[Snort-sigs] snort-rules 2.1.* update @ Sat May 1 14:15:27 2004

bmc at ...95... bmc at ...95...
Mon May 3 04:55:14 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ServletManager access"; flow:to_server,established; uricontent:"/servlet/ServletManager"; nocase; reference:nessus,12122; reference:cve,CAN-2001-1195; classtype:web-application-activity; sid:2447; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC setinfo.hts access"; flow:to_server,established; uricontent:"/setinfo.hts"; nocase; reference:nessus,12120; reference:bugtraq,9973; classtype:web-application-activity; sid:2448; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC schema overflow attempt"; flow:to_server,established; uricontent:"|3a|//"; pcre:"/^[^\/]{14,}?\x3a\/\//U"; reference:cve,CAN-2004-0039; classtype:attempted-admin; sid:2381; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC source.jsp access"; flow:to_server,established; uricontent:"/source.jsp"; nocase; reference:nessus,12119; classtype:web-application-activity; sid:2484; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:1;)

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:3;)

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-disposition buffer overflow"; flow: to_server, established; content:"Content-Type|3a|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; content:"Content-Disposition|3a|"; nocase; pcre:"/name=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype: attempted-user; sid:2488; rev:2;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP WinZip MIME content-type buffer overflow"; flow: to_server, established; content:"Content-Type|3a|"; nocase; pcre:"/name=[^\r\n]*?\.(mim|uue|uu|b64|bhx|hqx|xxe)/smi"; pcre:"/(name|id|number|total|boundary)=\s*[^\r\n\x3b\s\x2c]{300}/smi"; reference:bugtraq,9758; classtype: attempted-user; sid:2487; rev:2;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:3;)

     file -> dos.rules
     alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt";  content:"|05|"; offset:16; depth:1; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; classtype:attempted-dos; sid:2486; rev:2;)
     alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:cve,CAN-2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:2;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:1;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:3;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:1;)

     file -> chat.rules
     alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0001|"; offset:10; depth:2; classtype:policy-violation; sid:2450; rev:1;)
     alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0018|"; offset:10; depth:2; classtype:policy-violation; sid:2453; rev:1;)
     alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0019|"; offset:10; depth:2; classtype:policy-violation; sid:2454; rev:1;)
     alert tcp any any <> any 5101 (msg:"CHAT Yahoo IM message"; flow:established; content:"YMSG"; nocase; offset:0; depth:4; classtype:policy-violation; sid:2457; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"CHAT Yahoo IM webcam request"; flow:to_server,established; content:"|3c 52|"; offset: 0; depth:2; pcre:"/^\x3c(REQIMG|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:1;)
     alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|004a|"; offset:10; depth:2; classtype:policy-violation; sid:2451; rev:1;)
     alert tcp any any -> any 5050 (msg:"CHAT Yahoo IM file transfer request"; flow:established; content:"YMSG"; nocase; offset:0; depth:4; content:"|004d|"; offset:10; depth:2; classtype:policy-violation; sid:2456; rev:1;)
     alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0098|"; offset:10; depth:2; classtype:policy-violation; sid:2458; rev:1;)
     alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"CHAT Yahoo IM webcam watch"; flow:from_server,established; content: "|0d00 0500|"; offset:0; depth:4; classtype:policy-violation; sid:2461; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM webcam offer invitation"; flow:to_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0050|"; offset:10; depth:2; classtype:policy-violation; sid:2459; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|001d|"; offset:10; depth:2; classtype:policy-violation; sid:2455; rev:1;)
     alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; nocase; offset:0; depth:4; content:"|0012|"; offset:10; depth:2; classtype:policy-violation; sid:2452; rev:2;)

     file -> ftp.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,7909; classtype:attempted-admin; sid:2374; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; classtype:attempted-admin; sid:2373; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ALLO overflow attempt"; flow:to_server,established; content:"ALLO"; nocase; isdataat:100,relative; pcre:"/^ALLO\s[^\n]{100}/smi"; reference:bugtraq,9953; classtype:attempted-admin; sid:2449; rev:1;)

     file -> exploit.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:"<SNAPQUOTE>"; nocase; isdataat:1024,relative; content:!"</SNAPQUOTE>"; nocase; within:1054; reference:bugtraq,9978; classtype:attempted-admin; sid:2490; rev:1;)
     alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:cve,CAN-2004-0176; reference:bugtraq,9952; classtype:attempted-admin; sid:2464; rev:1;)
     alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:cve,CAN-2004-0176; reference:bugtraq,9952; classtype:attempted-admin; sid:2463; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:"<STREAMQUOTE>"; nocase; isdataat:1024,relative; content:!"</STREAMQUOTE>"; nocase; within:1054; reference:bugtraq,9978; classtype:attempted-admin; sid:2489; rev:1;)
     alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:cve,CAN-2004-0176; reference:bugtraq,9952; classtype:attempted-admin; sid:2462; rev:1;)

     file -> web-client.rules
     alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Norton antivirus sysmspam.dll load attempt"; flow:to_client,established; content:"clsid|3a|"; nocase; content:"0534CF61-83C5-4765-B19B-45F7A4E135D0"; nocase; reference:bugtraq,9916; classtype:attempted-admin; sid:2485; rev:1;)

     file -> netbios.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2474; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2475; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2465; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2468; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2469; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2472; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2471; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"D|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2467; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"A|00|D|00|M|00|I|00|N|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2473; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2466; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:2470; rev:1;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3a|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:cve,CAN-2004-0169; classtype:web-application-attack; sid:2442; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000:8001 (msg:"WEB-MISC Quicktime User-Agent buffer overflow attempt"; flow:to_server,established; content:"User-Agent|3a|"; nocase; pcre:"/^User-Agent\x3a[^\n]{244,255}/smi"; reference:cve,CAN-2004-0169; reference:bugtraq,9735; classtype:web-application-attack; sid:2442; rev:3;)

     file -> web-iis.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.asp; classtype:web-application-activity; sid:2129; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS nsiislog.dll access"; flow:to_server,established; uricontent:"/nsiislog.dll"; nocase; reference:nessus,11664; reference:url,www.microsoft.com/technet/security/bulletin/ms03-018.mspx; classtype:web-application-activity; sid:2129; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; content:"Content-Type\:"; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"WEB-IIS MDAC Content-Type overflow attempt"; flow:to_server,established; uricontent:"/msadcs.dll"; nocase; content:"Content-Type\:"; nocase; content:!"|0A|"; within:50; reference:cve,CAN-2002-1142; reference:url,www.foundstone.com/knowledge/randd-advisories-display.html?id=337; classtype:web-application-attack; sid:1970; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.asp; classtype:web-application-activity; sid:1772; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS pbserver access"; flow:to_server,established; uricontent:"/pbserver/pbserver.dll"; nocase; reference:url,www.microsoft.com/technet/security/bulletin/ms00-094.mspx; classtype:web-application-activity; sid:1772; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0d0a|Host|3a|"; content:"|0d0a0d0a|"; within:255; reference:cve,CAN-2003-0109; reference:bugtraq,7116; reference:nessus,11412; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.asp; classtype:attempted-admin; sid:2091; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH / HTTP/1.1|0d0a|Host|3a|"; content:"|0d0a0d0a|"; within:255; reference:cve,CAN-2003-0109; reference:bugtraq,7116; reference:nessus,11412; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2091; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.asp; classtype:attempted-admin; sid:2090; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-IIS WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1|0a|Content-type|3a| text/xml|0a|HOST|3a|"; content:"Accept|3a| |2a|/|2a0a|Translate|3a| f|0a|Content-length|3a|5276|0a0a|"; distance:1; reference:cve,CAN-2003-0109; reference:bugtraq,7716; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2090; rev:4;)

     file -> sql.rules
     old: alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.asp; classtype:attempted-user; sid:2329; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"MS-SQL probe response overflow attempt"; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3b|"; distance:0; isdataat:512,relative; content:!"|3b|"; within:512; reference:cve,CAN-2003-0903; reference:bugtraq,9407; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:3;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^PASS\s[^\n]{256}/smi"; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"POP3 APOP overflow attempt"; flow:to_server,established; content:"APOP"; nocase; isdataat:256,relative; pcre:"/^APOP\s[^\n]{256}/smi"; reference:cve,CAN-2000-0841; reference:bugtraq,1652; reference:nessus,10559; classtype:attempted-admin; sid:1635; rev:9;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; classtype:attempted-admin; reference:cve,CAN-2003-0161; reference:bugtraq,7230; reference:cve,CAN-2003-0161; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2259; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPN overflow attempt"; flow:to_server,established; content:"EXPN"; nocase; pcre:"/^EXPN[^\n]{255,}/smi"; classtype:attempted-admin; reference:cve,CAN-2003-0161; reference:bugtraq,7230; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2259; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2253; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow attempt"; flow:to_server,established; content:"XEXCH50"; nocase; pcre:"/^XEXCH50\s+-\d/smi"; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2253; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; classtype:attempted-admin; reference:cve,CAN-2003-0161; reference:bugtraq,7230; reference:cve,CAN-2003-0161; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2260; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP VRFY overflow attempt"; flow:to_server,established; content:"VRFY"; nocase; pcre:"/^VRFY[^\n]{255,}/smi"; classtype:attempted-admin; reference:bugtraq,7230; reference:cve,CAN-2003-0161; reference:bugtraq,6991; reference:cve,CAN-2002-1337; sid:2260; rev:2;)

     file -> dos.rules
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; stateless; flags:S; seq: 6060842; id: 413; reference:cve,CAN-2000-1039; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.asp; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:bugtraq,2022; classtype:attempted-dos; sid:275; rev:5;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; stateless; flags:S; seq: 6060842; id: 413; reference:cve,CAN-2000-1039; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:bugtraq,2022; classtype:attempted-dos; sid:275; rev:6;)

     file -> tftp.rules
     old: alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content: "|0002|"; offset:0; depth:2; content:!"|00|"; within:100; reference:bugtraq,7819; reference:cve,CAN-2003-0380; reference:bugtraq,8505; reference:bugtraq,7819; classtype:attempted-admin; sid:2337; rev:3;)
     new: alert udp any any -> any 69 (msg:"TFTP PUT filename overflow attempt"; content: "|0002|"; offset:0; depth:2; content:!"|00|"; within:100; reference:bugtraq,7819; reference:cve,CAN-2003-0380; reference:bugtraq,8505; classtype:attempted-admin; sid:2337; rev:4;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]*?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:1902; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:nessus,10374; reference:cve,CAN-2000-0284; classtype:misc-attack; sid:2106; rev:4;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type (0)"; flow:established; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; classtype:bad-unknown; sid:2159; rev:4;)
     new: alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; content:"|ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff|"; offset:0; depth:16; content:"|00|"; distance:2; within:1; stateless; classtype:bad-unknown; sid:2159; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; offset:288; depth:1; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.asp; classtype:attempted-dos; sid:2418; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"MISC MS Terminal Server no encryption session initiation attmept"; flow:to_server,established; content:"|03 00 01|"; depth:3; content:"|00|"; offset:288; depth:1; reference:url,www.microsoft.com/technet/security/bulletin/MS01-052.mspx; classtype:attempted-dos; sid:2418; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtaq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; content:"|00 01|"; offset:2; depth:2; content:"|00 01|"; offset:8; depth:2; dsize:>156; reference:bugtraq,5807; reference:cve,CAN-2002-1214; classtype:attempted-admin; sid:2126; rev:3;)

     file -> telnet.rules
     old: alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:6;)
     new: alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET access"; flow:from_server,established; content:"|FF FD|"; rawbytes; content:"|FF FD|"; distance:0; rawbytes; content:"|FF FD|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:7;)

     file -> ftp.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9600; reference:bugtraq,7776; reference:bugtraq,9600; reference:bugtraq,9402; classtype:misc-attack; sid:2178; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]*?%[^\n]*?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9600; reference:bugtraq,7776; reference:bugtraq,9402; classtype:misc-attack; sid:2178; rev:8;)

     file -> web-cgi.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:cve,CVE-2001-0805; reference:bugtraq,2890; reference:nessus,10696; reference:bugtraq,2890; classtype:attempted-recon; sid:1480; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI ttawebtop.cgi access"; flow:to_server,established; uricontent:"/ttawebtop.cgi"; nocase; reference:cve,CVE-2001-0805; reference:bugtraq,2890; reference:nessus,10696; classtype:attempted-recon; sid:1480; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/csview2.cgi"; nocase; reference:cve,CAN-2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI cvsview2.cgi access"; flow:to_server,established; uricontent:"/cvsview2.cgi"; nocase; reference:cve,CAN-2003-0153; reference:nessus,11748; classtype:web-application-activity; sid:2197; rev:2;)

     file -> rpc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2024; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA getquota overflow attempt TCP"; flow:to_server,established; content:"|00 01 86 AB|"; offset:16; depth:4; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack;  content:"|00 00 00 00|"; offset:8; depth:4; sid:2024; rev:6;)
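Review bot: In the new sid:2024 the absolute check `content:"|00 00 00 00|"; offset:8; depth:4;` (the RPC msg_type CALL field) still sits at the end of the rule, after classtype and after the relative byte_jump/byte_test chain, so it is evaluated last. Moving it to the front, `content:"|00 00 00 00|"; offset:8; depth:4; content:"|00 01 86 AB|"; offset:16; depth:4;`, keeps the matching semantics (both contents use absolute offsets) and lets non-CALL traffic fail before the two byte_jumps. It also reads consistently with the other rules in this update, which place their fixed-offset header checks first.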

     file -> web-frontpage.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase; flow:to_server,established; classtype:web-application-activity; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.asp; sid:1248;  rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad fp30reg.dll access"; uricontent:"/fp30reg.dll"; nocase; flow:to_server,established; classtype:web-application-activity; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; sid:1248;  rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent: "/dvwssr.dll"; nocase; reference:bugtraq,1108; reference:cve,CVE-2000-0260; reference:arachnids,271; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.asp; classtype:web-application-activity; sid:967;  rev:6;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE dvwssr.dll access"; flow:to_server,established; uricontent: "/dvwssr.dll"; nocase; reference:bugtraq,1108; reference:cve,CVE-2000-0260; reference:arachnids,271; reference:url,www.microsoft.com/technet/security/bulletin/ms00-025.mspx; classtype:web-application-activity; sid:967;  rev:7;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"|5c00|I|00|P|00|C|00|$|00|"; nocase; reference:arachnids,334; classtype:attempted-recon; sid:538; rev:7;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share unicode access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,>,127,6,relative; content:"I|00|P|00|C|00 24 00 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:538; rev:8;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\winreg|00|"; offset:85; nocase; classtype:attempted-recon; sid:2174; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\winreg|00|"; offset:85; nocase; classtype:protocol-command-decode; sid:2174; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"Documents and Settings\\All Users\\Start Menu\\Programs\\Startup|00|"; classtype:attempted-recon; sid:2176; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"Documents and Settings\\All Users\\Start Menu\\Programs\\Startup|00|"; distance:0; nocase; classtype:attempted-recon; sid:2176; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|04 00|"; distance:0; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2258; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|04 00|"; distance:0; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2258; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2308; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2308; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0b|"; offset:0; depth:3; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2315; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"|05 00 0b|"; offset:0; depth:3; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2315; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;  classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2251; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605;  classtype:attempted-admin; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; sid:2251; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB Data Service Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|ff|SMB|73|"; offset:4; depth:5; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; classtype:attempted-admin; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; reference:bugtraq,9752; sid:2404; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|ff|SMB|73|"; offset:4; depth:5; nocase; byte_test:1,&,128,6,relative; byte_test:2,>,255,54,relative,little; content:"|00|"; distance:56; content:"|00 00|"; distance:255; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; content:"|00 00|"; distance:0; classtype:attempted-admin; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; reference:bugtraq,9752; sid:2404; rev:3;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.asp; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2257; rev:1;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; reference:bugtraq,8826; reference:cve,CAN-2003-0717; classtype:attempted-admin; sid:2257; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; content:"\\IPC$|00|"; nocase; classtype:attempted-recon; sid:537;  rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB IPC$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"IPC|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:537; rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB Startup Folder access attempt (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"\\|00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00|\\|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|\\|00|S|00|t|00|a|00|r|00|t|00|u|00|p"; classtype:attempted-recon; sid:2177; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|32|"; offset:4; depth:5; content:"\\|00|S|00|t|00|a|00|r|00|t|00| |00|M|00|e|00|n|00|u|00|\\|00|P|00|r|00|o|00|g|00|r|00|a|00|m|00|s|00|\\|00|S|00|t|00|a|00|r|00|t|00|u|00|p"; distance:0; nocase; classtype:attempted-recon; sid:2177; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Workstation Service unicode bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2310; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service unicode bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,&,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00 05 00 0b|"; distance:4; within:15; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2310; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2385; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|00 00 00 62 06 83 00 00 06 2B 06 01 05 05 02|"; distance:1; within:15; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|A3 3E 30 3C A0 30|"; distance:0; reference:nessus,12054; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2385; rev:4;)
     old: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,&,16,2,relative; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:22; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2316; rev:2;)
     new: alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"NETBIOS DCERPC Workstation Service direct service access attempt"; content:"|04 00|"; offset:0; depth:2; byte_test:1,&,16,2,relative; content:"|98 d0 ff 6b 12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:22; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2316; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg access (unicode)"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85; classtype:attempted-recon; sid:2175; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB winreg unicode access"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|a2|"; offset:4; depth:5; content:"\\|00|w|00|i|00|n|00|r|00|e|00|g|00|"; nocase; offset:85; classtype:protocol-command-decode; sid:2175; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$access"; flow:to_server,established; content:"\\ADMIN$|00 41 3a 00|"; reference:arachnids,340; classtype:attempted-admin; sid:532;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB ADMIN$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"ADMIN|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:532; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2309; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2309; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ access"; flow:to_server,established; content: "|5c|C$|00 41 3a 00|";reference:arachnids,339; classtype:attempted-recon; sid:533; rev:5;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB C$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"C|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:533; rev:6;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCE/RPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2383; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC NTLMSSP invalid mechtype attempt"; flow:to_server,established; content:"|FF|SMB|73|"; nocase; offset:4; depth:5; content:"|60|"; offset:63; depth:1; content:"|06 06 2b 06 01 05 05 02|"; distance:1; within:8; content:"|06 0a 2b 06 01 04 01 82 37 02 02 0a|"; distance:0; content:"|a1 05 23 03 03 01 07|"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; classtype:attempted-dos; sid:2383; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> any 445 (msg:"NETBIOS SMB DCERPC Workstation Service bind attempt microsoft-ds"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.asp; classtype:misc-attack; sid:2311; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Workstation Service bind attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; byte_test:2,^,1,5,relative; content:"|26 00|"; distance:56; within:2; content:"|5c|PIPE|5c 00 05 00 0b|"; distance:4; within:10; byte_test:1,&,16,1,relative; content:"|98 d0 ff 6b  12 a1 10 36 98 33 46 c3 f8 7e 34 5a|"; distance:29; within:16; reference:cve,CAN-2003-0812; reference:bugtraq,9011; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2311; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; classtype:attempted-admin; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.asp; sid:2252; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"|FF|SMB|25|"; nocase; offset:4; depth:5; content:"|26 00|"; distance:56; within:2; content:"|5c 00|P|00|I|00|P|00|E|00 5c 00|"; nocase; distance:5; within:12; content:"|05|"; distance:0; within:1; content:"|0b|"; distance:1; within:1; byte_test:1,&,1,0,relative; content:"|B8 4A 9F 4D 1C 7D CF 11 86 1E 00 20 AF 6E 7C 57|"; distance:29; within:16; tag:session,5,packets; classtype:attempted-admin; reference:cve,CAN-2003-0715; reference:cve,CAN-2003-0528; reference:cve,CAN-2003-0605; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; sid:2252; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$access"; flow:to_server,established; content:"\\D$|00 41 3a 00|"; reference:arachnids,336; classtype:attempted-recon; sid:536;  rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB D$ share access"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB|75|"; offset:4; depth:5; byte_test:1,<,128,6,relative; content:"D|24 00|"; distance:32; nocase; classtype:protocol-command-decode; sid:536; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; offset:4; depth:5; content:"|00 00 00 00|"; offset:43; depth:4; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:4;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Parameter and Max Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF|SMB|25|"; offset:4; depth:5; content:"|00 00 00 00|"; offset:43; depth:4; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2101; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB Data Service Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|ff|SMB|73|"; offset:4; depth:5; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; distance:42; within:4; byte_test:2,>,255,8,relative,little; content:!"|00|"; distance:10; within:255; classtype:attempted-admin; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; reference:bugtraq,9752; sid:2402; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"|00|"; depth:1; byte_test:2,>,322,2; content:"|ff|SMB|73|"; offset:4; depth:5; nocase; byte_test:1,<,128,6,relative; content:"|00 00 00 00|"; distance:42; within:4; byte_test:2,>,255,8,relative,little; content:!"|00|"; distance:10; within:255; classtype:attempted-admin; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; reference:bugtraq,9752; sid:2402; rev:3;)
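Review bot: The new sid:533 pattern `content:"C|24 00|"; distance:32; nocase;` is a suffix of the new sid:537 pattern `IPC|24 00|`, and both rules share the same `|FF|SMB|75|` prefix and ASCII byte_test, so every ASCII IPC$ tree connect now raises "NETBIOS SMB C$ share access" as well (as does any share name ending in c$). Anchoring on the path separator, `content:"|5c|C|24 00|"; distance:32; nocase;`, restores the distinction the old `|5c|C$` content had. Separately, the rewrites of sid:532, 533, 536 and 538 drop the `reference:arachnids,...` entries (340, 339, 336, 334) the old revisions carried; unless those write-ups are considered obsolete, they should be kept on the new revisions.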

     file -> rservices.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec password overflow attempt"; flow:to_server,established; content:"|00|"; content:"|00|"; distance:33; content:"|00|"; distance:0; classtype:attempted-admin; sid:2114; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"RSERVICES rexec username overflow attempt"; flow:to_server,established; content:"|00|"; offset:9; content:"|00|"; distance:0; content:"|00|"; distance:0; classtype:attempted-admin; sid:2113; rev:3;)

     file -> attack-responses.rules
     old: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.asp; classtype:attempted-recon; sid:1200; rev:8;)
     new: alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Invalid URL"; content:"Invalid URL"; nocase; flow:from_server,established; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:1200; rev:9;)




