobe Acrobat Reader PDF possible buffer overflow"; \
content:"application\/vnd.adobe.xfdf"; \
reference:url,www.securityfocus.com/bid/9802; \
classtype:attempted-user; sid:99999; rev:1;)
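
Added example, not part of the original post: Snort identifies a rule by its sid, and three of the four rules above carry sid:99999, so a pre-load check for reused sids is worth running before merging them into a rule set. The Python sketch below parses rule options (quoted strings may contain ";") and reports shared sids; `parse_rules` and `duplicate_sids` are names made up for this example, and the embedded rules are abridged copies of the ones in the post.

```python
import re
from collections import defaultdict

# The four rules from the post, abridged to a few options each (sample input).
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  (msg:"Hotmail LINK CSS Vulnerability"; content:"<"; content:"LINK"; \
  classtype:attempted-recon; sid:10084; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
  (msg:"Remote desktop connection attempt"; dsize:0; flags:S; \
  classtype:attempted-recon; sid:99999; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 \
  (msg:"Remote desktop connection active"; dsize:>7; content:"|03 00|"; depth:2; \
  classtype:attempted-recon; sid:99999; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any \
  (msg:"Adobe Acrobat Reader PDF possible buffer overflow"; \
  content:"application\/vnd.adobe.xfdf"; classtype:attempted-user; sid:99999; rev:1;)
'''

# One option: a name, then optionally ":" and a value whose quoted parts may hold ";".
OPTION = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')

def parse_rules(text):
    """Yield (header, [(option, value), ...]) for each rule in a rules file."""
    joined = re.sub(r'\\\r?\n', ' ', text)  # fold backslash line continuations
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # skip blank lines and comments
        header, _, body = line.partition('(')
        body = body.rstrip()[:-1]  # drop the closing ")"
        opts = [(m.group(1), (m.group(2) or '').strip()) for m in OPTION.finditer(body)]
        yield header.strip(), opts

def duplicate_sids(text):
    """Map each sid used by more than one rule to the msg strings of those rules."""
    seen = defaultdict(list)
    for _, opts in parse_rules(text):
        single = dict(opts)  # content repeats, but sid and msg appear once per rule
        seen[single.get('sid')].append(single.get('msg', '').strip('"'))
    return {sid: msgs for sid, msgs in seen.items() if len(msgs) > 1}

if __name__ == '__main__':
    for sid, msgs in duplicate_sids(RULES).items():
        print(f'sid {sid} is shared by {len(msgs)} rules: {msgs}')
```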


	
		



