Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-COMM-2.4/rules/community-web-misc.rules Fri Dec 2 01:25:43 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 1 | # Copyright 2005 Sourcefire, Inc. All Rights Reserved.
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 2 | # These rules are licensed under the GNU General Public License.
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 3 | # Please see the file LICENSE in this directory for more details.
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 4 | # $Id: community-web-misc.rules,v 1.16 2005/11/10 14:15:43 akirk Exp $
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 5 |
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 6 | # Alerts on established client-to-server requests whose normalized URI contains "/test" (any case) and also matches test.<pl|php|cgi|asp|jsp>.
# The pcre is unanchored, so a file name that merely ends in "test" (e.g. latest.php under a /test path) matches too; classtype is web-application-activity, i.e. informational.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Test Script Access"; flow:to_server,established; uricontent:"/test"; nocase; pcre:"/test\.(pl|php|cgi|asp|jsp)/Ui"; classtype:web-application-activity; sid:100000121; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 7 | # Alerts when a client-to-server payload has a ':' followed by 1000 bytes with no newline in between (references bugtraq,11245 and cve,2004-0646 as listed in the rule).
# NOTE(review): the only content anchor is a single ':' byte, which presumably appears in almost every HTTP request, so the pcre is evaluated very often; long cookies, header values or POST bodies can also satisfy it. Measure cost and false positives before enabling.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg: "COMMUNITY WEB-MISC mod_jrun overflow attempt"; flow:to_server,established; content:"|3A|"; pcre:"/^.*\x3a[^\n]{1000}/sm"; reference:bugtraq,11245; reference:cve,2004-0646; classtype:web-application-attack; sid:100000122; rev:1;)
|
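| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 8 | # Alerts on requests to $HTTP_SERVERS whose normalized URI contains "?/" (bugtraq,10014).
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
# NOTE(review): classtype is successful-dos although the rule only sees the inbound request; it cannot confirm the device actually stopped responding.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Cisco IOS HTTP Router Management Service Infinite Loop DoS"; flow:to_server,established; uricontent:"?/"; reference:bugtraq,10014; reference:url,www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml; classtype:successful-dos; sid:100000129; rev:1;)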
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 9 | # Alerts on any request to TCP/8080 in $HOME_NET whose URI contains "/Filelist.html" (case-insensitive), per bugtraq,12778.
# The rule keys on the path alone, so ordinary access to a page of that name on any service listening on 8080 also fires.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS"; flow:to_server,established; uricontent:"/Filelist.html"; nocase; reference:bugtraq,12778; classtype:attempted-dos; sid:100000130; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 10 | # Alerts on requests to TCP/8080 whose URI contains "/A:" (a drive-letter path); same bugtraq,12778 reference as sid:100000130.
# NOTE(review): the pcre carries the U flag (match against the URI buffer) yet requires a trailing CR or LF; confirm the URI buffer can ever contain one, otherwise this rule may never fire.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"COMMUNITY WEB-MISC PY Software Active Webcam Webserver DoS - Floppy Access"; flow:to_server,established; uricontent:"/A|3A|"; nocase; pcre:"/A\x3A[^\r\n]?\.[^\r\n]?[\r\n]/Ui"; reference:bugtraq,12778; classtype:attempted-dos; sid:100000131; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 11 | # Following rule submitted by Alexandru Ionica |
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 12 | # Alerts on established server-side traffic from $HOME_NET to $EXTERNAL_NET that contains "Proxy-Connection", "Via" and "HTTP" but not "ERR_ACCESS_DENIED"; logto sends matches to a separate "proxy" output file.
# No classtype is set, so the alert carries no classification. NOTE(review): none of the content matches is position-bound, so the strings may occur anywhere in the payload, bodies included.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC Proxy Server Access"; flow:established,from_server; content:"Proxy-Connection"; nocase; content:"Via"; nocase; content:"HTTP"; nocase; content: !"ERR_ACCESS_DENIED"; nocase; logto: "proxy"; sid:100000132; rev:2;)
|
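| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 13 | # Alerts on "GET /" followed by 250 or more '?' characters (bugtraq,7398).
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
# NOTE(review): the rule has no content option, only a pcre, so the regex is the sole filter on every established to-server packet for these ports; check the cost on busy sensors.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"COMMUNITY WEB-DoS Xeneo Server Question Mark GET Request"; flow:to_server,established; pcre:"/GET \/\?{250,}/i"; reference:bugtraq,7398; reference:url,www.northernsolutions.com/support/index.php?view=support&cmd=releasenotes&productid=1; classtype:attempted-dos; sid:100000133; rev:1;)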
|
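| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 14 | # Alerts on requests to TCP/9999 that start with GET (first 3 bytes) and have "/%" followed by 215 or more non-CR/LF bytes on the request line (cve,2005-0684).
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
alert tcp $EXTERNAL_NET any -> $HOME_NET 9999 (msg:"COMMUNITY WEB-MISC MaxDB Web Tool Remote Stack Overflow"; flow:to_server,established; content:"GET"; nocase; depth:3; content:"/%"; distance:0; pcre:"/^GET\s+\/\%[^\r\n]{215,}/smi"; reference:cve,2005-0684; reference:url,www.idefense.com/application/poi/display?id=234&type=vulnerabilities; classtype:attempted-admin; sid:100000140; rev:1;)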
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 15 | # Rules 15-20 (sid 100000141-100000146) are one pattern repeated per extension (.jsp .jpg .gif .wav .css .htm): alert on requests to TCP/8484 where the extension is followed, with no whitespace in between, by "../" or "..\" (bugtraq,13727).
# NOTE(review): the leading dot in each pcre is unescaped ("/.jsp..."), so it matches any byte, and the literal content match is not position-tied to the pcre; writing it as "\." would tighten the match.
# NOTE(review): content and pcre run on the raw payload (no U flag), so only the literal two-dot sequences are covered; confirm whether a normalized-URI variant is needed for your sensors.
alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jsp directory traversal attempt"; flow:to_server,established; content:".jsp"; pcre:"/.jsp\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000141; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 16 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .jpg directory traversal attempt"; flow:to_server,established; content:".jpg"; pcre:"/.jpg\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000142; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 17 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .gif directory traversal attempt"; flow:to_server,established; content:".gif"; pcre:"/.gif\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000143; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 18 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .wav directory traversal attempt"; flow:to_server,established; content:".wav"; pcre:"/.wav\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252;classtype:attempted-recon; sid:100000144; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 19 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .css directory traversal attempt"; flow:to_server,established; content:".css"; pcre:"/.css\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000145; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 20 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8484 (msg:"COMMUNITY WEB-MISC Ipswitch Imail web calendaring .htm directory traversal attempt"; flow:to_server,established; content:".htm"; pcre:"/.htm\S*\x2e\x2e[\x2f\x5c]/smi"; reference:bugtraq,13727; reference:cve,CAN-2005-1252; classtype:attempted-recon; sid:100000146; rev:1;)
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 21 | #Rules submitted by rmkml
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 22 | # Alerts on requests to $HTTP_SERVERS on TCP/8000 whose normalized URI contains "/cgi-bin/img.pl?f=.." (cve,2005-2848; bugtraq 14712 and 14710).
# The match is case-sensitive (no nocase) and requires ".." immediately after "f=", i.e. a parent-directory reference at the start of the f parameter.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8000 (msg:"COMMUNITY WEB-MISC Barracuda img.pl attempt"; flow:to_server,established; uricontent:"/cgi-bin/img.pl?f=.."; reference:bugtraq,14712; reference:bugtraq,14710; reference:cve,2005-2848; classtype:web-application-attack; sid:100000148; rev:1;)
|
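| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 23 | # Alerts on the string "GET %" in a to-server payload sent to $HTTP_SERVERS on TCP/8083 (cve,2005-2006).
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
# NOTE(review): the content has no depth or offset, so it also matches when the string appears later in the payload, not only at the start of the request line.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8083 (msg:"COMMUNITY WEB-MISC Jboss % attempt"; flow:to_server,established; content:"GET %"; reference:bugtraq,13985; reference:cve,2005-2006; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17403; classtype:attempted-recon; sid:100000149; rev:1;)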
|
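| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 24 | # Alerts when a single to-server payload carries "Transfer-Encoding:", "chunked" and "Content-Length:" together, the header combination behind the request-smuggling issues referenced (cve,2005-2088 through 2005-2094).
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
# NOTE(review): nocase modifies only the content it follows, so "Transfer-Encoding:" and "chunked" are matched case-sensitively even though HTTP header names are case-insensitive; consider adding nocase after each content (and bumping rev). The msg text says "Transfer-Content" and is left as published.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC HTTP Transfer-Content Request Smuggling attempt"; flow:to_server,established; content:"Transfer-Encoding|3A|"; content:"chunked"; content:"Content-Length|3A|"; nocase; reference:bugtraq,13873; reference:bugtraq,14106; reference:cve,2005-2088; reference:cve,2005-2089; reference:cve,2005-2090; reference:cve,2005-2091; reference:cve,2005-2092; reference:cve,2005-2093; reference:cve,2005-2094; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=17738; reference:nessus,18337; classtype:attempted-admin; sid:100000150; rev:1;)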
|
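| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 25 | # Alerts on requests for /apply.cgi in which "Content-Length:" is followed by 1000 or more non-CR/LF characters (cve,2005-2799). The source is "any", so requests from internal clients are inspected as well.
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Linksys apply.cgi overflow attempt"; flow:to_server,established; uricontent:"/apply.cgi"; content:"Content-Length|3A|"; pcre:"/Content-Length\x3A\s*[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:1;)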
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 26 | # Alerts on requests to $HTTP_SERVERS whose URI contains the literal sequence "..:..:..:.." (each "\:" is an escaped ':' inside the content string), per bugtraq,15225.
# No classtype is set, so the alert carries no classification.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"COMMUNITY WEB-MISC Hasbani-WindWeb GET DoS attempt"; flow:to_server,established; uricontent:"..\:..\:..\:.."; reference:bugtraq,15225; reference:nessus,20097; sid:100000178; rev:1;)
|
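| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 27 | # Alerts when a to-server payload sent to $HTTP_SERVERS on TCP/898 has "TRACE" within its first 5 bytes, i.e. a request using the HTTP TRACE method (reference kb.cert.org/vuls/id/867593). No classtype is set.
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 898 (msg:"COMMUNITY WEB-MISC SMC TRACE access"; flow:to_server,established; content:"TRACE"; depth:5; reference:url,www.kb.cert.org/vuls/id/867593; sid:100000179; rev:1;)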
|
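| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 28 | # Alerts on requests to $HTTP_SERVERS on TCP/8080 whose URI contains "/invoker/JMXInvokerServlet"; classtype is misc-activity, so the alert records access to the servlet rather than a confirmed attack.
# Direction operator restored to "->": the rule header accepts only "->" or "<>", so "- >" as printed in this listing would be rejected at load time.
# NOTE(review): legitimate clients of this servlet would presumably trigger it as well; scope $EXTERNAL_NET or suppress known management hosts as appropriate.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"COMMUNITY WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; uricontent:"/invoker/JMXInvokerServlet"; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:1;)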
|
| ./snortrules-COMM-2.4/rules/community-web-misc.rules : 29 | # Alerts on responses from $HTTP_SERVERS to external clients that begin with "HTTP/1.1 200 OK" (first 15 bytes) and contain "Index of /" within the following 200 bytes, i.e. a directory listing being served (cve,2001-0731).
# Responses with any other status line (e.g. HTTP/1.0) are not matched. NOTE(review): within:200 is counted from the end of the status-line match, so a response with more than about 200 bytes of headers before the listing title may not match; verify against your servers.
alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"COMMUNITY WEB-MISC apache directory list attempt"; flow:to_client,established; content:"HTTP/1.1 200 OK"; depth:15; content:"Index of /"; nocase; within:200; reference:bugtraq,3009; reference:cve,2001-0731; classtype:web-application-activity; sid:100000185; rev:1;)
|