Changes - j0ke.net Open Build Service

Changes of Revision 4

[-] [+]	Changed	fwsnort.spec
@@ -1,5 +1,5 @@ %define name fwsnort -%define version 1.6.2 +%define version 1.6.3 %define release 1 %define fwsnortlibdir %_libdir/%name %define fwsnortlogdir /var/log/fwsnort @@ -184,55 +184,3 @@ %_libdir/%name %changelog -* Sat Apr 28 2012 Michael Rash <mbr@cipherydne.org> -- Updated to use the NetAddr::IP module for all IP/subnet calculations -- fwsnort-1.6.2 release - -* Thu Aug 11 2011 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.6.1 release - -* Wed Jul 27 2011 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.6 release - -* Sat Jan 08 2011 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.5 release - -* Tue Jan 05 2010 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.1 release - -* Sat May 29 2009 Michael Rash <mbr@cipherydne.org> -- Added the "BuildRequires: perl-ExtUtils-MakeMaker" statement. -- fwsnort-1.0.6 release - -* Thu Aug 21 2008 Michael Rash <mbr@cipherydne.org> -- Updated to use the deps/ directory for all perl module sources. -- fwsnort-1.0.5 release - -* Tue Jan 22 2008 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.0.4 release - -* Thu Nov 22 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.0.3 release - -* Sun Aug 26 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.0.2 release - -* Sun Aug 26 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.0.1 release - -* Thu Apr 19 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-1.0 release - -* Fri Mar 22 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-0.9.0 release - -* Sat Feb 17 2007 Michael Rash <mbr@cipherydne.org> -- fwsnort-0.8.2 release - -* Mon Sep 04 2006 Michael Rash <mbr@cipherydne.org> -- Updated to install new IPTables::Parse module out of the IPTables-Parse - directory. -- Removed smtpdaemon requirement since fwsnort does not deal with email. - -* Fri Nov 11 2005 Michael Rash <mbr@cipherydne.org> -- Initial RPM release
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/CREDITS ^
@@ -54,6 +54,7 @@ on the fwsnort mailing list. Guillermo Gomez + - Fedora maintainer of fwsnort. - Suggested a default logging location of /var/log/fwsnort/fwsnort.log instead of /var/log/fwsnort.log. The result was the addition of the LOG_DIR and associated variables in the fwsnort.conf file. @@ -79,3 +80,13 @@ Peter Vrabec - Suggested a new directory /var/lib/fwsnort/ for the fwsnort.sh script and associated files (fwsnort.save, fwsnort_iptcmd.sh, etc.). + +Andrew Merenbach + - Contributed bug fix to properly honor --exclude-regex filtering option. + +Dwight Davis + - Contributed patches for several bugs including not handling + --exclude-regex properly, not ignoring the deleted.rules file, not + handling --strict mode opertions correctly, and more. These issues and + the corresponding patch were originally reported here: + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/ChangeLog ^
@@ -1,3 +1,43 @@ +fwsnort-1.6.3 (12/21/2012): + - Bug fix to ensure that !, <, >, and = chars in content strings are + converted to the appropriate hex equivalents. All content strings with + characters outside of [A-Za-z0-9] are now converted to hex-string format + in their entirety. This should also fix an issue that results in the + following error when running /var/lib/fwsnort/fwsnort.sh: + + Using intrapositioned negation (`--option ! this`) is deprecated in + favor of extrapositioned (`! --option this`). + Bad argument `bm' + Error occurred at line: 64 + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + Done. + + - Bug fix to set default max string length in --no-ipt-test mode where + iptables capabilities are not tested. + - (Andrew Merenbach) Bug fix to properly honor --exclude-regex filtering + option. + - Added fwsnort test suite to the test/ directory. This mimics the test + suites from the psad and fwknop projects, and it designed to examine + many of the run time results of fwsnort. + - Added the ability to easily revert the fwsnort policy back to the + original iptables policy with "/var/lib/fwsnort/fwsnort.sh -r". Note + that this reverts back to the policy as it was when fwsnort itself was + executed. + - Implemented a single unified function for iptables match parameter + length testing, and optimized to drastically reduce run time for iptables + capabilities checks (going from over 20 seconds to less than one second + in some cases). + - (Dwight Davis) Contributed patches for several bugs including not + handling --exclude-regex properly, not ignoring the deleted.rules file, + not handling --strict mode opertions correctly, and more. These issues + and the corresponding patch were originally reported here: + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000 + - Bug fix for Snort rules with HOME_NET(any) -> EXTERNAL_NET(any) to + ensure they go into the OUTPUT chain instead of the INPUT chain. This + bug was reported by Dwight Davis. + - Updated to bundle the latest Emerging Threats rule set. + fwsnort-1.6.2 (04/28/2012): - Switched --no-ipt-sync to default to not syncing with the iptables policy. By default fwsnort attempts to match translated Snort rules to the
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/ChangeLog.git ^
@@ -1,426 +1,467 @@ -commit 8033d5d239dd544eaf927f1ea13c855c7ef054b6 (HEAD, refs/heads/fwsnort-1.6.2) +commit 72a47c42f415b6c8551ccb8138626fa4a5ab49ae (HEAD, refs/heads/master) Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 20:45:23 2012 -0400 +Date: Fri Dec 21 21:23:46 2012 -0500 - bumped version to 1.6.2 + removed -pre1 from version string - VERSION \| 2 +- - fwsnort \| 4 ++-- - 2 files changed, 3 insertions(+), 3 deletions(-) + fwsnort \| 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit 2e67c82d3e1e9752cba6a1e3a3971a75d86b6e3e +Author: Michael Rash <mbr@cipherdyne.org> +Date: Fri Dec 21 21:03:04 2012 -0500 + + ChangeLog.git file update for changes from 1.6.2 -> 1.6.3 + + ChangeLog.git \| 729 +++++++++++++++++++++++++++++---------------------------- + 1 file changed, 376 insertions(+), 353 deletions(-) + +commit bd7c6c622d8d17afe81d893e5cecb8ac2a83bb86 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Fri Dec 21 20:53:35 2012 -0500 + + HOME_NET -> EXTERNAL_NET to OUTPUT chain -commit 59e2ff7b2567126827bdb8136b2e242d32d16ede (refs/heads/master) + ChangeLog \| 3 +++ + 1 file changed, 3 insertions(+) + +commit 7519bff1c82e893fd737861c211d8b2fce99b401 (refs/remotes/web/master, refs/remotes/origin/master) Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 14:27:02 2012 -0400 +Date: Thu Dec 20 23:47:31 2012 -0500 - removed ShortLog in favor of ChangeLog + ChangeLog.git + updated 1.6.3 release date - ShortLog \| 727 -------------------------------------------------------------- - 1 files changed, 0 insertions(+), 727 deletions(-) + ChangeLog \| 2 +- + packaging/fwsnort-nodeps.spec \| 2 +- + packaging/fwsnort-require-makemaker.spec \| 2 +- + packaging/fwsnort.spec \| 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) -commit 562e3acb0afbef722bdfa12ec69cea3d09b1881e (refs/remotes/origin/master) +commit c4c6fed8bf536914213077298a0e9ce446889632 Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 14:23:56 2012 -0400 +Date: Thu Dec 20 23:42:28 2012 -0500 - Added --icmp-type 'any' (with capabilities test) + HOME_NET(any) -> EXTERNAL_NET(any) => OUTPUT chain + + Dwight Davis reported that "when EXTERNAL_NET is set to 'any' the outbound rules + get put into the INPUT chain": http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000 - Bug fix for recent versions of iptables (such as 1.4.12) where the icmp - match requires --icmp-type to be set - some Snort rules look for a string - to match in icmp traffic, but don't also specify an icmp type. + This commit fixes this behavior, and forces such rules to the OUTPUT chain + whenever the original Snort rule has HOME_NET -> EXTERNAL_NET. - ChangeLog \| 4 +++ - fwsnort \| 70 +++++++++++++++++++++++++++++++++++++++++++++--------------- - 2 files changed, 56 insertions(+), 18 deletions(-) + fwsnort \| 12 +++++++----- + test/test-fwsnort.pl \| 19 +++++++++++++++++-- + 2 files changed, 24 insertions(+), 7 deletions(-) -commit 619d7820e7546e247b9232a3b527cb86009315f2 +commit 0a073fde549f2e937a94dc644294bef509581f32 Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 11:44:27 2012 -0400 +Date: Wed Dec 19 23:14:14 2012 -0500 - bug fix psadlibdir -> fwsnortlibdir + added ip6tables tests - packaging/fwsnort-require-makemaker.spec \| 136 +++++++++++++++--------------- - packaging/fwsnort.spec \| 136 +++++++++++++++--------------- - 2 files changed, 136 insertions(+), 136 deletions(-) + test/test-fwsnort.pl \| 203 +++++++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 202 insertions(+), 1 deletion(-) -commit dbfc72ff06809e39bc2dff5b52323d8103625330 +commit 78b8053cddebf5cca43013c1b7ddadeb6eff574b Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 11:43:58 2012 -0400 +Date: Wed Dec 19 23:00:30 2012 -0500 - bug fix for 'qw() used as parenthesis' warnings under perl > 5.14 + converted snort options regex to use qr// form - fwsnort \| 34 +++++++++++++++++----------------- - 1 files changed, 17 insertions(+), 17 deletions(-) + fwsnort \| 152 +++++++++++++++++++++++++++++++-------------------------------- + 1 file changed, 76 insertions(+), 76 deletions(-) -commit 9b31c8bef1e24d114857e38dcf62c22861f6487b +commit 163821e511118ea2a4093e27560d28f347adeb5f Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 10:18:16 2012 -0400 +Date: Wed Dec 19 22:45:40 2012 -0500 - added ChangeLog info for the 1.6.1 and 1.6.2 releases + added --strict test - ChangeLog \| 82 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- - 1 files changed, 81 insertions(+), 1 deletions(-) + test/test-fwsnort.pl \| 15 +++++++++++++++ + 1 file changed, 15 insertions(+) -commit f65256d026d532ef5e7f862ef1273520b3cd173e +commit 894a78ce6611cf39146fb43981801a83b4f23440 Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 10:17:48 2012 -0400 +Date: Wed Dec 19 22:40:24 2012 -0500 - updated RPM spec file version to 1.6.2 + Applied patch from Dwight Davis to fix multiple issues. + + (Dwight Davis) Contributed patches for several bugs including not + handling --exclude-regex properly, not ignoring the deleted.rules file, + not handling --strict mode opertions correctly, and more. These issues + and the corresponding patch were originally reported here: + http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=693000 - packaging/fwsnort-nodeps.spec \| 4 ++-- - packaging/fwsnort-require-makemaker.spec \| 4 ++-- - packaging/fwsnort.spec \| 4 ++-- - 3 files changed, 6 insertions(+), 6 deletions(-) + CREDITS \| 7 +++++++ + ChangeLog \| 5 +++++ + fwsnort \| 46 +++++++++++++++++++++++++++++++++++----------- + 3 files changed, 47 insertions(+), 11 deletions(-) -commit ac12a3d634874f480c8e6e4cebd3aed7fcf8bca2 +commit 716d3e8464cd4e49f4231c464c45975a3fa2ec27 Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Apr 28 10:17:05 2012 -0400 +Date: Wed Dec 19 21:44:06 2012 -0500 - updated to the latest Snort rules from Emerging Threats + added --include-type emerging-all test - deps/snort_rules/emerging-all.rules \| 2852 +++++++++++++++++++++++++---------- - 1 files changed, 2032 insertions(+), 820 deletions(-) + test/test-fwsnort.pl \| 52 ++++++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 52 insertions(+) -commit eab4b7f597deda88fe01662c1ac0d44ecf8be7f0 +commit fc679fb26d376a615b7e4962c11ce348db599e6d Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Apr 19 21:30:43 2012 -0400 +Date: Wed Dec 19 21:21:39 2012 -0500 - moved ChangeLog.old -> ChangeLog (the old style is much more readable) + added --include-type + --exclude-type test - ChangeLog \| 7229 +++------------------------------------------------------ - ChangeLog.old \| 428 ---- - 2 files changed, 381 insertions(+), 7276 deletions(-) + test/test-fwsnort.pl \| 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) -commit 25c279906d353b90e294b6f6c5c36fc311c15f5f +commit b6b8719c54cf0bc98295f224a138d18419170fa2 Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Apr 19 21:30:16 2012 -0400 +Date: Wed Dec 19 21:17:54 2012 -0500 - minor documentation fixes + added --exclude-type tests - fwsnort \| 2 +- - fwsnort.8 \| 14 +++++++------- - 2 files changed, 8 insertions(+), 8 deletions(-) + test/test-fwsnort.pl \| 34 ++++++++++++++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +commit eaef45f24c9db76de18e70df70abda4195661ee7 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Wed Dec 19 21:17:37 2012 -0500 -commit f8c7588616510c31147da89f8674e3cc27a62d3a + fwsnort.sh to use exec to pick up iptables-restore exit status + + fwsnort \| 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +commit 67b118dd8053e381cf5dc335f3a0cb12dc2c3692 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Wed Dec 19 19:40:12 2012 -0500 + + added return value checking in --enable-fw-exec mode + + test/test-fwsnort.pl \| 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +commit 170abf64b6a6341e2fb6a873e3c8752bee8f9e34 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Wed Dec 19 19:37:16 2012 -0500 + + added --ipt-revert option, though --ipt-flush is usually more desirable + + fwsnort \| 15 +++++++++++++++ + fwsnort.8 \| 13 +++++++++++++ + 2 files changed, 28 insertions(+) + +commit 8b371c570c6a060744775452c5b73fa70aeabaf2 Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Apr 19 21:29:58 2012 -0400 +Date: Wed Dec 19 19:17:16 2012 -0500 - added 1.6.2 release + added fw_exec for --enable-fw-exec mode to instantiate and revert fwsnort policy - packaging/fwsnort-nodeps.spec \| 4 ++++ - 1 files changed, 4 insertions(+), 0 deletions(-) + test/test-fwsnort.pl \| 26 +++++++++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) -commit 6dca2e37a06952146b860f3c34abec34b6dcf149 +commit 8438f236ca912d4e828c8a6e38af2fbf3a1d9fe8 Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Apr 19 21:28:50 2012 -0400 +Date: Wed Dec 19 18:58:08 2012 -0500 - Removed the ExtUtils::MakeMaker build requirement + iptables capabilities check optimization - Although building the fwsnort RPM builds a set of perl modules which themselves - have the 'use ExtUtils::MakeMaker' requirement in their respective Makefile.PL - scripts, some Linux distributions don't seem to make it easy to install - ExtUtils::MakeMaker in a manner in which the local RPM install can see it. - And, at the same time, it usually is there since installing perl modules is - such a common operation. The compromise is this solution, which will allow the - fwsnort RPM to be built even if RPM dosen't or can't see that ExtUtils::MakeMaker - is installed - most likely it will build anyway. If it doesn't, there are - bigger problems since fwsnort is written in perl. If you want to build the fwsnort - RPM with a .spec file that requires ExtUtils::MakeMaker, then use the - "fwsnort-require-makemaker.spec" file that is bundled in the fwsnort sources. - - packaging/fwsnort-nobuildreqs.spec \| 172 --------------------- - packaging/fwsnort-require-makemaker.spec \| 239 ++++++++++++++++++++++++++++++ - packaging/fwsnort.spec \| 83 +++++++++- - 3 files changed, 313 insertions(+), 181 deletions(-) - -commit 774b5841386a69d0e701b1c866bc34bc641ab395 -Author: Michael Rash <mbr@cipherdyne.org> -Date: Fri Mar 2 22:58:11 2012 -0500 - - updated IPTables::Parse to 1.1 - - deps/IPTables-Parse/Changes \| 26 +++- - deps/IPTables-Parse/MANIFEST \| 1 + - deps/IPTables-Parse/META.json \| 39 +++++ - deps/IPTables-Parse/META.yml \| 21 +++ - deps/IPTables-Parse/README \| 2 +- - deps/IPTables-Parse/VERSION \| 2 +- - deps/IPTables-Parse/lib/IPTables/Parse.pm \| 145 +++++++++--------- - deps/IPTables-Parse/t/basic_tests.pl \| 247 +++++++++++++++++++++++++++++ - 8 files changed, 408 insertions(+), 75 deletions(-) - -commit 818483ea7541371c0f771640b6e893823c86bd5b -Author: Michael Rash <mbr@cipherdyne.org> -Date: Mon Feb 20 20:33:18 2012 -0500 - - updated to IPTables::Parse 0.8 - - deps/IPTables-Parse/Changes \| 29 ++- - deps/IPTables-Parse/README \| 4 +- - deps/IPTables-Parse/VERSION \| 2 +- - deps/IPTables-Parse/lib/IPTables/Parse.pm \| 450 ++++++++++++++++++++++++---- - fwsnort \| 17 +- - 5 files changed, 425 insertions(+), 77 deletions(-) + Implemented a single unified function for iptables match parameter + length testing, and optimized to drastically reduce run time for iptables + capabilities checks (going from over 20 seconds to less than one second + in some cases). -commit e7bb9c6d0663b3ebdccfa619f42beff2c851e531 + ChangeLog \| 4 ++ + fwsnort \| 115 +++++++++++++++++++------------------------------- + test/test-fwsnort.pl \| 3 ++ + 3 files changed, 51 insertions(+), 71 deletions(-) + +commit a20b84ba6cfdc1d6a9c61266ae5b73c9b681e82e Author: Michael Rash <mbr@cipherdyne.org> -Date: Sun Feb 19 13:21:27 2012 -0500 +Date: Wed Dec 19 18:57:07 2012 -0500 - bumped version to 1.6.2-pre1 + Added easy way to revert fwsnort iptables policy changes + + Added the ability to easily revert the fwsnort policy back to the + original iptables policy with "/var/lib/fwsnort/fwsnort.sh -r". Note + that this reverts back to the policy as it was when fwsnort itself was + executed. - fwsnort \| 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) + ChangeLog \| 4 ++++ + fwsnort \| 32 ++++++++++++++++++++++++++------ + 2 files changed, 30 insertions(+), 6 deletions(-) -commit 95a39ee4fc5563ea337d9c60178b2bec23692b5e +commit b87e2e0453e10357622f8a6f75634166dbbccec3 Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Feb 18 14:33:29 2012 -0500 +Date: Tue Dec 18 21:44:57 2012 -0500 + + added a test suite for fwsnort - converted from Net::AddrIPv4 to the excellent NetAddr::IP module + ChangeLog \| 3 + + test/conf/default_fwsnort.conf \| 116 ++++++++ + test/test-fwsnort.pl \| 582 ++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 701 insertions(+) + +commit 7aefe38bc8985c2f34cb5bfc61bed7b2c996308a +Author: Michael Rash <mbr@cipherdyne.org> +Date: Tue Dec 18 21:41:14 2012 -0500 - INSTALL \| 2 +- - fwsnort \| 32 ++++++++++++++++---------------- - install.pl \| 4 ++-- - 3 files changed, 19 insertions(+), 19 deletions(-) - -commit 7a7e4653c3dcd56884fc88e78bedcbda691f6647 -Author: Michael Rash <mbr@cipherdyne.org> -Date: Sat Feb 18 14:33:19 2012 -0500 - - converted from Net::AddrIPv4 to the excellent NetAddr::IP module - - deps/Net-IPv4Addr/ChangeLog \| 90 - - deps/Net-IPv4Addr/IPv4Addr.pm \| 385 - - deps/Net-IPv4Addr/IPv4Addr.spec \| 90 - - deps/Net-IPv4Addr/MANIFEST \| 15 - - deps/Net-IPv4Addr/Makefile.PL \| 8 - - deps/Net-IPv4Addr/NEWS \| 28 - - deps/Net-IPv4Addr/README \| 41 - - deps/Net-IPv4Addr/VERSION \| 1 - - deps/Net-IPv4Addr/debian/changelog \| 37 - - deps/Net-IPv4Addr/debian/control \| 12 - - deps/Net-IPv4Addr/debian/copyright \| 14 - - deps/Net-IPv4Addr/debian/dirs \| 4 - - deps/Net-IPv4Addr/debian/docs \| 4 - - deps/Net-IPv4Addr/debian/rules \| 85 - - deps/Net-IPv4Addr/ipv4calc \| 89 - - deps/Net-IPv4Addr/test.pl \| 68 - - deps/NetAddr-IP/Artistic \| 131 + - deps/NetAddr-IP/Changes \| 464 ++ - deps/NetAddr-IP/Copying \| 339 + - deps/NetAddr-IP/IP.pm \| 1572 ++++ - deps/NetAddr-IP/Lite/Changes \| 373 + - deps/NetAddr-IP/Lite/Lite.pm \| 1583 ++++ - deps/NetAddr-IP/Lite/MANIFEST \| 126 + - deps/NetAddr-IP/Lite/MANIFEST.SKIP \| 31 + - deps/NetAddr-IP/Lite/META.yml \| 10 + - deps/NetAddr-IP/Lite/Makefile.PL \| 42 + - deps/NetAddr-IP/Lite/README \| 510 ++ - deps/NetAddr-IP/Lite/Util/Changes \| 255 + - deps/NetAddr-IP/Lite/Util/MANIFEST \| 53 + - deps/NetAddr-IP/Lite/Util/MANIFEST.SKIP \| 31 + - deps/NetAddr-IP/Lite/Util/Makefile.PL \| 235 + - deps/NetAddr-IP/Lite/Util/README \| 605 ++ - deps/NetAddr-IP/Lite/Util/Util.pm \| 968 +++ - deps/NetAddr-IP/Lite/Util/Util.xs \| 801 ++ - deps/NetAddr-IP/Lite/Util/config.h.in \| 127 + - deps/NetAddr-IP/Lite/Util/configure \| 7799 ++++++++++++++++++++ - deps/NetAddr-IP/Lite/Util/configure.ac \| 54 + - .../Lite/Util/lib/NetAddr/IP/InetBase.pm \| 791 ++ - deps/NetAddr-IP/Lite/Util/lib/NetAddr/IP/UtilPP.pm \| 722 ++ - deps/NetAddr-IP/Lite/Util/localconf.h \| 80 + - deps/NetAddr-IP/Lite/Util/t/4to6.t \| 69 + - deps/NetAddr-IP/Lite/Util/t/add128.t \| 92 + - deps/NetAddr-IP/Lite/Util/t/addconst.t \| 77 + - deps/NetAddr-IP/Lite/Util/t/af_inet6.t \| 46 + - deps/NetAddr-IP/Lite/Util/t/anyto6.t \| 86 + - deps/NetAddr-IP/Lite/Util/t/badd.t \| 69 + - deps/NetAddr-IP/Lite/Util/t/bcd2bin.t \| 68 + - deps/NetAddr-IP/Lite/Util/t/bcdn2bin.t \| 73 + - deps/NetAddr-IP/Lite/Util/t/bin.t \| 111 + - deps/NetAddr-IP/Lite/Util/t/binet_n2ad.t \| 49 + - deps/NetAddr-IP/Lite/Util/t/binet_n2dx.t \| 50 + - deps/NetAddr-IP/Lite/Util/t/binet_ntoa.t \| 66 + - deps/NetAddr-IP/Lite/Util/t/binet_pton.t \| 96 + - deps/NetAddr-IP/Lite/Util/t/bipv4_inet.t \| 59 + - deps/NetAddr-IP/Lite/Util/t/bipv6_any2n.t \| 48 + - deps/NetAddr-IP/Lite/Util/t/bipv6func.t \| 76 + - deps/NetAddr-IP/Lite/Util/t/bisIPv4.t \| 187 + - deps/NetAddr-IP/Lite/Util/t/bpackzeros.t \| 52 + - deps/NetAddr-IP/Lite/Util/t/comp128.t \| 48 + - deps/NetAddr-IP/Lite/Util/t/croak.t \| 168 + - deps/NetAddr-IP/Lite/Util/t/hasbits.t \| 147 + - deps/NetAddr-IP/Lite/Util/t/inet_4map6.t \| 70 + - deps/NetAddr-IP/Lite/Util/t/inet_n2ad.t \| 48 + - deps/NetAddr-IP/Lite/Util/t/inet_n2dx.t \| 50 + - deps/NetAddr-IP/Lite/Util/t/inet_pton.t \| 96 + - deps/NetAddr-IP/Lite/Util/t/ipv4_inet.t \| 59 + - deps/NetAddr-IP/Lite/Util/t/ipv6_any2n.t \| 47 + - deps/NetAddr-IP/Lite/Util/t/ipv6_ntoa.t \| 66 + - deps/NetAddr-IP/Lite/Util/t/ipv6func.t \| 75 + - deps/NetAddr-IP/Lite/Util/t/ipv6to4.t \| 55 + - deps/NetAddr-IP/Lite/Util/t/isIPv4.t \| 186 + - deps/NetAddr-IP/Lite/Util/t/leftshift.t \| 58 + - deps/NetAddr-IP/Lite/Util/t/mode.t \| 26 + - deps/NetAddr-IP/Lite/Util/t/naip_gethostbyname.t \| 59 + - .../Lite/Util/t/no6_naip_gethostbyname.t \| 58 + - deps/NetAddr-IP/Lite/Util/t/notcontiguous.t \| 72 + - deps/NetAddr-IP/Lite/Util/t/packzeros.t \| 53 + - deps/NetAddr-IP/Lite/Util/t/simple_pack.t \| 51 + - deps/NetAddr-IP/Lite/Util/t/sub128.t \| 68 + - .../Lite/Util/tlib/NetAddr/IP/Util_IS.pm \| 51 + - deps/NetAddr-IP/Lite/Util/typemap \| 28 + - deps/NetAddr-IP/Lite/bug2742981 \| 96 + - deps/NetAddr-IP/Lite/t/addr.t \| 36 + - deps/NetAddr-IP/Lite/t/aton.t \| 33 + - deps/NetAddr-IP/Lite/t/bigint.t \| 170 + - deps/NetAddr-IP/Lite/t/bignums.t \| 130 + - deps/NetAddr-IP/Lite/t/bin_ips.t \| 102 + - deps/NetAddr-IP/Lite/t/bits.t \| 37 + - deps/NetAddr-IP/Lite/t/broadcast.t \| 37 + - deps/NetAddr-IP/Lite/t/bug62521.t \| 28 + - deps/NetAddr-IP/Lite/t/cidr.t \| 36 + - deps/NetAddr-IP/Lite/t/constants.t \| 19 + - deps/NetAddr-IP/Lite/t/contains.t \| 40 + - deps/NetAddr-IP/Lite/t/copy.t \| 52 + - deps/NetAddr-IP/Lite/t/firstlast.t \| 66 + - deps/NetAddr-IP/Lite/t/lemasklen.t \| 19 + - deps/NetAddr-IP/Lite/t/loops.t \| 51 + - deps/NetAddr-IP/Lite/t/lower.t \| 11 + - deps/NetAddr-IP/Lite/t/mask.t \| 44 + - deps/NetAddr-IP/Lite/t/masklen.t \| 37 + - deps/NetAddr-IP/Lite/t/netaddr.t \| 208 + - deps/NetAddr-IP/Lite/t/network.t \| 44 + - deps/NetAddr-IP/Lite/t/new-nth.t \| 44 + - deps/NetAddr-IP/Lite/t/new-num.t \| 33 + - deps/NetAddr-IP/Lite/t/numeric.t \| 36 + - deps/NetAddr-IP/Lite/t/old-nth.t \| 36 + - deps/NetAddr-IP/Lite/t/old-num.t \| 33 + - deps/NetAddr-IP/Lite/t/over-qq.t \| 53 + - deps/NetAddr-IP/Lite/t/over_comp.t \| 66 + - deps/NetAddr-IP/Lite/t/over_copy.t \| 85 + - deps/NetAddr-IP/Lite/t/over_equal.t \| 122 + - deps/NetAddr-IP/Lite/t/over_math.t \| 64 + - deps/NetAddr-IP/Lite/t/overminus.t \| 45 + - deps/NetAddr-IP/Lite/t/pathological.t \| 27 + - deps/NetAddr-IP/Lite/t/range.t \| 34 + - deps/NetAddr-IP/Lite/t/relops.t \| 59 + - deps/NetAddr-IP/Lite/t/v4-aton.t \| 59 + - deps/NetAddr-IP/Lite/t/v4-badnm.t \| 42 + - deps/NetAddr-IP/Lite/t/v4-base.t \| 19 + - deps/NetAddr-IP/Lite/t/v4-basem.t \| 24 + - deps/NetAddr-IP/Lite/t/v4-cidr.t \| 28 + - deps/NetAddr-IP/Lite/t/v4-cnew.t \| 30 + - deps/NetAddr-IP/Lite/t/v4-contains.t \| 60 + - deps/NetAddr-IP/Lite/t/v4-last.t \| 32 + - deps/NetAddr-IP/Lite/t/v4-new-first.t \| 30 + - deps/NetAddr-IP/Lite/t/v4-new.t \| 67 + - deps/NetAddr-IP/Lite/t/v4-new_from_aton.t \| 27 + - deps/NetAddr-IP/Lite/t/v4-no_octal.t \| 50 + - deps/NetAddr-IP/Lite/t/v4-num.t \| 36 + - deps/NetAddr-IP/Lite/t/v4-numeric.t \| 36 + - deps/NetAddr-IP/Lite/t/v4-old-first.t \| 30 + - deps/NetAddr-IP/Lite/t/v4-range.t \| 48 + - deps/NetAddr-IP/Lite/t/v4-snew.t \| 29 + - deps/NetAddr-IP/Lite/t/v4-wnew.t \| 23 + - deps/NetAddr-IP/Lite/t/v4_new_cis.t \| 68 + - deps/NetAddr-IP/Lite/t/v6-cnew.t \| 27 + - deps/NetAddr-IP/Lite/t/v6-contains.t \| 51 + - deps/NetAddr-IP/Lite/t/v6-inc.t \| 38 + - deps/NetAddr-IP/Lite/t/v6-new-base.t \| 70 + - deps/NetAddr-IP/Lite/t/v6-new_cis6_base.t \| 69 + - deps/NetAddr-IP/Lite/t/v6-new_cis_base.t \| 69 + - deps/NetAddr-IP/Lite/t/v6-num.t \| 53 + - deps/NetAddr-IP/Lite/t/v6-numeric.t \| 91 + - deps/NetAddr-IP/Lite/t/v6-old-base.t \| 70 + - deps/NetAddr-IP/Lite/t/version.t \| 29 + - deps/NetAddr-IP/Lite/t/within.t \| 40 + - deps/NetAddr-IP/MANIFEST \| 165 + - deps/NetAddr-IP/MANIFEST.SKIP \| 31 + - deps/NetAddr-IP/META.yml \| 14 + - deps/NetAddr-IP/Makefile.PL \| 91 + - deps/NetAddr-IP/TODO \| 5 + - deps/NetAddr-IP/VERSION \| 1 + - deps/NetAddr-IP/docs/rfc1884.txt \| 1023 +++ - deps/NetAddr-IP/t/constants.t \| 20 + - deps/NetAddr-IP/t/full.t \| 25 + - deps/NetAddr-IP/t/full6.t \| 25 + - deps/NetAddr-IP/t/imhoff.t \| 35 + - deps/NetAddr-IP/t/loops.t \| 33 + - deps/NetAddr-IP/t/lower.t \| 11 + - deps/NetAddr-IP/t/masklen.t \| 21 + - deps/NetAddr-IP/t/new-store.t \| 40 + - deps/NetAddr-IP/t/old-store.t \| 40 + - deps/NetAddr-IP/t/over-arr.t \| 20 + - deps/NetAddr-IP/t/over-qq.t \| 55 + - deps/NetAddr-IP/t/relops.t \| 59 + - deps/NetAddr-IP/t/short.t \| 57 + - deps/NetAddr-IP/t/splitref.t \| 27 + - deps/NetAddr-IP/t/v4-coalesce.t \| 54 + - deps/NetAddr-IP/t/v4-compact.t \| 110 + - deps/NetAddr-IP/t/v4-compplus.t \| 35 + - deps/NetAddr-IP/t/v4-hostenum.t \| 50 + - deps/NetAddr-IP/t/v4-re.t \| 38 + - deps/NetAddr-IP/t/v4-split-bulk.t \| 23 + - deps/NetAddr-IP/t/v4-split-list.t \| 54 + - deps/NetAddr-IP/t/v4-splitplan.t \| 73 + - deps/NetAddr-IP/t/v4-sprefix.t \| 51 + - deps/NetAddr-IP/t/v4-xprefix.t \| 48 + - deps/NetAddr-IP/t/v6-re.t \| 69 + - deps/NetAddr-IP/t/v6-split-bulk.t \| 21 + - deps/NetAddr-IP/t/v6-splitplan.t \| 72 + - deps/NetAddr-IP/t/wildcard.t \| 37 + - 181 files changed, 26626 insertions(+), 971 deletions(-) - -commit cca8f706be83ffb440b09053cacd032865ca69dd (tag: refs/tags/fwsnort-1.6.2-pre1) -Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Feb 16 21:32:19 2012 -0500 - - added the proper ChangeLog back in + added --install-test-dir argument for test suite installation - ChangeLog \| 2184 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 files changed, 2184 insertions(+), 0 deletions(-) + install.pl \| 93 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 85 insertions(+), 8 deletions(-) -commit f4715fe90d6ae875fc8570d00198c7b72a5eb413 +commit 5435bf6bacb6ed2fd6efdc1d199c2729506ca982 Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Feb 16 21:24:25 2012 -0500 +Date: Tue Dec 18 21:40:44 2012 -0500 - bumped version to 1.6.2-pre1 + bug fix in --no-ipt-test mode to ensure no empty lines in fwsnort.save related to the conntrack test + + fwsnort \| 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +commit bf229236b79e3a33fb9507c384ca783d368de93f +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 22:25:20 2012 -0500 + + (Andrew Merenbach) Bug fix to properly honor --exclude-regex filtering option. + + CREDITS \| 3 +++ + ChangeLog \| 2 ++ + fwsnort \| 2 +- + 3 files changed, 6 insertions(+), 1 deletion(-) + +commit 99650e5b058be7933a2611e1ecee293bc3abbc4a +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 22:00:13 2012 -0500 + + bumped version to 1.6.3 + + fwsnort \| 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit a4fbc7fe48642e7efab12e812be57ca3abc3995f +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:59:51 2012 -0500 + + bumped version to 1.6.3 VERSION \| 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) + 1 file changed, 1 insertion(+), 1 deletion(-) -commit 724f75a13f3ec264eccb553c6c28f83706048047 +commit 15e3e8b9c45c85aae4870ddfad823a120ddb2158 Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Feb 16 21:18:44 2012 -0500 +Date: Mon Dec 17 21:59:31 2012 -0500 + + added README to version changing script - Switched --no-ipt-sync to default to not syncing with the iptables policy + bump_version.pl \| 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +commit 9dd187797a0656afde69a1422925459bf69d5bbe +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:59:05 2012 -0500 + + minor ChangeLog update + + ChangeLog \| 2 ++ + 1 file changed, 2 insertions(+) + +commit 0eee109dc35305bf6827bb7e8c9332fa451c25e9 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:56:45 2012 -0500 + + All strings with non [A-Za-z0-9] chars now converted to hex format - By default fwsnort attempts to match translated Snort rules to the running - iptables policy, but this is tough to do well because iptables policies can be - complex. And, before fwsnort switched to the iptables-save format for - instantiating the policy, a large set of translated rules could take a really - long time to make active within the kernel. Finally, many Snort rules restrict - themselves to established TCP connections anyway, and if a restrictive policy - doesn't allow connections to get into the established state for some port let's - say, then there is little harm in having translated Snort rules for this port. - Some kernel memory would be wasted (small), but no performance would be lost - since packets won't be processed against these rules anyway. The end result is - that the default behavior is now to not sync with the local iptables policy in - favor of translating and instantiating as many rules as possible. + Bug fix to ensure that !, <, >, and = chars in content strings are + converted to the appropriate hex equivalents. All content strings with + characters outside of [A-Za-z0-9] are now converted to hex-string format + in their entirety. This should also fix an issue that results in the + following error when running /var/lib/fwsnort/fwsnort.sh: - This commit also moves the fwsnort.sh script and associated files into the - /var/lib/fwsnort/ directory. + Using intrapositioned negation (`--option ! this`) is deprecated in + favor of extrapositioned (`! --option this`). + Bad argument `bm' + Error occurred at line: 64 + Try `iptables-restore -h' or 'iptables-restore --help' for more + information. + Done. + + fwsnort \| 115 ++++++++++++++++++++++++++++++++++++++++++++++++++------------- + 1 file changed, 91 insertions(+), 24 deletions(-) + +commit 4468524dedf869f0ad34a243075940cd33376229 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:56:28 2012 -0500 + + added INSTALL_ROOT variable + + install.pl \| 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +commit 85d20e92eee245a475464c418db3b471e2b6502d +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:56:13 2012 -0500 + + added INSTALL_ROOT variable + + fwsnort.conf \| 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +commit 16805833ef3136c085bc432ade8c2ca241b2f3d0 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:50:17 2012 -0500 + + added fwsnort-1.6.3 changes + + ChangeLog \| 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +commit 518ccd791c56cb995e2d4a35f3170cba9420c00a +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:49:54 2012 -0500 + + fwsnort-1.6.3 release + + packaging/fwsnort-nodeps.spec \| 15 ++++++++++----- + packaging/fwsnort-require-makemaker.spec \| 15 ++++++++++----- + packaging/fwsnort.spec \| 15 ++++++++++----- + 3 files changed, 30 insertions(+), 15 deletions(-) + +commit 46260f13b61e47eb1ac9ff47728d517aba9b2b5e +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:43:47 2012 -0500 + + minor README re-ordering + + README \| 45 ++++++++++++++++++++++----------------------- + 1 file changed, 22 insertions(+), 23 deletions(-) + +commit f08b09a5d6f3da23f20cc86209a77d6ca46a2602 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:43:11 2012 -0500 + + added various unrecognized snort rule options + + snort_opts.pl \| 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +commit 897e4296ba0a660e93bc10285357b635c79ebc12 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Mon Dec 17 21:26:56 2012 -0500 + + updated Emerging Threats rule set + + deps/snort_rules/emerging-all.rules \| 1755 +++++++++++++++++++++++++++-------- + 1 file changed, 1349 insertions(+), 406 deletions(-) + +commit c99826c59d1e1b250c98580d7381a4935b78f0d4 (tag: refs/tags/fwsnort-1.6.3-pre1) +Author: Michael Rash <mbr@cipherdyne.org> +Date: Tue Sep 18 20:46:02 2012 -0400 + + bumped version to 1.6.3-pre1 + + VERSION \| 2 +- + fwsnort \| 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +commit 3588d8839bcba830a7d220b509cf15e683c45576 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Tue Sep 18 20:45:18 2012 -0400 + + started on 1.6.3 ChangeLog + + ChangeLog \| 4 ++++ + 1 file changed, 4 insertions(+) + +commit 884e7aafb90739a4bc09a34f7bc96f2508836d85 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Tue Sep 18 20:43:11 2012 -0400 + + make sure \!, <, >, and = are converted to hex equivalents + + fwsnort \| 4 ++++ + 1 file changed, 4 insertions(+) + +commit 56f1fdc03e05f910105facd0efa4640c313322aa +Author: Michael Rash <mbr@cipherdyne.org> +Date: Tue Sep 18 20:39:23 2012 -0400 + + rules update from Emerging Threats + + deps/snort_rules/emerging-all.rules \| 4767 ++++++++++++++++++++++++++++------- + 1 file changed, 3910 insertions(+), 857 deletions(-) + +commit b0f806220e3cdaf02a05a049e21fa1f695d2db65 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun Jun 10 23:07:37 2012 -0400 + + applied patch from Franck to fix man page paths to reflect new installation directory structure + + fwsnort.8 \| 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +commit cb48ba098c51e0d4b9eefcc0a51cbb0219c8907b +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 14:14:16 2012 -0400 + + updated QUEUE_RULES_DIR path to a sub-dir of /var/lib/fwsnort/ + + fwsnort.conf \| 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit b404d75afbc7351e38249f7f07736154ebb5e47b +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 13:37:20 2012 -0400 + + added note about trying yum/agt-get installation (Guillermo Gomez) + + README.RPM \| 6 ++++++ + 1 file changed, 6 insertions(+) + +commit ea0803577b76aca30a0ca7fbe7ec74d13a4442de +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 13:32:52 2012 -0400 + + minor version update (mentioned by Guillermo Gomez) + + README \| 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +commit fdba1beb554fee3e5556478ee1c2ec186b8811ba +Merge: a15b8f6 f447c4b +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 13:29:04 2012 -0400 + + Merge branch 'refs/heads/fwsnort-1.6.2' + +commit a15b8f6e074274b76903055313f48e4faddd3cfb +Merge: 59e2ff7 5d1d646 +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 13:28:50 2012 -0400 + + merged fwsnort-1.6.2 + +commit f447c4baea916c10daf1a5e19dc73eb1b6dc906a (refs/remotes/web/fwsnort-1.6.2, refs/remotes/origin/fwsnort-1.6.2, refs/heads/fwsnort-1.6.2) +Author: Michael Rash <mbr@cipherdyne.org> +Date: Sun May 27 13:27:18 2012 -0400 + + GPL license address update (mentioned by Guillermo Gomez) - CREDITS \| 5 ++++- - fwsnort \| 36 ++++++++++++++++++------------------ - fwsnort.8 \| 15 +++++++++++---- - fwsnort.conf \| 13 +++++++------ - install.pl \| 2 +- - 5 files changed, 41 insertions(+), 30 deletions(-) + LICENSE \| 2 +- + README \| 2 +- + fwsnort \| 2 +- + install.pl \| 2 +- + packaging/cd_rpmbuilder \| 2 +- + snortspoof.pl \| 2 +- + 6 files changed, 6 insertions(+), 6 deletions(-) -commit 863f73aead5ca9111c64de98fca6a6631e40c7b5 +commit 6e4895e19fdedde6ee0e1448c52727fd88ee4acc Author: Michael Rash <mbr@cipherdyne.org> -Date: Thu Feb 16 20:36:59 2012 -0500 +Date: Sun May 27 13:25:23 2012 -0400 - updated to the latest emerging threats Snort rules + mentioned Guillermo Gomez as the fwsnort maintainer - deps/snort_rules/emerging-all.rules \|26379 ++++++++++++++++++----------------- - 1 files changed, 13483 insertions(+), 12896 deletions(-) + CREDITS \| 1 + + 1 file changed, 1 insertion(+)
