Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules Fri Dec 2 00:46:36 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 1 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 2 | # $Id: bleeding-web.rules,v 1.603 2005/11/30 00:14:20 bhartstein Exp $
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 3 | # Bleeding Snort web rules.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 4 | # These are rules not stable, mature, or applicable enough to be part of the snort.org official sets.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 5 | # Someday some may be, at which time they'll be removed from this list and be available via Snort.org
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 6 | # This is for the bleeding edge junkies. Use at your own risk!!!
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 7 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 8 | # SID's are 2000000+ to avoid conflicts
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 9 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 10 | # Only basic testing has been done. At this point all we guarantee is that they won't crash a recent snort release.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 11 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 12 | # More information available at www.bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 13 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 14 | # Please submit any custom rules or ideas to bleeding@bleedingsnort.com or the snort-sigs mailing list
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 15 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 16 | #*************************************************************
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 17 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 18 | # Copyright (c) 2005, Bleedingsnort.com
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 19 | # All rights reserved.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 20 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 21 | # Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 22 | # following conditions are met:
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 23 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 24 | # * Redistributions of source code must retain the above copyright notice, this list of conditions and the following
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 25 | # disclaimer.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 26 | # * Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 27 | # following disclaimer in the documentation and/or other materials provided with the distribution.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 28 | # * Neither the name of the nor the names of its contributors may be used to endorse or promote products derived
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 29 | # from this software without specific prior written permission.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 30 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 31 | # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 32 | # INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 33 | # DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 34 | # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 35 | # SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 36 | # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 37 | # USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 38 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 39 | #
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 40 | #by David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 41 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB WebAPP Apage.CGI Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/apage.cgi?f="; nocase; pcre:"/(\.\|.+\|)/"; reference: bugtraq,13637; classtype: web-application-attack; sid: 2001945; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 42 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 43 | #From Adam Hogan
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 44 | alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Web Proxy GET Request"; flow: to_server,established; content:"GET http\://"; nocase; depth: 11; classtype: bad-unknown; sid: 2001669; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 45 | alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Web Proxy HEAD Request"; flow: to_server,established; content:"HEAD http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001670; rev:3; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 46 | alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Proxy POST Request"; flow: to_server,established; content:"POST http\://"; nocase; depth: 12; classtype: bad-unknown; sid: 2001674; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 47 | alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg: "BLEEDING-EDGE Proxy CONNECT Request"; flow: to_server,established; content:"CONNECT "; nocase; depth: 8; classtype: bad-unknown; sid: 2001675; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 48 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 49 | #By David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 50 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Athena Web Registration Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/athenareg.php?pass=%20\;"; nocase; reference: cve,CAN-2004-1782; reference: bugtraq,9349; classtype: web-application-attack; sid: 2001949; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 51 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 52 | # Submitted 2005-09-04 by David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 53 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Barracuda Spam Firewall img.pl Remote Command Execution Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=.+\|)/Ui"; reference:bugtraq,14712; classtype: web-application-attack; sid:2002362; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 54 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 55 | # Submitted 2005-11-22 by David Maciejak (with thanks to Nicob for pointing it out)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 56 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Barracuda Spam Firewall img.pl Remote Directory Traversal Attempt"; flow: to_server,established; uricontent:"/cgi-bin/img.pl?"; nocase; pcre:"/(f=\.\..+)/Ui"; reference:bugtraq,14710; classtype: web-application-attack; sid:2002685; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 57 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 58 | #by Jamie Thinglestad
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 59 | alert tcp $EXTERNAL_NET any - > $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; classtype:web-application-attack; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; sid:2002069; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 59 | alert tcp $EXTERNAL_NET any - > $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; classtype:web-application-attack; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; sid:2002069; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 59 | alert tcp $EXTERNAL_NET any - > $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Blog Spam Insert Attempt"; flow:to_server,established; content:"|0D 0A|x-aaaaaaaaa"; nocase; classtype:web-application-attack; reference:url,spamhuntress.com/2005/05/14/new-block-for-bulgarians/; reference:url,lists.geeklog.net/pipermail/geeklog-spam/2005-June/000020.html; reference:url,www.webmasterworld.com/forum92/3683.htm; sid:2002069; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 60 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 61 | # Submitted by Mark Tombaugh, 2005/07/18
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 62 | alert tcp $EXTERNAL_NET any - > $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/(config_settings|top_graph_header)\.php\?.*=(http|https)\:\//Ui"; classtype:web-application-activity; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; sid:2002129; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 62 | alert tcp $EXTERNAL_NET any - > $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/(config_settings|top_graph_header)\.php\?.*=(http|https)\:\//Ui"; classtype:web-application-activity; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; sid:2002129; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 62 | alert tcp $EXTERNAL_NET any - > $HOME_NET $HTTP_PORTS (msg:"BLEEDING-EDGE Cacti Input Validation Attack"; flow:established,to_server; content:"GET"; depth:3; nocase; pcre:"/(config_settings|top_graph_header)\.php\?.*=(http|https)\:\//Ui"; classtype:web-application-activity; reference:url,www.cacti.net; reference:url,www.idefense.com/application/poi/display?id=265&type=vulnerabilities; reference:url,www.idefense.com/application/poi/display?id=266&type=vulnerabilities; sid:2002129; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 63 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 64 | #by David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 65 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Cacti graph_image.php Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/graph_image.php?"; nocase; pcre:"/(graph_start=%0a.+%0a)/i"; reference:cve,CAN-2005-1524; reference:bugtraq,14129; reference:bugtraq,14042; classtype: web-application-attack; sid:2002313; rev:2;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 66 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 67 | #By David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 68 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB Community Link Pro Login.CGI Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/login.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference: bugtraq,14097; classtype: web-application-attack; sid:2002067; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 69 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 70 | #By David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 71 | alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg: "BLEEDING-EDGE WEB CSV-DB CSV_DB.CGI Remote Command Execution Attempt"; flow:to_server,established; uricontent:"/cgi-bin/csv_db.cgi?"; nocase; pcre:"/(file=\|.+\|)/"; reference: bugtraq,14059; classtype:web-application-attack; sid:2002066; rev:1;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 72 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 73 | # By David Maciejak, 2005-11-03
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 74 | alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg: "BLEEDING-EDGE WEB CutePHP CuteNews directory traversal vulnerability"; flow:to_server,established; content:"GET"; depth:3; nocase; pcre:"/show_(news|archives)\.php?.*template=[./]+/Ui"; reference:bugtraq,15295; classtype: misc-activity; sid: 2002668; rev:2; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 75 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 76 | # Submitted by David Maciejak on 2005-11-15
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 77 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE WEB Cyphor show.php SQL injection attempt"; flow:to_server,established; uricontent:"/show.php?"; nocase; pcre:"/id=-?\d+\s+UNION\s+/Ui"; reference: bugtraq,15418; classtype: web-application-attack; sid: 2002678; rev:1; )
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 78 |
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 79 | #by David Maciejak
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 80 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE IBM Lotus Domino BaseTarget XSS attempt"; flow:to_server,established; uricontent:"OpenForm"; nocase; pcre:"/BaseTarget=.*?\"/iU"; reference: bugtraq,14845; classtype:web-application-attack; sid:2002376; rev:3;)
|
| ./snortrules-BLEEDING-2.4/rules/bleeding-web.rules : 81 | alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE IBM Lotus Domino Src XSS attempt"; flow:to_server,established; uricontent:"OpenFrameSet"; nocase; pcre:"/src=.*\"><\/FRAMESET>.* |