Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules Fri Dec 2 00:57:33 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 2 | # $Id: bleeding-dos.rules,v 1.591 2005/11/30 00:14:20 bhartstein Exp $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 3 | # Bleeding Snort dos rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 4 | # These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 10 | # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 12 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 14 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 15 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 16 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 18 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 19 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 21 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 22 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 23 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 24 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 25 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 26 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 27 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 28 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 29 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 30 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 31 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 32 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 33 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 34 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 35 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 36 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 37 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 38 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 39 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 40 | #from Nicholas Nachefski
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 41 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS HTTP GET with newline appended"; flowbits:noalert; flow: to_server,established; content:"GET / HTTP/1.0|0a|"; offset: 0; depth: 15; flowbits:set,http.get; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001635; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 42 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS squ1rt Apache DoS"; flow: to_server,established; flowbits:isset,http.get; dsize: 1448; content:"|20202020|"; depth: 4; content:"|20202020|"; offset: 1436; depth: 4; reference:cve,2004-0942; classtype: attempted-dos; sid: 2001636; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 43 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 44 | #Submitted by Cody Hatch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 45 | alert udp any any - > $HOME_NET 514 (msg: "BLEEDING-EDGE DOS Cisco 514 UDP flood DoS"; content:"|25 25 25 25 25 58 58 25 25 25 25 25|"; reference: url,www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml; classtype: attempted-dos; sid: 2000010; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 46 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 47 | #Submitted by Cody Hatch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 48 | alert tcp any any - > $HOME_NET 23 (msg: "BLEEDING-EDGE DOS Catalyst memory leak attack"; flow: to_server,established; content:"|41 41 41 0a|"; depth: 20; classtype: attempted-dos; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a00800b138e.shtml; sid: 2000011; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 49 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 50 | #submitted by Cody Hatch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 51 | alert tcp any any - > $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE DOS Cisco Router HTTP DoS"; flow: to_server,established; uricontent:"/%%"; reference: url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000006; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 52 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 53 | #Submitted by Joseph Gama, Tweaks by Owen Crowe
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 54 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE DOS Internet Explorer Memory Corruption Bug"; flow: from_server,established; content:" < style"; nocase; pcre:"/ < STYLE > @\;\/\*/i"; reference: url,www.securiteam.com/windowsntfocus/5XP051FDFM.html; classtype: misc-activity; sid: 2001205; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 55 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 56 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 57 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE DOS Excessive SMTP MAIL-FROM DDoS"; flow: to_server, established; content:"MAIL FROM|2a|"; nocase; window: 0; threshold: type limit, track by_src, count 300, seconds 60; classtype: denial-of-service; sid: 2001795; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 58 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 59 | #Submitted by Chris Norton
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 60 | alert tcp $EXTERNAL_NET any - > $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE DOS MS04-030 Attempted DoS"; flow: to_server; flowbits:isnotset,tagged; content:"xmlns\:z"; content:"xml\:"; nocase; tag: host,10,packets,src; flowbits:set,tagged; reference: url,isc.sans.org/diary.php?date=2004-10-20; classtype: attempted-dos; sid: 2001362; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 61 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 62 | #From Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 63 | # NOTE: If you can, put in a check on offset 20 through 23, as these
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 64 | # are the source IP of the packet that is supposedly generating
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 65 | # the traffic that caused the icmp unreach (EG: YOU.) example, if you
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 66 | # have 192.168.0.0/24, you could put:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 67 | # byte_test: 1,=,192,20; byte_test:1,=,168,21; byte_test:1,=,0,22;
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 68 | # or (even faster) content:"|C0A800|"; offset: 20; depth:23;
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 69 | # You get the idea. This may well be unnecessary overkill. YMMV.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 70 | alert icmp any any - > $HOME_NET any (msg: "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"; itype: 3; icode: > 1 < 5; byte_test:1,=,6,17;threshold: type threshold, track by_dst, count 30, seconds 300; reference: cve,can-2004-0790; reference: url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference: url,isc.sans.org/diary.php?date=2005-04-12; classtype: attempted-dos; sid: 2001846; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 70 | alert icmp any any - > $HOME_NET any (msg: "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"; itype: 3; icode: > 1 < 5; byte_test:1,=,6,17;threshold: type threshold, track by_dst, count 30, seconds 300; reference: cve,can-2004-0790; reference: url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference: url,isc.sans.org/diary.php?date=2005-04-12; classtype: attempted-dos; sid: 2001846; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 71 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 72 | # From Erik Fichtner:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 73 | # alert on pmtu frames with next-hop mtu not 0 (old RFC shortcut) and (added this so the sig wouldn't trigger missing reference:url, search errors)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 74 | # below a sane value, eg 576 bytes. Adjust to taste.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 75 | # true RFC791 min = 68, true end-to-end pmtu compatble min = 132.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 76 | # real world might even go as high as 1100 bytes min. YMMV.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 77 | alert icmp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2, < ,576,7;byte_test:2,!=,0,7;reference: cve,CAN-2004-1060; reference: url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference: url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 77 | alert icmp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2, < ,576,7;byte_test:2,!=,0,7;reference: cve,CAN-2004-1060; reference: url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference: url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 78 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 79 | #Submitted by Johnathan Norman
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 80 | alert tcp any any - > $HOME_NET 2702 (msg: "BLEEDING-EDGE DOS Microsoft SMS dos attempt"; flow: to_server,established; content:"RCH0"; nocase; pcre:"/RCH0####RCHE.{130,}/smi"; reference: url,www.securityfocus.com/archive/1/368911/2004-07-12/2004-07-18/0; classtype: attempted-dos; sid: 2000496; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 81 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 82 | #Submitted by Chris Norton
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 83 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE DOS Possible Microsoft SQL Server Remote Denial Of Service Attempt"; flowbits:isnotset,tagged; flow: established,to_server; content:"|10 00 00 10 cc|"; offset: 0; depth: 5; tag: host,3,packets,src; flowbits:set,tagged; reference: bugtraq,11265; classtype: attempted-dos; sid: 2001366; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 84 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 85 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 86 | alert tcp any any - > $HOME_NET 443 (msg: "BLEEDING-EDGE DOS SSL Bomb DoS Attempt"; flow: to_server,established; content:"|16 03 00|"; offset: 0; depth: 3; content:"|01|"; within: 1; distance: 2; byte_jump:1,37,relative,align;byte_test:2, > ,255,0,relative;reference: cve,CAN-2004-0120; reference: url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype: attempted-dos; sid: 2000016; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-dos.rules : 87 |
|