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/LICENSE ^
@@ -2,7 +2,7 @@ Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. - 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/README ^
@@ -1,28 +1,8 @@ fwsnort (Firewall Snort) -Version: 1.1 +Version: 1.6.3 Author: Michael Rash <mbr@cipherdyne.org> Website: http://www.cipherdyne.org/fwsnort/ -Snort is a registered trademark of Sourcefire, Inc - -INSTALLATION: - - (See the INSTALL file in the source directory.) - -UPGRADING: - - If are installing fwsnort from sources (i.e. not through a distribution -package manager such as RPM or apt), you can just run the "install.pl" script. -It takes care of upgrades, and it will merge any customized configuration -variables in the /etc/fwsnort/fwsnort.conf file with the new file in the -source directory. Even if you are using a distribution package manager, you -can still run the install.pl script in order to preserve any existing -configuration. However, in this case the install.pl script will also put in -place fwsnort according to how it normally handles installation paths, and -these may not match how your distribution package manager normally handles -things. - - DESCRIPTION: fwsnort is a perl script that translates Snort rules into equivalent iptables @@ -42,7 +22,7 @@ fwsnort requires the iptables string match module in order to be able to detect application layer attacks. If you are running modern Linux distribution then it is likely that the kernel has been compiled with iptables -string matching support, and fwsnort will test this. +string matching support, and fwsnort will automatically test this. PLATFORMS: @@ -50,9 +30,28 @@ on Linux running a 2.6 series kernel (with some support for 2.4 kernels as well). +Snort is a registered trademark of Sourcefire, Inc + +INSTALLATION: + + (See the INSTALL file in the source directory.) + +UPGRADING: + + If are installing fwsnort from sources (i.e. not through a distribution +package manager such as RPM or apt), you can just run the "install.pl" script. +It takes care of upgrades, and it will merge any customized configuration +variables in the /etc/fwsnort/fwsnort.conf file with the new file in the +source directory. Even if you are using a distribution package manager, you +can still run the install.pl script in order to preserve any existing +configuration. However, in this case the install.pl script will also put in +place fwsnort according to how it normally handles installation paths, and +these may not match how your distribution package manager normally handles +things. + COPYRIGHT: -Copyright (C) 2003-2010 Michael Rash (mbr@cipherdyne.org) +Copyright (C) 2003-2012 Michael Rash (mbr@cipherdyne.org) fwsnort is distributed under the GNU General Public License (GPLv2), and the latest version may be downloaded from http://www.cipherdyne.org/ @@ -69,4 +68,4 @@ You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software -Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/README.RPM ^
@@ -1,4 +1,10 @@ +NOTE: Before building an RPM manually for your Linux system, it is recommended +to try installing fwsnort via the standard software install mechanism for your +distribution since fwsnort is available in many distribution software +repositories. For example, you can try installing fwsnort with 'yum' or +'apt-get' depending on the type of Linux distribution that you are running. + Building RPM files that are compatible with all possible Linux distributions is a difficult task. If a given RPM file that is downloaded from http://www.cipherdyne.org/ is not compatible with your particular Linux
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/VERSION ^
@@ -1 +1 @@ -1.6.2 +1.6.3
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/bump_version.pl ^
@@ -11,9 +11,10 @@ use strict; -my @files = qw( +my @files = (qw( fwsnort -); + README +)); my $new_version = $ARGV[0] or die "[*] $0 <new version>";
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/deps/snort_rules/emerging-all.rules ^
@@ -37,6 +37,7 @@ # # This Ruleset is EmergingThreats Open optimized for snort-2.9.0. + #by Jaime Blasco # #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE HTTP 401 Unauthorized"; flow:from_server,established; content:"401"; http_stat_code; threshold: type both, count 1, seconds 300, track by_dst; reference:url,doc.emergingthreats.net/2009345; classtype:attempted-recon; sid:2009345; rev:7;) @@ -682,11 +683,11 @@ #Temporarily disabled until we get a fix for an FP problem # -#alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DOS Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:3;) +##alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET DELETED Possible Cisco ASA 5500 Series Adaptive Security Appliance Remote SIP Inspection Device Reload Denial of Service Attempt"; content:"REGISTER"; depth:8; nocase; isdataat:400,relative; pcre:"/REGISTER.{400}/smi"; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=19915; reference:cve,2010-0569; reference:url,doc.emergingthreats.net/2010818; classtype:attempted-dos; sid:2010818; rev:4;) #matt jonkman, idea from Jason Weir # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"Content-Disposition\|3A\| attachment\|3b\|"; nocase; content:"filename=\|22\|DHL_"; nocase; content:".zip\|22\|"; nocase; pcre:"/filename=\x22DHL_(tracking\|document\|(\|print_\|package_)label)(\|_nr\|_id.nr)(\|[0-9]{4,5}\|_[0-9a-z]{4,5})\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:11;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS DHL Spam Inbound"; flow:established,to_server; content:"name=\|22\|DHL"; nocase; content:".zip\|22\|"; within:68; nocase; pcre:"/name=\x22DHL(\s\|_\|\-)?[a-z0-9\-_\.\s]{0,63}\.zip\x22/i"; reference:url,doc.emergingthreats.net/2010148; classtype:trojan-activity; sid:2010148; rev:12;) #matt jonkman, idea from Jason Weir # @@ -706,7 +707,7 @@ #Matt Jonkman # -alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; content:"Content-Disposition\|3A\| attachment\|3b\|"; nocase; content:"filename"; pcre:"/filename\s=.(UPS\|United Parcel Service).\.(rar\|exe\|zip)/im"; classtype:trojan-activity; sid:2010644; rev:14;) +alert tcp !152.0.0.0/16 any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"ups.com"; nocase; fast_pattern; content:"Content-Disposition\|3A\| attachment\|3b\|"; nocase; content:"filename"; pcre:"/filename\s?=[^\n]?(UPS\|United Parcel Service)[^\n]?\.(rar\|exe\|zip)/im"; classtype:trojan-activity; sid:2010644; rev:15;) #evilghost # @@ -813,7 +814,7 @@ #kevin ross #Additional references and slight modification to msg # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; file_data; content:".addBehavior"; nocase; content:"\|23\|default\|23\|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt"; flow:established,to_client; file_data; content:".addBehavior"; nocase; content:"\|23\|default\|23\|userdata"; nocase; within:100; content:"setAttribute"; nocase; distance:0; content:"onclick"; nocase; distance:0; content:"onclick"; nocase; distance:0; reference:url,www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/; reference:url,tools.cisco.com/security/center/viewAlert.x?alertId=20052; reference:url,www.microsoft.com/technet/security/bulletin/ms10-018.mspx; reference:url,www.kb.cert.org/vuls/id/744549; reference:cve,2010-0806; reference:url,doc.emergingthreats.net/2010931; classtype:attempted-user; sid:2010931; rev:7;) #kevin ross # @@ -1086,7 +1087,7 @@ #56 ocurrences # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infostealer exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/crack."; http_uri; content:".exe"; http_uri; pcre:"/\/crack\.\d+\.exe$/Ui"; classtype:trojan-activity; sid:2010059; rev:7;) #51 ocurrences # @@ -1240,7 +1241,7 @@ #by sp0ok3r # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:4;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Skype Easybits Extras Manager - Exploit"; flow:established,from_server; content:"gygte"; nocase; content:"gygte"; nocase; distance:0; reference:url,www.m86security.com/labs/traceitem.asp?article=1347; reference:url,doc.emergingthreats.net/2011680; classtype:trojan-activity; sid:2011680; rev:5;) #by Pedro Marinho, re 58816f781154bda381fdcb1e3fab7bdd # @@ -1268,7 +1269,7 @@ #by David Wharton # -alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp\|3a\|//"; nocase; distance:0; content:"<script "; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s=\s[\x22\x27]?hcp\x3a\x2f\x2F[^\n]<script\sdefer[^\n]unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; classtype:misc-attack; sid:2011173; rev:8;) +alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Windows Help Center Arbitrary Command Execution Exploit Attempt"; flow:established,from_server; file_data; content:"hcp\|3a\|//"; fast_pattern; nocase; distance:0; content:"script"; nocase; distance:0; content:"defer"; nocase; distance:0; content:"unescape"; nocase; distance:0; pcre:"/src\s=\s[\x22\x27]?hcp\x3a\x2f\x2F[^\n]?(%3c\|<)script[^\n]?defer[^\n]?unescape/i"; reference:url,www.exploit-db.com/exploits/13808/; reference:url,doc.emergingthreats.net/2011173; reference:cve,2010-1885; classtype:misc-attack; sid:2011173; rev:13;) #by evilghost # @@ -1477,7 +1478,7 @@ #by Blake Hartstein # -alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET EXPLOIT MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length\|3A\|"; nocase; pcre:"/^Content-Length\x3a\s-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:4;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 5250 (msg:"ET DELETED MISC Computer Associates Negative Content-Length Buffer Overflow"; flow:established,to_server; content:"Content-Length\|3A\|"; nocase; pcre:"/^Content-Length\x3a\s-\d+/smi"; reference:bugtraq,16354; reference:cve,2005-3653; reference:url,doc.emergingthreats.net/bin/view/Main/2002791; classtype:web-application-attack; sid:2002791; rev:5;) #Blake Hartstein of Demarc # @@ -1509,7 +1510,7 @@ #by David Maciejak # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff\|3f\|f="; nocase; http_uri; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; content:"filediff\|3f\|f="; nocase; http_uri; pcre:"/\/filediff\?((&?v\d?=[\d.]+?)+?&f\x3d\|f\x3d.+?(&v\d?=[\d.]+?)+?).+?\x3b.+?\x3b/Ui"; reference:bugtraq,10878; reference:cve,2004-1456; reference:url,doc.emergingthreats.net/bin/view/Main/2002697; classtype:web-application-attack; sid:2002697; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"ET EXPLOIT CVS server heap overflow attempt (target Linux)"; flow: to_server,established; dsize: >512; content:"\|45 6e 74 72 79 20 43 43 43 43 43 43 43 43 43 2f 43 43\|"; offset: 0; depth: 20; threshold: type limit, track by_dst, count 1, seconds 60; reference:url,doc.emergingthreats.net/bin/view/Main/2000048; classtype:attempted-admin; sid:2000048; rev:5;) @@ -1538,11 +1539,11 @@ #by Shirkdog # -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:6;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss jmx-console POST"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/jmx-console/HtmlAdaptor"; nocase; http_uri; flowbits:set,cmars.jboss; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003064; classtype:attempted-admin; sid:2003064; rev:7;) #by Shirkdog # -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime\|2e\|getRuntime\|25\|28\|25\|29\|2e\|exec\|25\|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:4;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET DELETED Cisco-MARS/JBoss Remote Command Execution"; flowbits:isset,cmars.jboss; flow:to_server,established; content:"action=invokeOp"; nocase; content:"jboss.script"; nocase; content:"Runtime\|2e\|getRuntime\|25\|28\|25\|29\|2e\|exec\|25\|28"; nocase; reference:bugtraq,19071; reference:url,doc.emergingthreats.net/bin/view/Main/2003065; classtype:attempted-admin; sid:2003065; rev:5;) #Submitted by Cody Hatch # @@ -2363,19 +2364,19 @@ #By Michael Hale Ligh and Ryan Smith # -alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:!"\|0d0a\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:!"\|0d0a\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003145; classtype:web-application-attack; sid:2003145; rev:5;) #By Michael Hale Ligh and Ryan Smith # -alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:!"\|0d0a\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:!"\|0d0a\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003146; classtype:web-application-attack; sid:2003146; rev:5;) #By Michael Hale Ligh and Ryan Smith # -alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:"\|0d0a20\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /nds (linewrap)"; flow:to_server,established; content:"/nds"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:"\|0d0a20\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003148; classtype:web-application-attack; sid:2003148; rev:5;) #By Michael Hale Ligh and Ryan Smith # -alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:"\|0d0a20\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 8028 (msg:"ET EXPLOIT Novell HttpStk Remote Code Execution Attempt /dhost (linewrap)"; flow:to_server,established; content:"/dhost"; depth:10; nocase; fast_pattern; content:"\|0d0a\|Host\|3a\|"; nocase; content:"\|0d0a20\|"; within:56; reference:url,doc.emergingthreats.net/bin/view/Main/2003147; classtype:web-application-attack; sid:2003147; rev:5;) #by Akash Mahajan # @@ -2429,7 +2430,7 @@ #Mark Tombaugh # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; content:"methodCall"; http_client_body; nocase; pcre:"/>.\'\s\)\s\)\s\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER XML-RPC for PHP Remote Code Injection"; flow:established,to_server; content:"POST"; nocase; http_method; content:"xmlrpc.php"; http_uri; fast_pattern:only; content:"methodCall"; http_client_body; nocase; pcre:"/>.?\'\s?\)\s?\)?\s?\;/R"; reference:url,www.securityfocus.com/bid/14088/exploit; reference:cve,2005-1921; reference:url,doc.emergingthreats.net/bin/view/Main/2002158; classtype:web-application-attack; sid:2002158; rev:12;) #by Steve Adair steven@securityzone - 11/28/2006, updates from Mat Rowley # @@ -2489,15 +2490,15 @@ #by Rich Rumble # -alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"\|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65\|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;) +alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT PWDump4 Password dumping exe copied to victim"; flow:to_server,established; content:"\|4F 00 72 00 69 00 67 00 69 00 6E 00 61 00 6C 00 46 00 69 00 6C 00 65 00 6E 00 61 00 6D 00 65 00 00 00 50 00 57 00 44 00 55 00 4D 00 50 00 34 00 2E 00 65 00 78 00 65\|"; reference:url,xinn.org/Snort-pwdump4.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008444; classtype:suspicious-filename-detect; sid:2008444; rev:3;) #PWDump6 # -alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"\|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64\|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:3;) +alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Pwdump6 Session Established test file created on victim"; flow:to_server,established; content:"\|5c 00 74 00 65 00 73 00 74 00 2e 00 70 00 77 00 64\|"; fast_pattern:only; reference:url,xinn.org/Snort-pwdump6.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008445; classtype:suspicious-filename-detect; sid:2008445; rev:4;) #This should catch both FGDump and PWDump # -alert tcp any any -> $HOME_NET 139:445 (msg:"ET EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"\|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61\|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:3;) +alert tcp any any -> $HOME_NET [139,445] (msg:"ET EXPLOIT Foofus.net Password dumping, dll injection"; flow:to_server,established; content:"\|6c 00 73 00 72 00 65 00 6d 00 6f 00 72 00 61\|"; fast_pattern:only; reference:url,xinn.org/Snort-fgdump.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008476; classtype:suspicious-filename-detect; sid:2008476; rev:4;) #by Kyle Haugsness, Erik Fichtner, and Matt Jonkman #VNC State Machine, good for other uses @@ -2661,7 +2662,7 @@ #by David Wharton # -alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"\|2F\|requests\|2F\|status\|2E\|xml\|3F\|"; nocase; http_uri; content:"input\|3D\|smb\|3A 2F 2F\|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"ET EXPLOIT VLC web interface buffer overflow attempt"; flow:to_server,established; content:"\|2F\|requests\|2F\|status\|2E\|xml\|3F\|"; nocase; http_uri; content:"input\|3D\|smb\|3A 2F\|"; nocase; http_uri; pcre:"/\x2Frequests\x2Fstatus\x2Exml\x3F[^\x0A\x0D]input\x3D[^\x0A\x0D\x26\x3B]{1000}/iU"; reference:url,milw0rm.org/exploits/9029; reference:url,doc.emergingthreats.net/2009511; classtype:web-application-attack; sid:2009511; rev:5;) #by kevin ross # @@ -2669,7 +2670,7 @@ #by kevin ross # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Medial Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp\|3A\|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"\|0A\|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Possible VLC Media Player M3U File FTP URL Processing Stack Buffer Overflow Attempt"; flowbits:isset,ET.m3u.download; flow:established,to_client; content:"ftp\|3A\|//"; nocase; content:"PRAV"; within:10; isdataat:2000,relative; content:!"\|0A\|"; within:2000; reference:url,securitytracker.com/alerts/2010/Jul/1024172.html; reference:url,doc.emergingthreats.net/2011242; classtype:attempted-user; sid:2011242; rev:3;) #By Paul Dokas, posted on http://isc.sans.org/diary.php?date=2005-06-27 # @@ -2738,12 +2739,12 @@ #by Akash Mahajan of Stillsecure #disabled but adding the default port for the server otherwise sig is way to generic # -alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"\|21 00 21 03\|"; fast_pattern:only; pcre:"/[0-9a-zA-Z]{10,}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging Heap Overflow Vulnerability"; flow:established; content:"\|21 00 21 03\|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007933; classtype:misc-attack; sid:2007933; rev:8;) #by Akash Mahajan of Stillsecure #adding server default port otherwise sig is way to generic # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"\|61 00 09 00 08 00 07 00 21 03\|"; fast_pattern:only; pcre:"/[0-9a-zA-Z]{10,}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 7700 (msg:"ET EXPLOIT Zilab Chat and Instant Messaging User Info BoF Vulnerability"; flow:established; content:"\|61 00 09 00 08 00 07 00 21 03\|"; pcre:"/[0-9a-zA-Z]{10}/R"; reference:url,aluigi.altervista.org/adv/zilabzcsx-adv.txt; reference:bugtraq,27940; reference:url,doc.emergingthreats.net/bin/view/Main/2007934; classtype:misc-attack; sid:2007934; rev:7;) #by evilghost # @@ -3150,7 +3151,7 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:"HTTP"; nocase; content:!"User-Agent\|3a\| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 180solutions (Zango) Spyware Installer Config 2"; flow:to_server,established; content:"config.aspx"; nocase; http_uri; content:"?ver="; nocase; http_uri; content:!"User-Agent\|3a\| "; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/pf/adware.180search.html; reference:url,doc.emergingthreats.net/bin/view/Main/2003217; classtype:trojan-activity; sid:2003217; rev:9;) #more from the spywarelp #Matt jonkman @@ -3172,7 +3173,7 @@ #Submitted by Jason Haar # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 2020search Update Engine"; flow: to_server,established; content:"POST"; nocase; http_method; content:"srng/reg.php HTTP"; content:"\|0d0a\|Host\|3a\|"; http_header; content:"2020search.com"; http_header; content:"IpAddr="; nocase; http_client_body; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:13;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED 2020search Update Engine"; flow: to_server,established; content:"POST"; nocase; http_method; content:"srng/reg.php HTTP"; content:"\|0d0a\|Host\|3a\|"; http_header; content:"2020search.com"; http_header; content:"IpAddr="; nocase; http_client_body; reference:url,www.safer-networking.org/index.php?page=updatehistory&detail=2004-03-04; reference:url,doc.emergingthreats.net/bin/view/Main/2000934; classtype:trojan-activity; sid:2000934; rev:14;) #by: Jeremy Conway at sudosecure.net #ref: 2b8175726f2dde727132299992dafbe9 @@ -3185,11 +3186,11 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"/?fixtool="; nocase; http_uri; content:"GET"; nocase; http_method; content:"/?fixtool="; http_uri; content:!"User-Agent\|3a\| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/?fixtool="; http_uri; content:!"User-Agent\|3a\| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008036; classtype:trojan-activity; sid:2008036; rev:9;) #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:"/?KillerSet="; http_uri; content:!"User-Agent\|3a\| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE 360safe.com related Fake Security Product Update (KillerSet)"; flow:established,to_server; content:"/?KillerSet="; nocase; http_uri; content:"GET"; nocase; http_method; content:!"User-Agent\|3a\| "; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008149; classtype:trojan-activity; sid:2008149; rev:9;) #from spyware listening post data, by matt Jonkman # @@ -3222,7 +3223,7 @@ #by Matt Jonkman from Listening Post Data #Disabling, obsoleting. To be delleted in a month or so # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:5;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AdultfriendFinder.com Spyware Iframe Download"; flow:to_server,established; content:"/promo/affiframe.jsp?Pid="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2002353; classtype:trojan-activity; sid:2002353; rev:5;) #by Philipp Bescht # @@ -3240,7 +3241,7 @@ #by Matt Jonkman #spyware, from the sandnet # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d+/Ui"; content:"User-Agent\|3a\| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Advertisementserver.com Spyware Checkin"; flow:to_server,established; content:"monitor.php"; nocase; http_uri; content:"?UID="; nocase; http_uri; pcre:"/UID=\d/Ui"; content:"User-Agent\|3a\| Microsoft URL Control"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007602; classtype:trojan-activity; sid:2007602; rev:7;) #Submitted by Matt Jonkman # @@ -3313,7 +3314,7 @@ #fake antispyware package, sig by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:3;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Anti-virus-pro.com Fake AV Checkin"; flow:established,to_server; content:"/stat.php?machine_id={"; nocase; http_uri; pcre:"/machine_id={[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+-[A-F0-9]+}/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2007886; classtype:trojan-activity; sid:2007886; rev:4;) #Submitted by Matt Jonkman # @@ -3439,7 +3440,7 @@ #by Jeffrey Brown # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Borlander Adware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?t="; nocase; http_uri; content:"&i="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&d="; nocase; http_uri; content:"&a="; nocase; http_uri; content:"&n="; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2008736; classtype:bad-unknown; sid:2008736; rev:4;) #Matt Jonkman # @@ -3488,7 +3489,7 @@ #from sandnet analysis, called CASClient by Kaspersky #by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CASClient Spyware/Adware Install Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2006403; classtype:trojan-activity; sid:2006403; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Trojan Checkin by MAC chkmac.