[Snort-sigs] snort-rules CURRENT update @ Sat May 1 14:15:27 2004

bmc at ...95... bmc at ...95...
Sat May 1 14:47:02 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|01|"; distance:2; within:1; content:"|02|"; distance:0; within:1; content:!"|00 00|"; distance:0; within:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:"|8F|"; distance:7; within:1; byte_test:2,>,32768,0,relative; flowbits:isset,starttls.attempt; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS|0d 0a|"; distance:0; within:10; flowbits:set,starttls.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2527; rev:1;)

  [///]       Modified active:     [///]

     file -> telnet.rules
     old: alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:6;)
     new: alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:7;)

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type\:"; nocase; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:2;)

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:2;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:3;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:3;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:3;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2004-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:3;)




