[Snort-sigs] more scan rules

Joseph Gama josephgama at ...144...
Tue Jul 20 18:26:30 EDT 2004


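# TCP flag-combination scan rules (Snort 2.x rule syntax).
#
# Each rule matches one exact set of TCP flags on traffic from $EXTERNAL_NET to
# $HOME_NET, any port. The ",12" mask makes the flags option ignore the two
# reserved bits, so packets that only differ in those bits still match.
# flow:stateless makes a rule fire regardless of stream-tracking state, so
# nothing here depends on a session having been established.
#
# Layout: every rule is on one physical line. Snort only continues a rule across
# lines when the line ends in a backslash, and the posted text was wrapped
# without one.
#
# SIDs: the posting used sid:9999 for every rule. Snort needs a unique sid per
# rule, so the values below are CONSTRUCTED PLACEHOLDERS in the local-rule range
# (>= 1000000). Renumber them to fit your own allocation before deploying.
#
# NOTE(review): every rule carries reference:arachnids,198. Confirm that entry
# really describes each flag combination before using it for triage.

# --- SYN combined with flags that never belong on an opening segment ---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN PSH"; flags:SP,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000001; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN PSH"; flags:SFP,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000002; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN URG"; flags:SFU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000003; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN ACK PSH"; flags:SFAP,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000004; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN URG"; flags:SU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000005; rev:1;)

# ACK+URG is a valid combination on an established connection that carries
# urgent data, and this rule is stateless: expect false positives. Baseline it
# against normal traffic, then threshold or suppress before alerting on it.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN ACK URG"; flags:AU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000006; rev:1;)

# Duplicate of "SCAN SYN FIN URG" above (same header, same flags:SFU,12).
# Disabled so one packet does not raise two alerts.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN URG"; flags:SFU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000007; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS SPU"; flags:SPU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000008; rev:1;)

# Same match as "SCAN XMAS SPU" above (flags:SPU,12); only the msg differs.
# Disabled so one packet does not raise two alerts. Keep whichever msg you prefer.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN PSH URG"; flags:SPU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000009; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS variation"; flags:SFPU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000010; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS variation 2"; flags:RFPU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000011; rev:1;)

# FIN+ACK+URG can also occur legitimately (a close sent while urgent data is
# pending). Treat it like the ACK URG rule: measure the noise before enabling.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN ACK URG"; flags:FAU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000012; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN ACK URG"; flags:SAU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000013; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN ACK"; flags:SFA,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000014; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN ACK URG"; flags:SFAU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000015; rev:1;)

# --- RST mixed with FIN/SYN ---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN RST FIN ACK URG"; flags:RFAU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000016; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN RST SYN FIN ACK URG"; flags:RSFAU,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000017; rev:1;)

# --- XMAS-style combinations (URG, ACK and PSH set together) ---
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS simple"; flags:UAPF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000018; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS variation 3"; flags:UAPS,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000019; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS variation 4"; flags:UAPSF,12; flow:stateless; reference:arachnids,198; classtype:attempted-recon; sid:1000020; rev:1;)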





	
		