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ctrl/chkmac.php?mac="; nocase; http_uri; classtype:trojan-activity; sid:2006403; rev:6;) #from sandnet analysis, called CASClient by Kaspersky #by Matt Jonkman @@ -3634,7 +3635,7 @@ #from Lance James and Secure Science www.securescience.net -- Thanks Lance! #too many falses... # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:4;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Corpsespyware.net Blind Data Upload"; flow:to_server,established; content:"/images/data.php?"; http_uri; reference:url,www.securityfocus.com/infocus/1745; reference:url,doc.emergingthreats.net/bin/view/Main/2002774; classtype:trojan-activity; sid:2002774; rev:5;) #from Lance James and Secure Science www.securescience.net -- Thanks Lance! #too many falses... @@ -3685,7 +3686,7 @@ #From Vernon Stark # -#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type\|3a\| image"; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:9;) +#alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Windows executable sent when remote host claims to send an image"; flow: established,from_server; content:"Content-Type\|3a\| image"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2001683; classtype:trojan-activity; sid:2001683; rev:11;) #From Vernon Stark # @@ -3701,11 +3702,11 @@ #deapesh misra # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type\|3a\| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send a Text File"; flow:established,from_server; content:"Content-Type\|3a\| text/plain"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2008438; classtype:trojan-activity; sid:2008438; rev:6;) #deapesh misra # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type\|3a\| text/html\|0d 0a\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send html content"; flow:established,from_server; content:"Content-Type\|3a\| text/html\|0d 0a\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009897; classtype:trojan-activity; sid:2009897; rev:6;) #from vienna # @@ -3713,7 +3714,7 @@ #by: Deapesh Misra # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\|3a\| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent when remote host claims to send HTML/CSS Content"; flow:established,to_client; content:"Content-Type\|3a\| text/css"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; fast_pattern; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009909; classtype:trojan-activity; sid:2009909; rev:4;) #by evilghost # @@ -3725,7 +3726,7 @@ #By Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:6;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED CrazyWinnings.com Activity"; flow: established,to_server; content:"/scripts/protect.php?promo=promo"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2001733; classtype:trojan-activity; sid:2001733; rev:7;) #Submitted by Matt Jonkman # @@ -3817,7 +3818,7 @@ #matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:8;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED E2give Related Downloading IeBHOs.dll"; flow: to_server,established; content:"/downloads/IeBHOs.dll"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=E2Give&threatid=4728; reference:url,doc.emergingthreats.net/bin/view/Main/2001415; classtype:trojan-activity; sid:2001415; rev:10;) #matt Jonkman # @@ -3958,7 +3959,7 @@ #Submitted by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Agent Traffic"; flow: to_server,established; content:"FunWebProducts\|3b\|"; nocase; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:20;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Adware Agent Traffic"; flow: to_server,established; content:"FunWebProducts\|3b\|"; nocase; fast_pattern:only; http_header; threshold: type limit, track by_src, count 2, seconds 360; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2001034; classtype:policy-violation; sid:2001034; rev:22;) #Submitted by Matt Jonkman # @@ -3978,7 +3979,7 @@ #From Listening Post data # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:6;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fun Web Products Stampchooser Spyware"; flow: to_server,established; content:"/StampChooser.html?"; nocase; http_uri; content: "v="; nocase; http_uri; reference:url,www.funwebproducts.com; reference:url,doc.emergingthreats.net/bin/view/Main/2002307; classtype:policy-violation; sid:2002307; rev:7;) #by Shirkdog # @@ -3998,7 +3999,7 @@ #Submitted by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:9;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Gator Checkin"; flow: to_server,established; content:"/gbsf/"; nocase; http_uri; reference:url,www3.ca.com/securityadvisor/pest/content.aspx?q=67999; reference:url,doc.emergingthreats.net/bin/view/Main/2000595; classtype:policy-violation; sid:2000595; rev:10;) #Submitted by Matt Jonkman # @@ -4187,7 +4188,7 @@ #by: Jeremy Conway at sudosecure.net #ref: b5880918affcbb25120b431a45b99429 # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type\|3a\| qvod_update"; nocase; http_header; content:"\|5b\|AGENTLIST\|5d 0d 0a\|ip0="; nocase; content:"\|0d 0a\|port0="; nocase; within:25; content:"\|0d 0a 0d 0a\|ip1="; nocase; content:"\|0d 0a\|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:5;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Adware Istbar Search Hijacker and Downloader"; flow:established,to_client; content:"200"; http_stat_code; content:"OK"; nocase; http_stat_msg; content:"Content-Type\|3a\| qvod_update"; nocase; http_header; content:"\|5b\|AGENTLIST\|5d 0d 0a\|ip0="; nocase; content:"\|0d 0a\|port0="; nocase; within:25; content:"\|0d 0a 0d 0a\|ip1="; nocase; content:"\|0d 0a\|port1="; nocase; within:25; reference:url,www.pctools.com/mrc/infections/id/Trojan.ISTbar/; reference:url,www.threatexpert.com/reports.aspx?find=Trojan.ISTbar; reference:url,doc.emergingthreats.net/2009597; classtype:trojan-activity; sid:2009597; rev:6;) #By Matt Jonkman # @@ -4407,11 +4408,11 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update"; flow:established,to_server; content:"/images/mysearchbar/highlight"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003351; classtype:trojan-activity; sid:2003351; rev:5;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE MyGlobalSearch Spyware bar update 2"; flow:established,to_server; content:"/images/mysearchbar/customize"; http_uri; content:" MySearch)"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2003352; classtype:trojan-activity; sid:2003352; rev:5;) #by Akash Mahajan # @@ -4581,7 +4582,7 @@ #by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER\|7c\|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d+/"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Rabio Spyware/Adware Initial Registration"; flow:established,to_server; dsize:<200; content:"POST"; nocase; http_method; content:"REGISTER\|7c\|"; depth:9; http_client_body; pcre:"/REGISTER\x7c\d+\x7c\d+\x7c\d+\x7c\d/P"; reference:url,www.spywareguide.com/product_show.php?id=3770; reference:url,www.rabio.com; reference:url,doc.emergingthreats.net/bin/view/Main/2007820; classtype:trojan-activity; sid:2007820; rev:7;) #by Matt Jonkman # @@ -4682,7 +4683,7 @@ #By Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\|3a\|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:12;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Searchmiracle.com Access, Likely Spyware"; flow: to_server,established; content:"Host\|3a\|"; nocase; http_header; content:".searchmiracle.com"; nocase; http_header; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.elitebar.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001532; classtype:trojan-activity; sid:2001532; rev:12;) #By Matt Jonkman # @@ -5030,7 +5031,7 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; content:"dev"; nocase; content:!"User-Agent\|3a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot Checking in to Spam"; flow:established,to_server; content:"/devrandom/"; nocase; http_uri; fast_pattern:only; content:!"User-Agent\|3a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002988; classtype:trojan-activity; sid:2002988; rev:8;) #Matt Jonkman # @@ -5038,7 +5039,7 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent\|3a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:6;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Spambot getting new exe url"; flow:established,to_server; content:"404.txt"; nocase; http_uri; content:"404"; content:!"User-Agent\|3a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2002989; classtype:trojan-activity; sid:2002989; rev:7;) #Matt Jonkman # @@ -5094,7 +5095,7 @@ #By Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Activity"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host\|3a\| spygalaxy.ws"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spygalaxy.ws Spyware Checkin"; flow: to_server,established; content:"/install.php?id="; nocase; http_uri; content:"Host\|3a\| spygalaxy.ws\|0d 0a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001489; classtype:trojan-activity; sid:2001489; rev:8;) #from sandnet data #by matt jonkman @@ -5127,7 +5128,7 @@ #Submitted by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:9;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Statblaster Receiving New configuration (update)"; flow: to_server,established; content:"/updatestats/update"; nocase; http_uri; content:".xml"; nocase; http_uri; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.statblaster.html; reference:url,doc.emergingthreats.net/bin/view/Main/2001225; classtype:policy-violation; sid:2001225; rev:9;) #Submitted by Matt Jonkman # @@ -5328,7 +5329,7 @@ #Added by Frank Knobbe on 2006-03-12 # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]\;\ +y=[0-9]+/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:7;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious POST to ROBOTS.TXT"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/robots.txt"; nocase; http_uri; pcre:"/^\s?\+x=[0-9]\;\ +y=[0-9]/C"; reference:url,doc.emergingthreats.net/bin/view/Main/2002856; classtype:unknown; sid:2002856; rev:8;) #Added by Frank Knobbe on 2006-07-02 # @@ -5341,7 +5342,7 @@ #Matt Jonkman #This appears to be a controller the above trojan uses # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Web Bot Controller Accessed"; flow:to_server,established; content:"/stata/index.php?tr=ok"; nocase; http_uri; reference:url,doc.emergingthreats.net/bin/view/Main/2003025; classtype:trojan-activity; sid:2003025; rev:5;) #by L0rd Ch0de1m0rt # @@ -5349,11 +5350,11 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Checkin"; flow:established,to_server; content:"/Pro/pro.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; pcre:"/\/Pro\/pro\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008157; classtype:trojan-activity; sid:2008157; rev:5;) #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d+/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sidelinker.com-Upspider.com Spyware Count"; flow:established,to_server; content:"/Pro/cnt.php?mac="; nocase; http_uri; content:"&key="; nocase; http_uri; content:"&pid="; nocase; http_uri; pcre:"/\/Pro\/cnt\.php\?mac=\d\d-\d\d-\d\d-\d\d-\d\d-\d\d\&key=\d/Ui"; reference:url,doc.emergingthreats.net/bin/view/Main/2008158; classtype:trojan-activity; sid:2008158; rev:5;) #by matt jonkman # @@ -5569,7 +5570,7 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php.saff=(\d+\|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Winquickupdates.com/Mycashloads.com Related Trojan Install Report"; flow:established,to_server; content:"/newuser.php?saff="; http_uri; pcre:"/\/newuser\.php\?saff=(\d+\|x.+)/U"; reference:url,doc.emergingthreats.net/bin/view/Main/2008012; classtype:trojan-activity; sid:2008012; rev:5;) #by matt jonkman # @@ -5629,7 +5630,7 @@ #By Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Install Code Download"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host\|3a\| xpire.info"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:9;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Xpire.info Spyware Checkin"; flow: to_server,established; content:"/install.gz"; nocase; http_uri; content:"Host\|3a\| xpire.info\|0d 0a\|"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2001491; classtype:trojan-activity; sid:2001491; rev:10;) #By Matt Jonkman # @@ -5673,7 +5674,7 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE General Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zenosearch Malware Checkin HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"uid="; http_client_body; depth:4; content:"&ref="; http_client_body; content:"&clid="; http_client_body; content:"&commode="; http_client_body; content:"&cmd="; http_client_body; reference:url,doc.emergingthreats.net/bin/view/Main/2008757; classtype:trojan-activity; sid:2008757; rev:9;) #Matt Jonkman # @@ -6123,7 +6124,7 @@ #by Matt Jonkman # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:10;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE 404 Response with an EXE Attached - Likely Malware Drop"; flow:established,from_server; content:"404"; http_stat_code; content:"Not Found"; http_stat_msg; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; fast_pattern; distance:-64; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2009028; classtype:attempted-admin; sid:2009028; rev:13;) #by Matt Jonkman, from qru # @@ -6194,7 +6195,7 @@ #Submitted by Joseph Gama #Good rules, turn them on if you are interested. They are accurate. # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:15;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY PE EXE or DLL Windows file download"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; flowbits:set,ET.http.binary; reference:url,doc.emergingthreats.net/bin/view/Main/2000419; classtype:policy-violation; sid:2000419; rev:17;) #Submitted by Joseph Gama #Good rules, turn them on if you are interested. They are accurate. @@ -6257,7 +6258,7 @@ #this sig JUST gets updates from external_net # -alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,&,40,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:4;) +alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"ET POLICY DNS Update From External net"; byte_test:1,!&,128,2; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,!&,16,2; byte_test:1,&,8,2; reference:url,doc.emergingthreats.net/2009702; classtype:policy-violation; sid:2009702; rev:5;) #Idea by David Glosser, sig by Matt Jonkman # @@ -6320,7 +6321,7 @@ #by Kevin Ross # -#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login To Cisco Device"; flow:from_server,established; content:"User Access Verification"; depth:24; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:misc-activity; sid:2008861; rev:5;) +#alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET TELNET External Telnet Login To Cisco Device"; flow:from_server,established; pcre:"/^(\r\n)/"; content:"User Access Verification"; within:24; reference:url,articles.techrepublic.com.com/5100-10878_11-5875046.html; reference:url,doc.emergingthreats.net/bin/view/Main/2008861; classtype:misc-activity; sid:2008861; rev:4;) #by Kevin Ross # @@ -7281,7 +7282,7 @@ #by Jack Pepper # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; content:"Windows 98"; http_header; content:"GtekClient"; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98[^\n]+GtekClient/iH"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:5;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Gteko User-Agent Detected - Dell Remote Access"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; content:"Windows 98"; http_header; content:"GtekClient"; fast_pattern:only; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98[^\n]+GtekClient/iH"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2008037; rev:6;) #by Jack Pepper # @@ -7320,15 +7321,15 @@ #by dxp # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:4;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (Win exe under 128)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,<,128,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009033; classtype:policy-violation; sid:2009033; rev:5;) #by dxp # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:4;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 160)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,160,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009034; classtype:policy-violation; sid:2009034; rev:5;) #by dxp # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:4;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Executable (PE offset 512)"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_test:4,=,512,58,relative,little; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,doc.emergingthreats.net/2009035; classtype:policy-violation; sid:2009035; rev:5;) #Matt Jonkman #To catch generic exe downloads via http. This does not mean it's a problem, just of interest. @@ -7346,11 +7347,11 @@ #by RPG, intended to catch exe's being hidden as requested BMPs # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:4;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Set flow on bmp file get"; flow:established,to_server; content:"GET"; http_method; content:".bmp"; http_uri; content:".bmp HTTP/1."; flowbits:set,ET.bmp_seen; flowbits:noalert; reference:url,doc.emergingthreats.net/2009083; classtype:not-suspicious; sid:2009083; rev:6;) #by RPG, intended to catch exe's being hidden as requested BMPs # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type\|3a\| application\|2f\|octet-stream"; http_header; content:!"BM"; content:!"\|00 00 00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:3;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Possible Trojan File Download - BMP Requested but not received"; flow:established,from_server; flowbits:isset,ET.bmp_seen; flowbits:unset,ET.bmp_seen; content:"200"; http_stat_code; content:"OK"; http_stat_msg; content:"Content-Type\|3a\| application\|2f\|octet-stream"; http_header; content:!"BM"; content:!"\|00 00 00 00\|"; within:4; reference:url,doc.emergingthreats.net/2009084; classtype:trojan-activity; sid:2009084; rev:4;) #From Charles Lacroix #All form elements are encoded before they are sent to the server @@ -7775,7 +7776,7 @@ #Submitted by Joel Esler # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"\|00 01\|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:8;) +#alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful logon"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"\|00 01\|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001253; classtype:policy-violation; sid:2001253; rev:10;) #Submitted by Joel Esler # @@ -7811,7 +7812,7 @@ #Commenting out, duplicated in Snort.org set # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CHAT Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"\|00 98\|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Yahoo IM successful chat join"; flow: from_server,established; content:"YMSG"; nocase; depth: 4; content:"\|00 98\|"; offset: 10; depth: 2; reference:url,doc.emergingthreats.net/2001261; classtype:policy-violation; sid:2001261; rev:8;) #Commenting out, duplicated in Snort.org set # @@ -7863,7 +7864,7 @@ #by matt jonkman #these services aren't bad inherently, but are often used by trojans to get their external IP # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:".cmyip."; http_header; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Retrieving External IP via cmyip.com - Possible Infection"; flow:established,to_server; content:"GET"; http_method; content:"cmyip."; http_header; reference:url,doc.emergingthreats.net/2008988; classtype:attempted-recon; sid:2008988; rev:4;) #by matt jonkman #these services aren't bad inherently, but are often used by trojans to get their external IP @@ -8042,7 +8043,7 @@ #installs are malicious. Storm, rbn, etc. Use this rule if you are interested #disabling by default, falses a lot but may be of interest to some folks # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"Server\|3a\| nginx\|0d 0a\|"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:4;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Nginx Server with no version string - Often Hostile Traffic"; flow:established,from_server; content:"Server\|3a\| nginx\|0d 0a\|"; nocase; http_header; threshold:type limit, seconds 60, count 3, track by_src; reference:url,doc.emergingthreats.net/2008064; classtype:bad-unknown; sid:2008064; rev:5;) #by matt jonkman #nginx is an open http server. It's quite good, but seems an extremely high number of it's @@ -8117,7 +8118,7 @@ #by evilghost # -#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; file_data; content:"var g_szURL = \"http\|3a\|//"; distance:0; content:"var g_szFolder = \""; content:"varg_szVirtualRoot = \"http\\|3a\|//"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:4;) +#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET POLICY Exchange 2003 OWA plain-text E-Mail message access not SSL"; flow:established,from_server; file_data; content:"var g_szURL = \|22\|http\|3a 2f 2f\|"; distance:0; content:"var g_szFolder = \|22\|"; content:"varg_szVirtualRoot = \|22\|http\|3a 2f 2f\|"; content:"Microsoft Corporation."; reference:url,support.microsoft.com/kb/321832; classtype:web-application-activity; sid:2010030; rev:6;) #by Christopher Campesi # @@ -8591,7 +8592,7 @@ #By Robert Grabowsky # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^(\n\|\r)]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:9;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Skype User-Agent detected"; flow:to_server,established; content:"Skype"; http_header; pcre:"/User-Agent\x3a[^\n\r]+Skype/Hi"; reference:url,doc.emergingthreats.net/2002157; classtype:policy-violation; sid:2002157; rev:10;) #by Reg Quinton # @@ -8607,7 +8608,7 @@ #next we check that the content-length is less than 7 digits, thus under 1,000,000 bytes. #note: I re-check for the leading HTTP/1 to make sure we're still in the header packet, not in the rest of the binary stream # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:12;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Binary Download Smaller than 1 MB Likely Hostile"; flow:established,from_server; content:"HTTP/1"; depth:6; file_data; content:"MZ"; within:2; fast_pattern; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; pcre:"/\x0d\x0aContent-Length\x3a \d{0,6}\x0d\x0a/"; reference:url,doc.emergingthreats.net/2007671; classtype:policy-violation; sid:2007671; rev:13;) #by evilghost # @@ -8820,7 +8821,7 @@ #Submitted by Erik Vincent # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection"; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Proxy Connection detected"; flow:established; content:"Proxy-Connection\|3a\| "; http_header; reference:url,doc.emergingthreats.net/2001449; classtype:attempted-user; sid:2001449; rev:8;) #You MUST add the SMTP_SERVERS var to your snort.conf!!!! # @@ -8854,7 +8855,7 @@ #By Robert Grabowsky #Updated to have a more unique match than User-Agent. # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:7;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED WebshotsNetClient"; flow: to_server,established; content:"WebshotsNetClient"; http_header; nocase; reference:url,www.webshots.com; reference:url,doc.emergingthreats.net/2002407; classtype:policy-violation; sid:2002407; rev:8;) #by Jacob Kitchel of infotex #These are of particular use in detecting recon for phishing, etc. @@ -8910,7 +8911,7 @@ #These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you # -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent\|3a\| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Msnbot Crawl"; flow:established,to_server; content:"User-Agent\|3a\| "; nocase; http_header; content:"msnbot"; nocase; http_header; fast_pattern; distance:0; threshold: type both, track by_src, count 10, seconds 60; reference:url,search.msn.com/msnbot.htm; reference:url,doc.emergingthreats.net/2002831; classtype:attempted-recon; sid:2002831; rev:8;) #These aren't security issues necessarily, but you may be interested in seeing how often these crawlers hit you # @@ -8930,11 +8931,11 @@ #by Jacob Kitchel # -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent\|3a\| "; nocase; http_header; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+Java/\d\.\d+/i"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent"; flow:established,to_server; content:"User-Agent\|3a\| "; nocase; http_header; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+Java\/\d\.\d/Hmi"; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002946; classtype:attempted-recon; sid:2002946; rev:8;) #by Jacob Kitchel # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d+/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Java Url Lib User Agent Web Crawl"; flow:established,to_server; content:"Java/"; nocase; http_header; fast_pattern; pcre:"/User-Agent\x3a[^\n]+Java/\d\.\d/Hi"; threshold: type both, track by_src, count 10, seconds 60; reference:url,www.mozilla.org/docs/netlib/seealso/netmods.html; reference:url,doc.emergingthreats.net/2002945; classtype:attempted-recon; sid:2002945; rev:10;) #Originally posted by Matt Jonkman, major tweaks by Matt Watchinski. #Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate @@ -8959,7 +8960,7 @@ #Originally posted by Matt Jonkman, major tweaks by Matt Watchinski. #Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:11;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Yahoo Mail Message Send Info Capture"; flow: to_server,established; content:"crumb="; nocase; content:"Subject="; nocase; reference:url,doc.emergingthreats.net/2000045; classtype:policy-violation; sid:2000045; rev:12;) #Originally posted by Matt Jonkman, major tweaks by Matt Watchinski. #Less useful rules are disabled, feel free to enable if you require the information. They are functional and accurate @@ -8999,7 +9000,7 @@ #You may also use this to catch any local win98 machines if they're no longer supposed to be in production #(which for goodness sake they shouldn't!! Haven't been patched for years!) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; content:"Windows 98"; fast_pattern; http_header; pcre:"/User-Agent\x3a[^\n]+Windows 98/Hi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:16;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows 98 User-Agent Detected - Possible Malware or Non-Updated System"; flow:established,to_server; content:"Windows 98"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\n]+Windows 98/Hmi"; reference:url,doc.emergingthreats.net/bin/view/Main/Windows98UA; classtype:policy-violation; sid:2007695; rev:17;) #this sig is to catch HTTP User agents that specify Windows 98 as the platform #Mostly to catch spyware and auto-downloaders that still use these as fake User Agent strings @@ -9135,7 +9136,7 @@ #by Kevin Ross #CISCO TORCH SCAN DETECTION RULES # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent\|3a\| Cisco-torch"; http_header; fast_pattern:only; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Cisco Torch IOS HTTP Scan"; flow:to_server,established; content:"User-Agent\|3a\| Cisco-torch"; http_header; fast_pattern:12,10; reference:url,www.hackingexposedcisco.com/?link=tools; reference:url,www.securiteam.com/tools/5EP0F1FEUA.html; reference:url,doc.emergingthreats.net/2008415; classtype:attempted-recon; sid:2008415; rev:9;) #by Kevin Ross #CISCO TORCH SCAN DETECTION RULES @@ -9144,7 +9145,7 @@ #by Jack Pepper # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent\|3a\| core-project/1.0"; fast_pattern:only; http_header; reference:url,doc.emergingthreats.net/2008529; classtype:web-application-activity; sid:2008529; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Core-Project Scanning Bot UA Detected"; flow:established,to_server; content:"User-Agent\|3a\| core-project/1.0"; fast_pattern:12,11; http_header; reference:url,doc.emergingthreats.net/2008529; classtype:web-application-activity; sid:2008529; rev:6;) #Submitted 2006-10-30 by Frank Knobbe # @@ -9502,7 +9503,7 @@ #by Dennis Distler # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST"; http_method; content:"\|3A\|25 HTTP/"; depth:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN ProxyReconBot POST method to Mail"; flow:established,to_server; content:"POST"; http_method; content:"\|3A\|25 HTTP/"; fast_pattern; depth:200; reference:url,doc.emergingthreats.net/2003870; classtype:misc-attack; sid:2003870; rev:8;) #by Kevin Ross # @@ -9593,7 +9594,7 @@ #These Detect the Latest Sipvious Scanner Version (0.2.6) # -alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"\|0d 0a\|User-Agent\|3A\| friendly-scanner"; fast_pattern:only; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:3;) +alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Sipvicious User-Agent Detected (friendly-scanner)"; content:"\|0d 0a\|User-Agent\|3A\| friendly-scanner"; fast_pattern:only; threshold: type limit, track by_src, count 5, seconds 120; reference:url,code.google.com/p/sipvicious/; reference:url,blog.sipvicious.org/; reference:url,doc.emergingthreats.net/2011716; classtype:attempted-recon; sid:2011716; rev:4;) #These Detect the Latest Sipvious Scanner Version (0.2.6) # @@ -9851,15 +9852,15 @@ #New from Chris Taylor and the User agents project # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware User-Agent (BWL Toplist)"; flow:to_server,established; content:"User-Agent\|3a\| BWL Toplist"; nocase; http_header; reference:url,doc.emergingthreats.net/2003505; classtype:trojan-activity; sid:2003505; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Toplist.cz Related Spyware Checkin"; flow:to_server,established; content:"User-Agent\|3a\| BWL"; http_header; pcre:"/BWL(\sToplist\|\d_UPDATE)/H"; classtype:trojan-activity; sid:2003505; rev:10;) #by evilghost # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"User-Agent\|3a\|"; nocase; http_header; content:"\|5C\|"; http_header; content:!"\|5C\|Citrix\|5C\|ICA Client\|5C\|"; nocase; http_header; pcre:"/User-Agent\:.[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010721; classtype:bad-unknown; sid:2010721; rev:6;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Outbound"; flow:established,to_server; content:"User-Agent\|3a\|"; nocase; http_header; content:"\|5C\|"; http_header; content:!"\|5C\|Citrix\|5C\|ICA Client\|5C\|"; nocase; http_header; pcre:"/User-Agent\:.[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010721; classtype:bad-unknown; sid:2010721; rev:7;) #by evilghost # -#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent\|3a\|"; nocase; http_header; content:"\|5C\|"; http_header; content:!"\|5C\|Citrix\|5C\|ICA Client\|5C\|"; nocase; http_header; pcre:"/User-Agent\:.[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]+/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Non-Escaping backslash in User-Agent Inbound"; flow:established,to_server; content:"User-Agent\|3a\|"; nocase; http_header; content:"\|5C\|"; http_header; content:!"\|5C\|Citrix\|5C\|ICA Client\|5C\|"; nocase; http_header; pcre:"/User-Agent\:.[^\x5c]\x5c[^\x5c\x3d\x2f\x3b\x28\x29]/iH"; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec14.html; reference:url,mws.amazon.com/docs/devGuide/UserAgent.html; reference:url,doc.emergingthreats.net/2010722; classtype:bad-unknown; sid:2010722; rev:7;) #by evilghost # @@ -10281,7 +10282,7 @@ #by pedro marinho # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent\|3a\| InfoBot"; http_header; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (InfoBot)"; flow:to_server,established; content:"User-Agent\|3a\| InfoBot"; http_header; reference:url,doc.emergingthreats.net/2011276; classtype:trojan-activity; sid:2011276; rev:7;) #matt jonkman # @@ -10321,7 +10322,7 @@ #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Fake AV av1-site.info Related User-Agent (AV1)"; flow: established,to_server; content:"User-Agent\|3a\| AV1"; http_header; reference:url,doc.emergingthreats.net/2009223; classtype:trojan-activity; sid:2009223; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fake AV Downloader.Onestage/FakeAlert.ZR User-Agent (AV1)"; flow: established,to_server; content:"User-Agent\|3a\| AV1\|0d 0a\|"; http_header; reference:md5,208e5551efce47ac6c95691715c12e46; reference:md5,735dff747d0c7ce74dde31547b2b5750; reference:md5,a84a144677a786c6855fd4899d024948; classtype:trojan-activity; sid:2009223; rev:8;) #matt jonkman # @@ -10769,7 +10770,7 @@ #by evilghost # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; nocase; http_header; content:!"/CallParrotWebClient/"; http_uri; content:!"Host\|3a\| www\|2e\|google\|2e\|com\|0d 0a\|"; nocase; http_header; content:!"Cookie\|3a\| PREF\|3d\|ID\|3d\|"; nocase; http_header; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:12;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; nocase; http_header; fast_pattern:5,20; content:!"/CallParrotWebClient/"; http_uri; content:!"Host\|3a\| www\|2e\|google\|2e\|com\|0d 0a\|"; nocase; http_header; content:!"PREF\|3d\|ID\|3d\|"; nocase; http_cookie; reference:url,doc.emergingthreats.net/2003492; classtype:trojan-activity; sid:2003492; rev:13;) #by evilghost # @@ -10789,7 +10790,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\|3a\| downloader\|0d 0a\|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:10;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User-Agent (downloader) - Used by Winfixmaster.com Fake Anti-Spyware and Others"; flow:to_server,established; content:"User-Agent\|3a\| downloader\|0d 0a\|"; http_header; threshold: type limit, count 3, seconds 300, track by_src; reference:url,doc.emergingthreats.net/bin/view/Main/2003546; classtype:trojan-activity; sid:2003546; rev:11;) #Pluses in a UA, suspicious as well # @@ -10845,7 +10846,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Huai_Huai) - Likely Webhancer Related Spyware"; flow:to_server,established; content:"User-Agent\|3a\| Huai_Huai\|0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2006361; classtype:trojan-activity; sid:2006361; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (Huai_Huai)"; flow:to_server,established; content:"User-Agent\|3a\| Huai_Huai\|0d 0a\|"; http_header; reference:md5,ee600bdcc45989750dee846b5049f935; reference:md5,91b9aa25563ae524d3ca4582630eb8eb; reference:md5,1051f7176fe0a50414649d369e752e98; classtype:trojan-activity; sid:2006361; rev:8;) #Pluses in a UA, suspicious as well # @@ -10903,9 +10904,8 @@ # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Example)"; flow:to_server,established; content:"User-Agent\|3a\| Example\|0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007884; classtype:trojan-activity; sid:2007884; rev:6;) -#Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (downloader)"; flow:to_server,established; content:"User-Agent\|3a\| downloader\|0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (downloader)"; flow:to_server,established; content:"User-Agent\|3a\| downloader\|0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007885; classtype:trojan-activity; sid:2007885; rev:8;) #Pluses in a UA, suspicious as well # @@ -10949,7 +10949,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (1 space)"; flow:to_server,established; content:"User-Agent\|3a 20 0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent (1 space)"; flow:to_server,established; content:"User-Agent\|3a 20 0d 0a\|"; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2007994; classtype:trojan-activity; sid:2007994; rev:8;) #Pluses in a UA, suspicious as well # @@ -10981,7 +10981,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent\|3a\| App"; http_header; content:!"Host\|3a\| liveupdate.symantecliveupdate.com\|0d 0a\|"; http_header; pcre:"/User-Agent\x3a App\d+/Hi"; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:10;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (App4)"; flow:to_server,established; content:"User-Agent\|3a\| App"; http_header; content:!"Host\|3a\| liveupdate.symantecliveupdate.com\|0d 0a\|"; http_header; pcre:"/^User-Agent\x3a App\d/Hm"; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008073; classtype:trojan-activity; sid:2008073; rev:12;) #Pluses in a UA, suspicious as well # @@ -11013,7 +11013,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent\|3a\| QQ\|0d 0a\|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:9;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (QQ)"; flow:to_server,established; content:"User-Agent\|3a\| QQ\|0d 0a\|"; http_header; content:!"