Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
./snortrules-BLEEDING-2.4/rules/bleeding-scan.rules (Fri Dec 2 00:57:56 2005)

```
#
# $Id: bleeding-scan.rules,v 1.593 2005/11/30 00:14:20 bhartstein Exp $
# Bleeding Snort scan rules.
# These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.
# Someday some may be, at which time they'll be removed from this list and be available via Snort.org
# This is for the bleeding edge junkies. Use at your own risk!!!
#
# SID's are 2000000+ to avoid conflicts
#
# Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
#
# More information available at www.bleedingsnort.com
#
# Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
#
#*************************************************************
#
# Copyright (c) 2005, Bleedingsnort.com
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
# following conditions are met:
#
# * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
# disclaimer.
# * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
# following disclaimer in the documentation and/or other materials provided with the distribution.
# * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
# from this software without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
# INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
# DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
#
# Submitted by Frank Knobbe
# Note: These are more effective as pass rules to avoid getting hits on other rules that don't really apply. This is benign load balancer probe traffic.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 1"; id: 1; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; sid: 2001609; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 2"; id: 2; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; sid: 2001610; rev:6; )
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg: "BLEEDING-EDGE F5 BIG-IP 3DNS TCP Probe 3"; id: 3; dsize: 24; flags: S,12; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; window: 2048; classtype: misc-activity; reference:url,www.f5.com/f5products/v9intro/index.html; sid: 2001611; rev:6; )

# Submitted by Joseph Gama
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE ICMP PING IPTools"; itype: 8; icode: 0; content:"|A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7 A7|"; depth: 64; reference: url,www.ks-soft.net/ip-tools.eng; classtype: misc-activity; reference:url,www.ks-soft.net/ip-tools.eng/index.htm; sid: 2000575; rev:3; )

# By Jeff Kell
alert tcp any any -> $SQL_SERVERS 3306 (msg: "BLEEDING-EDGE SCAN MYSQL 4.0 brute force root login attempt"; flow: to_server,established; content:"|01|"; within: 1; distance: 3; content:"root|00|"; nocase; within: 5; distance: 5; threshold: type both, track by_src, count 5, seconds 60; classtype: protocol-command-decode; sid: 2001906; rev:2; )

# By Bob Grabowsky
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE SCAN Nessus User Agent"; flow: established,to_server; content:"User-Agent\:"; depth:300; nocase; pcre:"/User-Agent\:[^\n]+Nessus/i"; threshold: type limit, track by_src, count 1, seconds 60; reference: url,www.nessus.org; classtype: attempted-recon; sid:2002664; rev:2;)

# These are intended to catch new worms and such scanning internally. Careful of falses.
alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001569; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 139 (msg: "BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001579; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 137 (msg: "BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001580; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 135 (msg: "BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001581; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1434 (msg: "BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001582; rev:9; )
alert tcp $HOME_NET any -> $EXTERNAL_NET 1433 (msg: "BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 200, seconds 60; classtype: misc-activity; sid: 2001583; rev:9; )

# By Matt Jonkman
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE SCAN Nikto Web App Scan in Progress"; flow:to_server,established; content:"User-Agent\:"; nocase; pcre:"/User-Agent\:[^\n]+Nikto/i"; reference:url,www.cirt.net/code/nikto.shtml; classtype:web-application-attack; sid:2002677; rev:2;)

# Submitted by Joseph Gama
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sO"; dsize: 0; ip_proto: 21; reference: arachnids,162; classtype: attempted-recon; sid: 2000536; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sS"; fragbits: !D; dsize: 0; flags: S,12; ack: 0; window: 2048; reference: arachnids,162; classtype: attempted-recon; sid: 2000537; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference: arachnids,162; classtype: attempted-recon; sid: 2000538; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (2)"; fragbits: !D; dsize: 0; flags: A,12; window: 3072; reference: arachnids,162; classtype: attempted-recon; sid: 2000540; rev:3; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sF"; fragbits: !M; dsize: 0; flags: F,12; ack: 0; window: 2048; reference: arachnids,162; classtype: attempted-recon; sid: 2000543; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sN"; fragbits: !M; dsize: 0; flags: 0,12; ack: 0; window: 2048; reference: arachnids,162; classtype: attempted-recon; sid: 2000544; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sS"; fragbits: !M; dsize: 0; flags: S,12; ack: 0; window: 2048; reference: arachnids,162; classtype: attempted-recon; sid: 2000545; rev:2; )
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sX"; fragbits: !M; dsize: 0; flags: FPU,12; ack: 0; window: 2048; reference: arachnids,162; classtype: attempted-recon; sid: 2000546; rev:2; )

# Submitted by Matt Jonkman
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: suspicious-login; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:12; )

# Idea from dynamicnet
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; flow: established; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; classtype: attempted-dos; sid: 2001553; rev:5; )

# These are intended to catch new worms and such scanning internally. Careful of falses.
alert tcp any any -> any 23 (msg: "BLEEDING-EDGE Behavioral Unusually fast Telnet Connections, Potential Scan or Brute Force"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; classtype: misc-activity; reference:url,www.rapid7.com/nexpose-faq-answer2.htm; sid: 2001904; rev:3; )

# Works for other proto's, may as well extend the idea
alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; classtype: misc-activity; sid: 2001972; rev:11; )

```
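The behavioral and brute-force rules above do most of their work with the `threshold` keyword (`limit`, `threshold`, `both`), which decides how many matching SYNs per source must arrive inside the window before anything is logged. The following Python is an added example, not part of the Bleeding rule set: it parses the threshold option from a rule line (the port-445 rule is quoted from the file; the event stream is constructed) and replays events to show when each threshold type alerts. It models only the counting semantics, not the rest of Snort's detection engine.

```python
import re

# Rule text copied from bleeding-scan.rules (sid 2001569); the events fed to it below are made up.
RULE_445 = ('alert tcp $HOME_NET any -> $EXTERNAL_NET 445 (msg: "BLEEDING-EDGE Behavioral '
            'Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; '
            'threshold: type both, track by_src, count 200, seconds 60; '
            'classtype: misc-activity; sid: 2001569; rev:9; )')

# Tolerates the spacing variants seen in the file ("count 200 , seconds" and "by_src,count 1").
THRESH_RE = re.compile(
    r'threshold:\s*type\s+(limit|threshold|both)\s*,\s*track\s+(by_src|by_dst)\s*,'
    r'\s*count\s+(\d+)\s*,\s*seconds\s+(\d+)')


def parse_threshold(rule):
    """Return (type, track, count, seconds) from a rule's threshold option, or None."""
    m = THRESH_RE.search(rule)
    if not m:
        return None
    kind, track, count, secs = m.groups()
    return kind, track, int(count), int(secs)


class Thresholder:
    """Per-address counter implementing the three Snort threshold types (simplified model)."""

    def __init__(self, kind, count, seconds):
        self.kind, self.count, self.seconds = kind, count, seconds
        self.state = {}  # tracked address -> [window_start, events_in_window]

    def event(self, key, ts):
        """Record one matching packet; return True if this packet produces an alert."""
        st = self.state.get(key)
        if st is None or ts - st[0] >= self.seconds:   # window expired: start a new one
            st = self.state[key] = [ts, 0]
        st[1] += 1
        n = st[1]
        if self.kind == 'limit':       # first `count` events in each window alert
            return n <= self.count
        if self.kind == 'threshold':   # every `count`-th event in the window alerts
            return n % self.count == 0
        return n == self.count         # both: exactly once per window, on the count-th event


def replay(rule, events):
    """events: time-ordered (src, timestamp) pairs for packets already matching the rule header."""
    kind, _track, count, secs = parse_threshold(rule)
    th = Thresholder(kind, count, secs)
    return [(src, ts) for src, ts in events if th.event(src, ts)]
```

With `type both, count 200, seconds 60`, a host sending 250 SYNs in 25 seconds is reported once, and one sending 150 is never reported, which is exactly the trade-off the file's "Careful of falses" comments refer to.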