Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules Fri Dec 2 00:51:44 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 2 | # $Id: bleeding-attack_response.rules,v 1.596 2005/11/30 00:14:20 bhartstein Exp $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 3 | # Bleeding Snort attack response rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 4 | # These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 10 | # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 12 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 14 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 15 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 16 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 18 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 19 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 21 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 22 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 23 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 24 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 25 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 26 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 27 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 28 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 29 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 30 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 31 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 32 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 33 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 34 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 35 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 36 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 37 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 38 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 39 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 40 | # Access to backdoor created by some SSL exploit
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 41 | alert tcp any any -> $HOME_NET 31337 (msg: "BLEEDING-EDGE ATTACK RESPONSE Potential root shell connection detected!"; flow: established,to_server; tag: session, 20, packets; classtype: bad-unknown; sid: 2001545; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 42 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 43 | #by atomic-penguin
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 44 | alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE ATTACK RESPONSE Potential FTP Brute-Force attempt"; flow:from_server,established; content:"530 "; pcre:"/^530s+(Login|User)/smi"; classtype:unsuccessful-user; threshold: type threshold, track by_dst, count 5, seconds 120; sid:2002383; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 45 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 46 | #by Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 47 | alert tcp $HOME_NET $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE ATTACK RESPONSE Possible /etc/passwd via HTTP"; content:"root\:x\:0\:0\:root\:/root\:/"; nocase; classtype:misc-activity; sid: 2002034; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 48 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 49 | #Submitted by Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 50 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM1"; flow: established; content:"/COM1/"; nocase; classtype: string-detect; sid: 2000499; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 51 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM2"; flow: established; content:"/COM2/"; nocase; classtype: string-detect; sid: 2000500; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 52 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM3"; flow: established; content:"/COM3/"; nocase; classtype: string-detect; sid: 2000501; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 53 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access COM4"; flow: established; content:"/COM4/"; nocase; classtype: string-detect; sid: 2000502; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 54 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT1"; flow: established; content:"/LPT1/"; nocase; classtype: string-detect; sid: 2000503; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 55 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT2"; flow: established; content:"/LPT2/"; nocase; classtype: string-detect; sid: 2000504; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 56 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT3"; flow: established; content:"/LPT3/"; nocase; classtype: string-detect; sid: 2000505; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 57 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access LPT4"; flow: established; content:"/LPT4/"; nocase; classtype: string-detect; sid: 2000506; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 58 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access AUX"; flow: established; content:"/AUX/"; nocase; classtype: string-detect; sid: 2000507; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 59 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE ATTACK RESPONSE FTP inaccessible directory access NULL"; flow: established; content:"/NULL/"; nocase; classtype: string-detect; sid: 2000508; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 60 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 61 | #Submitted by Joel Esler
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 62 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Nick change on non-std port"; flow: to_server,established; dsize: <64; content:"NICK "; nocase; offset: 0; depth: 5; tag: session,300,seconds; classtype: trojan-activity; sid: 2000345; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 63 | alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Name response on non-std port"; flow: to_client,established; dsize: <128; content:"\:"; offset: 0; depth: 1; content:" 302 "; content:"=+"; content:"@"; tag: session,300,seconds; classtype: trojan-activity; sid: 2000346; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 64 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Private message on non-std port"; flow: to_server,established; dsize: <128; content:"PRIVMSG "; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: trojan-activity; sid: 2000347; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 65 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - Channel JOIN on non-std port"; flow: to_server,established; dsize: <64; content:"JOIN "; nocase; offset: 0; depth: 5; tag: session,300,seconds; pcre:"/&|#|\+|!/R"; classtype: trojan-activity; sid: 2000348; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 66 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - DCC file transfer request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC SEND"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000349; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 67 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - DCC chat request on non-std port"; flow: to_server,established; content:"PRIVMSG "; nocase; offset: 0; depth: 8; content:" \:.DCC CHAT chat"; nocase; tag: session,300,seconds; classtype: policy-violation; sid: 2000350; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 68 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - channel join on non-std port"; flow: to_server,established; content:"JOIN \: #"; nocase; offset: 0; depth: 8; tag: session,300,seconds; classtype: policy-violation; sid: 2000351; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 69 | alert tcp $HOME_NET any -> $EXTERNAL_NET !6661:6668 (msg: "BLEEDING-EDGE ATTACK RESPONSE IRC - dns request on non-std port"; flow: to_server,established; content:"USERHOST "; nocase; offset: 0; depth: 9; tag: session,300,seconds; classtype: policy-violation; sid: 2000352; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 70 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 71 | alert tcp $HOME_NET any -> any 6667 (msg: "BLEEDING-EDGE ATTACK RESPONSE Likely Botnet Activity"; flow: to_server,established; content:"PRIVMSG"; nocase; tag: session,50,packets; pcre:"/(cheguei gazelas|meh que tao|Status|Tempo|Total pacotes|Total bytes|M?dia de envio|portas? aberta)/i"; classtype: string-detect; sid: 2001620; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 72 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 73 | #By Chris Norton
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 74 | alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE ATTACK RESPONSE Outbound PHP Connection"; flow: established,to_server; content:"From\: anon@anon.com"; nocase; offset: 0; depth: 19; content:"User-Agent\: PHP"; nocase; classtype: web-application-activity; sid: 2001628; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 75 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 76 | #By Matt Jonkman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 77 | # Still doesn't work, but we hope to figure out a way in the future...
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 78 | #alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE ATTACK RESPONSE Successful user connection AFTER Brute Force Attack"; dsize: 52; flags: AP; flowbits: isset,ssh.brute.attempt; threshold: type both, track by_src, count 2, seconds 60; classtype: successful-user; sid: 2001717; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 79 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 80 | #By Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 81 | alert tcp $HOME_NET any -> 213.219.122.11/32 $HTTP_PORTS (msg: "BLEEDING-EDGE ATTACK RESPONSE Zone-H.org defacement notification"; flow: established,to_server; content:"notify_"; nocase; pcre:"/notify_(defacer|domain|hackmode|reason)=/i"; classtype: trojan-activity; sid: 2001616; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-attack_response.rules : 82 |
|