\|0d 0a\|Q-UA\|3a 20\|"; http_header; threshold:type limit,count 2,track by_src,seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008199; classtype:trojan-activity; sid:2008199; rev:14;) #Pluses in a UA, suspicious as well # @@ -11105,7 +11105,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Playtech Downloader)"; flow:to_server,established; content:"User-Agent\|3a\| Playtech "; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,doc.emergingthreats.net/bin/view/Main/2008365; classtype:trojan-activity; sid:2008365; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Playtech Downloader Online Gaming Checkin"; flow:to_server,established; content:"/client_update_urls.php"; http_uri; content:"User-Agent\|3a\| Playtech "; http_header; reference:md5,00740d7d15862efb30629ab1fd7b8242; classtype:trojan-activity; sid:2008365; rev:8;) #Pluses in a UA, suspicious as well # @@ -11249,7 +11249,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (bdwinrun) - Possible Admoke Admware"; flow: to_server,established; content:"User-Agent\|3a\| bdwinrun"; nocase; http_header; reference:url,doc.emergingthreats.net/bin/view/Main/2008742; classtype:trojan-activity; sid:2008742; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Admoke/Adload.AFB!tr.dldr Checkin"; flow: to_server,established; content:"/keyword.html"; http_uri; content:"User-Agent\|3a\| bdwinrun"; nocase; http_header; reference:md5,6085f2ff15282611fd82f9429d82912b; classtype:trojan-activity; sid:2008742; rev:7;) #Pluses in a UA, suspicious as well # @@ -11349,7 +11349,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (Macrovision_DM)"; flow:established,to_server; content:"User-Agent\|3a\| Macrovision_DM"; http_header; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY trymedia.com User-Agent (Macrovision_DM)"; flow:established,to_server; content:"User-Agent\|3a\| Macrovision_DM"; http_header; content:"trymedia.com\|0d 0a\|"; http_header; pcre:"/Host\x3a.+trymedia\.com\r$/Hm"; reference:url,doc.emergingthreats.net/2009445; classtype:trojan-activity; sid:2009446; rev:7;) #Pluses in a UA, suspicious as well # @@ -11377,7 +11377,7 @@ #Pluses in a UA, suspicious as well # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (PCFlashBangA)"; flow:to_server,established; content:"User-Agent\|3a\| PCFlashBangA\|0d 0a\|"; http_header; threshold: type limit, count 2, track by_src, seconds 300; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:trojan-activity; sid:2009540; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PCFlashbang.com Spyware Checkin (PCFlashBangA)"; flow:to_server,established; content:"User-Agent\|3a\| PCFlashBang"; http_header; reference:url,www.ca.com/us/securityadvisor/pest/pest.aspx?id=453113169; reference:url,doc.emergingthreats.net/2009540; classtype:trojan-activity; sid:2009540; rev:8;) #Pluses in a UA, suspicious as well # @@ -11508,11 +11508,11 @@ #cd025fbeb51e2a02793f2c60a2777aa8 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (SeFastSetup)"; flow:to_server,established; content:"User-Agent\|3a\| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Sogou Toolbar Checkin"; flow:to_server,established; content:"/seversion.txt"; http_uri; content:"User-Agent\|3a\| SeFastSetup"; http_header; reference:url,doc.emergingthreats.net/2011225; classtype:trojan-activity; sid:2011226; rev:3;) #cd025fbeb51e2a02793f2c60a2777aa8 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (NSIS_Inetc (Mozilla))"; flow:to_server,established; content:"User-Agent\|3a\| NSIS\|5f\|Inetc \|28\|Mozilla\|29\|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers"; flow:to_server,established; content:"User-Agent\|3a\| NSIS\|5f\|Inetc \|28\|Mozilla\|29\|"; http_header; reference:url,doc.emergingthreats.net/2011227; classtype:trojan-activity; sid:2011227; rev:3;) #by pedro marinho # @@ -11644,7 +11644,7 @@ #Matt Jonkman, From spyware listening post data # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:10;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Hotbar Zango Toolbar Spyware User Agent (ZangoToolbar )"; flow:to_server,established; content:"ZangoToolbar"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a.+ZangoToolbar.+\r$/Hmi"; reference:url,doc.emergingthreats.net/2003365; classtype:trojan-activity; sid:2003365; rev:11;) #Matt Jonkman, From spyware listening post data # @@ -11724,7 +11724,7 @@ #From Chris Norton. # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent\|3A\| PE-"; http_header; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:8;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Outbound HTTP connection - Downloading Code"; flow:established,to_server; content:"User-Agent\|3A\| PE-"; http_header; reference:url,doc.emergingthreats.net/2002695; classtype:trojan-activity; sid:2002695; rev:9;) #BugBear #Submitted by Brad Doctor, 3/8/2005, for BugBear@MM @@ -11734,7 +11734,7 @@ #BugBear #Submitted by Brad Doctor, 3/8/2005, for BugBear@MM # -#alert tcp $HOME_NET any -> any 139 (msg:"ET VIRUS BugBear@MM virus in Network share"; flow: established; content:"\|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65\|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:7;) +##alert tcp $HOME_NET any -> any 139 (msg:"ET DELETED BugBear@MM virus in Network share"; flow: established; content:"\|24 48 fb bb ff e6 63 02 3a 20 41 70 61 63 68 65\|"; fast_pattern:only; reference:url,www.symantec.com/avcenter/venc/data/w32.bugbear@mm.html; reference:url,doc.emergingthreats.net/2001765; classtype:misc-activity; sid:2001765; rev:8;) #BugBear #Submitted by Brad Doctor, 3/8/2005, for BugBear@MM @@ -11759,19 +11759,19 @@ #by Jonathan Gross. Experimental # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS WinUpack Modified PE Header Inbound"; flow:established; content:"\|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00\|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET INFO WinUpack Modified PE Header Inbound"; flow:established; content:"\|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00\|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003614; rev:6;) #by Jonathan Gross. Experimental # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET VIRUS WinUpack Modified PE Header Outbound"; flow:established; content:"\|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00\|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET INFO WinUpack Modified PE Header Outbound"; flow:established; content:"\|4d 5a 4b 45 52 4e 45 4c 33 32 2e 44 4c 4c 00 00\|"; fast_pattern:only; reference:url,doc.emergingthreats.net/bin/view/Main/WinPEHeaders; classtype:bad-unknown; sid:2003615; rev:6;) #by Dan Clemens of packetninjas.net # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing\|40\|"; content:"PE\|00 00\|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP Download Possibly Hostile"; flow:from_server,established; content:"UpackByDwing\|40\|"; content:"PE\|00 00\|"; within:20; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008946; classtype:trojan-activity; sid:2008946; rev:2;) #by Dan Clemens of packetninjas.net # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE\|00 00\|"; content:"Upack\|00 00\|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UpackbyDwing binary in HTTP (2) Possibly Hostile"; flow:from_server,established; content:"PE\|00 00\|"; content:"Upack\|00 00\|"; within:255; reference:url,www.packetninjas.net; reference:url,doc.emergingthreats.net/2008947; classtype:trojan-activity; sid:2008947; rev:2;) #matt jonkman/wes brown #falsing, needs adjustment @@ -11782,29 +11782,29 @@ #more information at http://toorcon.org/2006/conference.html?id=29 #These are disabled by default until we learn more about them. # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE CLET polymorphic payload"; dsize: >40; content: "\|74 07 eb\|"; content: "\|e8\|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:3;) +##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE CLET polymorphic payload"; dsize: >40; content: "\|74 07 eb\|"; content: "\|e8\|"; distance: 1; within: 1; pcre: "/\xeb.[\x58-\x5b]\x31[\xc0\xc9\xd2\xdb][\xb0-\xb3].\x8b.[\x05\x2d\x35\x81\xc1]/sm"; pcre: "/[\x40-\x43\xfd\xff][\x40-\x43\xff][\x40-\x43\x80\xff][\x40-\x43\xe9-\xeb\xff\x80\x2c][\x40-\x43\x48-\x4b\xe9-\xeb\x01\x2c\x80][\x48-\x4c\xe9-\xeb\x02\x2c][\x03\x48-\x4b][\x48-\x4b]\x74\x07\xeb.\xe8.\xff\xff\xff/smR"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003117; classtype:shellcode-detect; sid:2003117; rev:4;) #These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load. #more information at http://toorcon.org/2006/conference.html?id=29 #These are disabled by default until we learn more about them. # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "\|d9 74 24 f4\|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])\|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:3;) +##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE Shikata Ga Nai polymorphic payload"; dsize: >26; content: "\|d9 74 24 f4\|"; pcre: "/[\x29\x2b\x31\x33]\xc9/sm"; pcre: "/[\xd9-\xdb\xdd].{1,11}\xd9\x74\x24\xf4.{0,10}[\x58\x5a\x5b\x5d-\x5f]/sm"; pcre: "/([\x29\x2b\x31\x33\xb8\xba\xbb\xbe\xbf\xd9-\xdb\xdd][^\x00\xff][^\x00\xff][^\x00][^\x00\xff][^\x00][^\x00\xff][^\x00\xff][^\x00][^\x00][^\x00][^\x00\xff][^\x00\xff][^\x00\xff][^\x00][^\x00][\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0e\x10\x12\x13\x15\x17\xfc][\x03\x31\x83][\x42\x43\x46\x47\x50\x53\x56-\x58\x5a\x5e\x5f\x70\x72\x73\x77\x78\x7a\x7b\x7e\xc0\xc2\xc3\xc6\xc7\xe8\xea\xeb\xee\xef][\x04\x0a\x0c\x0e-\x13\x15\x17\xfc][\x03\x83]..[^\x1d\xe2][^\x0a\xf5])\|([\x29\x2b\x31\x33\xb8\xba\xbb\xbd-\xbf\xd9-\xdb\xdd][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][^\x00][\x24\xb1\xd9-\xdb\xdd][^\x00][\x58\x5a\x5b\x5d-\x5f\xb8\xba\xbb\xbd-\xbf\xd9][^\x00][^\x00][^\x00][^\x00][\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0e\x12\x17\xfc][\x03\x31\x83][\x42\x43\x45-\x47\x50\x53\x55-\x58\x5a\x5d-\x5f\x68\x6a\x6b\x6e-\x70\x72\x73\x75\x77\x78\x7a\x7b\x7d\x7e\xc0\xc2\xc3\xc5-\xc7\xe8\xea\xeb\xed-\xef][\x04\x0a\x0e\x12\x13\x17\xfc][\x03\x83]..[^\xe2][^\xf5])/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003118; classtype:shellcode-detect; sid:2003118; rev:4;) #These are by Vlad Tsyrklevich during presentation at Toorcon 06. These are experimental and will likely be high load. #more information at http://toorcon.org/2006/conference.html?id=29 #These are disabled by default until we learn more about them. # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET VIRUS SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "\|e8\|"; content: "\|ff ff ff\|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e\|\x58\x96\|\x58\x89\xc6\|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....\|\x68....\x5b).{0,20}(\x31\xc9\|\x31\xc0\x91))\|((\x31\xc9\|\x31\xc0\x91).{0,20}(\xbb....\|\x68....\x5b))).{0,20}(\xb1.\|\x6a.\x58\x89\xc1\|\x6a.\x66\x59).{0,20}(\x31\x1e\|\x93\x31\x06\x93\|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:3;) +##alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED SHELLCODE ADMutate polymorphic payload"; dsize: >45; content: "\|e8\|"; content: "\|ff ff ff\|"; distance: 1; within: 3; pcre: "/\xeb[\x26-\x7a].{0,20}(\x5e\|\x58\x96\|\x58\x89\xc6\|\x8b\x34\x24\x83\xec\x04).{0,20}(((\xbb....\|\x68....\x5b).{0,20}(\x31\xc9\|\x31\xc0\x91))\|((\x31\xc9\|\x31\xc0\x91).{0,20}(\xbb....\|\x68....\x5b))).{0,20}(\xb1.\|\x6a.\x58\x89\xc1\|\x6a.\x66\x59).{0,20}(\x31\x1e\|\x93\x31\x06\x93\|\x8b\x06\x09\xd8\x21\x1e\xf7\x16\x21\x06).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}(\x46\|\x83\xc6\x01\|\x96\x40\x96).{0,20}\xe2[\xa0-\xf9].{0,20}\xeb[\x06-\x20].{0,20}\xe8[\x7f-\xff]\xff\xff\xff/sm"; reference:url,toorcon.org/2006/conference.html?id=29; reference:url,doc.emergingthreats.net/2003119; classtype:shellcode-detect; sid:2003119; rev:4;) #Sobig #Unknown submitter - Sobig E-F downloading goodies # -#alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET VIRUS Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"\|5c bf 01 29 ca 62 eb f1\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:8;) +##alert udp $HOME_NET any -> $EXTERNAL_NET 8998 (msg:"ET DELETED Sobig.E-F Trojan Site Download Request"; dsize: 8; content:"\|5c bf 01 29 ca 62 eb f1\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html; reference:url,doc.emergingthreats.net/2001547; classtype:trojan-activity; sid:2001547; rev:9;) #Spy.Win32.Bancos Trojan #Submitted by Matt Jonkman for Spy.Win32.Bancos Trojan # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"\|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:9;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Trojan-Spy.Win32.Bancos Download"; flow: established,from_server; content:"[AspackDie!]"; content:"\|0f 6d 07 9e 6c 62 6c 68 00 d2 2f 63 6d 64 9d 11 af af 45 c7 72 ac 5f 3138 d0\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/pwsteal.bancos.b.html; reference:url,doc.emergingthreats.net/2001726; classtype:trojan-activity; sid:2001726; rev:10;) #from sandnet data #Disabling by default, hits on the VB api, not unique to this virus. @@ -11813,11 +11813,11 @@ #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\|3a\| p4r4z1t3v3"; http_header; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:5;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED AV-Killer.Win32 User Agent Detected (p4r4z1t3v3.one14.J)"; flow:established,to_server; content:"User-Agent\|3a\| p4r4z1t3v3"; http_header; nocase; reference:url,doc.emergingthreats.net/2003638; classtype:trojan-activity; sid:2003638; rev:6;) #by mr Magic Pants # -alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET VIRUS Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\|3a 20 3a 20\|ZOMBIE"; nocase; content:"X-Library\|3a\| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:6;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET DELETED Win32.SMTP-Mailer SMTP Outbound"; flow:to_server,established; content:"Subject\|3a 20 3a 20\|ZOMBIE"; nocase; content:"X-Library\|3a\| Indy 9.00.10"; nocase; distance:0; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Win32.SMTP-Mailer&threatid=48095; reference:url,www.hauri.net/virus/virusinfo_read.php?code=TRW3000774&start=1; reference:url,doc.emergingthreats.net/2003041; classtype:trojan-activity; sid:2003041; rev:7;) #by dn1nj4 # @@ -11868,7 +11868,7 @@ #by dxp # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:7;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Armitage Exploit Request"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/bof.php"; http_uri; reference:url,doc.emergingthreats.net/2009032; classtype:trojan-activity; sid:2009032; rev:8;) #by dxp # @@ -12029,7 +12029,7 @@ #by matt jonkman and victor julien # -alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d+/"; reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:3;) +alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.VB.brg C&C Kill Command Send"; flow:established,from_server; dsize:<35; content:"kill-"; offset:0; depth:5; pcre:"/kill\-\d+.\d+.\d+.\d+\:\d+%\d/"; reference:url,doc.emergingthreats.net/2007980; classtype:trojan-activity; sid:2007980; rev:4;) #by matt jonkman and victor julien # @@ -12302,7 +12302,7 @@ #by jerry at cybercave # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; pcre:"/\/ff\.ie\?rnd=\d+/Ui"; content:"p="; http_client_body; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh C&C HTTP POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/ff.ie?rnd="; http_uri; nocase; pcre:"/\/ff\.ie\?rnd=\d/Ui"; content:"p="; http_client_body; nocase; content:"&ot="; nocase; distance:0; content:"&njeb="; distance:0; reference:url,doc.emergingthreats.net/2010565; classtype:trojan-activity; sid:2010565; rev:8;) #by deapesh misra # @@ -12330,7 +12330,7 @@ #analysis by Jose Nazario at arbor networks. Sig by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control\|3a\| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=.+/P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:13;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackenergy Bot Checkin to C&C"; flow:established,to_server; dsize:<400; content:"POST"; nocase; http_method; content:"Cache-Control\|3a\| no-cache"; http_header; content:"id="; http_client_body; content:"&build_id="; http_client_body; fast_pattern; pcre:"/id=x.+_[0-9A-F]{8}&build_id=./P"; reference:url,asert.arbornetworks.com/2007/10/blackenergy-ddos-bot-analysis-available; reference:url,doc.emergingthreats.net/2007668; classtype:trojan-activity; sid:2007668; rev:14;) #by Jaime Blasco # @@ -12443,7 +12443,7 @@ #by Darren Spruell # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"\|0d 0a\|Entity-Info\|3a\|"; nocase; content:"\|0d 0a\|Magic-Number\|3a\|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d+/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\\|\d+/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Bredolab Downloader Response Binaries from Controller"; flow:established,from_server; content:"\|0d 0a\|Entity-Info\|3a\|"; nocase; content:"\|0d 0a\|Magic-Number\|3a\|"; nocase; pcre:"/\x0d\x0aEntity-Info\x3a\s+\d+\x3a\d/"; pcre:"/\x0d\x0aMagic-Number\x3a\s+\d+\\|\d/"; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=TrojanDownloader%3aWin32/Bredolab.B; reference:url,doc.emergingthreats.net/2009388; classtype:trojan-activity; sid:2009388; rev:4;) #Bredolab Infection # @@ -12503,7 +12503,7 @@ #by Jeffrey Brown at synacktip # -#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2\|7c\|"; depth:10; content:"\|7c\|"; distance:0; content:"\|7c\|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d+/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Ceckno Reporting to Controller"; flow:established,to_server; dsize:<30; content:"\:2\|7c\|"; depth:10; content:"\|7c\|"; distance:0; content:"\|7c\|"; distance:0; pcre:"/^\d+\x3a\d\x7c\d+\x7c[0-9a-z]+\x7c\d/i"; flowbits:set,ET.cekno.initial; reference:url,doc.emergingthreats.net/2008177; classtype:trojan-activity; sid:2008177; rev:5;) #by Jeffrey Brown at synacktip # @@ -12559,7 +12559,7 @@ #By RPG and Jack Pepper, modified by thierry chich and darren spruell # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downadup/Conficker A Worm reporting"; flow:to_server,established; content:"/search?q="; http_uri; content:"&aq="; http_uri; pcre:"/\/search\?q\=\d+&aq=\d/mi"; reference:url,www.f-secure.com/weblog/archives/00001584.html; reference:url,doc.emergingthreats.net/bin/view/Main/2009114; classtype:trojan-activity; sid:2009114; rev:5;) #by Tillman Werner # @@ -12619,7 +12619,7 @@ #matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; distance:0; content:"&v="; http_client_body; distance:0; content:"&os="; http_client_body; distance:0; content:"&panic="; http_client_body; distance:0; content:"&input="; http_client_body; distance:0; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN CoreFlooder C&C Checkin (2)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/index.php"; http_uri; nocase; content:"r="; http_client_body; content:"&i="; http_client_body; distance:0; content:"&v="; http_client_body; distance:0; content:"&os="; http_client_body; distance:0; content:"&panic="; fast_pattern; http_client_body; distance:0; content:"&input="; http_client_body; distance:0; reference:url,doc.emergingthreats.net/2009287; classtype:trojan-activity; sid:2009287; rev:5;) #by matt jonkman, Proxy.Corpes.j 0fe727c2779b6891697db8f768b6d34b # @@ -12784,7 +12784,7 @@ #by matt jonkman #re sample 41c62970ea34413c4011b220724bf029 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent\|3a\| Mozilla/3.0 (compatible\|3b\| Indy Library)"; fast_pattern:30,20; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:9;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Delf Checkin via HTTP (8)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; nocase; content:"User-Agent\|3a\| Mozilla/3.0 (compatible\|3b\| Indy Library)"; fast_pattern:30,20; http_header; content:"name="; http_client_body; depth:5; reference:url,doc.emergingthreats.net/2008268; classtype:trojan-activity; sid:2008268; rev:10;) #matt jonkman # @@ -12823,11 +12823,11 @@ #re 146244b0d5cce3d21719ad94d650a82f #traffic was on port 2009 in sample, since it is a new year. Maybe use it as the source # -alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"\|05 00 00 00\|"; depth:4; content:"\|cd\|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:2;) +#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Delfsnif/Buzus.fte Remote Response"; flow:established,from_server; dsize:9; content:"\|05 00 00 00\|"; depth:4; content:"\|cd\|"; distance:4; within:1; reference:url,www.threatexpert.com/threats/virtool-win32-delfsnif-gen.html; reference:url,doc.emergingthreats.net/2009079; classtype:trojan-activity; sid:2009079; rev:3;) #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d+/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Densmail.com Related Trojan Checkin"; flow:established,to_server; content:"/cc.php"; nocase; http_uri; content:"v="; nocase; http_uri; content:"&rnd="; http_uri; nocase; pcre:"/v=\d+&rnd=\d/Ui"; reference:url,doc.emergingthreats.net/2007822; classtype:trojan-activity; sid:2007822; rev:4;) #By Scott Melnick # @@ -12930,7 +12930,7 @@ #Sigs for general downloader trojans and worms. Not all get unique names #by Matt Jonkman. Saw a downloader appending ver7 to the end of a regular UA. No spaces. very unique # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; nocase; content:")ver"; http_header; fast_pattern; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:9;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent - Possible Trojan Downloader (ver18/ver19, etc)"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; nocase; content:")ver"; http_header; fast_pattern; distance:0; pcre:"/^User-Agent\:[^\n]+\)ver\d/Hmi"; reference:url,doc.emergingthreats.net/2003380; classtype:trojan-activity; sid:2003380; rev:10;) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman # @@ -12938,7 +12938,7 @@ #Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX User Agent Detected (Microsoft URL Control)"; flow:established,to_server; content:"User-Agent\|3a\| Microsoft URL Control -"; nocase; http_header; reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.VB.TX/Backdoor.Win32.DSSdoor!IK Checkin"; flow:established,to_server; content:"/tx.txt"; http_uri; content:" Microsoft URL Control -"; http_header; reference:url,doc.emergingthreats.net/2003646; classtype:trojan-activity; sid:2003646; rev:8;) #Reports of falsing here, the UA is legit within MS VB stuff. Scheduled to be deleted in a week or so. Do not recommend using this # @@ -12978,7 +12978,7 @@ #from sandnet data, by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]+/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Agent.cav Url Pattern Detected (ping)"; flow:established,to_server; content:"/ping/"; nocase; http_uri; pcre:"/\/ping\/[0-9a-fA-F]{64}\/[0-9a-fA-F]+\/[0-9a-fA-F]/Ui"; reference:url,doc.emergingthreats.net/2007284; classtype:trojan-activity; sid:2007284; rev:5;) #matt jonkman, from sandnet data # @@ -13125,11 +13125,11 @@ #matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Downloader URL - Post Infection"; flow:established,to_server; content:"/count.jsp?id="; http_uri; content:"&mac=0"; http_uri; content:"te="; http_uri; reference:url,doc.emergingthreats.net/2008728; classtype:trojan-activity; sid:2008728; rev:4;) #matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP\|3a\|"; depth:100; content:"??IP\|3a\|"; distance:0; content:"????\|3a\|"; distance:0; pcre:"/IP\:\d[1,3]\.\d[1,3]\.\d[1,3]\.\d[1,3]/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Generic Downloader Checkin Url Detected"; flow:established,to_server; content:"??IP\|3a\|"; depth:100; content:"??IP\|3a\|"; distance:0; content:"????\|3a\|"; distance:0; pcre:"/IP\:\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}/U"; reference:url,doc.emergingthreats.net/2008766; classtype:trojan-activity; sid:2008766; rev:5;) #by robert grabowsky # @@ -13167,12 +13167,12 @@ #by: Jeremy Conway at sudosecure.net #ref: 0f79f76f0ea1d53690ed916142f94083 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]&os=[a-z]&ver=[0-9]{8}&id=[0-9\.]/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Hupigon.dkwt Related Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"htm?mac="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&ver="; nocase; http_uri; content:"&id="; http_uri; pcre:"/\?mac=[0-9]?&os=[a-z]?&ver=[0-9]{8}&id=/Ui"; reference:url,doc.emergingthreats.net/2009704; classtype:trojan-activity; sid:2009704; rev:8;) #by: Jeremy Conway at sudosecure.net #ref: 59c9112d9d39c3051f0c6ae1dd499d97 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader Generic - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:4;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Downloader Generic - GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?mode="; nocase; http_uri; content:"&port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&ltime="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009803; classtype:trojan-activity; sid:2009803; rev:5;) #by jerry # @@ -13230,7 +13230,7 @@ #by Jaime Blasco # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; uricontent:"c_pcode="; http_uri;content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Generic Downloader checkin (3)"; flow:established,to_server; content:".php?"; http_uri; content:"c_pcode="; http_uri; content:"c_pid="; http_uri; content:"c_kind="; http_uri; content:"c_mac="; http_uri; reference:url,doc.emergingthreats.net/2010888; classtype:trojan-activity; sid:2010888; rev:5;) #Submitted by Tom Fischer, 2006-01-08, updated 4/22/06 # @@ -13390,7 +13390,7 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Emogen Reporting via HTTP"; flow:established,to_server; content:".asp?"; nocase; http_uri; content:"mac="; fast_pattern; nocase; http_uri; content:"&name="; nocase; http_uri; content:"&p="; nocase; http_uri; content:"&id="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007986; classtype:trojan-activity; sid:2007986; rev:4;) #another one. Fortinet calls it emogen, others call it a dropper # @@ -13443,7 +13443,7 @@ #by evilghost # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer\|3a\| "; http_header; nocase; content:"User-Agent\|3a\| Microsoft Internet Explorer\|0d 0a\|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]+/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential FakeAV HTTP POST Check-IN (?r=)"; flow:established,to_server; content:"POST"; nocase; http_method; content:!"Referer\|3a\| "; http_header; nocase; content:"User-Agent\|3a\| Microsoft Internet Explorer\|0d 0a\|"; http_header; nocase; content:"loads2.php?r="; nocase; http_uri; fast_pattern; pcre:"/loads2\.php\?r=[0-9]{2}\.[0-9]/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=94e13e13c6da5e32bde00bc527475bd2; reference:url,www.malwaredomainlist.com/forums/index.php?topic=3190.420; reference:url,doc.emergingthreats.net/2010594; classtype:trojan-activity; sid:2010594; rev:6;) #by evilghost # @@ -13485,7 +13485,7 @@ #by Jeffrey Brown # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; content:"/getmac.asp"; nocase; http_uri; content:"x="; nocase; http_uri; content:"&y="; nocase; content:"&z="; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-/Ui"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:trojan-activity; sid:2009215; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Farfli HTTP Checkin Activity"; flow: to_server,established; content:"/getmac.asp?x="; fast_pattern:only; http_uri; content:"&y="; http_uri; pcre:"/x=[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}-[a-f0-9]{2}/Ui"; reference:url,www.virustotal.com/analisis/3b532a7bf7850483882024652f6c8a8b; reference:url,doc.emergingthreats.net/2009215; classtype:trojan-activity; sid:2009215; rev:6;) #by: Jeremy Conway at sudosecure.net #ref: a93af8f350689c700ee3fde7442a956e @@ -13550,11 +13550,11 @@ #by marcus at unsober #re: ee1539a7b6b7012a68b986262f01756c # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"?p4="; http_uri; content:"&p5="; http_uri; fast_pattern; content:"&hs="; http_uri; pcre:"/p4=\d+&p5=\d+&hs=\d+/Ui"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gamania Trojan Check-in"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; content:"?p4="; http_uri; content:"&p5="; http_uri; fast_pattern; content:"&hs="; http_uri; pcre:"/p4=\d+&p5=\d+&hs=\d/Ui"; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=166939; reference:url,doc.emergingthreats.net/2009531; classtype:trojan-activity; sid:2009531; rev:9;) #by evilghost # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d+/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:10;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Gemini Malware Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?cmd=getFile&counter="; http_uri; pcre:"/\.php\?cmd=getFile&counter=\d/U"; reference:url,www.virustotal.com/analisis/c36e206c6dfe88345815da41c1b14b4f33a9636ad94dd46ce48f5b367f1c736c-1254242791; reference:url,doc.emergingthreats.net/2010007; classtype:trojan-activity; sid:2010007; rev:11;) #by Mike Cox # @@ -13594,7 +13594,7 @@ #by victort julien # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Malformed Double Accept header - Likely Trojan-PWS.Win32.QQPass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Accept\|3a\| Accept\|3a\| "; http_header; pcre:"/^Accept\x3A\sAccept\x3A[^\r\n]\d+,\s/[A-z0-9\.]+,\s[A-z0-9\.]