Source: the Sourcefire VRT rule snapshot ./snortrules-VRT_PR-2.4/rules/exploit.rules (listing dated Fri Dec 2 01:30:38 2005). A copy may be available under http://www.grotto-group.com/~gulfie/projects (unverified); treat the upstream VRT tarball as the authoritative text.
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 1 | # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 2 | #
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 3 | # This file may contain proprietary rules that were created, tested and
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 4 | # certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 5 | # rules that were created by Sourcefire and other third parties and
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 6 | # distributed under the GNU General Public License (the "GPL Rules"). The
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 7 | # VRT Certified Rules contained in this file are the property of
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 8 | # Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 9 | # The GPL Rules created by Sourcefire, Inc. are the property of
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 10 | # Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 11 | # Reserved. All other GPL Rules are owned and copyrighted by their
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 12 | # respective owners (please see www.snort.org/contributors for a list of
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 13 | # owners and their respective copyrights). In order to determine what
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 14 | # rules are VRT Certified Rules or GPL Rules, please refer to the VRT
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 15 | # Certified Rules License Agreement.
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 16 | #
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 17 | #
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 18 | # $Id: exploit.rules,v 1.63.2.7.2.7 2005/07/22 19:19:54 mwatchinski Exp $
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 19 | #--------------
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 20 | # EXPLOIT RULES
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 21 | #--------------
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 22 |
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 23 | alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 24 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow filler"; flow:to_server,established; content:"|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1325; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 25 | alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow NOOP"; flow:to_server,established; content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 26 | alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"|00 01|W|00 00 00 18|"; depth:7; content:"|FF FF FF FF 00 00|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 27 | alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"EXPLOIT Netscape 4.7 client overflow"; flow:to_client,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,215; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:attempted-user; sid:283; rev:10;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 28 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2766 (msg:"EXPLOIT nlps x86 Solaris overflow"; flow:to_server,established; content:"|EB 23|^3|C0 88|F|FA 89|F|F5 89|6"; reference:bugtraq,2319; classtype:attempted-admin; sid:300; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 29 | alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPRng overflow"; flow:to_server,established; content:"C|07 89|[|08 8D|K|08 89|C|0C B0 0B CD 80|1|C0 FE C0 CD 80 E8 94 FF FF FF|/bin/sh|0A|"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:301; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 30 | alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300|24|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 31 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"|EB 7F|]U|FE|M|98 FE|M|9B|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 32 | alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"EXPLOIT delegate proxy overflow"; flow:to_server,established; dsize:>1000; content:"whois|3A|//"; nocase; reference:arachnids,267; reference:bugtraq,808; reference:cve,2000-0165; classtype:attempted-admin; sid:305; rev:10;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 33 | alert tcp $EXTERNAL_NET any - > $HOME_NET 9090 (msg:"EXPLOIT VQServer admin"; flow:to_server,established; content:"GET / HTTP/1.1"; nocase; reference:bugtraq,1610; reference:cve,2000-0766; reference:url,www.vqsoft.com/vq/server/docs/other/control.html; classtype:attempted-admin; sid:306; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 34 | alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"EXPLOIT NextFTP client overflow"; flow:to_client,established; content:"|B4| |B4|!|8B CC 83 E9 04 8B 19|3|C9|f|B9 10|"; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:308; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 35 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT sniffit overflow"; flow:stateless; dsize:>512; flags:A+; content:"from|3A 90 90 90 90 90 90 90 90 90 90 90|"; nocase; reference:arachnids,273; reference:bugtraq,1158; reference:cve,2000-0343; classtype:attempted-admin; sid:309; rev:10;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 36 | alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXPLOIT x86 windows MailMax overflow"; flow:to_server,established; content:"|EB|E|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,2312; reference:cve,1999-0404; classtype:attempted-admin; sid:310; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 37 | alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"EXPLOIT Netscape 4.7 unsucessful overflow"; flow:to_server,established; content:"3|C9 B1 10|?