[Snort-sigs] snort-rules 2.1.* update @ Mon Mar 1 09:40:19 2004

bmc at ...95... bmc at ...95...
Mon Mar 1 07:45:10 EST 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC bsml.pl access"; flow:to_server,established; uricontent:"/bsml.pl"; nocase; reference:nessus,11973; reference:bugtraq,9311; classtype:web-application-activity; sid:2327; rev:1;)

     file -> web-iis.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization\: Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; reference:nessus,12055; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2386; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS sgdynamo.exe access"; flow:to_server,established; uricontent:"/sgdynamo.exe"; nocase; reference:nessus,11955; reference:bugtraq,4720; reference:cve,CAN-2002-0375; classtype:web-application-activity; sid:2326; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP ShopDisplayProducts.asp access"; flow:to_server,established; uricontent:"/ShopDisplayProducts.asp"; nocase; reference:nessus,11942; reference:bugtraq,9133; reference:bugtraq,9134; classtype:web-application-activity; sid:2325; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.dll access"; flow:to_server,established; uricontent:"/foxweb.dll"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2322; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS VP-ASP shopsearch.asp access"; flow:to_server,established; uricontent:"/shopsearch.asp"; nocase; reference:nessus,11942; reference:bugtraq,9133; reference:bugtraq,9134; classtype:web-application-activity; sid:2324; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS foxweb.exe access"; flow:to_server,established; uricontent:"/foxweb.exe"; nocase; reference:nessus,11939; classtype:web-application-activity; sid:2321; rev:1;)

     file -> tftp.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; offset:0; depth:2; classtype:bad-unknown; reference:bugtraq,7575; sid:2339; rev:1;)
     alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content: "|0002|"; offset:0; depth:2; content:!"|00|"; within:100; reference:bugtraq,7819; reference:cve,CAN-2003-0380; reference:bugtraq,8505; reference:bugtraq,7819; classtype:attempted-admin; sid:2337; rev:3;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2330; rev:1;)

     file -> web-cgi.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI quickstore.cgi access"; flow:to_server,established; uricontent:"/quickstore.cgi"; nocase; reference:nessus,11975; reference:bugtraq,9282; classtype:web-application-activity; sid:2323; rev:1;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2333; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; nocase; distance:0; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,9483; classtype:attempted-admin; sid:2340; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; classtype:attempted-admin; sid:2343; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; classtype:attempted-dos; reference:bugtraq,9159; sid:2335; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2332; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"FTP Yak! FTP server default account login attempt"; flow:to_server,established; content:"USER"; nocase; content:"y049575046"; nocase; pcre:"/^USER\s+y049575046/smi"; classtype:suspicious-login; reference:bugtraq,9072; sid:2334; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,8704; classtype:attempted-admin; sid:2344; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP LIST buffer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s[^\n]{100,}/smi"; classtype:misc-attack; reference:bugtraq,8486; sid:2338; rev:1;)

     file -> deleted.rules
     alert tcp any 110 -> any any (msg:"Virus - Possbile Zipped Files Trojan"; content:"|6E 61 6D 65 20 3D 22 5A 69 70 70 65 64 5F 46 69 6C 65 73 2E 45 58 45 22|"; reference:MCAFEE,10450; sid:802;  classtype:misc-activity; rev:4;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2254; rev:2;)

     file -> web-php.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/lib.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2342; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP PhpGedView search.php access"; flow:to_server,established; uricontent:"/search.php"; nocase; uricontent:"action=soundex"; nocase; uricontent:"firstname="; nocase; reference:bid,9369; classtype:web-application-activity; sid:2345; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke partner.php access"; flow:to_server,established; uricontent:"/partner.php"; nocase; reference:bid,6544; classtype:web-application-activity; sid:2347; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP MatrikzGB privilege escalation attempt"; flow:to_server,established; content:"new_rights=admin"; nocase; reference:bid,8430; classtype:web-application-activity; sid:2331; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP myPHPNuke chatheader.php access"; flow:to_server,established; uricontent:"/chatheader.php"; nocase; reference:bid,6544; classtype:web-application-activity; sid:2346; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP authentication_index.php access"; flow:to_server,established; uricontent:"/authentication_index.php"; nocase; reference:nessus,11982; classtype:web-application-activity; sid:2328; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP DCP-Portal remote file include attempt"; flow:to_server,established; uricontent:"/library/editor/editor.php"; nocase; content:"root="; reference:bugtraq,6525; classtype:web-application-attack; sid:2341; rev:1;)

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2385; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2383; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2382; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC ISystemActivator path overflow attempt little endian"; flow:to_server,established; content:"|05|"; distance:0; within:1; byte_test:1,&,16,3,relative; content:"|5c 00 5c 00|"; byte_test:4,>,256,-8,little,relative; reference:cve,CAN-2003-0352; classtype:attempted-admin; sid:2351; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2384; rev:3;)

  [---]          Removed:          [---]

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2254; rev:1;)

  [///]       Modified active:     [///]

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2247; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS UploadScript11.asp access"; flow:to_server,established; uricontent:"/UploadScript11.asp"; nocase; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2247; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; reference:nessus,11785; reference:bugtraq,8103; classtype:web-application-activity; sid:2249; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS /pcadmin/login.asp access"; flow:to_server,established; uricontent:"/pcadmin/login.asp"; nocase; reference:nessus,11785; reference:bugtraq,8103; classtype:web-application-activity; sid:2249; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS register.asp access"; flow:to_server,established; uricontent:"/register.asp"; nocase; reference:nessus,11621; classtype:web-application-activity; sid:2134; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2248; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS DirectoryListing.asp access"; flow:to_server,established; uricontent:"/DirectoryListing.asp"; nocase; reference:cve,CAN-2001-0938; classtype:web-application-activity; sid:2248; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; reference:nessus,11638; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,CAN-2003-0117; reference:cve,CAN-2003-0118; classtype:web-application-activity; sid:2133; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS MS BizTalk server access"; flow:to_server,established; uricontent:"/biztalkhttpreceive.dll"; nocase; reference:nessus,11638; reference:bugtraq,7469; reference:bugtraq,7470; reference:cve,CAN-2003-0117; reference:cve,CAN-2003-0118; classtype:web-application-activity; sid:2133; rev:2;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~ attempt"; flow:to_server,established; content:"CWD"; pcre:"/^CWD\s+~/smi"; reference:cve,CAN-2001-0421; reference:bugtraq,2601; reference:bugtraq,9215; classtype:denial-of-service; sid:1672; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; classtype:bad-unknown; sid:1229; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; pcre:"/^CWD\s[^\n]*?.../smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; classtype:attempted-admin; sid:1972; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS overflow attempt"; flow:to_server,established,no_stream;  content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:cve,CAN-2000-1035; reference:cve,CAN-2002-0126; reference:bugtraq,9285; reference:bugtraq,8601; classtype:attempted-admin; sid:1972; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; content:"%"; distance:1; content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2178; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,7776; classtype:misc-attack; sid:2178; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; nocase; distance:0; content:"%"; distance:1; content:"%"; distance:1; classtype:bad-unknown; sid:1971; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC format string attempt"; flow:to_server,established; content:"SITE"; nocase; content:"EXEC"; nocase; distance:0; pcre:"/^SITE\s+EXEC\s[^\n]*?%[^\n]*?%/smi"; classtype:bad-unknown; sid:1971; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; content:"%"; distance:1;  content:"%"; distance:1; within:10; reference:bugtraq,7474; classtype:misc-attack; sid:2179; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; classtype:misc-attack; sid:2179; rev:3;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2264; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:misc-attack; sid:2264; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO\:"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2270; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO sendmail prescan too long addresses overflow"; flow:to_server,established; content:"RCPT TO\:"; nocase; pcre:"/^RCPT TO\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:attempted-admin; sid:2270; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM\:"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2266; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SOML FROM\:"; nocase; pcre:"/^SOML FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:misc-attack; sid:2266; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM\:"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2268; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"MAIL FROM\:"; nocase; pcre:"/^MAIL FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:attempted-admin; sid:2268; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM\:"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; sid:2262; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND FROM sendmail prescan too long addresses overflow"; flow:to_server,established; content:"SEND FROM\:"; nocase; pcre:"/^SEND FROM\x3a\s+[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}\x3b[\w\s@\.]{200,}/smi"; reference:bugtraq,7230; reference:cve,CAN-2003-0161; classtype:misc-attack; sid:2262; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2263; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML FROM sendmail prescan too many addresses overflow"; flow:to_server,established; content:"SAML FROM\:"; nocase; pcre:"/^SAML FROM\x3a\s*[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?<[^\n]*?</smi"; classtype:attempted-admin; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2263; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-"; distance:1; byte_test:1,>,0,0,relative,string; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2253; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2253; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding\:"; byte_test:1,<,256,100,relative; content:!"|0a|"; within:100; reference:cve,CAN-2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Transfer-Encoding overflow attempt"; flow:to_server,established; content:"Content-Transfer-Encoding\:"; isdataat:100,relative; content:!"|0a|"; within:100; reference:cve,CAN-2003-0161; reference:url,www.cert.org/advisories/CA-2003-12.html; classtype:attempted-admin; sid:2183; rev:2;)

     file -> icmp-info.rules
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (Undefined Code!)"; itype:8; classtype:misc-activity; sid:365; rev:5;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING (Undefined Code!)"; itype:8; icode:>0;classtype:misc-activity; sid:365; rev:6;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address (Undefined Code!)"; itype: 6; sid:391;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address (Undefined Code!)"; itype:6; icode:>0; sid:391;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here (Undefined Code!"; itype: 34; sid:412;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here (Undefined Code!"; itype:34; icode:>0; sid:412;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18; sid:387;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype:18; icode:>0; sid:387;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP (Undefined Code!"; itype: 39; sid:446;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP (Undefined Code!"; itype:39; icode:>0; sid:446;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply (Undefined Code!)"; itype: 14; sid:452;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply (Undefined Code!)"; itype: 14; icode:>0; sid:452;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Undefined Code!)"; itype: 12; sid:428;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem (Undefined Code!)"; itype: 12; icode:>2; sid:428; classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request (Undefined Code!)"; itype: 17; sid:389;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request (Undefined Code!)"; itype:17; icode:>0; sid:389;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect (Undefined Code!)"; itype: 32; sid:420;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect (Undefined Code!)"; itype:32; icode:>0; sid:420;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect (Undefined Code!)"; itype: 5; sid:438;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect (Undefined Code!)"; itype:5; icode:>3; sid:438; classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3; sid:407;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3; icode:>15; sid:407;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute (Undefined Code!)"; itype: 30; sid:457;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute (Undefined Code!)"; itype:30; icode:>0; sid:457;  classtype:misc-activity; rev:5;)
     old: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply (Undefined Code!)"; itype: 16; sid:416;  classtype:misc-activity; rev:4;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply (Undefined Code!)"; itype:16; icode:>0; sid:416;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Undefined Code!)"; itype: 40; sid:433;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris (Undefined Code!)"; itype: 40; icode:>3; sid:433;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply (Undefined Code!)"; itype: 36; sid:422;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply (Undefined Code!)"; itype:36; icode:>0; sid:422;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security (Type 19) (Undefined Code!)"; itype: 19; sid:440;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security (Type 19) (Undefined Code!)"; itype:19; icode:>0; sid:440;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request (Undefined Code!)"; itype: 15; sid:418;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request (Undefined Code!)"; itype:15; icode:>0; sid:418;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request (Undefined Code!"; itype: 35; sid:424;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request (Undefined Code!"; itype:35; icode:>0; sid:424;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request (Undefined Code!)"; itype: 13; sid:454;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request (Undefined Code!)"; itype:13; icode:>0;sid:454;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench (Undefined Code!)"; itype: 4; sid:448;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench (Undefined Code!)"; itype:4; icode:>0; sid:448;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Time-To-Live Exceeded in Transit (Undefined Code!)"; itype: 11; sid:450;  classtype:misc-activity; rev:4;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit (Undefined Code!)"; itype:11; icode:>1; sid:450; classtype:misc-activity; rev:6;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error (Undefined Code!)"; itype: 31; sid:393;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error (Undefined Code!)"; itype:31; icode:>0; sid:393;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0; sid:409;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply (Undefined Code!)"; itype:0; icode:>0; sid:409;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You (Undefined Code!)"; itype: 33; sid:414;  classtype:misc-activity; rev:4;)
     new: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You (Undefined Code!)"; itype:33; icode:>0; sid:414;  classtype:misc-activity; rev:5;)
     old: alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype: 11; icode: 0; sid:449;  classtype:misc-activity; rev:4;)
     new: alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype: 11; icode: 0; sid:449;  classtype:misc-activity; rev:5;)

     file -> snmp.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1413; rev:2; classtype:attempted-recon;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP private access udp"; content:"private"; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; reference:bugtraq,7212; sid:1413; rev:3; classtype:attempted-recon;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:cve,CAN-1999-0517; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; sid:1412; classtype:attempted-recon; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP public access tcp"; flow:to_server,established; content:"public"; reference:cve,CAN-1999-0517; reference:cve,CAN-2002-0012; reference:cve,CAN-2002-0013; reference:bugtraq,7212; sid:1412; classtype:attempted-recon; rev:6;)

     file -> web-php.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,7532; reference:bugtraq,3361; classtype:attempted-recon; sid:1301; rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP admin.php access"; flow:to_server,established; uricontent:"/admin.php"; nocase; reference:bugtraq,7532; reference:bugtraq,3361; reference:bugtraq,9270; classtype:attempted-recon; sid:1301; rev:7;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:nessus,11179; reference:bugtraq,5820; classtype:web-application-activity; sid:1998; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-PHP calendar.php access"; flow:established,to_server; uricontent:"/calendar.php"; reference:nessus,11179; reference:bugtraq,5820; reference:bugtraq,9353; classtype:web-application-activity; sid:1998; rev:2;)

     file -> tftp.rules
     old: alert udp any any -> any 69 (msg:"TFTP filename overflow attempt"; content: "|0001|"; offset:0; depth:2; content:!"|00|"; within:100; reference:cve,CAN-2002-0813; reference:bugtraq,5328; classtype:bad-unknown; sid:1941; rev:2;)
     new: alert udp any any -> any 69 (msg:"TFTP GET filename overflow attempt"; content: "|0001|"; offset:0; depth:2; content:!"|00|"; within:100; reference:cve,CAN-2002-0813; reference:bugtraq,5328; classtype:attempted-admin; sid:1941; rev:4;)

     file -> backdoor.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; stateless; flags:S,12; window:55808; sid:2182; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR typot trojan traffic"; stateless; flags:S,12; window:55808; classtype:trojan-activity; sid:2182; rev:3;)

     file -> netbios.rules
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,&,16,2,relative; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:22; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2316; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,&,16,2,relative; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:22; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2316; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> any 445 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2311; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> any 445 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2311; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2308; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2308; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0b|"; offset:0; depth:3; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2315; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0b|"; offset:0; depth:3; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2315; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2309; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2309; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; sid:2310; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2310; rev:2;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:" AUTHENTICATE "; nocase; content:"{"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:2105; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP authenticate literal overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10292; reference:cve,CVE-1999-0042; classtype:misc-attack; sid:2105; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; content:" LSUB |22|"; content:"|22| {"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:" LOGIN "; content:" {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:1993; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:" LIST |22|"; content:"|22| {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:11;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1845; rev:12;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:" CREATE"; content:" {"; distance:0; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; pcre:"/\sCREATE\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2120; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,CVE-1999-0005; classtype:misc-attack; sid:1930; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP auth literal overflow attempt"; flow:established,to_server; content:" AUTH"; nocase; content:"{"; byte_test:5,>,256,0,string,dec,relative; reference:cve,CVE-1999-0005; classtype:misc-attack; sid:1930; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:" RENAME |22|"; content:"|22| {"; distance:0; nocase; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2119; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; pcre:"/\sRENAME\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2119; rev:2;)
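Review bot: sid 1930 is the one rule in this group left on the old two-content form — `content:" AUTH"; nocase; content:"{";` with no `distance:0` and no `pcre` — so the `{` match is not anchored after the command and may hit any brace in the payload, and the `byte_test ... relative` that follows is then evaluated against that unrelated brace rather than the literal that follows AUTH. At minimum the brace should be tied to the command the way the old siblings did it: `content:" AUTH"; nocase; content:"{"; distance:0; byte_test:5,>,256,0,string,dec,relative;`. Note also that `" AUTH"` is a prefix of `" AUTHENTICATE"`, so 1930 and 2105 both fire on the same AUTHENTICATE literal; whether 1930 is meant as a separate command or as a duplicate of 2105 is not clear from the diff and is worth a comment in the rule file. Separately, the rewritten sid 1902 is the only rule here without `flow:established,to_server;`, so it is still inspected on server-to-client and non-established traffic, unlike every other rule in the group.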

     file -> rpc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; offset:16; depth:5; content:"|00 00 00 01|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; offset:8; depth:4; sid:2184; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount path overflow attempt"; flow:to_server,established; content:"|00 01 86 A5 00|"; offset:16; depth:5; content:"|00 00 00 01|"; distance:3; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1023,0,relative; content:"|00 00 00 00|"; offset:8; depth:4; classtype:misc-attack; sid:2184; rev:3;)

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # pcre makes this not needed
       # historical reference... this used to be here...
    -> File "snort.conf":
       # In snort 2.0.1 and above, this only alerts when a TCP option is detected
           iis_unicode_map unicode.map 1252 
           profile all ports { 80 8080 8180 } oversize_dir_length 500
       #    oversize_dir_length 300 \
       # suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

  [---]      Removed lines:      [---]
    -> File "snort.conf":
       # In snort 2.0.1 and above, this only alerts when the a TCP option is detected
           iis_unicode_map unicode.map 1252
           profile all \
           ports { 80 8080 }
       # suspicious $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)




