| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules Fri Dec 2 00:40:36 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 2 | # $Id: bleeding-exploit.rules,v 1.623 2005/11/30 00:14:20 bhartstein Exp $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 3 | # Bleeding Snort exploit rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 4 | # These rules are not yet stable, mature, or broadly applicable enough to be part of the snort.org official sets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 10 | # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 12 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 14 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 15 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 16 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 18 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 19 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 21 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 22 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 23 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 24 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 25 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 26 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 27 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 28 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 29 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 30 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 31 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 32 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 33 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 34 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 35 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 36 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 37 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 38 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 39 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 40 | #Submitted by Joseph Gama
|
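|  | # NOTE(review): flow:established carries no direction and both port fields are any, so this inspects every established TCP flow in both directions; "URI/URI(mailto:" looks like PDF action syntax, so expect hits inside any PDF in transit (HTTP, SMTP, file shares), not only browser traffic. The regex also contains unescaped double quotes — confirm they are \" in the shipped file, the rendering here may have dropped backslashes.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 41 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Buffer Overflow Exploit in Adobe Acrobat Reader"; flow: established; content:"URI/URI"; nocase; pcre:"/URI/URI\(mailto\:[^"]*"[^"]*"x[\d]{3}/i"; reference: url,www.securiteam.com/securitynews/5WP080AAKK.html; classtype: shellcode-detect; sid: 2001049; rev:5; )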
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 42 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 43 | #Submitted by Matt Jonkman
|
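|  | # NOTE(review): this watches the victim's own outbound request ($HOME_NET -> $HTTP_PORTS, flow:to_server), i.e. it fires once a client has already followed a ".pdf%00" link; it does not see the page or mail that delivered the link, so treat a hit as a compromise indicator for the source host rather than a blocked attack.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 44 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Adobe Acrobat Reader Malicious URL Null Byte"; flow: to_server,established; uricontent:".pdf|00|"; nocase; reference: url,idefense.com/application/poi/display?id=126&type=vulnerabilities; reference: url,www.securiteam.com/windowsntfocus/5BP0D20DPW.html; reference: cve,2004-0629; classtype: attempted-admin; sid: 2001217; rev:6; )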
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 45 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 46 | #From Bdoctor
|
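|  | # NOTE(review): both hex contents are plain ASCII — "FO: You have suc" and "e client informa" — fragments of the text the Arkeia agent sends back (presumably its success banner) on a from_server flow, so this alerts only after the unauthenticated request has already been accepted. The source port is any rather than the agent's port, so the match runs on every established server->client flow.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 47 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Arkeia full remote access without password or authentication"; flow: from_server,established; content:"|464F3A20596F75206861766520737563|"; content:"|6520636C69656E7420696E666F726D61|"; reference: url,metasploit.com/research/arkeia_agent; classtype: attempted-admin; sid: 2001742; rev:3; )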
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 48 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 49 | # Submitted to Snort-Sigs by Chas Tomlin, with additions by David Maciejak
|
|  | # NOTE(review): the U modifier evaluates the pcre against http_inspect's normalised URI, so a pipe sent as %7C should be matched after decoding — that is what makes the \|.+\| alternative useful; confirm against your http_inspect server profile, since uricontent and the U flag both depend on that preprocessor being enabled for $HTTP_SERVERS:$HTTP_PORTS. The trailing .* adds nothing to the match and can be dropped.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 50 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Awstats Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/awstats.pl?"; nocase; pcre:"/(configdir|update|pluginmode)=.*(\|.+\||system).*/Ui"; reference: url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference: url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference: url,awstats.sourceforge.net; reference: url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference: bugtraq,12298; reference: cve,CAN-2005-0116; classtype: web-application-attack; sid: 2001686; rev:10; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 51 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 52 | #Matt Jonkman and Frank Knobbe
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 53 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in"; flow: to_server,established; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; classtype: trojan-activity; reference:url,www.vitalsecurity.org/2005/01/malware-spam.html; reference:url,www.blahot.com; sid: 2001667; rev:7; )
|
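|  | # NOTE(review): 2001671 is 2001667 plus a Host-header content match, so every request that fires here also fires 2001667; if both are enabled, suppress or threshold one of them, otherwise each check-in double-alerts.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 54 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Blahot Worm Infection Reporting in (to blahot.com)"; flow: to_server,established; uricontent:"/scr2/command.php?IP="; nocase; uricontent:"Port1="; nocase; content:"Host\: www.blahot.com"; nocase; classtype: trojan-activity; reference:url,www.vitalsecurity.org/2005/01/malware-spam.html; reference:url,www.blahot.com; sid: 2001671; rev:7; )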
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 55 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 56 | #Submitted by Cody Hatch
|
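|  | # NOTE(review): the source is any/any rather than $EXTERNAL_NET, so an administrator pulling the configuration through the IOS web UI from the management network raises the same attempted-admin alert as an outside attacker; keep it that way only if internal use of /exec/show/config is itself something you want to see, otherwise restrict the source or suppress the management subnet.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 57 | alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Catalyst 3500 arbitrary command"; flow: to_server,established; uricontent:"/exec/show/config"; nocase; reference: url,www.securityfocus.com/archive/1/141471; classtype: attempted-admin; sid: 2000008; rev:6; )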
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 58 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 59 | #Submitted by Cody Hatch
|
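|  | # NOTE(review): the hex is just the ASCII string "a%a%a%a%a%a%a%" sent to the SSH port in place of a version exchange; it matches the published trigger byte-for-byte, so other non-SSH input that reproduces the same crash condition will not be caught — treat this as an exploit-string signature rather than a protocol check.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 60 | alert tcp any any -> $HOME_NET 22 (msg: "BLEEDING-EDGE EXPLOIT Catalyst SSH protocol mismatch"; flow: to_server,established; content:"|61 25 61 25 61 25 61 25 61 25 61 25 61 25|"; reference: url,www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml; classtype: attempted-dos; sid: 2000007; rev:3; )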
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 61 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 62 | #Submitted by Cody Hatch
|
|  | # NOTE(review): same "?/" query-string DoS shape as sid 2000009 below, but this uricontent is case-sensitive (no nocase) and the rule carries no reference; the pair should be kept in step so one does not silently cover less than the other.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 63 | alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP server DoS"; flow: to_server,established; uricontent:"/TEST?/"; classtype: attempted-dos; sid: 2000013; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 64 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 65 | #Submitted by Cody Hatch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 66 | alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco IOS HTTP DoS"; flow: to_server,established; uricontent:"/error?/"; nocase; reference: url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype: attempted-dos; sid: 2000009; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 67 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 68 | #Submitted by Cody Hatch
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 69 | alert tcp any any -> $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Cisco Telnet Buffer Overflow"; flow: to_server,established; content:"|3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 3f 61 7e 20 25 25 25 25 25 58 58|"; threshold: type limit, track by_src, count 1, seconds 120; reference: url,www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml; classtype: attempted-dos; sid: 2000005; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 70 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 71 | #Submitted by Cody Hatch
|
|  | # NOTE(review): uricontent is evaluated against http_inspect's normalised URI; if the server profile has u_encode enabled, %u002F is already decoded to "/" in that buffer and this rule can never see the literal — confirm the preprocessor settings, and fall back to a raw content match if they decode %u. The classtype is attempted-dos although what is described is an IDS-evasion encoding, not a denial of service.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 72 | alert tcp any any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Cisco %u IDS evasion"; flow: to_server,established; uricontent:"%u002F"; classtype: attempted-dos; sid: 2000012; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 73 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 74 | #
|
|  | # NOTE(review): the three contents are ASCII "Entry CCCCCCCCC/CC", "Entry aaaaaaaaaaaa" and "Argument bbbbbbbbb" anchored at offset 0 — they fingerprint one exploit's per-target padding, not the underlying CVS bug, so a re-padded exploit will not match. dsize:>512 is a per-packet test, so a client that sends the Entry line in a short first segment would also slip by — verify against the stream4 reassembly settings. None of the three carries a reference.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 75 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000048; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 76 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target BSD)"; flow: to_server,established; dsize: >512; content:"|45 6e 74 72 79 20 61 61 61 61 61 61 61 61 61 61 61 61|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000031; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 77 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg: "BLEEDING-EDGE EXPLOIT CVS server heap overflow attempt (target Solaris)"; flow: to_server,established; dsize: >512; content:"|41 72 67 75 6d 65 6e 74 20 62 62 62 62 62 62 62 62 62|"; offset: 0; depth: 18; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; sid: 2000049; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 78 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 79 | #by David Maciejak
|
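|  | # NOTE(review): the rule as published had no content/uricontent ahead of the pcre, so every request to $HTTP_SERVERS was handed to the regex engine; the uricontent below is a cheap pre-filter with the same meaning as the regex prefix (rev bumped). The cve reference "CVE-2004-14562" does not look like a valid 2004-era identifier (five-digit sequence) — confirm the id against the bugtraq 10878 advisory before relying on it.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 80 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; uricontent:"filediff?f="; nocase; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,CVE-2004-14562; classtype:web-application-attack; sid:2002697; rev:2;)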
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 81 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 82 | #By Mark Tombaugh
|
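|  | # NOTE(review): the rule as published had no flow keyword, so it matched any packet to port 25 regardless of stream state or direction; flow:to_server,established restricts it to reassembled client->server SMTP data like every other rule in this file (rev bumped). The hex contents are ASCII "@`nc" and "-p", 52+ bytes after Expires: — this fingerprints the published exploit's payload (presumably an nc listener), not the overflow itself, so a re-packed payload will not match.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 83 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Incoming Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:to_server,established; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002315; rev:3;)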
|
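|  | # NOTE(review): the rule as published had no flow keyword, so it matched any packet to an external port 25 regardless of stream state or direction; flow:to_server,established restricts it to reassembled client->server SMTP data like every other rule in this file (rev bumped). The hex contents "@`nc" / "-p" fingerprint the published exploit's payload rather than the overflow, so a re-packed payload will not match.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 84 | alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE EXPLOIT Outgoing Electronic Mail for UNIX Expires Header Buffer Overflow Exploit"; flow:to_server,established; content:"Expires\:"; content:"|40 60 6e 63|"; distance:52; within:300; content:"|2d 70|"; distance:2; within:20; reference:url,www.frsirt.com/exploits/20050822.elmexploit.c.php; reference:url,www.instinct.org/elm/; classtype:misc-attack; sid:2002316; rev:4;)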
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 85 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 86 | # Submitted by Evgeny Pinchuk, optimized by Joel Esler
|
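|  | # NOTE(review): content:"CSeq" and the pcre are both case-sensitive, but SIP header names are case-insensitive on the wire (RFC 3261), so a message spelling the header "cseq:" is never inspected by these four rules; whether the Ethereal dissector bug is reachable through that spelling is not shown here, so add nocase and the i flag only after checking. classtype misc-activity also understates a dissector overflow — attempted-dos or attempted-user would let the alert be prioritised.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 87 | alert tcp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-TCP)"; flow: to_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001915; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 88 | alert tcp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-TCP)"; flow: from_server,established; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001916; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 89 | alert udp any any -> any 5060 (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Request-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001917; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 90 | alert udp any 5060 -> any any (msg: "BLEEDING-EDGE EXPLOIT Ethereal SIP Dissector Overflow (Response-UDP)"; content:"CSeq"; pcre:"/CSeq\: [^a-zA-Z]*[^\x0a]{16,}/s"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5AP0F1FFPG.html; sid: 2001918; rev:4; )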
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 91 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 92 | #This set is a consolidation of all IE exploits. Too many to keep separate...
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 93 | #Submitted by Joseph Gama
|
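|  | # NOTE(review): the two tag matches were case-sensitive; HTML tag names are not, so <SCRIPT> bypassed the rule — nocase added on both (rev bumped), in line with the <IFRAME match in 2001095. The eight COM method names in between are still matched literally; IDispatch name lookup is case-insensitive, so a script can re-case them — verify before relying on this rule alone.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 94 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE Local zone Shell execution of arbitrary code"; flow: from_server,established; content:"<script"; nocase; content:"ActiveXObject"; content:"NameSpace"; content:"ParseName"; content:"GetLink"; content:"Path"; content:"Arguments"; content:"Save"; content:"Open"; content:"</script"; nocase; reference: url,www.securityfocus.com/archive/1/348688/2003-12-31/2004-01-06/0; classtype: misc-activity; sid: 2001093; rev:5; )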
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 95 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer URL parsing vulnerability"; flow: from_server,established; content:"location.href"; nocase; pcre:"/location\.href[\s]*=[\s]*unescape[\s]*\([\s]*['"]%01@['"]/iU"; reference: url,www.securityfocus.com/archive/1/346948; classtype: misc-activity; sid: 2001094; rev:5; )
|
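|  | # NOTE(review): both contents were case-sensitive; <OBJECT> and a lower-cased CLSID are accepted by IE, so either spelling evaded the rule — nocase added to both (rev bumped), matching how 2001181 treats its CLSID.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 96 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Object Data Remote Execution Vulnerability"; flow: from_server,established; content:"<object"; nocase; content:"F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"; nocase; reference: url,www.securityfocus.com/bid/8456/solution/; classtype: misc-activity; sid: 2001097; rev:5; )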
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 97 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Attempt to execute VBScript code"; flow: from_server,established; content:"vbscript"; nocase; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*vbscript[\:]/i"; classtype: misc-attack; sid: 2001099; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 98 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute Javascript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*j[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*a[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"javascript\:"; nocase; classtype: misc-attack; sid: 2001101; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 99 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to execute VBScript code"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*v[\x09\x0a\x0b\x0c\x0d]*b[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*c[\x09\x0a\x0b\x0c\x0d]*r[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*p[\x09\x0a\x0b\x0c\x0d]*t[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"vbscript\:"; nocase; classtype: misc-attack; sid: 2001102; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 100 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Stealth attempt to access SHELL\:"; flow: from_server,established; pcre:"/(((URL|SRC|HREF|LOWSRC)[\s]*=)|(url[\s]*[\(]))[\s]*['"]*[\x09\x0a\x0b\x0c\x0d]*s[\x09\x0a\x0b\x0c\x0d]*h[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*[\:]/i"; content:"="; content:!"shell\:"; nocase; classtype: misc-attack; sid: 2001103; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 101 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval"; flow: from_server,established; content:"string.fromcharcode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*[\d]+[\s]*,){20}/i"; reference: url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001105; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 102 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Javascript execution with expression eval hex"; flow: from_server,established; content:"String.FromCharCode"; nocase; pcre:"/expression[\s]*\([\s]*eval[\s]*\([\s]*String\.fromCharCode[\s]*\(([\s]*0x[\da-fA-F]+[\s]*,){20}/i"; reference: url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001106; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 103 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE process injection iexplore.exe executable download"; flow: from_server,established; content:"|00|iexplore.exe|00|"; content:"|00|GetProcAddress|00|"; content:"|00|LoadLibraryA|00|"; classtype: misc-activity; sid: 2001048; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 104 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Internet Explorer Plugin.ocx Heap Overflow"; flow: from_server,established; content:"06DD38D0-D187-11CF-A80D-00C04FD74AD8"; nocase; content:".load("; nocase; reference: url,www.hnc3k.com/ievulnerabil.htm; classtype: misc-attack; sid: 2001181; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 105 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IE trojan Ants3set 1.exe - process injection"; flow: from_server,established; content:"|00|KERNEL32.DLL|00|GDI32.dll|00|MSVCRT.dll|00|USER32.dll|00||00|LoadLibraryA|00||00|GetProcAddress|00||00|ExitProcess|00|"; classtype: misc-attack; sid: 2001182; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 106 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 107 | #Submitted by Matt Jonkman
|
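|  | # NOTE(review): in the published regexes the | sat at top level, so the second alternative (578 / 2086 consecutive non-word characters anywhere in the response) matched with no attribute context at all — any long run of punctuation or whitespace raised the alert. Both alternatives are now grouped behind the attribute prefix (rev bumped); "/W{578}" was read as a mangled \W{578}, and the unescaped quotes inside ["'] should be \" in the shipped file — confirm both against the original rules file, the rendering here may have dropped backslashes.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 108 | alert tcp any $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; flow: from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://(?:\w{578}|\W{578})/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["'](?:\w{2086}|\W{2086})/im"; classtype: misc-attack; sid: 2001401; rev:14; )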
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 109 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 110 | #Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 111 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT IFRAME ExecCommand vulnerability"; flow: from_server,established; content:"<IFRAME"; nocase; pcre:"/SRC[\s]*=[\s]*["']*[\x09\x0a\x0b\x0c\x0d]*f[\x09\x0a\x0b\x0c\x0d]*i[\x09\x0a\x0b\x0c\x0d]*l[\x09\x0a\x0b\x0c\x0d]*e[\x09\x0a\x0b\x0c\x0d]*\:/Ri"; reference: url,www.securiteam.com/exploits/3D5Q4RFPPK.html; classtype: misc-activity; sid: 2001095; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 112 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 113 | #Submitted by Chris Keladis
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 114 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MSIE Hidden Address Bar (Phish)"; flow: to_client,established; content:"window.createpopup"; nocase; content:"innerhtml"; nocase; content:"vuln_"; nocase; reference: url,www.guninski.com/popspoof.html; reference: url,securityresponse.symantec.com/avcenter/venc/data/js.trojan.blinder.html; classtype: trojan-activity; sid: 2001813; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 115 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 116 | #Submitted by Joseph Gama
|
|  | # NOTE(review): a packet with MF clear and a non-zero fragment offset is simply the last fragment of a legitimately fragmented datagram, so 2001022 fires on every fragmented TCP exchange, not only on malformed ones — treat it as a "fragmentation seen" indicator, not as evidence of an invalid packet. 2001023/2001024 test TCP flags on MF fragments; the TCP header only exists in the first fragment, so in effect they catch a first fragment that lacks ACK or carries FIN/SYN/RST, the classic tiny-fragment evasion shape. None of the three carries a reference or a threshold — check alert volume before enabling them on a busy link.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 117 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; sid: 2001022; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 118 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: bad-unknown; sid: 2001023; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 119 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: bad-unknown; sid: 2001024; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 120 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 121 | #by David Maciejak
|
|  | # NOTE(review): unlike the awstats rule (sid 2001686) this pcre carries no U flag, so it runs over the raw payload and a pipe sent as %7C — the usual browser encoding — is never seen; adding U would evaluate it against http_inspect's decoded URI. Confirm the exploit passes "mail" in the query string rather than a POST body before narrowing to the URI buffer.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 122 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT JamMail Jammail.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/jammail.pl?"; nocase; pcre:"/(mail=\|.+\|)/"; reference: bugtraq,13937; classtype: web-application-attack; sid: 2001990; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 123 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 124 | # Submitted by Joel Ebrahimi
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 125 | alert tcp $EXTERNAL_NET ANY -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT Kali Tagboard Command Execution Attempt"; flow: to_server,established; uricontent:"/banned.php"; uricontent:"cmd="; classtype: web-application-attack; sid: 2001883; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 126 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 127 | #Submitted by Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 128 | alert tcp any any - > any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible NULL-pointer crash in png_handle_iCCP"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4, > =,0x80000000,0,relative,big,string,hex;reference: url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001190; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 129 | alert tcp any any - > any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Width exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4, > =,0x80000000,8,relative,big,string,hex;reference: url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001191; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 130 | alert tcp any any -> any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Height exceeds limit"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; byte_test:4,>=,0x80000000,12,relative,big,string,hex;reference: url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001192; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 131 | alert tcp any any - > any any (msg: "BLEEDING-EDGE EXPLOIT libPNG - Possible integer overflow in allocation in png_handle_sPLT"; flow: established; content:"|89 50 4E 47 0D 0A 1A 0A|"; offset: 0; depth: 8; content:"sPLT"; isdataat: 80,relative; content:!"|00|"; distance: 0; reference: url,www.securiteam.com/unixfocus/5ZP0C0KDPG.html; classtype: misc-activity; sid: 2001195; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 132 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 133 | #Submitted by Joe Stewart
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 134 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng tRNS overflow attempt"; flow: established,to_client; content:"|89|PNG|0D 0A 1A 0A|"; content:!"PLTE"; content:"tRNS"; byte_test:4,>,256,-8,relative,big;reference: cve,CAN-2004-0597; classtype: attempted-admin; sid: 2001058; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 135 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 136 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 137 | alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (Win2k)"; flow: to_server,established; content:"|00 00 00 00 9A A8 40 00 01 00 00 00 00 00 00 00|"; content:"|01 0000 00 00 00 00 00 9A A8 40 00 01 00 00 00|"; classtype: misc-activity; sid: 2000046; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 138 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 139 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 140 | alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04011 Lsasrv.dll RPC exploit (WinXP)"; flow: to_server,established; content:"|95 14 40 00 03 00 00 00 7C 70 40 00 01|"; content:"|78 85 13 00 AB5B A6 E9 31 31|"; classtype: misc-activity; sid: 2000033; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 141 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 142 | #By Mark Tombaugh
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 143 | alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Vulnerable Mercury 4.01a IMAP Banner"; flow: from_server,established; content:"IMAP4rev1 Mercury/32 v4.01a server ready"; flowbits:set,mercury.imap.401a; classtype:successful-recon-limited; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:bugtraq,11775; sid:2002389; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 144 | alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"BLEEDING-EDGE EXPLOIT Mercury v4.01a IMAP RENAME Buffer Overflow"; flow:established,to_server; flowbits:isset,mercury.imap.401a; content:"a001 RENAME"; pcre:"/[0-9A-Z]{240,}/smi"; reference:url,www.pmail.com/whatsnew/m32401.htm; reference:url,metasploit.com/projects/Framework/exploits.html#mercury_imap; classtype:misc-attack; reference:bugtraq,11775; sid:2002390; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 145 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 146 | #Joel Esler -- note: the rule below carries no flow keyword, so it is not limited to established client-to-server streams
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 147 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Meteor FTP Server Exploit"; content:"USER"; nocase; offset: 14; pcre:"/USER.{81,}/i"; classtype: misc-activity; reference:url,www.securiteam.com/exploits/5RP0Q2KFPC.html; sid: 2001954; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 148 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 149 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 150 | alert tcp any any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Microsoft MHTML URL Redirection Attempt"; flow: from_server,established; content:"mhtml|3A|file|3A|"; nocase; reference: cve,CAN-2004-0380; reference: url,www.microsoft.com/technet/security/bulletin/MS04-013.mspx; classtype: web-application-attack; sid: 2000004; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 151 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 152 | # From Syke@mantissecurity.net
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 153 | alert tcp $EXTERNAL_NET 6667 -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT mIRC <=6.12 DCC Buffer Overflow"; flow: to_client, established; content:"DCC SEND "; nocase; isdataat: 100, relative; reference: bugtraq,8880; classtype: attempted-dos; sid: 2000329; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 154 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 155 | #Submitted by Joseph Gama
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 156 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Firefox Certificate Spoofing"; flow: from_server,established; content:"http-equiv"; nocase; pcre:"/META[\s]+HTTP-EQUIV[\s]*=[\s]*['"]*REFRESH['"]*[\s]+CONTENT[\s]*=[\s]*['"]*[\d]+[\s]*\;[\s]*URL[\s]*=[\s]*http[\s\S]+onunload[\s]*=[\s]*['"]+[\s\S]+document\.write[\s\S]+window\.location\.reload/i"; reference: url,www.securiteam.com/securitynews/5EP0L1PDFG.html; classtype: misc-activity; sid: 2001206; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 157 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla Cookie theft"; flow: from_server,established; content:"http|3a|//"; nocase; pcre:"/http\://[\w]+(\.[\w]+){1,2}%00(([\d]+\.*){4}|[\d]+|[\w]+(\.[\w]+){1,2})/i"; reference: url,www.securiteam.com/securitynews/5GP0T0U60M.html; classtype: misc-activity; sid: 2001207; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 158 | #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Reading Local Files in Netscape 6 and Mozilla"; flow: from_server,established; content:"XMLHttpRequest"; nocase; pcre:"/([\w]+)[\s]*=[\s]*new[\s]+XMLHttpRequest[\s\S]+\1\.open[\s]*\([\s]*['"]GET['"][\s]*,/i"; reference: url,www.securiteam.com/securitynews/5JP000A76K.html; classtype: misc-activity; sid: 2001208; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 159 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Mozilla FTP View Cross-Site Scripting Vulnerability"; flow: from_server,established; content:"ftp\://"; nocase; content:"<TITLE"; content:"<SCRIPT"; content:"</TITLE"; reference: url,www.securiteam.com/windowsntfocus/5MP0I0080A.html; classtype: misc-activity; sid: 2001209; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 160 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 161 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 162 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2005-0399 Gif Vuln via http"; flow: from_server,established; content:"GIF89a"; content:"|21 ff 0b|NETSCAPE2.0"; byte_test:1,!=,3,0,relative;classtype: attempted-admin; sid: 2001807; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 163 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 164 | #By Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 165 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (img)"; flow:established,from_server; content:"<img "; nocase; pcre:"/<img[^\>]+src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002127; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 166 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Firefox Set Wallpaper Code Execution Attempt (input)"; flow:established,from_server; content:"<input "; nocase; pcre:"/<input[^\>]+src[^>=]*=(?>\s*)['"]?javascript\:(\s)?./i"; reference:url,secunia.com/advisories/16043/; reference:url,www.mozilla.org/security/announce/mfsa2005-47.html; classtype:misc-attack; sid:2002128; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 167 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 168 | #By Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 169 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE Firefox Domain Name Buffer Overflow"; flow:established,from_server; content:"http"; pcre:"/(\xad|%ad|&shy\;?){16,}/Ri"; reference:cve,2005-2871; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=307259; reference:url,www.milw0rm.com/id.php?id=1224; classtype:web-application-attack; sid:2002380; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 170 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 171 | #Joe Stewart
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 172 | alert tcp any any -> any 445 (msg: "BLEEDING-EDGE EXPLOIT MS04-007 Kill-Bill ASN1 exploit attempt"; flow: established,to_server; content:"CCCC|20f0fd7f|SVWf"; reference: url,www.phreedom.org/solar/exploits/msasn1-bitstring/; reference: url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; reference: cve,CAN-2003-0818; classtype: attempted-admin; sid: 2001944; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 173 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 174 | #Submitted by Chris Norton and Woofz
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 175 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Exploit"; flow: established; content:"|45 4D 46|"; content:"|EB 12 90 90 90 90 90 90|"; content:"|9e 5c 05 78|"; nocase; reference: url,www.k-otik.com/exploits/20041020.HOD-ms04032-emf-expl2.c.php; classtype: shellcode-detect; sid: 2001369; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 176 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible MS04-032 Windows Metafile (.emf) Heap Overflow Portbind Attempt"; flow: established; content:"|45 4D 46|"; content:"|23 6A 75 4E|"; reference: url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001363; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 177 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Windows Metafile (.emf) Heap Overflow Connectback Attempt"; flow: established; content:"|45 4D 46|"; content:"|5E 79 72 63|"; content:"|48 4F 44 21|"; reference: url,www.microsoft.com/technet/security/bulletin/ms04-032.mspx; classtype: shellcode-detect; sid: 2001364; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 178 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 179 | #From Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 180 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS04-032 Bad EMF file"; flow: from_server,established; content:"|01 00 00 00|"; depth: 4; content:"|20 45 4d 46|"; offset: 40; depth: 44; byte_test:4,>,256,60,little;classtype: misc-activity; reference:url,www.sygate.com/alerts/SSR20041013-0001.htm; sid: 2001374; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 181 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 182 | #By Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 183 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Exploit MS05-002 Malformed .ANI stack overflow attack"; flow: to_client,established; content:"RIFF"; content:"ACON"; distance: 8; content:"anih"; distance: 160; byte_test:4,>,36,0,relative,little;classtype: misc-attack; sid: 2001668; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 184 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 185 | #By Shirkdog
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 186 | alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT MS05-005 Office XP Remote Code Attempt"; flow: established,to_server; pcre:"/(\x2ertf|\x2edoc)\x250a.{500,}?/mi"; classtype: attempted-admin; sid: 2001727; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 187 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 188 | #by Chris Ries of Vigilant Minds
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 189 | alert TCP any 445 -> any any (msg:"BLEEDING-EDGE EXPLOIT ms05-011 exploit"; flow:from_server,established; content:"|00|"; depth:1; content:"|FF|SMB|32|"; depth:9; offset:4; content: "|ff ff ff ff 00 00 00 00 ff|"; offset: 132; depth: 141; classtype:attempted-admin; reference:bugtraq,12484; reference:url,www.frsirt.com/exploits/20050623.mssmb_poc.c.php; sid:2002064; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 190 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 191 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 192 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT MS05-014 HTML OBJECT tag local zone exploit"; flow: to_client,established; content:"|3C|OBJECT "; nocase; pcre:"/codebase[ \t]*=[ \t]*[\x22\x27].*\?\.exe/isR"; classtype: misc-attack; reference:url,www.microsoft.com/technet/security/bulletin/ms05-014.mspx; sid: 2001725; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 193 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 194 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 195 | alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (1)"; flow: to_server,established; content:"X-LINK2STATE"; nocase; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001848; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 196 | alert tcp $EXTERNAL_NET any -> $HOME_NET 691 (msg: "BLEEDING-EDGE EXPLOIT MS05-021 Exchange Link State - Possible Attack (2)"; flow: to_server,established; content:"X-LSA-2"; nocase; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001849; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 197 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 198 | alert tcp any any -> $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT MS Exchange Link State Routing Chunk (maybe MS05-021)"; flow: to_server, established; content:"X-LINK2STATE"; nocase; content:"CHUNK="; nocase; threshold: type limit, track by_src, count 1, seconds 60; flowbits:set,msxlsa; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001873; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 199 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 200 | # Since the link-state chunks are variable length, the rule above cannot tell whether
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 201 | # enough data was sent to crash the server, so the three rules below use the msxlsa flowbit
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 202 | # to read Exchange's reaction instead: a TCP RST (probably crashed), "200 DONE" (chunk accepted) or "500 DROP" (rejected, but still alive).
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 203 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 204 | alert tcp any 25 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001874; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 205 | pass tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange chunks accepted"; flowbits:isset,msxlsa; flow: from_server,established; content:"200 DONE"; nocase; flowbits:unset,msxlsa; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001875; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 206 | alert tcp $SMTP_SERVERS 25 -> any any (msg: "BLEEDING-EDGE EXPLOIT MS Exchange disliked link state chunk, but didn't die (MS05-021)"; flowbits:isset,msxlsa; flow: from_server,established; content:"500 DROP"; nocase; flowbits:unset,msxlsa; reference: cve,CAN-2005-0560; reference: url,isc.sans.org/diary.php?date=2005-04-12; reference: url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001876; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 207 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 208 | # Submitted by Erik Fichtner, July 18, 2005
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 209 | # MS05-036 has a pile of vectors into the system. These are just some of them.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 210 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 211 | # False negative warning: a JPEG ICC profile can be fragmented across multiple chunks.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 212 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Profile Size"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002120; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 213 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- JPEG with embedded ICC - Excessive Tag Count"; flow:established; content:"ICC_PROFILE|0001|"; byte_test:4,>,1024,127,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002121; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 214 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 215 | # False negative warning: a GIF ICC profile can be fragmented across multiple chunks.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 216 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Profile Size"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1048576,1,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002122; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 217 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- GIF with embedded ICC - Excessive Tag Count"; flow:established; content:"ICCRGBG1012"; byte_test:4,>,1024,129,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002123; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 218 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 219 | # iCCP profiles are all compressed with zlib deflate. That's annoying. A preprocessor would do this work better.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 220 | # This is disabled by default because it fires on any PNG that carries an iCCP chunk, benign or not. It is a good sig, but you must understand your traffic better than average to use it
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 221 | #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Potential MS05-036 exploit -- PNG with embedded ICC document"; flow:established; content:"|89|PNG|0D 0A 1A 0A|"; content:"iCCP"; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002124; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 222 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 223 | # The following are based on a working exploit
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 224 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit -- JPEG ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICC_PROFILE|00|"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002134; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 225 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT MS05-036 exploit -- GIF ICC r/b/g/XYZ GetColorProfileElement overflow"; flow:established; content:"ICCRGBG1012"; pcre:"/[rbg]XYZ/"; byte_test:4,!=,20,4,relative,big; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-036.mspx; reference:cve,CVE-2005-1219; classtype:misc-attack; sid:2002137; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 226 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 227 | #By Blake Harstein at Demarc
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 228 | #These rules are split into groups because Snort 2.3.3 cannot parse rule lines longer than 850 characters. If you are running Snort 2.4.0 or later you can safely combine them into a single rule
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 229 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT CLSID Pattern Matched"; flowbits:isnotset,CLSID_DETECTED; flow:established,from_server; content:"CLSID"; nocase; pcre:"/CLSID\s*\:(?=[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})/i"; flowbits:noalert; flowbits:set,CLSID_DETECTED; classtype:not-suspicious; sid:2002174; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 230 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 231 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/03D9F3F2-B0E3-11D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1-CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD43-00A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0-BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE-11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270-D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19A-DE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419E-A3D6-5D28C0B0B50C/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002171; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 232 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/01E04581-4EEE-11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A-48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E-409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D0-8D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C-11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D0-8BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE57-00AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CE-BE57-00AA0051FE20/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002172; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 233 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/EEED4C20-7F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C-00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1-8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF-7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-9342-0000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000-C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A-11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43-F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002173; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 234 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 235 | #This is for the new IE Exploit. It will be moved to its own file shortly. It stays here so that it is evaluated after the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 236 | # CLSID Pattern Matched rule (sid 2002174) above: it only fires once that rule has set the CLSID_DETECTED flowbit.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 237 | #By Blake Harstein of Demarc
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 238 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT Internet Explorer Vulnerable CLSID (Msdds.dll)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; content:"EC444CB6-3E7E-4865-B1C3-0DE72EF39B3F"; nocase; classtype:web-application-attack; reference:url,www.frsirt.com/exploits/20050817.IE-Msddsdll-0day.php; sid:2002308; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 239 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 240 | #By Blake Hartstein
|
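| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 241 | # MS05-052 CLSID groups: same structure and same caveats as the MS05-038 groups above (CLSID_DETECTED must already be set on the session; the CLSIDs are matched anywhere in the response, so legitimate embedding alerts too).
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 241 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/BC5F1E51-5110-11D1-AFF5-006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1-B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C60-11D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D4453-1F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F9-8615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2-A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD78-4366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002491; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 242 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/4FAAB301-CEF6-477C-9F58-F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1-B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E88-11D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602-D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD2-00805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000-C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D6-88A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002492; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 243 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT COM Object MS05-052 (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/6E227101-F799-11CF-9227-00AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1-AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E7-42A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A3-2BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-8773-92E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14-B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE-5C7F-11D2-8B74-00104B2AFB41/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002493; rev:2;)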
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 244 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 245 | # Added 2005/08/14 as found on SANS ISC web site, by AlertLogic
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 246 | #Replaced by sigs below
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 247 | #alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002186; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 247 | #alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS Microsoft Windows 2000 Plug and Play Vulnerability"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|67157a76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002186; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 248 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 249 | #alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002187; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 249 | #alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset:4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002187; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 250 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 251 | #alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002188; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 251 | #alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT NETBIOS SMB-DS Microsoft Windows 2000 PNP Vuln"; flow:to_server,established; content:"|FF|SMB%"; depth:5;offset: 4; nocase; content:"|2600|"; depth:2; offset:65; content:"|3600|"; offset:110; within:5; content:"|F6387A76|";reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; reference:url,isc.sans.org/diary.php?date=2005-08-14; classtype:attempted-admin; sid:2002188; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 252 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 253 | #All related to the Windows Plug and Play (PnP) service vulnerability, MS05-039 (CVE-2005-1983) -- not UPnP. The two "bind attempt" rules below only set the netbios.pnp.bind.attempt flowbit (flowbits:noalert); the "exploit attempt" rules require that bit, so the sensor must see both the bind and the request on the same TCP session.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 254 | #Thanks to the Alert Logic team
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 255 | alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP HOD bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:4; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002199; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 256 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 257 | alert tcp any any -> any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP bind attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|05|"; within:1; distance:2; content:"|0B|"; within:1; distance:1; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002200; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 258 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 259 | alert tcp any any - > any 445 (msg:"BLEEDING-EDGE EXPLOIT SMB-DS DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|FF|SMB%"; depth:5; offset:4; nocase; content:"&|00|"; within:2; distance:56; content:"|5C 00|P|00|I|00|P|00|E|00 5C 00|"; within:12; distance:5; nocase; content:"|36 00|"; within:2; distance:26; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002201; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 260 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 261 | alert tcp any any -> any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP bind attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 0B|"; within:10; distance:4; byte_test:1,&,16,1,relative; content:"|40 4E 9F 8D 3D A0 CE 11 8F 69 08 00 3E 30 05 1B|"; flowbits:set,netbios.pnp.bind.attempt; flowbits:noalert; classtype:protocol-command-decode; sid:2002202; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 262 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 263 | alert tcp any any - > any 139 (msg:"BLEEDING-EDGE EXPLOIT SMB DCERPC PnP QueryResConfList exploit attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; nocase; byte_test:2,^,1,5,relative; content:"&|00|"; within:2; distance:56; content:"|5C|PIPE|5C 00 05 00 00|"; within:10; distance:4; nocase; content:"|36 00|"; within:2; distance:19; pcre:"/(\x00\\\x00.*?){2}\x00{2}\xFF{2}.{128,}[\x04-\xFF][\x00-\xFF]{3}\x00{4}$/Rs"; flowbits:isset,netbios.pnp.bind.attempt; reference:cve,CAN-2005-1983; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-039.mspx; classtype:attempted-admin; sid:2002203; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 264 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 265 | #Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 266 | log tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with indexed color"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:1,=,3,10,relative; flowbits:set,icolor_png; classtype: misc-attack; sid: 2001720; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 267 | alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big PLTE"; flow: to_client,established; flowbits:isset,icolor_png; content:"PLTE"; byte_test:4,>,768,-8,relative; classtype: misc-attack; sid: 2001721; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 268 | alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-0597 PNG with too big hIST"; flow: to_client,established; flowbits:isset,icolor_png; content:"hIST"; byte_test:4,>,512,-8,relative; classtype: misc-attack; sid: 2001722; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 269 | #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT ATmaCA PoC for CORE-2004-0819 -- bad PNG"; flow: to_client,established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,256,17,relative;content:"tRNS"; distance: 4; classtype: misc-attack; sid: 2001723; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 270 | #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad width"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,0,relative;classtype: misc-attack; sid: 2001718; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 271 | #alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT CAN-2004-1244 PNG with bad height"; flow: to_client, established; content:"|8950 4e47 0d0a 1a0a 0000 000d 4948 4452|"; byte_test:4,>,10000,4,relative;classtype: misc-attack; sid: 2001719; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 272 | #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT libpng CAN-2004-1244 overflow attempt"; flow: to_client,established; content:"|89|PNG|0D 0A 1A 0A 00 00 00 0D|IHDR"; byte_test:1,=,3,10,relative;content:"tRNS"; byte_test:4,>,256,-8,relative;pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference: cve,2004-0597; reference: bugtraq,10872; classtype: attempted-admin; sid: 2001724; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 273 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 274 | #Submitted by Joseph Gama
|
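| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 275 | # NOTE(review): these rules key on UTF-16LE "'" / ";" followed by "--" anywhere in a TDS request. sid 2000373 (the "--" only rule) fires on every T-SQL line comment a legitimate client sends, so expect false positives; keep $SQL_SERVERS tight and consider thresholding.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 275 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000488; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 275 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection closing string plus line comment"; flow: to_server,established; content:"'|00|"; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000488; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 276 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000372; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 276 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection running SQL statements line comment"; flow: to_server,established; content:"\;|00|"; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000372; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 277 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000373; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 277 | alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL SQL Injection line comment"; flow: to_server,established; content:"-|00|-|00|"; reference: url,www.nextgenss.com/papers/more_advanced_sql_injection.pdf; reference: url,www.securitymap.net/sdm/docs/windows/mssql-checklist.html; classtype: attempted-user; sid: 2000373; rev:4; )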
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 278 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 279 | #Submitted by Joseph Gama
|
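| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 280 | # NOTE(review): SSRP (1434/udp) probes. The destination variable is inconsistent across this group ($HOME_NET in sids 2000377/2000379/2000380, $SQL_SERVERS in 2000378/2000381); $HOME_NET also shows scanning against non-SQL hosts, $SQL_SERVERS is quieter -- pick one deliberately per deployment.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 280 | alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL heap overflow attempt"; content:"|08 3A 31|"; depth: 3; reference: url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-admin; sid: 2000377; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 281 | alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08)"; dsize:>1; content:"|08|"; depth: 1; content:!"|3A|"; offset: 1; depth: 1; reference: url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000378; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 282 | alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS attempt (08) 1 byte"; dsize: 1; content:"|08|"; depth: 1; reference: url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000379; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 283 | alert udp any any -> $HOME_NET 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL Spike buffer overflow"; content:"|12 01 00 34|"; depth: 4; reference: bugtraq,5411; classtype: attempted-admin; sid: 2000380; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 284 | alert udp any any -> $SQL_SERVERS 1434 (msg: "BLEEDING-EDGE EXPLOIT MS-SQL DOS bouncing packets"; content:"|0A|"; depth: 1; reference: url,www.nextgenss.com/papers/tp-SQL2000.pdf; classtype: attempted-dos; sid: 2000381; rev:4; )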
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 285 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 286 | #By Joel Esler
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 287 | alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg: "BLEEDING-EDGE EXPLOIT MySQL MaxDB Buffer Overflow"; flow: to_server,established; content:"GET"; content:"|31 c9 83 e9 af d9 ee|"; pcre:"/(GET).\/%.{1586,}/i"; classtype: attempted-admin; sid: 2001988; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 288 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 289 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 290 | alert tcp $EXTERNAL_NET any - > $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NII Microsoft ASN.1 Library Buffer Overflow Exploit"; flow: to_server,established; content:"|A1 05 23 03 03 01 07|"; reference: url,www.microsoft.com/technet/security/bulletin/ms04-007.asp; classtype: bad-unknown; sid: 2000017; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 291 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 292 | #by Tom at doctorunix.com
|
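| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 293 | # NOTE(review): the PCRE (/U = URI buffer) accepts any "[...]" followed by ";" anywhere in a request whose URI contains /osticket/include, which is broad; it also hard-codes the default install path, so a relocated install is missed.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 293 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference: url,secunia.com/advisories/15216; reference: url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438;reference: cve,CAN-2005-1439; classtype: web-application-attack; sid:2002702; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 293 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT OSTicket Remote Code Execution Attempt"; flow: established,from_client; uricontent:"/osticket/include"; nocase; pcre:"/.*\[.*\].*\;/U"; reference: url,secunia.com/advisories/15216; reference: url,www.gulftech.org/?node=research&article_id=00071-05022005; reference:cve,CAN-2005-1438;reference: cve,CAN-2005-1439; classtype: web-application-attack; sid:2002702; rev:1;)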
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 294 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 295 | #Mark Tombaugh
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 296 | alert tcp $EXTERNAL_NET any - > $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; depth:4; nocase; uricontent:"xmlrpc.php"; content:"methodCall"; nocase; pcre:"/ > .*\'\s*\)\s*\)*\s*\;/"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; classtype: web-application-attack; sid:2002158; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 297 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 298 | #Submitted by Matt Jonkman, Updated by Abe and Matt Sheridan
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 299 | alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000565; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 300 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 45 00 62 00 69 00 7a 00 5c 00 68 00 61 00 73 00 68|"; classtype: suspicious-login; sid: 2000566; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 301 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 445"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000564; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 302 | alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e pwservice.exe Access port 139"; flow: to_server,established; content:"p|00|w|00|s|00|e|00|r|00|v|00|i|00|c|00|e|00|.|00|e|00|x|00|e"; classtype: misc-attack; sid: 2000567; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 303 | alert tcp $HOME_NET 445 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 445"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000563; rev:8; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 304 | alert tcp $HOME_NET 139 -> any any (msg: "BLEEDING-EDGE EXPLOIT Pwdump3e Password Hash Retrieval port 139"; flow: from_server,established; content:"\:|00|5|00|0|00|0\:"; classtype: misc-attack; sid: 2000568; rev:7; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 305 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 306 | #Submitted by Abe Use
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 307 | alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 139"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001053; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 308 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump.exe Service Started port 445"; flow: to_server,established; content:"|4e 00 74 00 44 00 75 00 6d 00 70 00 53 00 76 00 63 00 2e 00 65 00 78 00 65 00|"; classtype: misc-activity; sid: 2001544; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 309 | alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 139"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001052; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 310 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT NTDump Session Established Reg-Entry port 445"; flow: to_server,established; content:"|53 00 4f 00 46 00 54 00 57 00 41 00 52 00 45 00 5c 00 4e 00 74 00 44 00 75 00 6d 00 70 00|"; classtype: misc-activity; sid: 2001543; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 311 | alert tcp any any -> $HOME_NET 139 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 139"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001753; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 312 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT Pwdump4 Session Established GetHash port 445"; flow: to_server,established; content:"|50 57 44 75 6d 70 34 2e 64 6c 6c 00 47 65 74 48 61 73 68|"; classtype: suspicious-login; sid: 2001754; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 313 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 314 | #By Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 315 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg:"BLEEDING-EDGE RealPlayer/Helix Player Format String Exploit"; flow:established,from_server; content:" < imfl > "; pcre:"/ < [^ > %]*%/R"; content:" < /imfl > "; distance:0; reference:url,milw0rm.com/id.php?id=1232; reference:bugtraq,14945; reference:cve,2005-2710; classtype:web-application-attack; sid:2002381; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 316 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 317 | #
|
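| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 318 | # NOTE(review): matches 96 bytes of 0x31 ("1") at offset 78 of an SMB request to 445 -- the filler used by the published LSASS (MS04-011 / Sasser) PoC; any other filler byte will not match, and classtype misc-activity understates an attempted-admin exploit.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 318 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid: 2000032; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 318 | alert tcp any any -> $HOME_NET 445 (msg: "BLEEDING-EDGE EXPLOIT LSA exploit"; flow: to_server,established; content:"|313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131313131|"; offset: 78; depth: 192; classtype: misc-activity; reference:url,www.eeye.com/html/research/advisories/AD20040501.html; reference:url,www.upenn.edu/computing/virus/04/w32.sasser.worm.html; sid: 2000032; rev:6; )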
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 319 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 320 | #Submitted by Joseph Gama
|
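| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 321 | # Serv-U FTP rules. NOTE(review): sid 2001215 is written to $HOME_NET "any" port rather than 21 like its siblings, so the "chmod" + 250-char pattern is evaluated against every inbound TCP stream; restrict it to 21 (or $FTP_PORTS) unless there is a reason not to.
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 321 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Local Privilege Escalation Vulnerability"; flow: to_server,established; content:"site exec"; nocase; rawbytes;reference: url,www.securiteam.com/windowsntfocus/5YP0F1FDPO.html; classtype: misc-activity; sid: 2001210; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 322 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (1)"; flow: to_server,established; pcre:"/\\[\.]+%20/Bi"; reference: url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001211; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 323 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (2)"; flow: to_server,established; pcre:"/%20[\.]+\//Bi"; reference: url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc-activity; sid: 2001212; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 324 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U LIST -l Parameter Buffer Overflow"; flow: to_server,established; content:"LIST -l\:"; nocase; isdataat: 134,relative; reference: url,www.securiteam.com/windowsntfocus/5ZP0G2KCKA.html; classtype: misc-activity; sid: 2001213; rev:5; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 325 | alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U Server Long Filename Stack Overflow Vulnerability"; flow: to_server,established; content:"chmod"; nocase; pcre:"/chmod[\s]+([\d]{1,4})*[\s]*[\w\.\/]{250}/Bi"; reference: url,www.securiteam.com/windowsntfocus/5OP0N1PBPG.html; classtype: misc-activity; sid: 2001215; rev:6; )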
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 326 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 327 | #Submitted by Cooljay ref: http://www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=139
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 328 | alert tcp $EXTERNAL_NET any - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible ShixxNote buffer-overflow + remote shell attempt"; flow: established,to_server; content:"|68 61 63 6b 75|"; offset: 126; depth: 5; content:"|68 61 63 6b 90 61 61 61 61|"; offset: 519; depth: 9; reference: url,aluigi.altervista.org/adv/shixxbof-adv.txt; classtype: shellcode-detect; sid: 2001385; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 329 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 330 | #by Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 331 | alert tcp any any -> $HOME_NET 8000:8030 (msg:"BLEEDING-EDGE Nullsoft Shoutcast Server Format String Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/\/content\/.*?%#?\d*[a-z\.].*?\.mp3/Ri"; reference:cve,2004-1373; reference:bugtraq,12096; classtype:web-application-attack; sid:2001751; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 332 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 333 | #by Summit Siddharth
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 334 | alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"BLEEDING-EDGE EXPLOIT malformed Sack --Snort DoS-by-$um$id";seq:0; ack:0; window:65535; dsize:0; classtype:attempted-dos; sid:2002656; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 335 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 336 | #By Kyle Haugsness for the ISC on 2005-10-21
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 337 | #Disabling by default. This is now caught by the upgraded BO preproc 2.4.3+
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 338 | #alert udp any !31337 <> any !31337 (msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; dsize:>1024; content:"|ce 63 d1 d2 16 e7 13 cf|"; offset: 0; depth: 8; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?storyid=782; reference:url,isc.sans.org/diary.php?storyid=770; reference:url,xforce.iss.net/xforce/alerts/id/207; sid: 2002661; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 338 | #alert udp any !31337 <> any !31337 (msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; dsize:>1024; content:"|ce 63 d1 d2 16 e7 13 cf|"; offset: 0; depth: 8; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?storyid=782; reference:url,isc.sans.org/diary.php?storyid=770; reference:url,xforce.iss.net/xforce/alerts/id/207; sid: 2002661; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 338 | #alert udp any !31337 <> any !31337 (msg: "BLEEDING-EDGE EXPLOIT Snort Back Orifice pre-processor buffer overflow attempt"; dsize:>1024; content:"|ce 63 d1 d2 16 e7 13 cf|"; offset: 0; depth: 8; threshold: type limit, track by_dst, count 1, seconds 60; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?storyid=782; reference:url,isc.sans.org/diary.php?storyid=770; reference:url,xforce.iss.net/xforce/alerts/id/207; sid: 2002661; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 339 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 340 | #submitted by bdoctor
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 341 | alert tcp any any - > $HOME_NET 23 (msg: "BLEEDING-EDGE EXPLOIT Solaris TTYPROMPT environment variable set"; flow: established,to_server; content:"|00 54 54 59 50 52 4F 4D 50 54|"; reference: url,online.securityfocus.com/archive/1/293844; classtype: attempted-admin; sid: 2001780; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 342 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 343 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 344 | alert tcp any any - > $HOME_NET 3128 (msg: "BLEEDING-EDGE EXPLOIT Squid NTLM Auth Overflow Exploit"; flow: to_server; content:"|4141 414a 4351 6b4a 4351 6b4a 4351 6b4a|"; offset: 96; reference: url,www.idefense.com/application/poi/display?id=107; reference: cve,CAN-2004-0541; classtype: misc-attack; sid: 2000342; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 345 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 346 | #Submitted by Dale Handy
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 347 | alert tcp $EXTERNAL_NET $HTTP_PORTS - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (1)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001549; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 348 | alert tcp $EXTERNAL_NET any - > $SMTP_SERVERS 25 (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (2)"; flow: to_server; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001550; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 349 | alert tcp $EXTERNAL_NET 110 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (3)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001551; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 350 | alert tcp $EXTERNAL_NET 143 - > $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Possible Sun Java Plugin arbitrary package access exploit (4)"; flow: to_client; content:"|2e|getClass|28|"; content:"|2e|forName|28|"; offset: 0; depth: 30; reference: url,jouko.iki.fi/adv/javaplugin.html; reference: url,sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1; reference: url,www.idefense.com/application/poi/display?id=158&type=vulnerabilities&flashstatus=true; reference: url,archives.neohapsis.com/archives/bugtraq/2004-11/0299.html; reference: url,secunia.com/advisories/13271/; reference: url,www.kb.cert.org/vuls/id/760344; reference: cve,CAN-2004-1029; classtype: web-application-attack; sid: 2001552; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 351 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 352 | #By Blake Hartstein
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 353 | alert tcp $EXTERNAL_NET any - > $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; classtype:attempted-recon; sid:2002406; rev:1; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 353 | alert tcp $EXTERNAL_NET any - > $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE TAC Attack Directory Traversal"; flow:established,to_server; uricontent:"/ISALogin.dll?"; nocase; pcre:"/Template=.*\.\./UGi"; reference:cve,2005-3040; reference:url,secunia.com/advisories/16854; reference:url,cirt.dk/advisories/cirt-37-advisory.pdf; classtype:attempted-recon; sid:2002406; rev:1; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 354 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 355 | #By Paul Dokas, posted on http://isc.sans.org/diary.php?date=2005-06-27
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 356 | #alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002061; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 356 | #alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (inbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002061; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 357 | #alert tcp $HOME_NET any - > $EXTERNAL_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002062; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 357 | #alert tcp $HOME_NET any - > $EXTERNAL_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Possible BackupExec Metasploit Exploit (outbound)"; flow:established,to_server; content: "|00 00 03 00 00 02 00 58 58 58|"; offset: 24; depth: 20; classtype: attempted-admin; reference:url,isc.sans.org/diary.php?date=2005-06-27; reference:url,www.metasploit.org/projects/Framework/modules/exploits/backupexec_agent.pm; sid:2002062; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 358 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 359 | #By Chris Ries of Vigilant Minds. This is not specific to the exploit as previous versions
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 360 | alert TCP any any - > any 10000 (msg:"BLEEDING-EDGE EXPLOIT Veritas backupexec_agent exploit"; flow:to_server,established; content:"|00 00 00 00 00 00 09 01|"; offset:12; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; byte_jump: 4, 32; byte_test: 4, > ,3000,0,relative; reference:url,isc.sans.org/diary.php?date=2005-06-27; classtype:misc-attack; sid:2002065; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 361 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 362 | #By Mark Tombaugh: Alerts on responses of version checks.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 363 | alert tcp $HOME_NET 10000 - > any any (msg:"BLEEDING-EDGE NDMP Notify Connect - Possible Backup Exec Remote Agent Recon"; flow:established,from_server; content:"|00 00 05 02|"; offset:16; depth:20; content: "|00 00 00 03|"; offset: 28; depth: 32; classtype:attempted-recon; reference:url,www.ndmp.org/download/sdk_v4/draft-skardal-ndmp4-04.txt; sid:2002068; rev:4;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 364 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 365 | # Added 2005/08/11 by Frank Knobbe - Rough first draft after exploit release
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 366 | #alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas Backup Exec Windows Agent Remote File Access Exploit"; flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,isc.sans.org/diary.php?date=2005-08-11; classtype:string-detect; sid:2002176; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 366 | #alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas Backup Exec Windows Agent Remote File Access Exploit"; flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,isc.sans.org/diary.php?date=2005-08-11; classtype:string-detect; sid:2002176; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 366 | #alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE Veritas Backup Exec Windows Agent Remote File Access Exploit"; flow:to_server,established; content:"|b4 b8 0f 26 20 5c 42 34 03 fc ae ee 8f 91 3d 6f|"; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; reference:url,isc.sans.org/diary.php?date=2005-08-11; classtype:string-detect; sid:2002176; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 367 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 368 | # Added 2005/08/12 by Frank Knobbe - This version alerts if a system is vulnerable. flowbits:noalert is optional on the first rule if you don't want to detect (possibly unsuccessfull) attempts.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 369 | alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 369 | alert tcp $EXTERNAL_NET any - > $HOME_NET 10000 (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Attempt"; flow:to_server,established; flowbits:isnotset,SID2002181; content:"|0000 0000 0000 0901 0000 0000 0000 0000 0000 0002 0000 0004 726f 6f74 b4b8 0f26 205c 4234 03fc aeee 8f91 3d6f|"; offset:8; depth:52; flowbits:set,SID2002181; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:default-login-attempt; sid:2002181; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 370 | alert tcp $HOME_NET 10000 - > $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 370 | alert tcp $HOME_NET 10000 - > $EXTERNAL_NET any (msg:"BLEEDING-EDGE EXPLOIT Backup Exec Windows Agent Remote File Access - Vulnerable"; flow:from_server,established; flowbits:isset,SID2002181; content:"|0000 0001 0000 0901|"; offset:8; depth:16; content:"|0000 0000 0000 0000|"; distance:4; within:12; reference:url,www.frsirt.com/english/advisories/2005/1387; reference:url,www.frsirt.com/exploits/20050811.backupexec_dump.pm.php; classtype:misc-attack; sid:2002182; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 371 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 372 | #David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 373 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE EXPLOIT WebHints Scripts Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/hints.pl?|7c|"; nocase; classtype: web-application-attack; reference:bugtraq,13930; sid: 2001991; rev:6; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 374 | #Written by Erik Fichtner
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 375 | alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 1"; flowbits:noalert; flow: to_client,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within: 5; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001622; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 376 | alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 2"; flow: to_client,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001623; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 377 | alert tcp any $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack, phase 3"; flow: to_client, established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; flowbits: isset,winhlp32; classtype: web-application-attack; sid: 2001624; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 378 | alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 1"; flowbits:noalert; flow: to_server,established; content:"|3C|OBJECT"; nocase; content:"application/x-oleobject"; nocase; within: 64; content:"codebase="; nocase; content:"hhctrl.ocx"; nocase; within: 5; flowbits:set,winhlp32; classtype: web-application-activity; sid: 2001625; rev:4; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 379 | alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 2"; flow: to_server,established; flowbits:isset,winhlp32; content:"|3C|PARAM"; nocase; content:"value="; nocase; content:"command|3B|"; nocase; pcre:"/(javascript|http|ftp|vbscript)/iR"; classtype: web-application-attack; sid: 2001626; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 380 | alert tcp any any -> $HOME_NET 25 (msg: "BLEEDING-EDGE EXPLOIT winhlp32 ActiveX control attack via EMAIL, phase 3"; flow: to_server,established; flowbits:isset,winhlp32; content:".HHClick|2829|"; nocase; classtype: web-application-attack; sid: 2001627; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 381 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 382 | #By Sam Pabon
|
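| | # MSIE on XP SP2: server-to-client response referencing the local PCHealth help-center page
| | # (file://C:\WINDOWS\PCHealth\HelpCtr\System\blurbs\tools.htm), used as a local-zone pivot.
| | # Fix: the rule header read "- >", which is not a valid direction operator and would stop the
| | # file from loading; corrected to "->" and rev bumped 5 -> 6. Nothing else changed.
| | # NOTE(review): the pcre's backslash escaping looks mangled in this rendering ("\\/\/C", "\\\WINDOWS",
| | # "\x2E\htm") — compare with the shipped file. In later PCRE versions "\h" means horizontal
| | # whitespace, which would keep this pattern from ever matching "tools.htm".
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 383 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (1)"; flow: to_client,established; content:"pchealth"; nocase; pcre:"/^file\x3A\\/\/C\x3A\\\WINDOWS\\PCHealth\\HelpCtr\\System\\blurbs\\tools\x2E\htm/mi"; reference: url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001633; rev:6; )
|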
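| | # MSIE on XP SP2, second stage: response carrying "writehta.txt" together with a path into the
| | # All Users Startup folder ending in .hta, i.e. an attempt to drop a persistent HTA.
| | # Fix: the rule header read "- >", which is not a valid direction operator and would stop the
| | # file from loading; corrected to "->" and rev bumped 4 -> 5. Nothing else changed.
| | # NOTE(review): as with sid 2001633, the pcre escaping ("\\\Documents", "\\+?", "\x2E\hta") looks
| | # mangled in this rendering; verify against the shipped file before relying on the match.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 384 | alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Probable MSIE XPSP2 Remote Compromise (2)"; flow: to_client,established; content:"writehta.txt"; pcre:"/^C\x3A\\\Documents\s+and\s+Settings\\All\s+Users\\Start\s+Menu\\Programs\\Startup\\+?([A-Z]|[a-z]|[0-9])\x2E\hta/mi"; reference: url,freehost07.websamba.com/greyhats/sp2rc-analysis.htm; classtype: web-application-attack; sid: 2001634; rev:5; )
|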
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 385 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 386 | #by David Maciejak
|
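| | # wowBB view_user.php SQL injection (BID 13569): a request whose URI carries sort_by=' followed
| | # by an SQL keyword. Both uricontent checks are against the normalized URI, so %27 decodes to '.
| | # Fix: the pcre previously matched the whole request payload, so "select"/"delete"/"insert" in a
| | # body, cookie or referer could complete the rule. The U modifier confines it to the normalized
| | # URI, where the injection this rule describes actually lives; rev bumped 2 -> 3.
| | # NOTE(review): the keywords are bare substrings ("selected" matches); tune on live traffic.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 387 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Exploit wowBB view_user.php SQL Injection"; flow: to_server,established; uricontent:"/wowbb/view_user.php?"; nocase; uricontent:"&sort_by='"; nocase; pcre:"/(alter|delete|insert|select)/iU"; reference: bugtraq,13569; classtype: web-application-attack; sid: 2001932; rev:3; )
|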
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 388 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 389 | #by David Maciejak
|
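| | # wzdftpd (BID 14935): a client-to-server FTP command "SITE <arg>" whose argument contains a
| | # shell metacharacter (';', '|' or '&'), the shape of the reported command injection.
| | # Fix: the rule header read "- >", which is not a valid direction operator and would stop the
| | # file from loading; corrected to "->" and rev bumped 2 -> 3. Nothing else changed.
| | # NOTE(review): the pcre is unanchored, so "site" inside another command's argument (a USER or
| | # PASS value, say) followed later by one of those characters also matches. Anchoring with
| | # "^site" under /m would narrow it; confirm against real sessions before changing.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 390 | alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Wzdftpd SITE command arbitrary command execution attempt"; flow:to_server,established; pcre:"/site\s+.*?[\;|&]/i"; reference: bugtraq,14935; reference:url,www.securiteam.com/exploits/5CP0R1PGUE.html; classtype:web-application-attack; sid:2002382; rev:3; )
|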
| ./snortrules-BLEEDING-2.4/rules/bleeding-exploit.rules : 391 |
|