+/Hmi"; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Suspicious Malformed Double Accept Header"; flow:established,to_server; content:"Accept\|3a\| Accept\|3a\| "; http_header; reference:url,doc.emergingthreats.net/2008975; classtype:trojan-activity; sid:2008975; rev:8;) #by joe stewart and bojan zdrjna # @@ -13602,7 +13602,7 @@ #by bojan # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Murlo Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]+/iU"; content: "&ver="; nocase; http_uri; content: "&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009442; classtype:trojan-activity; sid:2009442; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Murlo Trojan Checkin"; flow: to_server,established; content:"GET"; nocase; http_method; content: ".asp?mac="; nocase; http_uri; pcre:"/mac=[a-f0-9]/iU"; content: "&ver="; nocase; http_uri; content: "&os="; nocase; http_uri; reference:url,doc.emergingthreats.net/2009442; classtype:trojan-activity; sid:2009442; rev:9;) #by: Jeremy Conway at sudosecure.net #ref: 0e94639577df8c4b684b42d2acaa4417 @@ -13670,27 +13670,27 @@ #by steven Adair of shadowserver.org # -#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"\|00 00 00\|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Client Connect"; flow:to_server,established; content:"Gh0st"; depth:5; nocase; content:"\|00 00 00\|"; within:5; dsize:<180; flowbits:set,ET.ghost; reference:url,doc.emergingthreats.net/2008888; classtype:trojan-activity; sid:2008888; rev:5;) #by steven Adair of shadowserver.org # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Remote Access Trojan Server Response"; flowbits:isset,ET.ghost; flow:to_client,established; content:"Gh0st"; depth:5; nocase; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20081211; reference:url,doc.emergingthreats.net/2008889; classtype:trojan-activity; sid:2008889; rev:5;) #Jason aka dn1nj4 at shadowserver dot org #ref: 4e224c80f62c1b3dc74d295d0633e699 #also re 53c26839720c9b3e9c6ed9f0d288d288 # -#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:trojan-activity; sid:2010859; rev:5;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Gh0st Trojan CnC"; flow:established,to_server; content:"Gh0st"; depth:5; flowbits:set,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010859; classtype:trojan-activity; sid:2010859; rev:5;) #Jason aka dn1nj4 at shadowserver dot org #ref: 4e224c80f62c1b3dc74d295d0633e699 #also re 53c26839720c9b3e9c6ed9f0d288d288 # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:trojan-activity; sid:2010860; rev:5;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET DELETED Gh0st Trojan CnC Response"; flow:established,from_server; content:"Gh0st"; depth:5; flowbits:isset,ET.gh0st_client; reference:url,doc.emergingthreats.net/2010860; classtype:trojan-activity; sid:2010860; rev:5;) #by Martin Holste # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:6;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED GhostNet Trojan Reporting"; flow:established,to_server; content:"/microsoft/v2/update/upgrade.aspx?hostname="; http_uri; content:"&ostype="; http_uri; content:"&macaddr="; http_uri; content:"&ipaddr="; http_uri; content:"&owner="; http_uri; threshold: type limit, track by_src, count 1, seconds 300; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,doc.emergingthreats.net/2009202; classtype:trojan-activity; sid:2009202; rev:7;) #by michael sconzo # @@ -13718,7 +13718,7 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d+/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Goldun Reporting Install"; flow:established,to_server; content:".php?codec="; http_uri; pcre:"/codec=\d+D\d+D\d/U"; reference:url,doc.emergingthreats.net/2007965; classtype:trojan-activity; sid:2007965; rev:4;) #by dxp and Darren Spruell. Compilation of former sids 2003509-2003511 and 2002854 # @@ -13775,39 +13775,39 @@ #by Don Jackson of Secureworks # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET\|20\|"; offset:0; depth:4; content:"\|3F\|mod\|3D\|"; offset:5; depth:40; pcre:"/^GET\s+[^\x0A\x0D]+\x3Fmod\x3D\w\x26id\x3D[^\x26\s]+\x5F\w+\x26up\x3D[^\x26]+\x26mid\x3D[^\x26\s]+/"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HotLan.C Spambot Trojan Activity"; flow:to_server,established; content:"GET"; http_method; content:"\|3F\|mod\|3D\|"; fast_pattern:only; http_uri; content:"&id="; http_uri; content:"&up="; http_uri; content:"&mid="; http_uri; pcre:"/\x3Fmod\x3D\w?\x26id\x3D[^\x26\s]+?\x5F\w+?\x26up\x3D[^\x26]+?\x26mid\x3D[^\x26\s]/Ui"; reference:url,doc.emergingthreats.net/2008473; classtype:trojan-activity; sid:2008473; rev:7;) #Matt Jonkman # -alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Hotword Trojan in Transit"; flow: established,from_server; content:"\|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:8;) +#alert tcp $EXTERNAL_NET !$HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan in Transit"; flow: established,from_server; content:"\|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001959; classtype:trojan-activity; sid:2001959; rev:9;) #Matt Jonkman # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Hotword Trojan inbound via http"; flow: established,from_server; content:"\|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:7;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Hotword Trojan inbound via http"; flow: established,from_server; content:"\|63 6f 6d 66 69 64 65 6e 74 69 61 6c 20 64 6f 63 75 6d 65 6e 74 20 28 57 6f 72 64 29 20 66 72 6f 6d 20 44 69 67 69 44 6f 63 00 43 4d 20 25 73 20\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001960; classtype:trojan-activity; sid:2001960; rev:8;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:12;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CHJO"; flow: to_server,established; content:"STOR __"; content:"-CHJO.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001961; classtype:trojan-activity; sid:2001961; rev:13;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:10;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible File Upload CFXP"; flow: to_server,established; content:"STOR __"; content:"-CFXP.DRV"; nocase; within: 100; fast_pattern; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001962; classtype:trojan-activity; sid:2001962; rev:11;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:10;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request pspv.exe"; flow: to_server,established; content:"SIZE pspv.exe"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001963; classtype:trojan-activity; sid:2001963; rev:11;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:9;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Request .tea"; flow: to_server,established; content:"LIST "; content:".tea"; nocase; within: 50; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001964; classtype:trojan-activity; sid:2001964; rev:10;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"\|53 54 4f 52 20 5f 5f 5f 0d 0a\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:10;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Upload ___"; flow: to_server,established; content:"\|53 54 4f 52 20 5f 5f 5f 0d 0a\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001965; classtype:trojan-activity; sid:2001965; rev:11;) #Matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET VIRUS Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"\|53 49 5a 45 20 5f 5f 5f 0d 0a\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:10;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET DELETED Hotword Trojan - Possible FTP File Status Check ___"; flow: to_server,established; content:"\|53 49 5a 45 20 5f 5f 5f 0d 0a\|"; fast_pattern:only; reference:url,securityresponse.symantec.com/avcenter/venc/data/trojan.hotword.html; reference:url,doc.emergingthreats.net/2001966; classtype:trojan-activity; sid:2001966; rev:11;) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman # @@ -13973,7 +13973,7 @@ #Bot potty # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"\|3a\|"; content:"\|20\|332\|20\|"; within:50; content:"\|2023\|"; within:20; content:"\|203a\|"; pcre:"/(\.aim\w\|ascanall)\s+\w+/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN IRC channel topic misc bot commands"; flowbits:isset,is_proto_irc; flow:established,from_server; content:"\|3a\|"; content:"\|20\|332\|20\|"; within:50; content:"\|2023\|"; within:20; content:"\|203a\|"; pcre:"/(\.aim\w\|ascanall)\s+\w/i"; reference:url,doc.emergingthreats.net/2002386; classtype:trojan-activity; sid:2002386; rev:12;) #Bot potty # @@ -14285,7 +14285,7 @@ #by Darren Spruell # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d+/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Koobface HTTP Request (2)"; flow:established,to_server; content:"?action="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\?action=\w+gen&v=\d/U"; reference:url,ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html; reference:url,doc.emergingthreats.net/2010150; classtype:trojan-activity; sid:2010150; rev:4;) #by jerry at cybercave # @@ -14333,7 +14333,7 @@ #By matt Jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d+/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lager Trojan Reporting (gcu)"; flow:established,to_server; content:"/cp/rule.php?"; nocase; http_uri; pcre:"/\/cp\/rule\.php\?gcu=\d/Ui"; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=87732; reference:url,doc.emergingthreats.net/2003189; classtype:trojan-activity; sid:2003189; rev:5;) #By matt Jonkman # @@ -14346,7 +14346,7 @@ #by Shirkdog #re 8888fcb5020d1295f4343f601263306a # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Lanfiltrator Checkin"; flow:established,to_server; content:"/ralog.cgi"; http_uri; content:"&ip="; http_uri; content:"&servertype=lanfiltrator"; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:trojan-activity; sid:2009078; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor Lanfiltrator Checkin"; flow:established,to_server; content:"/ralog.cgi"; nocase; http_uri; content:"&ip="; nocase; http_uri; content:"&servertype=lanfiltrator"; nocase; http_uri; reference:url,research.sunbelt-software.com/threatdisplay.aspx?name=Backdoor.Win32.LanFiltrator.3b&threatid=51642; reference:url,doc.emergingthreats.net/2009078; classtype:trojan-activity; sid:2009078; rev:4;) #by matt jonkman # @@ -14431,7 +14431,7 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d+/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Lydra.hj HTTP Checkin"; flow:established,to_server; content:"/NewsFolder/News00"; http_uri; content:".ASP?id="; http_uri; pcre:"/\/NewsFolder\/News00\d\d\.ASP\?id=/U"; pcre:"/Host\: \d+\.\d+\.\d+\.\d/"; reference:url,doc.emergingthreats.net/2008130; classtype:trojan-activity; sid:2008130; rev:4;) #by Matt Jonkman, MBR Virus related # @@ -14441,13 +14441,13 @@ #Ikarus: AdWare.Win32.MWGuide, #re a98bb554bf012dd25d94b764bc4a0678 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide checkin"; flow:established,to_server; content:"/sidebar_load.php?maddr="; http_uri; content:"ipaddr="; http_uri; content:"aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008839; classtype:trojan-activity; sid:2008839; rev:6;) #by Victor Julien #Ikarus: AdWare.Win32.MWGuide, #re a98bb554bf012dd25d94b764bc4a0678 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.MWGuide keepalive"; flow:established,to_server; content:"/alive.php?aff_id="; http_uri; reference:url,doc.emergingthreats.net/2008840; classtype:trojan-activity; sid:2008840; rev:5;) #info from Bojan at ISC and Russell Fulton #sig by Russell and Matt Jonkman @@ -14464,7 +14464,7 @@ #by Chuck Conn at the World Bank # -alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"\|61\|"; depth:1; flowbits:noalert; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:6;) +alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Palevo/BFBot/Mariposa client join attempt"; dsize:7; content:"\|61\|"; depth:1; flowbits:set,ET.MariposaJoin; reference:url,defintel.com/docs/Mariposa_Analysis.pdf; reference:url,defintel.blogspot.com/2009/09/half-of-fortune-100-companies.html; reference:url,doc.emergingthreats.net/2010100; reference:url,blogs.pcmag.com/securitywatch/2009/09/botnet_reported_loose_in_fortu.php; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2009-093006-0442-99&tabid=2; reference:url,www.symantec.com/connect/blogs/mariposa-butterfly; classtype:trojan-activity; sid:2010100; rev:7;) #by Chuck Conn at the World Bank # @@ -14492,7 +14492,7 @@ #Added 2005-10-04 in response to ISC diary # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d+/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:8;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Mitglieder Proxy Bot Checking In"; flow:established,to_server; content:"/scr5.php"; nocase; http_uri; pcre:"/\/scr5\.php\?p=\d+&id=\d/Ui"; reference:url,isc.sans.org/diary.php?storyid=722; reference:url,doc.emergingthreats.net/2002387; classtype:trojan-activity; sid:2002387; rev:9;) #by Marcus of unsober #ref: 7d5651c19e316480971eb5406727f720 @@ -14588,7 +14588,7 @@ ##by darren spruell # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d\x26v\x3D\d\x26tm\x3D\d\x26b\x3D\d/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Oficla Downloader Activity Observed"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&tm="; nocase; http_uri; fast_pattern:only; content:"&b="; nocase; http_uri; pcre:"/\x2Ephp\x3Fid\x3D\d\x26v\x3D\d\x26tm\x3D\d\x26b\x3D/iU"; reference:url,www.threatexpert.com/report.aspx?md5=38e1d644e2a16041b5ec1a02826df280; reference:url,www.threatexpert.com/report.aspx?md5=1db0c8d48a76662496af7faf581b1cf0; reference:url,doc.emergingthreats.net/2009776; classtype:trojan-activity; sid:2009776; rev:8;) #by evilghost and darren spruell and mike cox and crew # @@ -14640,15 +14640,15 @@ #by Russ McRee of expedia.com # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea.php?p=\d+/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updatea)"; flow:to_server,established; content:"/updatea.php?p="; nocase; http_uri; pcre:"/updatea.php?p=\d/Ui"; flowbits:set,BT.ppagent.updatea; flowbits:noalert; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003115; classtype:trojan-activity; sid:2003115; rev:5;) #by Russ McRee of expedia.com # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb.php?p=\d+/Ui"; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Trojan.Proxy.PPAgent.t (updateb)"; flowbits:isset,BT.ppagent.updatea; flow:to_server,established; content:"/updateb.php?p="; nocase; http_uri; pcre:"/updateb.php?p=\d/Ui"; flowbits:unset,BT.ppagent.updatea; reference:url,original.avira.com/en/threats/vdf_history.html?id_vdf=2738; reference:url,doc.emergingthreats.net/2003116; classtype:trojan-activity; sid:2003116; rev:5;) #by Lance James and Michael Ligh, referenced in paper at http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf # -alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET TROJAN Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type\|3a20\|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:9;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"ET DELETED Prg Trojan v0.1-v0.3 Data Upload"; flow:to_server,established; content:"POST"; nocase; http_method; content:"php?"; http_uri; content:"Content-Type\|3a20\|binary"; http_header; content:"LLAH"; reference:url,www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf; reference:url,doc.emergingthreats.net/2003182; classtype:trojan-activity; sid:2003182; rev:11;) #by Lance James and Michael Ligh, referenced in paper at http://www.securescience.net/FILES/securescience/10378/pubMalwareCaseStudy.pdf # @@ -14689,11 +14689,11 @@ #New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data"; flow:established,to_server; dsize:>400; content:"POST"; nocase; http_method; content:"a="; http_client_body; nocase; content:"&b="; http_client_body; nocase; content:"&d="; http_client_body; nocase; content:".bin&"; fast_pattern; http_client_body; nocase; content:"u="; http_client_body; nocase; content:"&c="; nocase; http_client_body; reference:url,doc.emergingthreats.net/2006385; classtype:trojan-activity; sid:2006385; rev:8;) #New by Matt Jonkman, re 0a7b2d160c90af079dbe560b38c89d3f in sandnet # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-LDPinch posting data (2)"; flow:established,to_server; dsize:>400; content:"POST / HTTP/1.1"; depth:15; content:!"User-Agent\|3a\| BDNC"; http_header; content:"a="; http_client_body; content:"&b="; distance:0; http_client_body; content:"&c="; distance:0; http_client_body; reference:url,doc.emergingthreats.net/2007756; classtype:trojan-activity; sid:2007756; rev:6;) #more pinch # @@ -14821,7 +14821,7 @@ #by: Jeremy Conway at sudosecure.net #ref: 030500a6ef292ecf6fc4e2a5bf5a424c # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Parite.B GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent\|3a\| gomtour"; http_header; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Parite.B GET"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent\|3a\| gomtour"; http_header; reference:url,www.pandasecurity.com/homeusers/security-info/18181/information/Parite.B; reference:url,www.pctools.com/mrc/infections/id/Virus.Parite.B/; reference:url,www.threatexpert.com/threats/w32-parite-b.html; reference:url,doc.emergingthreats.net/2009454; classtype:trojan-activity; sid:2009454; rev:5;) #Submitted 2006-03-20 by Tom Fischer # @@ -14833,7 +14833,7 @@ #by Paul Dokas # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; http_method; nocase; content:"a=%"; http_raw_uri; fast_pattern; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:8;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Password Stealer Reporting - ?a=%NN&b="; flow:to_server,established; content:"POST"; http_method; nocase; content:"a=%"; http_raw_uri; content:"&b="; http_uri; pcre:"/a=\%[0-9a-fA-F]{2}\&b/Ii"; reference:url,doc.emergingthreats.net/2009082; classtype:trojan-activity; sid:2009082; rev:9;) #by: Jeremy Conway at sudosecure.net #ref: a03cadd15d8f658ee73c8829fb4a3019 @@ -14844,7 +14844,7 @@ #by dn1nj4 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http\|3a\|//"; depth:12; content:"C\|3a\|\\"; distance:0; nocase; content:".exe\|00 00\|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:4;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Paymilon-A HTTP POST"; flow:established,to_server; content:"POST http\|3a\|//"; depth:12; content:"C\|3a\|\\"; distance:0; nocase; content:".exe\|00 00\|"; distance:0; reference:url,www.sophos.com/security/analyses/viruses-and-spyware/malpaymilona.html; reference:url,doc.emergingthreats.net/2010918; classtype:trojan-activity; sid:2010918; rev:5;) #by pedro marinho # @@ -14868,7 +14868,7 @@ #by matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587] (msg:"ET TROJAN Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject\|3a\| Perfect Keylogger was installed successfully\|3a\|"; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET [25,587,2525] (msg:"ET TROJAN Perfect Keylogger Install Email Report"; flow:established,to_server; content:"Subject\|3a\| Perfect Keylogger was installed successfully\|3a\|"; fast_pattern:7,20; reference:url,doc.emergingthreats.net/2008893; classtype:trojan-activity; sid:2008893; rev:8;) #by matt jonkman # @@ -14955,7 +14955,7 @@ #by: Jeremy Conway at sudosecure.net #ref: b853a0bc503b0e35959601cca79ec809 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poisionivy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Poison Ivy RAT/Backdoor follow on POST Data PUSH Packet"; flow:established,to_server; flags:AP,12; content:"op="; depth:3; nocase; content:"&servidor="; nocase; content:"&senha="; nocase; content:"&usuario="; nocase; content:"&base="; nocase; content:"&sgdb="; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPoisonivy.I&ThreatID=-2147363597; reference:url,www.viruslist.com/en/viruses/encyclopedia?virusid=133781; reference:url,doc.emergingthreats.net/2009806; classtype:trojan-activity; sid:2009806; rev:3;) #by anonymous submitter #2 # @@ -14968,12 +14968,12 @@ #by Jaime Blasco, updates by evilghost #these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".gif"; nocase; http_uri; content:".gif HTTP"; nocase; pcre:"/\.gif$/Ui"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (gif)"; flow:to_server,established; content:"POST"; http_method; content:".gif"; http_uri; fast_pattern:only; pcre:"/\.gif$/U"; pcre:"/POST\s[^\r\n]+?(?<!__utm)\.gif HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010066; classtype:trojan-activity; sid:2010066; rev:9;) #by Jaime Blasco, updates by evilghost #these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:established,to_server; content:"POST"; nocase; http_method; content:".jpg"; nocase; http_uri; content:".jpg HTTP"; nocase; pcre:"/\.jpg$/i"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Data POST to an image file (jpg)"; flow:to_server,established; content:"POST"; http_method; content:".jpg"; http_uri; fast_pattern:only; pcre:"/\.jpg$/U"; pcre:"/POST\s[^\r\n]+?\.jpg HTTP\/1\./"; reference:url,doc.emergingthreats.net/2010067; classtype:trojan-activity; sid:2010067; rev:8;) #by Jaime Blasco, updates by evilghost #these sigs are intended to catch post data to images. This is suspicious and often trojan or spyware @@ -14992,15 +14992,15 @@ #Submitted by Brad Doctor # -alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET VIRUS Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET DELETED Greeting card gif.exe email incoming SMTP"; flow: established,to_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001919; classtype:trojan-activity; sid:2001919; rev:8;) #Submitted by Brad Doctor # -alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET VIRUS Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:7;) +#alert tcp $EXTERNAL_NET 110:220 -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming POP3/IMAP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001920; classtype:trojan-activity; sid:2001920; rev:8;) #Submitted by Brad Doctor # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET VIRUS Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:7;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Greeting card gif.exe email incoming HTTP"; flow: established,from_server; content:"postcard.gif.exe"; nocase; reference:url,securityresponse.symantec.com/avcenter/venc/data/vbs.postcard@mm.html; reference:url,doc.emergingthreats.net/2001921; classtype:trojan-activity; sid:2001921; rev:8;) #Created by Jeremy Conway with contributions from Steven Adair # @@ -15026,7 +15026,7 @@ #from sandnet analysis, looking for User Agents like bL0j3jKdUwy3kUCZnsqaHlFTNEU4Ik8IhfG5kpu1Up9qFuqAtSnmqDYUHgAWPsjf1soqBMqxqts1OkiavJn05uGl38NIw4lPZHKHvO36WFcSNu81CJx # # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent\|3a\| App"; http_header; content:!"Host\|3a\| liveupdate.symantecliveupdate.com\|0d 0a\|"; http_header; pcre:"/^User-Agent\: App\d+/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:8;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED QQPass Related User-Agent Infection Checkin (App4)"; flow:to_server,established; content:"User-Agent\|3a\| App"; http_header; content:!"Host\|3a\| liveupdate.symantecliveupdate.com\|0d 0a\|"; http_header; pcre:"/^User-Agent\: App\d/Hmi"; reference:url,doc.emergingthreats.net/2007569; classtype:trojan-activity; sid:2007569; rev:10;) #by Marcus at unsober.org #re: 1c3ead1c4a033b6af8f29e53fedd96c1 @@ -15065,7 +15065,7 @@ #by Don Jackson of Secureworks. RE: US courts related phishes # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent\|3A\| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]\x20HTTP\x2F1\x2E0\x0D\x0A.\x0D\x0AHost\x3A\x20\w+/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:7;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RhiFrem Trojan Activity - cmd"; flow:to_server,established; content:"GET"; nocase; http_method; content:"?mod=cmd&user="; http_uri; content:"User-Agent\|3A\| Mozilla/5.0 Gecko/20050212 Firefox/1.5.0.2"; http_header; pcre:"/^GET\x20[^\x0D\x0A]+\x3Fmod\x3Dcmd\x26user\x3D\w+[^\x0D\x0A]\x20HTTP\x2F1\x2E0\x0D\x0A.\x0D\x0AHost\x3A\x20\w/"; reference:url,www.castlecops.com/U_S_Courts_phish792683.html; reference:url,doc.emergingthreats.net/2008139; classtype:trojan-activity; sid:2008139; rev:8;) #by Don Jackson of Secureworks. RE: US courts related phishes # @@ -15074,7 +15074,7 @@ #by: Jeremy Conway at sudosecure.net #ref: 14d98e50d25dfc3c1bc011c2856ac1a8 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner (Often Rootkit) - POST"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent\|3a\|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:url,doc.emergingthreats.net/2009711; classtype:trojan-activity; sid:2009711; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Runner/Bublik Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"G="; http_client_body; nocase; content:"&PG="; http_client_body; nocase; content:"&EPBB="; http_client_body; nocase; content:!"User-Agent\|3a\|"; http_header; reference:url,www.spywarecease.com/spyware-list/Spyware_Trojan.Win32.Runner.s.html; reference:url,www.threatexpert.com/threats/trojan-win32-runner.html; reference:md5,6d2919a92d7dda22f4bc7f9a9b15739f; classtype:trojan-activity; sid:2009711; rev:6;) #by Jaime Blasco # @@ -15092,7 +15092,7 @@ #Matt Jonkman # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; nocase; http_uri; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:4;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sality Trojan Web Update"; flow:to_server,established; content:"/new_array2.php?speed="; nocase; http_uri; reference:url,www.sophos.com/security/analyses/w32salityu.html; reference:url,doc.emergingthreats.net/2003424; classtype:trojan-activity; sid:2003424; rev:5;) #from castlecops research, http://www.castlecops.com, sig by Matt Jonkman # @@ -15135,7 +15135,7 @@ #by Tom Fisher # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"id="; nocase; http_uri; content:"User-Agent\|3a\| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SickleBot Reporting User Activity"; flow:established,to_server; content:"GET"; http_method; content:"id="; nocase; http_uri; content:"User-Agent\|3a\| SickleBot"; http_header; reference:url,doc.emergingthreats.net/2002776; classtype:trojan-activity; sid:2002776; rev:7;) #by Darren Spruell # @@ -15159,7 +15159,7 @@ #by Marcus at unsober.org # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d+/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:trojan-activity; sid:2009300; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Small.zon checkin"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?n="; http_uri; content:"&id="; http_uri; content:"&t="; http_uri; content:"&i="; http_uri; pcre:"/\?n=\d+&id=.+&t=.+&i=\d/Ui"; reference:url,doc.emergingthreats.net/2009300; classtype:trojan-activity; sid:2009300; rev:5;) #y Tom Fischer # @@ -15191,7 +15191,7 @@ #re: 7596ec9308082edec613ac8d78ee4fe6 #updates by darren spruell # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{10}&v=[\w\.]+/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zalupko/Koceg/Mandaph HTTP Checkin (2)"; flow:established,to_server; content:"/manda.php?"; http_uri; content:"id="; nocase; http_uri; content:"&v="; nocase; http_uri; pcre:"/\/manda\.php\?id=(-)?\d{9,10}&v=\w/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Backdoor%3aWin32%2fKoceg.gen!B; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2008-042816-0445-99&tabid=2; reference:url,www.threatexpert.com/report.aspx?md5=b2aad8e259cbfdd2ba1fcbf22bcee2e9; reference:url,doc.emergingthreats.net/2010765; classtype:trojan-activity; sid:2010765; rev:7;) #This is a new type of proxying via port 80. Tha agent opens up a conn to the controller, then repeats whatever the controller tells it to do #the initial 2 packets seem to be a checkin, then a command of the host and port to connect to. @@ -15327,24 +15327,24 @@ #more storm, uses a tcp connection now for some specialized commands. reversed by Joe Stewart #temporarily disabling for falses # -#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:5;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Making initial outbound connection"; flowbits:isnotset,BE.stormtcp.init; flow:established,to_server; dsize:4; flowbits:noalert; flowbits:set,BE.stormtcp.init; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007640; rev:6;) #more storm, uses a tcp connection now for some specialized commands. reversed by Joe Stewart #temporarily disabling for falses # -#alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET TROJAN Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:5;) +##alert tcp $EXTERNAL_NET 1024:65535 -> $HOME_NET any (msg:"ET DELETED Storm Controller Response to Drone via tcp"; flowbits:isset,BE.stormtcp.init; flow:established,from_server; dsize:4; reference:url,doc.emergingthreats.net/bin/view/Main/StormWorm; classtype:trojan-activity; sid:2007641; rev:6;) #adding these for a specific storm variant that is encrypting traffic. #Temporary, there has so far been only one key used, no others have been detected here. This has remained for #at last a month, so may stay a while. These sigs are for THIS VARIANT'S KEY ONLY # -alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"\|10 a6\|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:4;) +##alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (1)"; dsize:25; content:"\|10 a6\|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007701; classtype:trojan-activity; sid:2007701; rev:5;) #adding these for a specific storm variant that is encrypting traffic. #Temporary, there has so far been only one key used, no others have been detected here. This has remained for #at last a month, so may stay a while. These sigs are for THIS VARIANT'S KEY ONLY # -alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET TROJAN Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"\|10 a0\|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:4;) +##alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 1024:65535 (msg:"ET DELETED Storm Worm Encrypted Variant 1 Traffic (2)"; dsize:25; content:"\|10 a0\|"; depth:2; threshold: type both, count 2, seconds 60, track by_src; reference:url,doc.emergingthreats.net/2007702; classtype:trojan-activity; sid:2007702; rev:5;) #storm c&c with a typo'd UA # @@ -15454,7 +15454,7 @@ #by darren spruell # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:established,to_server; content:".php?adv="; nocase; http_uri; content:"&code1="; nocase; http_uri; content:"&code2="; nocase; http_uri; pcre:"/\.php\?adv=adv\d+&code1=\w+&code2=\d+&id=-?\d+&p=\d+/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tibs/Harnig Downloader Activity"; flow:to_server,established; content:".php?adv=adv"; http_uri; content:"User-Agent\|3a\| "; http_header; nocase; content:")ver"; distance:0; http_header; fast_pattern; pcre:"/^User-Agent\x3a[^\r\n]+\)ver\d+\r?