[Snort-sigs] snort-rules CURRENT update @ Thu May 6 14:15:34 2004

bmc at ...95... bmc at ...95...
Thu May 6 11:16:15 EDT 2004


This rule update was brought to you by Oinkmaster.

[*] Rule modifications: [*]

  [+++]           Added:           [+++]

     file -> pop3.rules
     alert tcp $HOME_NET 995 -> $EXTERNAL_NET any (msg:"POP3 SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2536; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2535; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2537; rev:1;)
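Review bot: The third pop3.rules addition (sid 2537) is bound to port 993 instead of 995, so it never inspects the sessions on which its companions 2535/2536 set the `sslv3.client_hello.request` and `sslv3.server_hello.request` flowbits; flowbits are tracked per session, and on port 993 those bits are already set and consumed by the imap.rules chain 2529/2530/2531, whose options are byte-for-byte the same as this rule. This looks like a copy of the IMAP rule with the msg changed but not the port; the header should presumably be `alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid Client_Hello attempt"; ...`. As written, POP3S has a flowbit pair with no alerting rule behind it, and 993 gets a duplicate of sid 2531 under a POP3 label.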

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2544; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2538; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 invalid data version attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2541; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isset,starttls.attempt; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2542; rev:1;)
     alert tcp $SMTP_SERVERS 465 -> $EXTERNAL_NET any (msg:"SMTP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2539; rev:1;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2540; rev:1;)
     alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLS SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2543; rev:1;)

     file -> deleted.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:3;)
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:4;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid timestamp attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:3;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2531; rev:1;)
     alert tcp $HOME_NET 993 -> $EXTERNAL_NET any (msg:"IMAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2530; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2529; rev:1;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2534; rev:1;)
     alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2532; rev:1;)
     alert tcp $HOME_NET 639 -> $EXTERNAL_NET any (msg:"MISC LDAP SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2533; rev:3;)
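Review bot: All three misc.rules additions (sids 2532, 2533, 2534) use port 639, while the other MISC LDAP rules in this same update, the removed timestamp rule 2499 and the modified data-version rule 2500, use 636, and the new flowbit chain is otherwise identical to the 443/465/993/995 chains; 639 looks like a typo for 636, and if it is intended the "MISC LDAP" msg prefix no longer describes the service. The header of each of the three rules would read `... $HOME_NET 636 ...` (and `$HOME_NET 636 -> $EXTERNAL_NET any` for the Server_Hello rule). Sid 2533 is also introduced at `rev:3` while its two siblings start at `rev:1`; harmless, but worth aligning so the revision history of the three rules stays in step.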

  [---]          Removed:          [---]

     file -> web-misc.rules
     alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2506; rev:1;)

     file -> smtp.rules
     alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2503; rev:1;)

     file -> imap.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2498; rev:1;)

     file -> misc.rules
     alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2499; rev:1;)

  [///]       Modified active:     [///]

     file -> web-misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; flowbits:isset,sslv3.client_hello.request; flowbits:isset,sslv3.server_hello.request; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid Client_Hello attempt"; flow:to_server,established; flowbits:isset,sslv3.server_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2522; rev:5;)
     old: alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg: "WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|02|"; distance:3; within:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2521; rev:1;)
     new: alert tcp $HTTP_SERVERS 443 -> $EXTERNAL_NET any (msg:"WEB-MISC SSLv3 Server_Hello request"; flow:to_client,established; flowbits:isset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|02|"; offset:5; depth:1; flowbits:set,sslv3.server_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2521; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2515; rev:4;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2520; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv3.client_hello.request; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; flowbits:set,sslv3.client_hello.request; flowbits:noalert; reference:cve,2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2520; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"WEB-MISC SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2505; rev:3;)

     file -> pop3.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2518; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 timestamp attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid timestamp attempt"; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; byte_test:4,>,2147483647,5,relative; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2501; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 995 (msg:"POP3 SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2502; rev:3;)
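Review bot: The new revision of sid 2501 ("POP3 SSLv3 invalid timestamp attempt", rev 3) drops the `flow:to_server,established;` option that the old revision carried and that every other rule in this update keeps, so it is now evaluated outside the tracked-session context and can fire on packets that are not part of an established TCP session. Restoring `flow:to_server,established;` immediately after the msg keyword brings it back in line with its 443/465/993/636 counterparts (sids 2506, 2503, 2498, 2499). Note also that those four counterparts are moved to deleted.rules in this update while 2501 stays active in pop3.rules; if the timestamp check is being retired as unreliable, the POP3 rule presumably should go with them, and if not, a rule-file comment saying why it is kept would help the next maintainer.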

     file -> smtp.rules
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Long Client_Hello message exploit attempt"; flow:to_server,established; content:"|01|"; distance:2; within:1; content:"|02|"; distance:0; within:1; content:!"|00 00|"; distance:0; within:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:"|8F|"; distance:7; within:1; byte_test:2,>,32768,0,relative; flowbits:isset,starttls.attempt; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLS PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isset,starttls.attempt; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2528; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2504; rev:2;)
     old: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2519; rev:5;)

     file -> netbios.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; nocase; offset:4; depth:4; content:"|05|"; distance:59; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2514; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; content:"|FF|SMB|2F|"; nocase; offset:4; depth:5; content:"|05|"; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; flowbits:isset,netbios.lsass.bind.attempt; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:2;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"|FF|SMB"; nocase; offset:4; depth:4; content:"|05|"; distance:59; content:"|00|"; distance:1; within:1; content:"|09 00|"; distance:19; within:2; reference:cve,CAN-2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2511; rev:5;)
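Review bot: Both LSASS rules (sids 2514 and 2511) drop the `|2F|` command byte from the SMB header match (`content:"|FF|SMB|2F|"; depth:5` becomes `content:"|FF|SMB"; depth:4`) and instead pin the `|05|` byte with `distance:59`, so the match no longer depends on which SMB command carries the DCERPC request; whether that is meant to widen coverage or is a side effect of re-anchoring is not stated anywhere in the hunk. A one-line comment above the two rules in netbios.rules naming the reason the command byte was removed would make the change reviewable. The revision numbers also diverge (2514 goes 2 to 3, 2511 goes 2 to 5) for what is the same edit, which suggests an intermediate revision of 2511 that is not shown here.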

     file -> imap.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2517; rev:5;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 993 (msg:"IMAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2497; rev:2;)

     file -> misc.rules
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP invalid SSLv3 data version attempt"; flow:to_server,established; content:"|16|"; distance:0; within:1; content:"|03|"; distance:0; within:1; content:"|01|"; distance:3; within:1; content:!"|03|"; distance:3; within:1; reference:cve,CAN-2004-0120; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:1;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 636 (msg:"MISC LDAP SSLv3 invalid data version attempt"; flow:to_server,established; content:"|16 03|"; depth:2; content:"|01|"; offset:5; depth:1; content:!"|03|"; offset:9; depth:1; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-dos; sid:2500; rev:3;)
     old: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|80|"; distance:0; within:1; content:"|01|"; distance:1; within:1; byte_jump:1,-2,relative; isdataat:1,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:3;)
     new: alert tcp $EXTERNAL_NET any -> $HOME_NET 639 (msg:"MISC LDAP PCT Client_Hello overflow attempt"; flow:to_server,established; content:"|01 02|"; offset:2; depth:2; byte_test:2,>,0,3,relative; byte_test:2,<,16,3,relative; byte_test:2,>,20,5,relative; content:!"|00 00|"; offset:4; depth:2; content:"|8F|"; offset:11; depth:1; byte_test:2,>,32768,0,relative; reference:cve,CAN-2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2516; rev:5;)
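Review bot: The new revision of sid 2500 ("MISC LDAP SSLv3 invalid data version attempt", rev 3) loses the `reference:cve,CAN-2004-0120;` entry that the old revision carried and that the parallel data-version rules for 443, 995, 465 and 993 (sids 2505, 2502, 2504, 2497) all keep, leaving only the Microsoft bulletin URL. Restoring `reference:cve,CAN-2004-0120;` before the url reference keeps the rule consistent with its siblings. The two rules in this section also disagree on the LDAP port, 2500 on 636 and 2516 on 639, the same inconsistency seen in the added misc.rules rules.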

[*] Non-rule changes: [*]

  [+++]       Added lines:       [+++]

    -> File "deleted.rules":
       # these happen.  more research = more better rules