|E9 06|Q<|FA|G3|C0|P|F7 D0|P"; reference:arachnids,214; reference:bugtraq,822; reference:cve,1999-1189; reference:cve,2000-1187; classtype:unsuccessful-user; sid:311; rev:11;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 38 | alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:312; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 39 | alert udp $EXTERNAL_NET any -> $HOME_NET 518 (msg:"EXPLOIT ntalkd x86 Linux overflow"; content:"|01 03 00 00 00 00 00 01 00 02 02 E8|"; reference:bugtraq,210; classtype:attempted-admin; sid:313; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 40 | alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"^|B0 02 89 06 FE C8 89|F|04 B0 06 89|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 41 | alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|V^VVV1|D2 88|V|0B 88|V|1E|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:316; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 42 | alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|EB|@^1|C0|@|89|F|04 89 C3|@|89 06|"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:317; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 43 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2224 (msg:"EXPLOIT MDBMS overflow"; flow:to_server,established; content:"|01|1|DB CD 80 E8|[|FF FF FF|"; reference:bugtraq,1252; reference:cve,2000-0446; classtype:attempted-admin; sid:1240; rev:5;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 44 | alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"|7F FF FB|x|7F FF FB|x|7F FF FB|x|7F FF FB|x"; content:"@|8A FF C8|@|82 FF D8 3B|6|FE 03 3B|v|FE 02|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 45 | alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"EXPLOIT rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 46 | alert tcp $EXTERNAL_NET any - > $HOME_NET 6112 (msg:"EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 47 | alert tcp $EXTERNAL_NET any -> $HOME_NET 32772:34000 (msg:"EXPLOIT cachefsd buffer overflow attempt"; flow:to_server,established; dsize:>720; content:"|00 01 87 86 00 00 00 01 00 00 00 05|"; reference:bugtraq,4631; reference:cve,2002-0084; reference:nessus,10951; classtype:misc-attack; sid:1751; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 48 | alert tcp $EXTERNAL_NET any - > $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1894; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 49 | alert tcp $EXTERNAL_NET any - > $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|00 C0 05 08 00 C0 05 08 00 C0 05 08 00 C0 05 08|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1895; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 50 | alert tcp $EXTERNAL_NET any - > $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1896; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 51 | alert tcp $EXTERNAL_NET any - > $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"|FF FF|KADM0.0A|00 00 FB 03|"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1897; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 52 | alert tcp $EXTERNAL_NET any - > $HOME_NET 749 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1898; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 53 | alert tcp $EXTERNAL_NET any - > $HOME_NET 751 (msg:"EXPLOIT kadmind buffer overflow attempt"; flow:established,to_server; content:"/shh//bi"; reference:bugtraq,5731; reference:bugtraq,6024; reference:cve,2002-1226; reference:cve,2002-1235; reference:url,www.kb.cert.org/vuls/id/875073; classtype:shellcode-detect; sid:1899; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 54 | alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXPLOIT gobbles SSH exploit attempt"; flow:to_server,established; content:"GOBBLES"; reference:bugtraq,5093; reference:cve,2002-0390; reference:cve,2002-0639; classtype:misc-attack; sid:1812; rev:5;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 55 | alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=|22|`"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:1821; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 56 |
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 57 | alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:1838; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 58 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6666:7000 (msg:"EXPLOIT CHAT IRC topic overflow"; flow:to_client,established; content:"|EB|K[S2|E4 83 C3 0B|K|88 23 B8|Pw"; reference:bugtraq,573; reference:cve,1999-0672; classtype:attempted-user; sid:307; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 59 | alert tcp any any - > any 6666:7000 (msg:"EXPLOIT CHAT IRC Ettercap parse overflow attempt"; flow:to_server,established; content:"PRIVMSG"; nocase; content:"nickserv"; nocase; content:"IDENTIFY"; nocase; isdataat:100,relative; pcre:"/^PRIVMSG\s+nickserv\s+IDENTIFY\s[^\n]{100}/smi"; reference:url,www.bugtraq.org/dev/GOBBLES-12.txt; classtype:misc-attack; sid:1382; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 60 | alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"EXPLOIT x86 Linux samba overflow"; flow:to_server,established; content:"|EB|/_|EB|J^|89 FB 89|>|89 F2|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 61 | alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola PASS overflow attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2319; rev:1;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 62 | alert tcp $EXTERNAL_NET any -> $HOME_NET 1655 (msg:"EXPLOIT ebola USER overflow attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]{49}/smi"; reference:bugtraq,9156; classtype:attempted-admin; sid:2320; rev:1;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 63 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 64 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"|07|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 65 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP third payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2378; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 66 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 67 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; byte_test:4,>,2043,24; byte_jump:2,30,relative; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"|07|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 68 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"|08|"; depth:1; offset:16; content:"|0C|"; depth:1; offset:28; content:"|00 