$/Hmi"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3aWin32%2fHarnig; reference:url,www.threatexpert.com/report.aspx?md5=2ce9c871a8a217cafcdce15c6c1e8dfc; reference:url,doc.emergingthreats.net/2010165; classtype:trojan-activity; sid:2010165; rev:6;) #matt jonkman # @@ -15470,7 +15470,7 @@ #by dxp # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; reference:url,doc.emergingthreats.net/2009389; classtype:trojan-activity; sid:2009389; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tornado Pack Binary Request"; flow:established,to_server; content:"GET"; depth:3; http_method; content:"?o="; http_uri; fast_pattern; content:"&t="; http_uri; content:"&i="; http_uri; content:"&e="; http_uri; reference:url,dxp2532.blogspot.com/2009/05/tornado-exploit-pack.html; classtype:trojan-activity; sid:2009389; rev:5;) #Description of parameters: #?o= integer value to identify attacker @@ -15587,12 +15587,12 @@ #by matt jonkman and victor julien #Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB # -alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:3;) +alert tcp $EXTERNAL_NET 81: -> $HOME_NET any (msg:"ET TROJAN Turkojan C&C Info Command (MINFO)"; flow:established,from_server; dsize:5; content:"MINFO"; reference:url,doc.emergingthreats.net/2008022; classtype:trojan-activity; sid:2008022; rev:4;) #by matt jonkman and victor julien #Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB # -alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO\|7c\|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 81: (msg:"ET TROJAN Turkojan C&C Info Command Response (MINFO)"; flow:established,to_server; dsize:<100; content:"MINFO\|7c\|"; depth:6; reference:url,doc.emergingthreats.net/2008023; classtype:trojan-activity; sid:2008023; rev:5;) #by matt jonkman and victor julien #Backdoor.Win32.Turkojan.jv or Turkojan.gen1 or GenPack:Trojan.Agent.AHAB @@ -15642,7 +15642,7 @@ #by marcus at unsober #re: 1331ffcae4e8d1de36a708db0e30346b # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Password Stealing Trojan Check-in"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host\|3a\| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sisron/BackDoor.Cybergate.1 Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?action=add&a="; http_uri; content:"&c="; http_uri; content:"&u="; http_uri; content:"&l="; http_uri; content:"&p="; http_uri; content:!"Host\|3a\| whos.amung.us"; reference:url,doc.emergingthreats.net/2009458; classtype:trojan-activity; sid:2009458; rev:8;) #by marcus at unsober #re: 2cb21d88a0217595455591c7345c0395 @@ -15788,7 +15788,7 @@ #by Marcus at unsober # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"GET"; depth:3; http_method; content:".asp?mac="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d+/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Virut Counter/Check-in "; flow:established,to_server; content:"GET"; http_method; content:".asp?mac="; http_uri; content:"&ver="; http_uri; pcre:"/.asp\?mac=([0-9A-F]{2}-){5}([0-9A-F]{2})+&ver=\d/Ui"; reference:url,www.threatexpert.com/reports.aspx?find=ipk8888.cn&x=0&y=0; reference:url,doc.emergingthreats.net/2009374; classtype:trojan-activity; sid:2009374; rev:9;) #by Marcus at unsober # @@ -15820,7 +15820,7 @@ #by Matt Jonkman #from sandnet analysis # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vundo.dam http Checkin after infection"; flow:established,to_server; content:"install.php?"; nocase; http_uri; content:"afid="; nocase; http_uri; content:"&user_id="; nocase; http_uri; content:"&version="; nocase; http_uri; reference:url,doc.emergingthreats.net/2007572; classtype:trojan-activity; sid:2007572; rev:5;) #by Matt Jonkman #from sandnet analysis @@ -15952,7 +15952,7 @@ #also seeing the same on 443 # -alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"\|c8\|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:trojan-activity; sid:2008058; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32.Inject.ajq Initial Checkin to CnC port 443"; flow:established,to_server; dsize:1; content:"\|c8\|"; flowbits:set,ET.inj.ajq.1; flowbits:noalert; reference:url,doc.emergingthreats.net/2008058; classtype:trojan-activity; sid:2008058; rev:6;) #also seeing the same on 443 # @@ -16004,12 +16004,12 @@ #by Matt Jonkman, from sandnet analysis # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d+/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Small.qh/xSock Checkin URL Detected"; flow:established,to_server; content:"port="; nocase; http_uri; content:"&id="; nocase; http_uri; content:"&v="; nocase; http_uri; content:"&sm="; nocase; http_uri; pcre:"/port=\d/Ui"; pcre:"/id=[a-f0-9-]+&/Ui"; reference:url,doc.emergingthreats.net/2007610; classtype:trojan-activity; sid:2007610; rev:5;) #by: Jeremy Conway at sudosecure.net #ref: 2e79af552fa6d3bd2cb654cc0f15cd76 # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 5.0\|3b\| Windows NT 2.1\|3b\| SV3)\|0d0a\|"; fast_pattern:21,20; http_header; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.VB.tdq - Fake User-Agent"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 5.0\|3b\| Windows NT 2.1\|3b\| SV3)\|0d0a\|"; fast_pattern:47,15; http_header; reference:url,vil.nai.com/vil/content/v_187654.htm; reference:url,home.mcafee.com/VirusInfo/VirusProfile.aspx?key=187654; reference:url,doc.emergingthreats.net/2009825; classtype:trojan-activity; sid:2009825; rev:7;) #by shirkdog, from sandnet analysis # @@ -16037,11 +16037,11 @@ #by evilghost # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; depth:4; http_method; content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d+/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST"; flow:established,to_server; content:"POST"; http_method; content:"verint="; http_client_body; content:"&uid="; http_client_body; content:"&wv="; http_client_body; content:"&report="; http_client_body; content:"&abbr="; http_client_body; content:"&pid="; http_client_body; pcre:"/verint=\d+&uid=\d+&wv=[A-Za-z0-9]+&report=\d+&abbr=[A-Za-z0-9]+&pid=\d/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010247; classtype:trojan-activity; sid:2010247; rev:6;) #by evilghost # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; depth:4; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]+/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN WindowsEnterpriseSuite FakeAV Reporting via POST initial check-in"; flow:established,to_server; content:"POST"; http_method; content:"/MicroinstallServiceReport.php"; http_uri; content:"report="; http_client_body; content:"&pid="; http_client_body; content:"&wv="; http_client_body; pcre:"/report=\d+&pid=\d+&wv=[A-Za-z0-9]/P"; reference:url,www.threatexpert.com/report.aspx?md5=d9bcb4e4d650a6ed4402fab8f9ef1387; reference:url,doc.emergingthreats.net/2010246; classtype:trojan-activity; sid:2010246; rev:7;) #by evilghost # @@ -16077,7 +16077,7 @@ #matt jonkman # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yahoo550.com Related Downloader/Trojan Checkin"; flow:established,to_server; content:"/image/logo.jpg?queryid="; http_uri; pcre:"/queryid=\d+$/U"; reference:url,doc.emergingthreats.net/2008049; classtype:trojan-activity; sid:2008049; rev:5;) #by Jaime Blasco # @@ -16141,15 +16141,15 @@ #by axn jxn # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent\|3a\| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (internetsecurity)"; flow:established,to_server; content:"User-Agent\|3a\| internetsecurity"; http_header; reference:url,secubox.aldria.com/topic-post1618.html#post1618; reference:url,doc.emergingthreats.net/2003632; classtype:trojan-activity; sid:2003632; rev:7;) #by axn jxn # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent\|3a\| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (Winlogon)"; flow:established,to_server; content:"User-Agent\|3a\| Winlogon"; http_header; reference:url,doc.emergingthreats.net/2006441; classtype:trojan-activity; sid:2006441; rev:6;) #from sandnet data # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\|3a\| unknown"; http_header; content:!".real.com\|0d 0a\|"; http_header; content:!".rhapsody.com\|0D 0A\|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:8;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent - updating (unknown)"; flow:established,to_server; content:"User-Agent\|3a\| unknown"; http_header; content:!".real.com\|0d 0a\|"; http_header; content:!".rhapsody.com\|0D 0A\|"; http_header; reference:url,doc.emergingthreats.net/2007567; classtype:trojan-activity; sid:2007567; rev:9;) #from sandnet data # @@ -16157,11 +16157,11 @@ #from sandnet data # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d+/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob Updating via HTTP (v2)"; flow:established,to_server; content:".php?Code="; nocase; http_uri; content:"&V="; nocase; http_uri; content:"&ID="; nocase; http_uri; pcre:"/Code=\d/Ui"; pcre:"/ID=.{40}&.{6}/Ui"; reference:url,doc.emergingthreats.net/2007620; classtype:trojan-activity; sid:2007620; rev:5;) #from sandnet data # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/4.0 (compatible"; http_header; content:"\|3b\| UA"; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:10;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Suspicious User Agent (Zlob Related) (UA00000)"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/4.0 (compatible"; http_header; content:"\|3b\| UA"; http_header; fast_pattern; pcre:"/User-Agent\:[^\n]+\; UA\d\d\d\d\d\;/H"; reference:url,doc.emergingthreats.net/2008083; classtype:trojan-activity; sid:2008083; rev:11;) #by Philipp Betch # @@ -16173,11 +16173,11 @@ #By Darren Spruell and dxp # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Zlob User Agent - Likely Zlob (securityinternet)"; flow:established,to_server; content:"User-Agent\|3a\| securityinternet"; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob User Agent (securityinternet)"; flow:established,to_server; content:"User-Agent\|3a\| securityinternet"; http_header; reference:url,www.bitdefender.com/VIRUS-1000328-en--Trojan.Pws.Wow.NCY.html; reference:url,doc.emergingthreats.net/2009022; classtype:trojan-activity; sid:2009022; rev:7;) #marcus at unsober # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zlob post installation checkin (.php?inst_result=&hwid)"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"inst_result="; http_uri; content:"&hwid="; http_uri; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Adware.AdzgaloreBiz/AdRotator!IK Install/Checkin"; flow:established,to_server; content:"GET"; http_method; content:".php?inst_result="; http_uri; content:"&hwid="; http_uri; content:"User-Agent\|3a\| NSISDL/1.2 (Mozilla)\|0d 0a\|"; http_header; pcre:"/\.php\?inst_result=.+&hwid=/Ui"; reference:url,www.threatexpert.com/report.aspx?md5=1ca433d3f5538fda49c5defb59232f9d; reference:url,doc.emergingthreats.net/2009305; classtype:trojan-activity; sid:2009305; rev:6;) #by Pedro Marinho #ref 483dbf6dd97ec249b0ec84a358e39260 @@ -16295,7 +16295,7 @@ #Rbot trojan #by M Shirk # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET VIRUS HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host\|3A 20\|"; nocase; content:"\|3A 20\|Negotiate\|20\|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:7;) +##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET DELETED HTTP RBOT Challenge/Response Authentication"; flow: to_server,established; content:"Host\|3A 20\|"; nocase; content:"\|3A 20\|Negotiate\|20\|YIIQegYGKwYBBQUCoIIQbjCCEGqhghBmI4IQYgOCBAEAQUFBQUFBQUFBQUFBQUFB"; nocase; reference:url,isc.sans.org/diary.php?date=2005-06-03; reference:url,www.phreedom.org/solar/exploits/msasn1-bitstring; reference:url,doc.emergingthreats.net/2001985; classtype:trojan-activity; sid:2001985; rev:8;) #by matt jonkman # @@ -16348,11 +16348,11 @@ #Submitted by Joseph Gama # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:11;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN UPX compressed file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; content:"UPX0"; content:"UPX1"; content:"UPX!"; reference:url,doc.emergingthreats.net/2001046; classtype:misc-activity; sid:2001046; rev:12;) #Submitted by Joseph Gama # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; content:"\|00\|code\|00\|"; content:"\|00 C0\|text\|00\|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:8;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE UPX encrypted file download possible malware"; flow:established,from_server; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; content:"\|00\|code\|00\|"; content:"\|00 C0\|text\|00\|"; reference:url,doc.emergingthreats.net/2001047; classtype:misc-activity; sid:2001047; rev:9;) #from Jack Pepper #Disabling, tends to false @@ -16512,7 +16512,7 @@ #by Akash Mahajan # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"String"; nocase; distance:0; pcre:"/[0-9]{4,}/"; pcre:"/(SetBgColor\|SetMovieName\|SetTarget\|SetMatrix\|SetHREF)/i"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:13;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Apple QuickTime <= 7.4.1 QTPlugin.ocx Multiple Remote Stack Overflow"; flow:to_client,established; file_data; content:"02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"; nocase; distance:0; content:"String("; nocase; distance:0; pcre:"/^\s?[0-9]{4}/R"; pcre:"/(SetBgColor\|SetMovieName\|SetTarget\|SetMatrix\|SetHREF)/Ri"; reference:bugtraq,27769; reference:cve,CVE-2008-0778; reference:url,www.milw0rm.com/exploits/5110; reference:url,doc.emergingthreats.net/2007878; classtype:web-application-attack; sid:2007878; rev:15;) #by stillsecure # @@ -17985,7 +17985,7 @@ #by Kevin Ross # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; content:"chmod"; fast_pattern:only; nocase; http_uri; pcre:"/chmod.([r\|w\|x\|1-7])/Ui"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Suspicious Chmod Usage in URI"; flow:to_server,established; content:"chmod"; fast_pattern:only; nocase; http_uri; pcre:"/chmod\s+([+-][rwx]\|[0-7])/Ui"; reference:url,doc.emergingthreats.net/2009363; classtype:attempted-admin; sid:2009363; rev:7;) #by kevin ross # @@ -18022,7 +18022,7 @@ #Submitted by Matt Jonkman # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:".aspx"; nocase; http_uri; content:"GET"; nocase; http_method; content:"\|5C\|"; content:"aspx"; nocase; within: 100; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:24;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS ASP.net Auth Bypass / Canonicalization"; flow: to_server,established; content:"GET"; nocase; http_method; content:"\|5C\|"; http_uri; content:".aspx"; within:100; nocase; http_uri; reference:url,doc.emergingthreats.net/2001342; reference:cve,CVE-2004-0847; classtype:web-application-attack; sid:2001342; rev:25;) #Submitted by Matt Jonkman # @@ -18061,7 +18061,7 @@ #by David Maciejak # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; http_uri; pcre:"/date=\d{8}\)\;.+/Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Light Weight Calendar 'date' Arbitrary Remote Code Execution"; flow: to_server,established; content:"/index.php?"; nocase; http_uri; content:"date="; http_uri; pcre:"/date=\d{8}\)\;./Ui"; reference:url,doc.emergingthreats.net/2002777; classtype:web-application-attack; sid:2002777; rev:7;) #Submitted by bdoctor # @@ -18316,7 +18316,7 @@ #by kevin ross # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; pcre:"/BULK.+INSERT/Ui"; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER SQL Injection BULK INSERT in URI to Insert File Content into Database Table"; flow:established,to_server; content:"BULK"; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; reference:url,msdn.microsoft.com/en-us/library/ms188365.aspx; reference:url,msdn.microsoft.com/en-us/library/ms175915.aspx; reference:url,www.sqlteam.com/article/using-bulk-insert-to-load-a-text-file; reference:url,doc.emergingthreats.net/2011035; classtype:web-application-attack; sid:2011035; rev:4;) #by kevin ross # @@ -18404,7 +18404,7 @@ #this is disabled because it doesn't work for some reason. # -#alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:8;) +##alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET DELETED Tilde in URI after file, potential source disclosure vulnerability"; flow:established,from_server; pcre:"/^HTTP\x2f1\.[01] 200/"; reference:url,seclists.org/fulldisclosure/2009/Sep/0321.html; reference:url,doc.emergingthreats.net/2009954; classtype:web-application-attack; sid:2009954; rev:9;) #By Blake Hartstein #Detects uri evasions too @@ -20039,7 +20039,7 @@ #Submitted to Snort-Sigs by Chas Tomlin, with additions by David Maciejak # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir\|update\|pluginmode)=.(\\|.+\\|\|system)./Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:15;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Awstats Remote Code Execution Attempt"; flow: established,from_client; content:"/awstats.pl?"; nocase; http_uri; pcre:"/(configdir\|update\|pluginmode)=.(\\|.+\\|\|system)/Ui"; reference:url,www.k-otik.com/exploits/20050124.awexpl.c.php; reference:url,www.k-otik.com/exploits/20050302.awstats_shell.c.php; reference:url,awstats.sourceforge.net; reference:url,www.idefense.com/application/poi/display?id=185&type=vulnerabilities&flashstatus=false; reference:bugtraq,12298; reference:cve,CAN-2005-0116; reference:url,doc.emergingthreats.net/2001686; classtype:web-application-attack; sid:2001686; rev:16;) #by stillsecure # @@ -20607,7 +20607,7 @@ #by Nagraj S # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/id_menu\x3d.+INSERT.+INTO/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; distance:0; nocase; http_uri; content:"INSERT"; distance:0; nocase; http_uri; content:"INTO"; distance:0; nocase; http_uri; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009978; classtype:web-application-attack; sid:2009978; rev:6;) #by Nagraj S # @@ -20615,7 +20615,7 @@ #by Nagraj S # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/id_menu\x3d.+UNION.+SELECT.+FROM/Ui"; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CMScontrol 7.x (index.php id_menu) SQL Injection Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"id_menu="; fast_pattern; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:cve,CVE-2009-3326; reference:url,www.milw0rm.com/exploits/9727; reference:url,doc.emergingthreats.net/2009980; classtype:web-application-attack; sid:2009980; rev:6;) #By David Maciejak # @@ -21051,7 +21051,7 @@ #by tinytwitty # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; nocase; http_uri; content:"UNION"; nocase; http_uri; pcre:"/UNION\s+SELECT/Ui"; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ClickTech ClickContact SQL Injection Attempt -- default.asp AlphaSort UNION SELECT"; flow:established,to_server; content:"/default.asp?"; nocase; http_uri; content:"AlphaSort="; fast_pattern; distance:0; nocase; http_uri; content:"UNION"; nocase; http_uri; distance:0; content:"SELECT"; nocase; http_uri; distance:0; reference:cve,CVE-2006-6181; reference:url,www.securityfocus.com/bid/21302; reference:url,doc.emergingthreats.net/2007266; classtype:web-application-attack; sid:2007266; rev:6;) #by tinytwitty # @@ -21511,11 +21511,11 @@ #By David Maciejak, 2005-11-03 # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_news"; flow:to_server,established; content:"/show_news.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2002668; classtype:misc-activity; sid:2002668; rev:9;) #By David Maciejak, 2005-11-03 # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]+/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS CutePHP CuteNews directory traversal vulnerability - show_archives"; flow:to_server,established; content:"/show_archives.php"; nocase; http_uri; content:"template="; nocase; http_uri; pcre:"/template=[./]/Ui"; reference:bugtraq,15295; reference:url,doc.emergingthreats.net/2003152; classtype:misc-activity; sid:2003152; rev:6;) #by stillsecure # @@ -21523,7 +21523,7 @@ #Submitted by David Maciejak on 2005-11-15 # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s+/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Cyphor show.php SQL injection attempt"; flow:to_server,established; content:"/show.php?"; nocase; http_uri; pcre:"/id=-?\d+\s+UNION\s/Ui"; reference:bugtraq,15418; reference:url,doc.emergingthreats.net/2002678; classtype:web-application-attack; sid:2002678; rev:7;) #by stillsecure # @@ -24175,7 +24175,7 @@ #Submitted 2006-06-29 by Frank Knobbe # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.\]=(http\|ftps?\|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS GeekLog Remote File Include Vulnerability"; flow:established,to_server; content:".php?"; nocase; http_uri; content:"_CONF"; nocase; http_uri; pcre:"/_CONF\[.\]=(data\|https?\|ftps?\|php)\:\//Ui"; reference:url,securitydot.net/xpl/exploits/vulnerabilities/articles/1122/exploit.html; reference:url,doc.emergingthreats.net/2002996; classtype:web-application-attack; sid:2002996; rev:8;) #by tinytwitty # @@ -27590,7 +27590,7 @@ #by kevin ross # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s(https\|ftps\|php\|http\|ftp)\x3A\x2F\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible Mambo Cache_Lite Class mosConfig_absolute_path Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/Cache/Lite/Output.php?mosConfig_absolute_path="; nocase; http_uri; pcre:"/=\s(https\|ftps\|php\|http\|ftp)\x3A\x2F/Ui"; reference:url,www.securityfocus.com/bid/29716/info; reference:url,downloads.securityfocus.com/vulnerabilities/exploits/29716.rb; reference:url,doc.emergingthreats.net/2010223; classtype:web-application-attack; sid:2010223; rev:4;) #by mike cox # @@ -31502,7 +31502,7 @@ #by stillsecure # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS SaschArt SasCam Webcam Server ActiveX Buffer Overflow Function Call"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"XHTTP.HTTP"; fast_pattern; nocase; distance:0; content:"Head"; nocase; reference:url,exploit-db.com/exploits/14215/; reference:bugtraq,41343; reference:url,doc.emergingthreats.net/2011208; classtype:attempted-user; sid:2011208; rev:3;) #by stillsecure # @@ -31970,7 +31970,7 @@ #by tinytwitty # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"us="; nocase; uricontent:"INSERT"; nocase; pcre:"/INSERT.+INTO/Ui"; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SmE FileMailer SQL Injection Attempt -- index.php us INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"us="; distance:0; nocase; http_uri; content:"INSERT"; nocase; http_uri; distance:0; content:"INTO"; nocase; http_uri; distance:0; reference:cve,CVE-2007-0350; reference:url,www.frsirt.com/english/advisories/2007/0221; reference:url,doc.emergingthreats.net/2005526; classtype:web-application-attack; sid:2005526; rev:8;) #by tinytwitty # @@ -32554,7 +32554,7 @@ #by tinytwitty # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"board["; nocase; uricontent:"DELETE"; nocase; pcre:"/DELETE.+FROM/Ui"; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ThWboard SQL Injection Attempt -- index.php board DELETE"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"board["; fast_pattern; http_uri; nocase; content:"DELETE"; http_uri; nocase; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-0340; reference:url,www.milw0rm.com/exploits/3124; reference:url,doc.emergingthreats.net/2005570; classtype:web-application-attack; sid:2005570; rev:7;) #by tinytwitty # @@ -35698,7 +35698,7 @@ #by tinytwitty # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"gruppe_id="; nocase; uricontent:"INSERT"; nocase; pcre:"/.+INSERT.+INTO/Ui"; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dev4u CMS SQL Injection Attempt -- index.php gruppe_id INSERT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"gruppe_id="; http_uri; fast_pattern; distance:0; nocase; content:"INSERT"; http_uri; distance:0; nocase; content:"INTO"; http_uri; distance:0; nocase; reference:cve,CVE-2006-6218; reference:url,www.securityfocus.com/bid/21170; reference:url,doc.emergingthreats.net/2006959; classtype:web-application-attack; sid:2006959; rev:6;) #by tinytwitty # @@ -36286,7 +36286,7 @@ #by tinytwitty # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; uricontent:"/index.php?"; nocase; uricontent:"cat_id="; nocase; pcre:"/SELECT.+FROM/Ui"; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:5;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS myBloggie SQL Injection Attempt -- index.php cat_id SELECT"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"cat_id="; nocase; distance:0; http_uri; content:"SELECT"; http_uri; nocase; distance:0; content:"FROM"; http_uri; nocase; distance:0; reference:cve,CVE-2007-3003; reference:url,www.securityfocus.com/bid/24249; reference:url,doc.emergingthreats.net/2004492; classtype:web-application-attack; sid:2004492; rev:7;) #by Stillsecure # @@ -37319,34 +37319,34 @@ alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE AIX NOOP"; content:"O\|FF FB 82\|O\|FF FB 82\|O\|FF FB 82\|O\|FF FB 82\|"; fast_pattern:only; classtype:shellcode-detect; sid:2100640; rev:8;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G\|FF 04 1F\|G\|FF 04 1F\|G\|FF 04 1F\|G\|FF 04 1F\|"; fast_pattern:only; reference:arachnids,352; classtype:shellcode-detect; sid:641; rev:7;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Digital UNIX NOOP"; content:"G\|FF 04 1F\|G\|FF 04 1F\|G\|FF 04 1F\|G\|FF 04 1F\|"; fast_pattern:only; reference:arachnids,352; classtype:shellcode-detect; sid:2100641; rev:8;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"\|08\|!\|02 80 08\|!\|02 80 08\|!\|02 80 08\|!\|02 80\|"; fast_pattern:only; reference:arachnids,358; classtype:shellcode-detect; sid:642; rev:7;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"\|08\|!\|02 80 08\|!\|02 80 08\|!\|02 80 08\|!\|02 80\|"; fast_pattern:only; reference:arachnids,358; classtype:shellcode-detect; sid:2100642; rev:8;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"\|0B\|9\|02 80 0B\|9\|02 80 0B\|9\|02 80 0B\|9\|02 80\|"; fast_pattern:only; reference:arachnids,359; classtype:shellcode-detect; sid:643; rev:8;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE HP-UX NOOP"; content:"\|0B\|9\|02 80 0B\|9\|02 80 0B\|9\|02 80 0B\|9\|02 80\|"; fast_pattern:only; reference:arachnids,359; classtype:shellcode-detect; sid:2100643; rev:9;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"\|90 90 90 E8 C0 FF FF FF\|/bin/sh"; fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:652; rev:10;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE Linux shellcode"; content:"\|90 90 90 E8 C0 FF FF FF\|/bin/sh"; fast_pattern:only; reference:arachnids,343; classtype:shellcode-detect; sid:2100652; rev:11;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"\|03 E0 F8\|%\|03 E0 F8\|%\|03 E0 F8\|%\|03 E0 F8\|%"; fast_pattern:only; reference:arachnids,356; classtype:shellcode-detect; sid:638; rev:6;) +#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"\|03 E0 F8\|%\|03 E0 F8\|%\|03 E0 F8\|%\|03 E0 F8\|%"; fast_pattern:only; reference:arachnids,356; classtype:shellcode-detect; sid:2100638; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"\|24 0F 12\|4\|24 0F 12\|4\|24 0F 12\|4\|24 0F 12\|4"; fast_pattern:only; reference:arachnids,357; classtype:shellcode-detect; sid:639; rev:6;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE SGI NOOP"; content:"\|24 0F 12\|4\|24 0F 12\|4\|24 0F 12\|4\|24 0F 12\|4"; fast_pattern:only; reference:arachnids,357; classtype:shellcode-detect; sid:2100639; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6\|"; fast_pattern:only; reference:arachnids,345; classtype:shellcode-detect; sid:644; rev:6;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|13 C0 1C A6 13 C0 1C A6 13 C0 1C A6 13 C0 1C A6\|"; fast_pattern:only; reference:arachnids,345; classtype:shellcode-detect; sid:2100644; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|80 1C\|@\|11 80 1C\|@\|11 80 1C\|@\|11 80 1C\|@\|11\|"; fast_pattern:only; reference:arachnids,353; classtype:shellcode-detect; sid:645; rev:6;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|80 1C\|@\|11 80 1C\|@\|11 80 1C\|@\|11 80 1C\|@\|11\|"; fast_pattern:only; reference:arachnids,353; classtype:shellcode-detect; sid:2100645; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13\|"; fast_pattern:only; reference:arachnids,355; classtype:shellcode-detect; sid:646; rev:6;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc NOOP"; content:"\|A6 1C C0 13 A6 1C C0 13 A6 1C C0 13 A6 1C C0 13\|"; fast_pattern:only; reference:arachnids,355; classtype:shellcode-detect; sid:2100646; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"\|82 10\| \|17 91 D0\| \|08\|"; fast_pattern:only; reference:arachnids,282; classtype:system-call-detect; sid:647; rev:7;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE sparc setuid 0"; content:"\|82 10\| \|17 91 D0\| \|08\|"; fast_pattern:only; reference:arachnids,282; classtype:system-call-detect; sid:2100647; rev:8;) # alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x71FB7BAB NOOP unicode"; content:"q\|00 FB 00\|{\|00 AB 00\|q\|00 FB 00\|{\|00 AB 00\|q\|00 FB 00\|{\|00 AB 00\|q\|00 FB 00\|{\|00 AB 00\|"; fast_pattern:only; classtype:shellcode-detect; sid:2102313; rev:4;) @@ -37361,28 +37361,28 @@ alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0x90 unicode NOOP"; content:"\|90 00 90 00 90 00 90 00 90 00\|"; classtype:shellcode-detect; sid:653; rev:9;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"\|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C\|"; fast_pattern:only; classtype:shellcode-detect; sid:1424; rev:7;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 0xEB0C NOOP"; content:"\|EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C EB 0C\|"; fast_pattern:only; classtype:shellcode-detect; sid:2101424; rev:8;) # alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 NOOP"; content:"\|90 90 90 90 90 90 90 90 90 90 90 90 90 90\|"; depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:1390; rev:6;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 inc ebx NOOP"; content:"CCCCCCCCCCCCCCCCCCCCCCCC"; fast_pattern:only; classtype:shellcode-detect; sid:2101390; rev:7;) # -#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"\|B0 B5 CD 80\|"; fast_pattern:only; reference:arachnids,284; classtype:system-call-detect; sid:649; rev:9;) +#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setgid 0"; content:"\|B0 B5 CD 80\|"; fast_pattern:only; reference:arachnids,284; classtype:system-call-detect; sid:2100649; rev:10;) # -#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"\|B0 17 CD 80\|"; fast_pattern:only; reference:arachnids,436; classtype:system-call-detect; sid:650; rev:9;) +#alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 setuid 0"; content:"\|B0 17 CD 80\|"; fast_pattern:only; reference:arachnids,436; classtype:system-call-detect; sid:2100650; rev:10;) # -alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"\|EB 02 EB 02 EB 02\|"; fast_pattern:only; reference:arachnids,291; classtype:shellcode-detect; sid:651; rev:9;) +alert ip $EXTERNAL_NET $SHELLCODE_PORTS -> $HOME_NET any (msg:"GPL SHELLCODE x86 stealth NOOP"; content:"\|EB 02 EB 02 EB 02\|"; fast_pattern:only; reference:arachnids,291; classtype:shellcode-detect; sid:2100651; rev:10;) # #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; ip_proto:!17; classtype:non-standard-protocol; sid:2101620; rev:7;) # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;) +#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:2101321; rev:9;) # #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:2101627; rev:4;) @@ -37391,13 +37391,13 @@ #alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:2100523; rev:6;) # -alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:10;) +#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:2100272; rev:11;) # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:268; rev:4;) +#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DOS Jolt attack"; dsize:408; fragbits:M; reference:cve,1999-0345; classtype:attempted-dos; sid:2100268; rev:5;) # -#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;) +#alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:2100502; rev:3;) # #alert ip $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE id check returned userid"; content:"uid="; byte_test:5,<,65537,0,relative,string; content:" gid="; within:15; byte_test:5,<,65537,0,relative,string; classtype:bad-unknown; sid:2101882; rev:11;) @@ -37433,13 +37433,13 @@ #alert ip any any -> any any (msg:"GPL SCAN same SRC/DST"; sameip; reference:bugtraq,2666; reference:cve,1999-0016; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:bad-unknown; sid:2100527; rev:9;) # -#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;) +#alert ip any any -> any any (msg:"GPL EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102464; rev:8;) # -#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;) +#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102462; rev:8;) # -#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;) +#alert ip any any -> any any (msg:"GPL EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2102463; rev:8;) # #alert ip any any <> 127.0.0.0/8 any (msg:"GPL SCAN loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:2100528; rev:6;) @@ -37448,10 +37448,10 @@ alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM receive message"; flow:to_client; content:"\|02\|"; depth:2; content:"\|00 04 00 07\|"; depth:4; offset:6; classtype:policy-violation; sid:2101633; rev:7;) # -alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM AddExternalApp attempt"; flow:to_client,established; content:"aim\|3A\|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:5;) +#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddExternalApp attempt"; flow:to_client,established; content:"aim\|3A\|AddExternalApp?"; nocase; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101752; rev:6;) # -#alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL CHAT AIM AddGame attempt"; flow:to_client,established; content:"aim\|3A\|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:1393; rev:12;) +##alert tcp $AIM_SERVERS any -> $HOME_NET any (msg:"GPL DELETED AIM AddGame attempt"; flow:to_client,established; content:"aim\|3A\|AddGame?"; nocase; reference:bugtraq,3769; reference:cve,2002-0005; reference:url,www.w00w00.org/files/w00aimexp/; classtype:misc-attack; sid:2101393; rev:13;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Internet Explorer URLMON.DLL Content-Encoding Overflow Attempt"; flow:to_client,established; content:"Content-Encoding\|3A\|"; nocase; pcre:"/Content-Encoding\x3A[^\r\n]{300,}/i"; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:100000119; rev:3;) @@ -37460,7 +37460,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Mozilla Firefox DOMNodeRemoved attack attempt"; flow:to_client,established; content:"document\|2e\|addEventListener\|28 22\|DOMNodeRemoved\|22\|"; nocase; content:"document\|2e\|body\|2e\|appendChild\|28\|document\|2e\|getElementById\|28\|"; reference:bugtraq,18228; reference:cve,2006-2779; classtype:attempted-user; sid:100000447; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding\|3a\|"; nocase; content:"chunked"; nocase; content:"Content-Type\|3a\|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:3;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL DELETED RealMedia invalid chunk size heap overflow attempt"; flow:to_client,established; content:"Transfer-Encoding\|3a\|"; nocase; content:"chunked"; nocase; content:"Content-Type\|3a\|"; nocase; distance:0; content:"realvideo"; nocase; pcre:"/\r\n[0-9A-Fa-f]{9}/Ri"; reference:bugtraq,17202; reference:cve,2005-2922; reference:url,service.real.com/realplayer/security/03162006_player/en/; classtype:attempted-user; sid:100000284; rev:5;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT Winamp PlayList buffer overflow attempt"; flow:from_server,established; content:"playlist"; nocase; content:"\\\\"; reference:bugtraq,16410; reference:cve,2006-0476; reference:url,www.frsirt.com/english/advisories/2006/0361; classtype:attempted-admin; sid:100000228; rev:3;) @@ -37562,13 +37562,13 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL ACTIVEX winhelp clsid attempt"; flow:from_server,established; file_data; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]classid\s=\s[\x22\x27]?