Which may be found at http://www.grotto-group.com/~gulfie/projects... maybe
| ./snortrules-VRT_PR-2.4/rules/telnet.rules Fri Dec 2 01:26:49 2005 | |
|---|---|
| Filename : line | Rules |
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 1 | # Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 2 | #
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 3 | # This file may contain proprietary rules that were created, tested and
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 4 | # certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 5 | # rules that were created by Sourcefire and other third parties and
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 6 | # distributed under the GNU General Public License (the "GPL Rules"). The
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 7 | # VRT Certified Rules contained in this file are the property of
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 8 | # Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 9 | # The GPL Rules created by Sourcefire, Inc. are the property of
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 10 | # Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 11 | # Reserved. All other GPL Rules are owned and copyrighted by their
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 12 | # respective owners (please see www.snort.org/contributors for a list of
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 13 | # owners and their respective copyrights). In order to determine what
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 14 | # rules are VRT Certified Rules or GPL Rules, please refer to the VRT
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 15 | # Certified Rules License Agreement.
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 16 | #
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 17 | #
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 18 | # $Id: telnet.rules,v 1.35.2.4.2.5 2005/06/29 15:35:04 mwatchinski Exp $
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 19 | #-------------
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 20 | # TELNET RULES
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 21 | #-------------
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 22 | #
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 23 | # These signatures are based on various telnet exploits and unpassword
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 24 | # protected accounts.
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 25 | #
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 26 |
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 27 |
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 28 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET Solaris memory mismanagement exploit attempt"; flow:to_server,established; content:"|A0 23 A0 10 AE 23 80 10 EE 23 BF EC 82 05 E0 D6 90|%|E0|"; classtype:shellcode-detect; sid:1430; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 29 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET SGI telnetd format bug"; flow:to_server,established; content:"_RLD"; content:"bin/sh"; reference:arachnids,304; reference:bugtraq,1572; reference:cve,2000-0733; classtype:attempted-admin; sid:711; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 30 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET ld_library_path"; flow:to_server,established; content:"ld_library_path"; reference:arachnids,367; reference:bugtraq,459; reference:cve,1999-0073; classtype:attempted-admin; sid:712; rev:8;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 31 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET livingston DOS"; flow:to_server,established; content:"|FF F3 FF F3 FF F3 FF F3 FF F3|"; rawbytes; reference:arachnids,370; reference:bugtraq,2225; reference:cve,1999-0218; classtype:attempted-dos; sid:713; rev:10;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 32 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET resolv_host_conf"; flow:to_server,established; content:"resolv_host_conf"; reference:arachnids,369; reference:bugtraq,2181; reference:cve,2001-0170; classtype:attempted-admin; sid:714; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 33 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; flow:from_server,established; content:"to su root"; nocase; classtype:attempted-admin; sid:715; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 34 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flow:from_server,established; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:6;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 35 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; flow:from_server,established; content:"login|3A| root"; classtype:suspicious-login; sid:719; rev:7;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 36 | alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"TELNET bsd telnet exploit response"; flow:from_server,established; content:"|0D 0A|[Yes]|0D 0A FF FE 08 FF FD|&"; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:attempted-admin; sid:1252; rev:15;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 37 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET bsd exploit client finishing"; flow:to_client,established; dsize:>200; content:"|FF F6 FF F6 FF FB 08 FF F6|"; depth:50; offset:200; rawbytes; reference:bugtraq,3064; reference:cve,2001-0554; reference:nessus,10709; classtype:successful-admin; sid:1253; rev:13;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 38 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET 4Dgifts SGI account attempt"; flow:to_server,established; content:"4Dgifts"; reference:cve,1999-0501; reference:nessus,11243; classtype:suspicious-login; sid:709; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 39 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET EZsetup account attempt"; flow:to_server,established; content:"OutOfBox"; reference:cve,1999-0501; reference:nessus,11244; classtype:suspicious-login; sid:710; rev:9;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 40 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET APC SmartSlot default admin account attempt"; flow:to_server,established; content:"TENmanUFactOryPOWER"; reference:bugtraq,9681; reference:cve,2004-0311; reference:nessus,12066; classtype:suspicious-login; sid:2406; rev:4;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 41 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|"; rawbytes; pcre:"/T.*?T.*?Y.*?P.*?R.*?O.*?M.*?P.*?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 42 | alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"TELNET login buffer overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"|FF FA|'|00 00|TTYPROMPT|01|"; rawbytes; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3147; rev:3;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 43 | alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client LINEMODE SLC overflow attempt"; flow:to_client,established; content:"|FF FA 22 03|"; rawbytes; isdataat:123,relative; content:!"|FF|"; within:124; rawbytes; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3533; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 44 | alert tcp $EXTERNAL_NET 23 -> $HOME_NET any (msg:"TELNET client ENV OPT escape overflow attempt"; flow:to_client,established; content:"|FF FA|'|01|"; rawbytes; pcre:"/(\x02([\x01\x02\x03]|\xFF\xFF)){100,}/RBsm"; content:"|FF F0|"; distance:0; rawbytes; reference:bugtraq,12918; reference:cve,2005-0469; classtype:attempted-user; sid:3537; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 45 | alert tcp $EXTERNAL_NET 23 - > $HOME_NET any (msg:"TELNET client ENV OPT USERVAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 03|"; rawbytes; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3687; rev:2;)
|
| ./snortrules-VRT_PR-2.4/rules/telnet.rules : 46 | alert tcp $EXTERNAL_NET 23 - > $HOME_NET any (msg:"TELNET client ENV OPT VAR information disclosure"; flow:to_client,established; content:"|FF FA|'|01 00|"; rawbytes; reference:cve,2005-1205; reference:url,www.microsoft.com/technet/Security/bulletin/ms05-033.mspx; classtype:attempted-recon; sid:3688; rev:2;)
|