[Snort-sigs] snort-rules 2.1.* update @ Thu May 6 14:15:34 2004

bmc at ...95... bmc at ...95...
Thu May 6 11:16:11 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:3;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:4;)
     alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"TFTP NULL command attempt"; content:"|00 00|"; offset:0; depth:2; classtype:bad-unknown; reference:bugtraq,7575; sid:2336; rev:2;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665;  rev:5;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:3;)

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC ?open access"; flow:to_server,established; uricontent:"?open"; nocase; classtype:web-application-activity; sid:1561; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC mkilog.exe access"; flow:to_server,established; uricontent:"/mkilog.exe"; nocase; classtype:web-application-activity; sid:1665;  rev:4;)

     file -> pop3.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:1;)

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:1;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:1;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:1;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:3;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:5;)

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:5;)

     file -> deleted.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.asp; classtype:attempted-admin; sid:2254; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP XEXCH50 overflow with evasion attempt"; flow:to_server,established; content:"XEXCH50"; nocase; content:"-0"; distance:1; reference:url,www.microsoft.com/technet/security/bulletin/MS03-046.mspx; classtype:attempted-admin; sid:2254; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase; dsize: >258; flow:to_server,established; classtype:web-application-attack; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.asp; sid:1246;  rev:8;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-FRONTPAGE rad overflow attempt"; uricontent:"/fp30reg.dll"; nocase; dsize: >258; flow:to_server,established; classtype:web-application-attack; reference:arachnids,555; reference:bugtraq,2906; reference:cve,CAN-2001-0341; reference:url,www.microsoft.com/technet/security/bulletin/MS01-035.mspx; sid:1246;  rev:9;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.asp; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; offset:0; depth:1; content:"|FF 53 4D 42 25|"; offset:4; depth:5; content:"|00 00|"; offset:45; depth:2; reference:cve,CAN-2002-0724; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; reference:url,www.corest.com/common/showdoc.php?idx=262; classtype:denial-of-service; sid:2102; rev:4;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:5;)

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:2;)