\sclsid\s\x3a\sadb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:2103148; rev:7;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length\|3A\|"; http_header; nocase; content:"-"; within:3; http_header; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:9;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL WEB_CLIENT server negative Content-Length attempt"; flow:from_server,established; content:"Content-Length\|3A\| -"; http_header; fast_pattern:only; reference:cve,2004-0492; reference:url,www.guninski.com/modproxy1.html; classtype:attempted-admin; sid:2102580; rev:10;) # -#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;) +#alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"GPL SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:2100613; rev:7;) # -alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"\|0A\|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:8;) +##alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"GPL DELETED sendmail 8.6.9 exploit"; flow:to_server,established; content:"\|0A\|D/"; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:2100655; rev:9;) # #alert tcp $EXTERNAL_NET 119 -> $HOME_NET any (msg:"GPL MISC NNTP Lynx overflow attempt"; flow:to_client,established; content:"Subject"; nocase; isdataat:100,relative; pcre:"/^Subject\x3a[^\r\n]{100,}/smi"; reference:cve,2005-3120; reference:bugtraq,15117; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=20019; reference:nessus,20035; classtype:attempted-admin; sid:100000172; rev:4;) @@ -37583,7 +37583,7 @@ alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"GPL CHAT MSN outbound file transfer rejected"; flow:established; content:"MSG "; depth:4; content:"Content-Type\|3A\| application/x-msnmsgrp2p"; distance:0; nocase; content:"MSNSLP/1.0 603 Decline"; distance:0; nocase; classtype:policy-violation; sid:2101989; rev:7;) # -#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;) +#alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"GPL MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:2100503; rev:8;) # #alert tcp $EXTERNAL_NET 21 -> $HOME_NET any (msg:"GPL FTP NextFTP client overflow"; flow:to_client,established; content:"\|B4\| \|B4\|!\|8B CC 83 E9 04 8B 19\|3\|C9\|f\|B9 10\|"; fast_pattern:only; reference:bugtraq,572; reference:cve,1999-0671; classtype:attempted-user; sid:2100308; rev:10;) @@ -37592,25 +37592,25 @@ #alert tcp $EXTERNAL_NET 22 -> $HOME_NET any (msg:"GPL EXPLOIT SSH server banner overflow"; flow:established,from_server; content:"SSH-"; nocase; isdataat:200,relative; pcre:"/^SSH-\s[^\n]{200}/ism"; reference:bugtraq,5287; reference:cve,2002-1059; classtype:misc-attack; sid:2101838; rev:9;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 18\|"; depth:2; offset:10; classtype:policy-violation; sid:2453; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference invitation"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 18\|"; depth:2; offset:10; classtype:policy-violation; sid:2102453; rev:4;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 19\|"; depth:2; offset:10; classtype:policy-violation; sid:2454; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference logon success"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 19\|"; depth:2; offset:10; classtype:policy-violation; sid:2102454; rev:4;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 98\|"; depth:2; offset:10; classtype:policy-violation; sid:2458; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful chat join"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 98\|"; depth:2; offset:10; classtype:policy-violation; sid:2102458; rev:5;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 01\|"; depth:2; offset:10; classtype:policy-violation; sid:2450; rev:3;) +##alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL DELETED Yahoo IM successful logon"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 01\|"; depth:2; offset:10; classtype:policy-violation; sid:2102450; rev:4;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00\|J"; depth:2; offset:10; classtype:policy-violation; sid:2451; rev:3;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM voicechat"; flow:from_server,established; content:"YMSG"; depth:4; nocase; content:"\|00\|J"; depth:2; offset:10; classtype:policy-violation; sid:2102451; rev:4;) # -alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"\|00\|M"; depth:2; offset:10; classtype:policy-violation; sid:2456; rev:4;) +alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"GPL CHAT Yahoo Messenger File Transfer Receive Request"; flow:established; content:"YMSG"; depth:4; content:"\|00\|M"; depth:2; offset:10; classtype:policy-violation; sid:2102456; rev:5;) # -alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"\|0D 00 05 00\|"; depth:4; classtype:policy-violation; sid:2461; rev:4;) +alert tcp $EXTERNAL_NET 5100 -> $HOME_NET any (msg:"GPL CHAT Yahoo IM conference watch"; flow:from_server,established; content:"\|0D 00 05 00\|"; depth:4; classtype:policy-violation; sid:2102461; rev:5;) # alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Incoming Message"; flow:to_client,established; content:"<message"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000236; rev:2;) @@ -37619,19 +37619,19 @@ alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"GPL CHAT Jabber/Google Talk Logon Success"; flow:to_client,established; content:"<success"; offset:0; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000235; rev:2;) # -#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;) +#alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"GPL MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:2100504; rev:8;) # #alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"GPL P2P eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; content:"\|01\|SENDLINK\|7c\|"; distance:0; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s\x01SENDLINK\x7c[^\x7c]{69}/smi"; reference:bugtraq,10039; reference:nessus,12233; classtype:attempted-user; sid:2102584; rev:5;) # -#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:488; rev:4;) +#alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"GPL MISC Connection Closed MSG from Port 80"; flow:from_server,established; content:"Connection closed by foreign host"; nocase; classtype:unknown; sid:2100488; rev:5;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media Video download"; flow:from_server,established; content:"Content-type\|3A\| video/x-ms-asf"; nocase; http_header; classtype:policy-violation; sid:2101438; rev:11;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type\|3A\|"; nocase; http_header; pcre:"/^Content-Type\x3a\s(?=[av])(video\/x\-ms\-(w[vm]x\|asf)\|a(udio\/x\-ms\-w(m[av]\|ax)\|pplication\/x\-ms\-wm[zd]))/smi"; classtype:policy-violation; sid:2101437; rev:9;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"GPL POLICY Windows Media download"; flow:from_server,established; content:"Content-Type\|3A\|"; nocase; http_header; pcre:"/^Content-Type\x3a\s(?=[av])(video\/x\-ms\-(w[vm]x\|asf)\|a(udio\/x\-ms\-w(m[av]\|ax)\|pplication\/x\-ms\-wm[zd]))/Hmi"; classtype:policy-violation; sid:2101437; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-IIS Remote IIS Server Name spoof attempt loopback IP"; flow:to_server,established; content:"http\|3a\|//127.0.0.1"; fast_pattern:only; pcre:"/http\x3A\/\/127\.0\.0\.1\/.\.asp/i"; reference:cve,2005-2678; classtype:web-application-activity; sid:100000139; rev:4;) @@ -37640,7 +37640,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-PHP phpinfo access"; flow:to_server,established; content:"/phpinfo.php"; fast_pattern:only; http_uri; nocase; reference:bugtraq,5789; reference:cve,2002-1149; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=3356; classtype:successful-recon-limited; sid:100000186; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization\|3A\|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; http_header; distance:0; pcre:"/^Authorization\x3a\sBasic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2230; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL SCAN NetGear router default password login attempt admin/password"; flow:to_server,established; content:"Authorization\|3A\|"; http_header; nocase; content:"YWRtaW46cGFzc3dvcmQ"; http_header; distance:0; pcre:"/^Authorization\x3a\sBasic\s+YWRtaW46cGFzc3dvcmQ/smi"; reference:nessus,11737; classtype:default-login-attempt; sid:2102230; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SERVER TRACE attempt"; flow:to_server,established; content:"TRACE"; http_method; reference:bugtraq,9561; reference:nessus,11213; reference:url,www.whitehatsec.com/press_releases/WH-PR-20030120.pdf; classtype:web-application-attack; sid:2102056; rev:6;) @@ -37661,13 +37661,16 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS PHPNuke Forum viewtopic SQL insertion attempt"; flow:to_server,established; uricontent:"/modules.php"; nocase; content:"name=Forums"; content:"file=viewtopic"; pcre:"/forum=.'/"; reference:bugtraq,7193; classtype:web-application-attack; sid:2654; rev:2;) # +##alert tcp $EXTERNAL_NET any -> $HOME_NET 1020 (msg:"GPL DELETED Vampire 1.2 connection request"; flow:to_server,established; content:"Hello..."; depth:8; flowbits:set,backdoor.vampire_12.connect; flowbits:noalert; classtype:misc-activity; sid:2103063; rev:4;) + +# alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service bind attempt"; flow:to_server,established; content:"\|05 00 0B\|"; depth:3; byte_test:1,&,16,1,relative; content:"\|98 D0 FF\|k\|12 A1 10\|6\|98\|3F\|C3 F8\|~4Z"; within:16; distance:29; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102315; rev:7;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL RPC status GHBN format string attack"; flow:to_server, established; content:"\|00 01 86 B8\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"%x %x"; within:256; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:misc-attack; sid:2101891; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:615; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"GPL POLICY SOCKS Proxy attempt"; flags:S,12; flow:stateless; reference:url,help.undernet.org/proxyscan/; classtype:attempted-recon; sid:2100615; rev:10;) # ##alert tcp $EXTERNAL_NET any -> $HOME_NET 109 (msg:"GPL DELETED FOLD arbitrary file attempt"; flow:established,to_server; content:"FOLD"; nocase; pcre:"/^FOLD\s+\//smi"; classtype:misc-attack; sid:2101935; rev:6;) @@ -37694,19 +37697,19 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:10,relative; pcre:"/^DELE\s[^\n]{10}/smi"; classtype:attempted-admin; sid:2102111; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 qpopper overflow"; flow:to_server,established; content:"\|E8 D9 FF FF FF\|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:290; rev:10;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL DELETED qpopper overflow"; flow:to_server,established; content:"\|E8 D9 FF FF FF\|/bin/sh"; reference:bugtraq,830; reference:cve,1999-0822; reference:nessus,10184; classtype:attempted-admin; sid:2100290; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^\|0E\|1\|C0 B0 3B 8D\|~\|0E 89 FA 89 F9\|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:286; rev:12;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow"; flow:to_server,established; content:"^\|0E\|1\|C0 B0 3B 8D\|~\|0E 89 FA 89 F9\|"; reference:bugtraq,133; reference:cve,1999-0006; reference:nessus,10196; classtype:attempted-admin; sid:2100286; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^\|FF D5 FF D4 FF F5 8B F5 90\|f1"; classtype:attempted-admin; sid:287; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 BSD overflow 2"; flow:to_server,established; content:"h]^\|FF D5 FF D4 FF F5 8B F5 90\|f1"; classtype:attempted-admin; sid:2100287; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"\|D8\|@\|CD 80 E8 D9 FF FF FF\|/bin/sh"; classtype:attempted-admin; sid:288; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 Linux overflow"; flow:to_server,established; content:"\|D8\|@\|CD 80 E8 D9 FF FF FF\|/bin/sh"; classtype:attempted-admin; sid:2100288; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V\|0E\|1\|C0 B0 3B 8D\|~\|12 89 F9 89 F9\|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:289; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 x86 SCO overflow"; flow:to_server,established; content:"V\|0E\|1\|C0 B0 3B 8D\|~\|12 89 F9 89 F9\|"; reference:bugtraq,156; reference:cve,1999-0006; classtype:attempted-admin; sid:2100289; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 110 (msg:"GPL POP3 LIST overflow attempt"; flow:to_server,established; content:"LIST"; nocase; isdataat:10,relative; pcre:"/^LIST\s[^\n]{10}/smi"; reference:bugtraq,948; reference:cve,2000-0096; reference:nessus,10197; classtype:attempted-admin; sid:2101937; rev:8;) @@ -37766,13 +37769,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 E4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:1265; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|u"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:595; rev:16;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|u"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2100595; rev:17;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87\|}"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102006; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:598; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing TCP 111"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2100598; rev:13;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:1266; rev:10;) @@ -37817,13 +37820,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AF\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:1273; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:593; rev:18;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100593; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2102016; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1274; rev:17;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101274; rev:19;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A9\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:1275; rev:10;) @@ -37832,52 +37835,52 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:1276; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request TCP"; flow:to_server,established; content:"\|00 01 86 A0\|"; depth:4; offset:16; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:2100591; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION\|0A\|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:616; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 113 (msg:"GPL MISC ident version request"; flow:to_server,established; content:"VERSION\|0A\|"; depth:16; reference:arachnids,303; classtype:attempted-recon; sid:2100616; rev:5;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC AUTHINFO USER overflow attempt"; flow:to_server,established; content:"AUTHINFO"; nocase; content:"USER"; distance:0; nocase; isdataat:200,relative; pcre:"/^AUTHINFO\s+USER\s[^\n]{200}/smi"; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-admin; sid:2101538; rev:14;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:291; rev:12;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL DELETED Cassandra Overflow"; dsize:>512; flow:to_server,established; content:"AUTHINFO USER"; depth:16; nocase; reference:arachnids,274; reference:bugtraq,1156; reference:cve,2000-0341; classtype:attempted-user; sid:2100291; rev:13;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC nntp SEARCH pattern overflow attempt"; flow:to_server,established; content:"SEARCH"; nocase; pcre:"/^SEARCH\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2103078; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2927; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP XPAT pattern overflow attempt"; flow:to_server,established; content:"PAT"; nocase; isdataat:1024,relative; pcre:"/^X?PAT\s+[^\n]{1024}/smi"; reference:cve,2004-0574; reference:url,www.microsoft.com/technet/security/bulletin/MS04-036.mspx; classtype:attempted-admin; sid:2102927; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.?Path\x3a.?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2432; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP article post without path attempt"; flow:to_server,established; content:"takethis"; nocase; pcre:!"/^takethis.?Path\x3a.?[\r]{0,1}?\n[\r]{0,1}\n/si"; classtype:attempted-admin; sid:2102432; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2427; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP checkgroups overflow attempt"; flow:to_server,established; content:"checkgroups"; nocase; pcre:"/^checkgroups\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102427; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2428; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP ihave overflow attempt"; flow:to_server,established; content:"ihave"; nocase; pcre:"/^ihave\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102428; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2430; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP newgroup overflow attempt"; flow:to_server,established; content:"newgroup"; nocase; isdataat:21,relative; pcre:"/^newgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102430; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2431; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC Nntp rmgroup overflow attempt"; flow:to_server,established; content:"rmgroup"; nocase; pcre:"/^rmgroup\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102431; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2429; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendme overflow attempt"; flow:to_server,established; content:"sendme"; nocase; pcre:"/^sendme\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102429; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2424; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP sendsys overflow attempt"; flow:to_server,established; content:"sendsys"; nocase; pcre:"/^sendsys\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102424; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2425; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP senduuname overflow attempt"; flow:to_server,established; content:"senduuname"; nocase; pcre:"/^senduuname\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102425; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2426; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 119 (msg:"GPL MISC NNTP version overflow attempt"; flow:to_server,established; content:"version"; nocase; pcre:"/^version\x3a[^\n]{21}/smi"; reference:bugtraq,9382; reference:cve,2004-0045; classtype:attempted-admin; sid:2102426; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL TROJAN netbus getinfo"; flow:to_server,established; content:"GetInfo\|0D\|"; reference:arachnids,403; classtype:misc-activity; sid:110; rev:4;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 12345:12346 (msg:"GPL DELETED netbus getinfo"; flow:to_server,established; content:"GetInfo\|0D\|"; reference:arachnids,403; classtype:misc-activity; sid:2100110; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"\|05\|"; content:"\|00\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|05\|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2494; rev:8;) @@ -37946,7 +37949,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 137 (msg:"GPL NETBIOS name query overflow attempt TCP"; flow:to_server,established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; classtype:attempted-admin; sid:2103195; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"\|EB\|/_\|EB\|J^\|89 FB 89\|>\|89 F2\|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:292; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS x86 Linux samba overflow"; flow:to_server,established; content:"\|EB\|/_\|EB\|J^\|89 FB 89\|>\|89 F2\|"; reference:bugtraq,1816; reference:bugtraq,536; reference:cve,1999-0182; reference:cve,1999-0811; classtype:attempted-admin; sid:2100292; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS DOS RFPoison"; flow:to_server,established; content:"\|5C 00 5C 00\|\|00\|S\|00\|M\|00\|B\|00\|S\|00\|E\|00\|R\|00\|V\|00\|E\|00\|R\|00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 00\|"; reference:arachnids,454; classtype:attempted-dos; sid:2100529; rev:8;) @@ -38024,7 +38027,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|04 00\|"; within:2; distance:19; content:"\|5C 00 5C 00\|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103432; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|01 00\|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:3183; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|01 00\|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103183; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB CoGetInstanceFromFile unicode little endian attempt"; flow:established,to_server; flowbits:isset,dce.isystemactivator.bind; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|04 00\|"; within:2; distance:19; content:"\|5C 00 5C 00\|"; byte_test:4,>,256,8,little; classtype:protocol-command-decode; sid:2103428; rev:4;) @@ -38135,25 +38138,25 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00\|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103396; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2992; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102992; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102942; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2993; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102993; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102943; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2994; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102994; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102944; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2995; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102995; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102945; rev:6;) @@ -38183,10 +38186,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|02 00\|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103259; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2964; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102964; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2965; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102965; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102946; rev:7;) @@ -38195,10 +38198,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102936; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2966; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102966; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2967; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102967; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102947; rev:6;) @@ -38255,7 +38258,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx invalid SACL ace size dos attempt"; flow:stateless; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A0\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:37; byte_jump:4,-7,little,relative,from_beginning; isdataat:4,relative; content:!"\|00 00 00 00\|"; within:4; distance:20; byte_jump:4,20,relative,little; content:"\|00 00\|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103053; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A0\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:3021; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode andx oversized Security Descriptor attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A0\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; isdataat:4,relative; byte_test:4,>,1024,40,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103021; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode invalid SACL ace size dos attempt"; flow:stateless; content:"\|00\|"; depth:1; content:"\|FF\|SMB\|A0\|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"\|01 00\|"; within:2; distance:64; byte_jump:4,-7,little,relative,from_beginning; content:!"\|00 00 00 00\|"; within:4; distance:16; byte_jump:4,16,relative,little; content:"\|00 00\|"; within:2; distance:-10; classtype:protocol-command-decode; sid:2103044; rev:6;) @@ -38267,7 +38270,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NT Trans NT CREATE unicode oversized Security Descriptor attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|00\|"; depth:1; content:"\|FF\|SMB\|A0\|"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/R"; content:"\|01 00\|"; within:2; distance:37; byte_jump:4,-15,little,relative,from_beginning; pcre:"/^.{4}/R"; byte_test:4,>,1024,36,relative,little; reference:cve,2004-1154; classtype:protocol-command-decode; sid:2103020; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"\|00 00 00\|b\|06 83 00 00 06\|+\|06 01 05 05 02\|"; within:15; distance:1; content:"\|06 0A\|+\|06 01 04 01 82\|7\|02 02 0A\|"; distance:0; content:"\|A3\|>0<\|A0\|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2384; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"\|00 00 00\|b\|06 83 00 00 06\|+\|06 01 05 05 02\|"; within:15; distance:1; content:"\|06 0A\|+\|06 01 04 01 82\|7\|02 02 0A\|"; distance:0; content:"\|A3\|>0<\|A0\|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102384; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB OpenKey andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0F\|"; within:2; distance:19; byte_test:2,>,1024,20,relative; reference:bugtraq,1331; reference:cve,2000-0377; classtype:attempted-admin; sid:2103222; rev:4;) @@ -38327,7 +38330,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"\|00\|"; depth:1; content:"\|FF\|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_test:4,!&,2147483648,21,relative,little; content:!"\|00 00\|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102403; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"\|00\|"; depth:1; byte_test:2,>,322,2; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"\|00 00 00 00\|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"\|00\|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2401; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"\|00\|"; depth:1; byte_test:2,>,322,2; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"\|00 00 00 00\|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"\|00\|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102401; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103001; rev:5;) @@ -38342,16 +38345,16 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Session Setup NTMLSSP unicode asn1 overflow attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBs"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_test:4,&,2147483648,48,relative,little; content:!"NTLMSSP"; within:7; distance:54; asn1:double_overflow, bitstring_overflow, relative_offset 54, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103000; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103140; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|01 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|01 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103139; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|07 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|07 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103136; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|07 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|07 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103135; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB irot andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"`\|9E E7 B9\|R=\|CE 11 AA A1 00 00\|i\|01 29\|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103244; rev:4;) @@ -38462,10 +38465,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB msqueue unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|B0 01\|R\|97 CA\|Y\|D0 11 A8 D5 00 A0 C9 0D 80\|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103163; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2960; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102960; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2956; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102956; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102932; rev:6;) @@ -38474,10 +38477,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB\|A2\|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102928; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2961; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102961; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|n\|00\|d\|00\|d\|00\|e\|00\|a\|00\|p\|00\|i\|00 00 00\|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2957; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|n\|00\|d\|00\|d\|00\|e\|00\|a\|00\|p\|00\|i\|00 00 00\|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102957; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102933; rev:6;) @@ -38492,7 +38495,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB startup folder unicode access"; flow:to_server,established; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; depth:5; offset:4; content:"\|5C 00\|S\|00\|t\|00\|a\|00\|r\|00\|t\|00\| \|00\|M\|00\|e\|00\|n\|00\|u\|00 5C 00\|P\|00\|r\|00\|o\|00\|g\|00\|r\|00\|a\|00\|m\|00\|s\|00 5C 00\|S\|00\|t\|00\|a\|00\|r\|00\|t\|00\|u\|00\|p"; distance:0; nocase; classtype:attempted-recon; sid:2102177; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"\|FF\|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f).