04|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 69 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:16; content:"|00 0C 00 00 00 01 01 00 06 02|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 70 | alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"|0B|"; depth:1; offset:28; byte_jump:2,30; content:"|00 0C 00 00 00 01 01 00|`|02|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 71 | alert udp any 4000 - > any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1, > ,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2, > ,128,18,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2443; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 72 | alert udp any 4000 - > any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER first name overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1, > ,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_test:2, > ,128,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2444; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 73 | alert udp any 4000 - > any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER last name overflow attempt"; content:"|05 00|"; depth:2; byte_test:2, > ,128,0,relative,little; content:"|12 02|"; within:2; distance:5; byte_test:1, > ,1,12,relative; content:"|05 00|"; distance:0; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_jump:2,18,relative,little; byte_jump:2,0,relative,little; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2445; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 74 | alert udp any 4000 - > any any (msg:"EXPLOIT ICQ SRV_MULTI/SRV_META_USER overflow attempt"; content:"|05 00|"; depth:2; content:"|12 02|"; within:2; distance:5; byte_test:1, > ,1,12,relative; content:"|05 00|"; content:"n|00|"; within:2; distance:5; content:"|05 00|"; content:"|DE 03|"; within:2; distance:5; byte_test:2, > ,512,-11,relative,little; reference:cve,2004-0362; reference:url,www.eeye.com/html/Research/Advisories/AD20040318.html; classtype:misc-attack; sid:2446; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 75 |
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 76 | alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 77 | alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 78 | alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 79 | alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal STREAMQUOTE buffer overflow attempt"; flow:to_server,established; content:" |
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 80 | alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXPLOIT esignal SNAPQUOTE buffer overflow attempt"; flow:to_server,established; content:" |
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 81 | alert tcp $EXTERNAL_NET any - > $HOME_NET 548 (msg:"EXPLOIT AFP FPLoginExt username buffer overflow attempt"; flow:to_server,established; content:"|00 02|"; depth:2; content:"?"; within:1; distance:14; content:"cleartxt passwrd"; nocase; byte_jump:2,1,relative; byte_jump:2,1,relative; isdataat:2,relative; reference:bugtraq,10271; reference:cve,2004-0430; reference:url,www.atstake.com/research/advisories/2004/a050304-1.txt; classtype:attempted-admin; sid:2545; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 82 | alert tcp $EXTERNAL_NET 80 - > $HOME_NET any (msg:"EXPLOIT winamp XM module name overflow"; flow:established,from_server; content:"Extended module|3A|"; nocase; isdataat:20,relative; content:!"|1A|"; within:21; reference:url,www.nextgenss.com/advisories/winampheap.txt; classtype:attempted-user; sid:2550; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 83 |
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 84 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache GET overflow attempt"; flow:to_server,established; content:"GET"; pcre:"/^GET[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2551; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 85 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache HEAD overflow attempt"; flow:to_server,established; content:"HEAD"; pcre:"/^HEAD[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2552; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 86 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache PUT overflow attempt"; flow:to_server,established; content:"PUT"; pcre:"/^PUT[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2553; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 87 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache POST overflow attempt"; flow:to_server,established; content:"POST"; pcre:"/^POST[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2554; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 88 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache TRACE overflow attempt"; flow:to_server,established; content:"TRACE"; pcre:"/^TRACE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2555; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 89 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache DELETE overflow attempt"; flow:to_server,established; content:"DELETE"; pcre:"/^DELETE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2556; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 90 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache LOCK overflow attempt"; flow:to_server,established; content:"LOCK"; pcre:"/^LOCK[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2557; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 91 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MKCOL overflow attempt"; flow:to_server,established; content:"MKCOL"; pcre:"/^MKCOL[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2558; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 92 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache COPY overflow attempt"; flow:to_server,established; content:"COPY"; pcre:"/^COPY[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2559; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 93 | alert tcp $EXTERNAL_NET any -> $HOME_NET 7777:7778 (msg:"EXPLOIT Oracle Web Cache MOVE overflow attempt"; flow:to_server,established; content:"MOVE"; pcre:"/^MOVE[^s]{432}/sm"; reference:bugtraq,9868; reference:cve,2004-0385; reference:nessus,12126; classtype:attempted-admin; sid:2560; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 94 | alert udp $EXTERNAL_NET any - > $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow UDP"; content:"j"; depth:1; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2578; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 95 | alert tcp $EXTERNAL_NET any - > $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 96 | alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 97 | alert tcp $EXTERNAL_NET any - > $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 97 | alert tcp $EXTERNAL_NET any - > $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 98 | alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 99 | alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 100 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:60; content:!"