[Snort-sigs] rules to detect possible threats by the DLLs called, invalid fragment+TCP flags, Adobe Acrobat Reader XFDF possible buffer overflow

Joseph Gama josephgama at ...144...
Tue Jul 20 18:26:34 EDT 2004


#(create packets-DOS, tunneling, etc)
#libnetnt.dll
#libnet.dll
#libdnet.dll

#(read packets-sniffer, etc)
#wpcap.dll
#rpklib.dll

#(all purpose, Trojan, RAT, etc)
#socket.dll
#ws2_32.dll
#wsock32.dll
#packet32.dll
#packet.dll
#iphlpapi.dll
#wininet.dll

#(ShellCode, RAT)
#cmd.exe
#\cmd.exe
#explorer.exe
#shell32.dll

#(DOS, ping)
#icmp.dll

#(local network - net send, enumerate)
#netapi32.dll 


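# Heuristic "executable download" rules. Each one matches a NUL-delimited DLL or program name in the
# TCP payload (the form such names take in a PE import table or string section) carried from
# $EXTERNAL_NET to a client inside $HOME_NET.
# Expect these to be noisy: ws2_32.dll, wsock32.dll, wininet.dll, iphlpapi.dll, shell32.dll, cmd.exe
# and explorer.exe are referenced by a large number of legitimate Windows programs. Treat a hit as a
# triage signal to be correlated with the rest of the session, not as an alert on its own.
# Changes from the posted version:
#  - one rule per line (Snort needs a trailing backslash to continue a rule across lines; the posted
#    rules were wrapped without one and would not parse);
#  - flow:to_client,established restricts matching to server-to-client data on an established session,
#    which is the direction a download takes given the $EXTERNAL_NET -> $HOME_NET header;
#  - nocase directly follows the content it modifies;
#  - the backslash in the second cmd.exe rule is written as hex (|5C|) because a bare backslash inside
#    content: has to be escaped;
#  - shell32.dll, icmp.dll and netapi32.dll are no longer described as "communication" DLLs in msg,
#    matching the categories in the comment header above.
# sid values 1000001-1000020 are constructed placeholders in the local-rule range (>= 1000000). The
# posted rules all reused sid:99999, which is inside the range reserved for distributed rules and, being
# a duplicate, is rejected or collapsed to a single rule depending on the Snort version. Assign real
# local ids before deploying.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - libnetnt.dll"; flow:to_client,established; content:"|00|libnetnt.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - libnet.dll"; flow:to_client,established; content:"|00|libnet.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - libdnet.dll"; flow:to_client,established; content:"|00|libdnet.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - wpcap.dll"; flow:to_client,established; content:"|00|wpcap.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - rpklib.dll"; flow:to_client,established; content:"|00|rpklib.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - socket.dll"; flow:to_client,established; content:"|00|socket.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - ws2_32.dll"; flow:to_client,established; content:"|00|ws2_32.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000007; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - wsock32.dll"; flow:to_client,established; content:"|00|wsock32.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000008; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - packet32.dll"; flow:to_client,established; content:"|00|packet32.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000009; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - packet.dll"; flow:to_client,established; content:"|00|packet.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000010; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - iphlpapi.dll"; flow:to_client,established; content:"|00|iphlpapi.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a communication DLL - wininet.dll"; flow:to_client,established; content:"|00|wininet.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000012; rev:1;)
# Program names are terminated by a single NUL, unlike the double NUL used for the DLL names above.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that opened a shell - cmd.exe"; flow:to_client,established; content:"|00|cmd.exe|00|"; nocase; classtype:bad-unknown; sid:1000013; rev:1;)
# |00 5C| requires a NUL immediately before the backslash, so this only matches the string "\cmd.exe"
# on its own, not a longer path ending in \cmd.exe; drop the leading |00| if the latter is intended.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that opened a shell - backslash-prefixed cmd.exe"; flow:to_client,established; content:"|00 5C|cmd.exe|00|"; nocase; classtype:bad-unknown; sid:1000014; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that opens explorer - explorer.exe"; flow:to_client,established; content:"|00|explorer.exe|00|"; nocase; classtype:bad-unknown; sid:1000015; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a shell DLL - shell32.dll"; flow:to_client,established; content:"|00|shell32.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000016; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls an ICMP DLL - icmp.dll"; flow:to_client,established; content:"|00|icmp.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000017; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Probable download of executable file that calls a network API DLL - netapi32.dll"; flow:to_client,established; content:"|00|netapi32.dll|00 00|"; nocase; classtype:bad-unknown; sid:1000018; rev:1;)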



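# Non-standard TCP header combination: empty segment, acknowledgement number 0, window 2048, and a flag
# set that fails the ACK+PSH test (",12" makes Snort ignore the two reserved bits when comparing).
# NOTE(review): fragbits:!M only requires the More-Fragments bit to be clear, which is true of every
# unfragmented packet, so despite the msg this rule does not detect an invalid fragment; the detection
# rests on the ack/window/flags combination alone. Under either reading of the "!" flag modifier a bare
# SYN with ack 0 and window 2048 also satisfies it - confirm that is intended.
# Written on one line because the posted, wrapped form lacks the backslash continuation Snort requires.
# sid is a constructed placeholder in the local-rule range (>= 1000000); the posted sid:99999 is in the
# range reserved for distributed rules. Assign a real local id before deploying.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Invalid fragment+TCP flags"; dsize:0; ack:0; fragbits:!M; flags:!AP,12; window:2048; reference:arachnids,162; classtype:bad-unknown; sid:1000021; rev:1;)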

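# XFDF content indicator. The only detection condition is the XFDF MIME type, so this fires on every
# transfer of an XFDF document, legitimate ones included: it flags exposure of a client to the parser
# described in the referenced advisory, not an actual overflow attempt. Add the field/length condition
# from the advisory before treating hits as attacks.
# Changes from the posted version: one line (no backslash continuation was present); flow:established
# drops matches on segments outside an established session; nocase because a MIME type in a
# Content-Type header is not case-sensitive; the reference is written as Snort's url type expects,
# without a scheme (Snort prepends http://) and without the spaces or the "http.www" typo.
# sid is a constructed placeholder in the local-rule range (>= 1000000); assign a real id before deploying.
alert tcp any any -> any any (msg:"Adobe Acrobat Reader XFDF possible buffer overflow"; flow:established; content:"application/vnd.adobe.xfdf"; nocase; reference:url,www.nextgenss.com/advisories/adobexfdf.txt; classtype:bad-unknown; sid:1000022; rev:1;)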




		