|00|"; depth:66; offset:6; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 101 | alert tcp $EXTERNAL_NET 1863 - > $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4, > ,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 102 | alert udp $EXTERNAL_NET any - > $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 103 | alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3458; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 104 | alert tcp $EXTERNAL_NET any - > $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname Buffer Overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 105 | alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 106 | alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; isdataat:31; content:!"|00|"; depth:23; offset:8; reference:bugtraq,12594; classtype:attempted-user; sid:3457; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 107 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3475; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 108 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3485; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 109 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3479; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 110 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; dsize:>966; reference:bugtraq,12491; reference:can,2005-0260; classtype:attempted-admin; sid:3472; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 111 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3484; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 112 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3476; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 113 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3481; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 114 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3483; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 115 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3477; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 116 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3480; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 117 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3474; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 118 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3482; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 119 | # alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12563; classtype:attempted-admin; sid:3478; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 120 | alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"EXPLOIT RADIUS registration vendor ATTR_TYPE_STR overflow attempt"; content:"|01|"; depth:1; content:"|01 01 1A|"; depth:3; offset:32; content:"|00 00 15 9F|"; depth:4; offset:36; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; classtype:attempted-admin; sid:3540; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 121 | alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Solaris LPD overflow attempt"; flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; threshold:type limit,track by_dst,count 5,seconds 60; reference:bugtraq,3274; classtype:attempted-admin; sid:3527; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 122 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:"/(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}/Ri"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3521; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 123 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12563; classtype:attempted-admin; sid:3531; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 124 | alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"EXPLOIT RADIUS ATTR_TYPE_STR overflow attempt"; content:"|01 01 1A|"; depth:3; offset:28; content:"|00 00 15 9F|"; depth:4; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26).{15}(\x0A|\x34)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; classtype:attempted-admin; sid:3541; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 125 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license GCR NETWORK overflow attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:"/^\S{65}|\S+\s+\S{65}|\S+\s+\S+\s+\S{65}/Ri"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3520; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 126 | alert tcp $EXTERNAL_NET 10202 -> $HOME_NET any (msg:"EXPLOIT Computer Associates license GETCONFIG client overflow attempt"; flow:from_server,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!" |
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 127 | # alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12563; classtype:attempted-admin; sid:3530; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 128 | alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"EXPLOIT RADIUS MSID overflow attempt"; content:"|01 01 1F|"; depth:3; offset:28; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^(\x03|[\x14-\x17]).{19}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; classtype:attempted-admin; sid:3539; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 129 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license invalid GCR NETWORK attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:!"/^\S+\s+\S+\s+\S+/Ri"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3525; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 130 | alert udp $EXTERNAL_NET any -> $HOME_NET 699 (msg:"EXPLOIT RADIUS registration MSID overflow attempt"; content:"|01|"; depth:1; content:"|01 01 1F|"; depth:3; offset:32; byte_test:1,>,30,1,relative; isdataat:29,relative; pcre:"/^\x01.{23}(\x25|\x26)/smi"; reference:bugtraq,12759; reference:cve,2005-0699; classtype:attempted-admin; sid:3538; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 131 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:!"/^(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+/Ri"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3524; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 132 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license PUTOLF overflow attempt"; flow:to_server,established; content:"PUTOLF"; depth:6; offset:3; nocase; pcre:"/PUTOLF\s+((\S+\s+){4}[^\s]{256}|(\S+\s+){6}[^\x3c]{512})/i"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3517; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 133 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202 (msg:"EXPLOIT Computer Associates license GETCONFIG server overflow attempt"; flow:to_server,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!" |
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 134 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license PUTOLF directory traversal attempt"; flow:to_server,established; content:"PUTOLF"; pcre:"/(0x)?[0-9a-f]+\s+PUTOLF\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S+\s+\S+\s+((0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*))\s+\S*\.\.[\x2f\x5c]/i"; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3637; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 135 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 00 little endian buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3660; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 136 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 1000 little endian buffer overflow attempt"; flow:to_server,established; content:"|E8 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3658; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 137 | alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"EXPLOIT CVS rsh annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; nocase; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3651; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 137 | alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"EXPLOIT CVS rsh annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; nocase; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3651; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 138 | alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"EXPLOIT PPTP echo request buffer overflow attempt"; flow:established,to_server; content:"|00 01|"; depth:2; content:"|00 01|"; depth:2; offset:2; content:"|00 05|"; depth:2; offset:8; reference:bugtraq,7316; reference:cve,2003-0213; classtype:attempted-admin; sid:3664; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 139 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 1000 buffer overflow attempt"; flow:to_server,established; content:"|03 E8|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3659; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 140 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"EXPLOIT CVS pserver annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; nocase; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3652; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 140 | alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"EXPLOIT CVS pserver annotate revision overflow attempt"; flow:to_server,established; content:"|0A|annotate|0A|"; nocase; pcre:"/^Entry \/file\/[0-9.]{71,}\/\/.*\x0aannotate\x0a/smi"; reference:bugtraq,13217; reference:cve,2005-0753; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=141; reference:url,ccvs.cvshome.org/servlets/NewsItemView?newsItemID=142; classtype:attempted-dos; sid:3652; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 141 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 03 buffer overflow attempt"; flow:to_server,established; content:"|00 03|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3663; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 142 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 03 little endian buffer overflow attempt"; flow:to_server,established; content:"|03 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6,little; byte_test:2,<,1705,6,little; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3662; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 143 | alert tcp $EXTERNAL_NET any -> $HOME_NET 6050 (msg:"EXPLOIT ARCserve backup universal agent option 00 buffer overflow attempt"; flow:to_server,established; content:"|00 00|"; depth:2; offset:256; isdataat:430,relative; byte_test:2,>,679,6; byte_test:2,<,1705,6; reference:bugtraq,13102; reference:cve,2005-1018; classtype:attempted-admin; sid:3661; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 144 | alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXPLOIT SIP UDP CSeq overflow attempt"; content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:3677; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 145 | alert tcp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"EXPLOIT SIP TCP CSeq overflow attempt"; flow:stateless; content:"CSeq|3A|"; nocase; isdataat:16,relative; content:!"|0A|"; within:16; reference:url,www.ethereal.com/news/item_20050504_01.html; classtype:attempted-dos; sid:3678; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 146 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"EXPLOIT Veritas Backup Agent password overflow attempt"; flow:to_server,established; content:"|00 00 09 01|"; depth:4; offset:16; content:"|00 00 00 03|"; depth:4; offset:28; byte_jump:4,32; byte_test:4,>,1023,0,relative; reference:cve,2005-0773; classtype:attempted-admin; sid:3695; rev:1;)
|
| ./snortrules-VRT_PR-2.4/rules/exploit.rules : 147 | alert tcp $EXTERNAL_NET any -> $HOME_NET 10000 (msg:"EXPLOIT Veritas Backup Agent DoS attempt"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:12; byte_test:4,>,0,24; reference:bugtraq,14201; reference:cve,2005-0772; classtype:attempted-dos; sid:3696; rev:1;)
|