{28}(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f)/"; byte_jump:2,39,little; content:!"\|FF\|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2950; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB too many stacked requests"; flow:to_server,established; content:"\|FF\|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f).{28}(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f)/"; byte_jump:2,39,little; content:!"\|FF\|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102950; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB trans2open buffer overflow attempt"; flow:to_server,established; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; depth:5; offset:4; content:"\|00 14\|"; depth:2; offset:60; byte_test:2,>,256,0,relative,little; reference:bugtraq,7294; reference:cve,2003-0201; reference:url,www.digitaldefense.net/labs/advisories/DDI-1013.txt; classtype:attempted-admin; sid:2102103; rev:10;) @@ -38501,10 +38504,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103206; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2988; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102988; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|winreg\|00\|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2984; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|winreg\|00\|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102984; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103202; rev:4;) @@ -38525,10 +38528,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103208; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2989; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102989; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|w\|00\|i\|00\|n\|00\|r\|00\|e\|00\|g\|00 00 00\|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2985; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|w\|00\|i\|00\|n\|00\|r\|00\|e\|00\|g\|00 00 00\|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102985; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103204; rev:5;) @@ -38546,34 +38549,34 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"GPL NETBIOS SMB winreg unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103205; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU Mailutils imap4d hex attempt"; flow:established,to_server; content:"SEARCH TOPIC %"; reference:cve,2005-2878; reference:bugtraq,14794; reference:nessus,19605; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; classtype:misc-attack; sid:100000207; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:2;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED GNU imapd search format string attempt"; flow:established,to_server; pcre:"/\sSEARCH.\%/smi"; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19306; reference:cve,2005-2878; classtype:misc-attack; sid:100000136; rev:3;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication multiple packet overflow attempt"; flow:to_server,established; flowbits:isset,community_imap.auth; isdataat:342; pcre:"/[^\x0A]{342,}/"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000153; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5\|LOGIN][^\n]\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:2;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED MDaemon authentication overflow single packet attempt"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5\|LOGIN][^\n]\n[^\n]{342}/smi"; reference:bugtraq,14317; classtype:attempted-admin; sid:100000155; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5\|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:3;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED MDaemon authentication protocol decode"; flow:to_server,established; content:"AUTHENTICATE"; nocase; pcre:"/\sAUTHENTICATE\s[CRAM-MD5\|LOGIN]/smi"; flowbits:set,community_imap.auth; flowbits:noalert; classtype:protocol-command-decode; sid:100000152; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"\|2E 2E\|"; nocase; pcre:"/^\d\sSELECT\s\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:2;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED Qualcomm WorldMail SELECT dot dot attempt"; flow:established,to_server; content:"SELECT"; content:"\|2E 2E\|"; nocase; pcre:"/^\d\sSELECT\s\.\./smi"; reference:cve,2005-3189; reference:bugtraq,15488; classtype:misc-attack; sid:100000196; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT overflow"; flow:to_server,established; content:"\|E8 C0 FF FF FF\|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP Overflow Attempt"; flow:to_server,established; content:"\|E8 C0 FF FF FF\|/bin/sh"; classtype:attempted-admin; sid:2100293; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP EXPLOIT partial body overflow attempt"; dsize:>1092; flow:to_server,established; content:" x PARTIAL 1 BODY["; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101780; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3066; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP append overflow attempt"; flow:established,to_server; content:"APPEND"; nocase; isdataat:100,relative; pcre:"/\sAPPEND\s[^\n]{256}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103066; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]?\sAUTH)\|AUTH\s[^\n]?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:6;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED auth literal overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; pcre:"/({(?=\d+}[^\n]?\sAUTH)\|AUTH\s[^\n]?{(?=\d+}))/smi"; byte_test:5,>,256,0,string,dec,relative; reference:cve,1999-0005; classtype:misc-attack; sid:2101930; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP auth overflow attempt"; flow:established,to_server; content:"AUTH"; nocase; isdataat:100,relative; pcre:"/AUTH\s[^\n]{100}/smi"; reference:bugtraq,8861; classtype:misc-attack; sid:2102330; rev:3;) @@ -38585,28 +38588,28 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP authenticate overflow attempt"; flow:established,to_server; content:"AUTHENTICATE"; nocase; isdataat:100,relative; pcre:"/\sAUTHENTICATE\s[^\n]{100}/smi"; reference:bugtraq,12995; reference:bugtraq,130; reference:cve,1999-0005; reference:cve,1999-0042; reference:nessus,10292; classtype:misc-attack; sid:2101844; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; nocase; pcre:"/\sCOPY\s[^\n]?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:3058; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP copy literal overflow attempt"; flow:established,to_server; content:"COPY"; fast_pattern:only; nocase; pcre:"/\sCOPY\s[^\n]?\{/smi"; byte_test:5,>,1024,0,string,dec,relative; reference:bugtraq,1110; classtype:misc-attack; sid:2103058; rev:3;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create buffer overflow attempt"; flow:to_server,established; content:"CREATE"; isdataat:1024,relative; pcre:"/\sCREATE\s[^\n]{1024}/smi"; reference:bugtraq,7446; classtype:misc-attack; sid:2102107; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP create literal buffer overflow attempt"; flow:to_server,established; content:"CREATE"; nocase; content:"{"; distance:1; pcre:"/\sCREATE\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,7446; classtype:misc-attack; sid:2102120; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; pcre:"/\sDELETE\s[^\n]?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:3008; rev:1;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete literal overflow attempt"; flow:established,to_server; content:"DELETE"; fast_pattern:only; nocase; pcre:"/\sDELETE\s[^\n]?\{/smi"; byte_test:5,>,100,0,string,dec,relative; reference:bugtraq,11675; classtype:misc-attack; sid:2103008; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:3007; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP delete overflow attempt"; flow:established,to_server; content:"DELETE"; nocase; isdataat:100,relative; pcre:"/\sDELETE\s[^\n]{100}/smi"; reference:bugtraq,11675; classtype:misc-attack; sid:2103007; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; pcre:"/\sEXAMINE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3067; rev:1;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine literal overflow attempt"; flow:established,to_server; content:"EXAMINE"; fast_pattern:only; nocase; pcre:"/\sEXAMINE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103067; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3068; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP examine overflow attempt"; flow:established,to_server; content:"EXAMINE"; nocase; isdataat:100,relative; pcre:"/\sEXAMINE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103068; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; pcre:"/\sFETCH\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3069; rev:1;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch literal overflow attempt"; flow:established,to_server; content:"FETCH"; fast_pattern:only; nocase; pcre:"/\sFETCH\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103069; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP fetch overflow attempt"; flow:established,to_server; content:"FETCH"; nocase; isdataat:500,relative; pcre:"/\sFETCH\s[^\n]{500}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103070; rev:3;) @@ -38615,7 +38618,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP find overflow attempt"; flow:established,to_server; content:"FIND"; nocase; isdataat:100,relative; pcre:"/\sFIND\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101904; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list literal overflow attempt"; flow:established,to_server; content:"LIST"; nocase; pcre:"/\sLIST\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101845; rev:16;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP list overflow attempt"; flow:established,to_server; content:"LIST"; nocase; isdataat:100,relative; pcre:"/\sLIST\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102118; rev:7;) @@ -38624,61 +38627,61 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; isdataat:100,relative; pcre:"/\sLOGIN\s[^\n]{100}/smi"; reference:bugtraq,13727; reference:bugtraq,502; reference:cve,1999-0005; reference:cve,1999-1557; reference:cve,2005-1255; reference:nessus,10123; reference:cve,2007-2795; reference:nessus,10125; classtype:attempted-user; sid:2101842; rev:16;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2664; rev:2;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL DELETED login format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102664; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal buffer overflow attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; classtype:misc-attack; sid:2101993; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2665; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP login literal format string attempt"; flow:established,to_server; content:"LOGIN"; nocase; pcre:"/\sLOGIN\s\w+\s\{\d+\}[\r]?\n[^\n]?%/smi"; reference:bugtraq,10976; classtype:attempted-admin; sid:2102665; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub literal overflow attempt"; flow:to_server,established; content:"LSUB"; nocase; pcre:"/\sLSUB\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101902; rev:10;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP lsub overflow attempt"; flow:to_server,established; content:"LSUB"; isdataat:100,relative; pcre:"/\sLSUB\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102106; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY["; distance:0; nocase; pcre:"/\sPARTIAL.BODY\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2101755; rev:15;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP partial body.peek buffer overflow attempt"; flow:to_server,established; content:"PARTIAL"; nocase; content:"BODY.PEEK["; isdataat:1024,relative; distance:0; nocase; pcre:"/\sPARTIAL.BODY\.PEEK\[[^\]]{1024}/smi"; reference:bugtraq,4713; reference:cve,2002-0379; classtype:misc-attack; sid:2102046; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename literal overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; content:"{"; distance:1; pcre:"/\sRENAME\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2102119; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP rename overflow attempt"; flow:established,to_server; content:"RENAME"; nocase; isdataat:100,relative; pcre:"/\sRENAME\s[^\n]{100}/smi"; reference:bugtraq,1110; reference:cve,2000-0284; reference:nessus,10374; classtype:misc-attack; sid:2101903; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; pcre:"/\sSTATUS\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3071; rev:1;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status literal overflow attempt"; flow:established,to_server; content:"STATUS"; fast_pattern:only; nocase; pcre:"/\sSTATUS\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103071; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:3072; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP status overflow attempt"; flow:established,to_server; content:"STATUS"; nocase; isdataat:100,relative; pcre:"/\sSTATUS\s[^\n]{100}/smi"; reference:bugtraq,11775; reference:bugtraq,13727; reference:cve,2005-1256; classtype:misc-attack; sid:2103072; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; pcre:"/\sSUBSCRIBE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3073; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe literal overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sSUBSCRIBE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103073; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3074; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP subscribe overflow attempt"; flow:established,to_server; content:"SUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103074; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:3075; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe literal overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; fast_pattern:only; nocase; pcre:"/\sUNSUBSCRIBE\s[^\n]?\s\{/smi"; byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,11775; classtype:misc-attack; sid:2103075; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:3076; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"GPL IMAP unsubscribe overflow attempt"; flow:established,to_server; content:"UNSUBSCRIBE"; nocase; isdataat:100,relative; pcre:"/\sUNSUBSCRIBE\s[^\n]{100}/smi"; reference:bugtraq,11775; classtype:misc-attack; sid:2103076; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL MISC private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1414; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access tcp"; flow:to_server,established; content:"private"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101414; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL MISC public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1412; rev:13;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access tcp"; flow:to_server,established; content:"public"; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,7212; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101412; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101418; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101420; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 1720 (msg:"GPL VOIP Q.931 Invalid Call Reference Length Buffer Overflow"; flow:established; content:"\|08\|"; depth:1; byte_test:1,>,4,1; reference:url,www.ethereal.com/news/item_20050504_01.html; reference:url,www.elook.org/internet/126.html; classtype:attempted-dos; sid:100000892; rev:2;) @@ -38708,7 +38711,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CMD overflow attempt"; flow:to_server,established; content:"CMD"; nocase; isdataat:100,relative; pcre:"/^CMD\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2101621; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:1229; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ..."; flow:to_server,established; content:"CWD"; nocase; content:"..."; distance:0; pcre:"/^CWD\s[^\n]?\.\.\./smi"; reference:bugtraq,9237; classtype:bad-unknown; sid:2101229; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD .... attempt"; flow:to_server,established; content:"CWD "; content:" ...."; reference:bugtraq,4884; classtype:denial-of-service; sid:2101779; rev:4;) @@ -38726,7 +38729,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~<CR><NEWLINE> attempt"; flow:to_server,established; content:"CWD "; content:" ~\|0D 0A\|"; reference:bugtraq,2601; reference:cve,2001-0421; classtype:denial-of-service; sid:2101728; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:336; rev:10;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP CWD ~root attempt"; flow:to_server,established; content:"CWD"; nocase; content:"~root"; distance:1; nocase; pcre:"/^CWD\s+~root/smi"; reference:arachnids,318; reference:cve,1999-0082; classtype:bad-unknown; sid:2100336; rev:11;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP DELE overflow attempt"; flow:to_server,established; content:"DELE"; nocase; isdataat:100,relative; pcre:"/^DELE\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101975; rev:9;) @@ -38777,7 +38780,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST directory traversal attempt"; flow:to_server,established; content:"LIST"; nocase; content:".."; distance:1; content:".."; distance:1; reference:bugtraq,2618; reference:cve,2001-0680; reference:cve,2002-1054; reference:nessus,11112; classtype:protocol-command-decode; sid:2101992; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d+/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP LIST integer overflow attempt"; flow:to_server,established; content:"LIST"; nocase; pcre:"/^LIST\s+\x22-W\s+\d/smi"; reference:bugtraq,8875; reference:cve,2003-0853; reference:cve,2003-0854; classtype:misc-attack; sid:2102272; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MDTM overflow attempt"; flow:to_server,established; content:"MDTM"; nocase; isdataat:100,relative; pcre:"/^MDTM\s[^\n]{100}/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; reference:nessus,12080; classtype:attempted-admin; sid:2102546; rev:6;) @@ -38789,7 +38792,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKDIR format string attempt"; flow:to_server,established; content:"MKDIR"; nocase; pcre:"/^MKDIR\s[^\n]?%[^\n]?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102332; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2374; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP NLST overflow attempt"; flow:to_server,established; content:"NLST"; nocase; isdataat:100,relative; pcre:"/^NLST\s[^\n]{100}/smi"; reference:bugtraq,10184; reference:bugtraq,7909; reference:bugtraq,9675; reference:cve,1999-1544; classtype:attempted-admin; sid:2102374; rev:7;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS format string attempt"; flow:to_server,established; content:"PASS"; nocase; pcre:"/^PASS\s[^\n]?%[^\n]?%/smi"; reference:bugtraq,7474; reference:bugtraq,9262; reference:bugtraq,9800; reference:cve,2000-0699; classtype:misc-attack; sid:2102179; rev:7;) @@ -38798,7 +38801,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PASS overflow attempt"; flow:to_server,established,no_stream; content:"PASS"; nocase; isdataat:100,relative; pcre:"/^PASS\s[^\n]{100}/smi"; reference:bugtraq,10078; reference:bugtraq,10720; reference:bugtraq,1690; reference:bugtraq,3884; reference:bugtraq,8601; reference:bugtraq,9285; reference:cve,1999-1519; reference:cve,1999-1539; reference:cve,2000-1035; reference:cve,2002-0126; reference:cve,2002-0895; classtype:attempted-admin; sid:2101972; rev:17;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:3441; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP PORT bounce attempt"; flow:to_server,established; content:"PORT"; nocase; ftpbounce; pcre:"/^PORT/smi"; classtype:misc-attack; sid:2103441; rev:2;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RENAME format string attempt"; flow:to_server,established; content:"RENAME"; nocase; pcre:"/^RENAME\s[^\n]?%[^\n]?%/smi"; reference:bugtraq,9262; classtype:misc-attack; sid:2102333; rev:2;) @@ -38807,13 +38810,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST overflow attempt"; flow:to_server,established; content:"REST"; nocase; isdataat:100,relative; pcre:"/^REST\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2001-0826; classtype:attempted-admin; sid:2101974; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:3460; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP REST with numeric argument"; flow:to_server,established; content:"REST"; nocase; pcre:"/REST\s+[0-9]+\n/i"; reference:bugtraq,7825; classtype:attempted-recon; sid:2103460; rev:3;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR format string attempt"; flow:to_server,established; content:"RETR"; nocase; pcre:"/^RETR\s[^\n]?%[^\n]?%/smi"; reference:bugtraq,9800; classtype:attempted-admin; sid:2102574; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2392; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RETR overflow attempt"; flow:to_server,established; content:"RETR"; nocase; isdataat:100,relative; pcre:"/^RETR\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; reference:cve,2004-0287; reference:cve,2004-0298; classtype:attempted-admin; sid:2102392; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RMD overflow attempt"; flow:to_server,established; content:"RMD"; nocase; isdataat:100,relative; pcre:"/^RMD\s[^\n]{100}/smi"; reference:bugtraq,2972; reference:cve,2000-0133; reference:cve,2001-0826; reference:cve,2001-1021; classtype:attempted-admin; sid:2101976; rev:10;) @@ -38825,10 +38828,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:2101622; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:3077; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNFR overflow attempt"; flow:to_server,established; content:"RNFR"; nocase; isdataat:100,relative; pcre:"/^RNFR\s[^\n]{100}/smi"; classtype:attempted-admin; sid:2103077; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2389; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP RNTO overflow attempt"; flow:to_server,established; content:"RNTO"; nocase; isdataat:100,relative; pcre:"/^RNTO\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2000-0133; reference:cve,2001-1021; reference:cve,2003-0466; classtype:attempted-admin; sid:2102389; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE CHMOD overflow attempt"; flow:to_server,established; content:"SITE"; nocase; content:"CHMOD"; distance:0; nocase; isdataat:100,relative; pcre:"/^SITE\s+CHMOD\s[^\n]{100}/smi"; reference:bugtraq,10181; reference:bugtraq,9483; reference:bugtraq,9675; reference:cve,1999-0838; reference:nessus,12037; classtype:attempted-admin; sid:2102340; rev:8;) @@ -38858,13 +38861,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP SITE overflow attempt"; flow:to_server,established; content:"SITE"; nocase; isdataat:100,relative; pcre:"/^SITE\s[^\n]{100}/smi"; reference:cve,1999-0838; reference:cve,2001-0755; reference:cve,2001-0770; classtype:attempted-admin; sid:2101529; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STAT overflow attempt"; flow:to_server,established; content:"STAT"; nocase; isdataat:100,relative; pcre:"/^STAT\s[^\n]{100}/smi"; reference:bugtraq,3507; reference:bugtraq,8542; reference:cve,2001-0325; reference:cve,2001-1021; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:2101379; rev:13;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOR overflow attempt"; flow:to_server,established; content:"STOR"; nocase; isdataat:100,relative; pcre:"/^STOR\s[^\n]{100}/smi"; reference:bugtraq,8668; reference:cve,2000-0133; classtype:attempted-admin; sid:2102343; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2390; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP STOU overflow attempt"; flow:to_server,established; content:"STOU"; nocase; isdataat:100,relative; pcre:"/^STOU\s[^\n]{100}/smi"; reference:bugtraq,8315; reference:cve,2003-0466; classtype:attempted-admin; sid:2102390; rev:5;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP USER format string attempt"; flow:to_server,established; content:"USER"; nocase; pcre:"/^USER\s[^\n]?%[^\n]?%/smi"; reference:bugtraq,7474; reference:bugtraq,7776; reference:bugtraq,9262; reference:bugtraq,9402; reference:bugtraq,9600; reference:bugtraq,9800; reference:cve,2004-0277; reference:nessus,10041; reference:nessus,11687; classtype:misc-attack; sid:2102178; rev:17;) @@ -38876,7 +38879,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XCWD overflow attempt"; flow:to_server,established; content:"XCWD"; nocase; isdataat:100,relative; pcre:"/^XCWD\s[^\n]{100}/smi"; reference:bugtraq,11542; reference:bugtraq,8704; classtype:attempted-admin; sid:2102344; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2373; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP XMKD overflow attempt"; flow:to_server,established; content:"XMKD"; nocase; isdataat:100,relative; pcre:"/^XMKD\s[^\n]{100}/smi"; reference:bugtraq,7909; reference:cve,2000-0133; reference:cve,2001-1021; classtype:attempted-admin; sid:2102373; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL SCAN adm scan"; flow:to_server,established; content:"PASS ddd@\|0A\|"; reference:arachnids,332; classtype:suspicious-login; sid:2100353; rev:7;) @@ -38888,13 +38891,13 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:2101748; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.?%.?%/smi"; classtype:string-detect; sid:2417; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%"; fast_pattern:only; pcre:"/\s+.?%.?%/smi"; classtype:string-detect; sid:2102417; rev:3;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP format string attempt"; flow:to_server,established; content:"%p"; fast_pattern:only; nocase; reference:nessus,10452; reference:bugtraq,1387; reference:bugtraq,2240; reference:bugtraq,726; reference:cve,2000-0573; reference:cve,1999-0997; classtype:attempted-admin; sid:2101530; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2416; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MDTM command attempt"; flow:to_server,established; content:"MDTM"; fast_pattern:only; nocase; pcre:"/^MDTM \d+[-+]\D/smi"; reference:bugtraq,9751; reference:cve,2001-1021; reference:cve,2004-0330; classtype:attempted-admin; sid:2102416; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP invalid MODE"; flow:to_server,established; content:"MODE"; fast_pattern:only; nocase; pcre:"/^MODE\s+[^ABSC]{1}/msi"; classtype:protocol-command-decode; sid:2101623; rev:8;) @@ -38912,7 +38915,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; fast_pattern:only; nocase; reference:arachnids,324; classtype:suspicious-login; sid:2100355; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP passwd retrieval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:2100356; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; fast_pattern:only; classtype:suspicious-login; sid:2100357; rev:7;) @@ -38933,13 +38936,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP tar parameters"; flow:to_server,established; content:" --use-compress-program "; fast_pattern:only; nocase; reference:arachnids,134; reference:bugtraq,2240; reference:cve,1999-0202; reference:cve,1999-0997; classtype:bad-unknown; sid:2100362; rev:14;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1377; rev:16;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt"; flow:to_server,established; content:"~"; content:"["; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101377; rev:17;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:1378; rev:15;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP wu-ftp bad file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; distance:0; reference:bugtraq,3581; reference:bugtraq,3707; reference:cve,2001-0550; reference:cve,2001-0886; classtype:misc-attack; sid:2101378; rev:16;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s\n/smi"; reference:arachnids,322; classtype:unknown; sid:489; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP no password"; flow:from_client,established; content:"PASS"; nocase; fast_pattern:only; pcre:"/^PASS\s\n/smi"; reference:arachnids,322; classtype:unknown; sid:2100489; rev:9;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'CWD ' possible warez site"; flow:to_server,established; content:"CWD "; depth:5; nocase; classtype:misc-activity; sid:2100546; rev:7;) @@ -38954,7 +38957,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'MKD .' possible warez site"; flow:to_server,established; content:"MKD ."; depth:5; nocase; classtype:misc-activity; sid:2100548; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:554; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP MKD / possible warez site"; flow:to_server,established; content:"MKD"; nocase; content:"/ "; distance:1; classtype:misc-activity; sid:2100554; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'RETR 1MB' possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100544; rev:8;) @@ -38963,31 +38966,31 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP 'STOR 1MB' possible warez site"; flow:to_server,established; content:"STOR"; nocase; content:"1MB"; fast_pattern; distance:1; nocase; classtype:misc-activity; sid:2100543; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp\|0D 0A\|"; nocase; classtype:misc-activity; sid:1449; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous ftp login attempt"; flow:to_server,established; content:"USER"; nocase; content:" ftp\|0D 0A\|"; nocase; classtype:misc-activity; sid:2101449; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP anonymous login attempt"; flow:to_server,established; content:"USER "; nocase; depth:5; content:"anon"; distance:0; classtype:misc-activity; sid:2100553; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:1445; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"GPL FTP FTP file_id.diz access possible warez site"; flow:to_server,established; content:"RETR"; nocase; content:"file_id.diz"; distance:1; nocase; classtype:suspicious-filename-detect; sid:2101445; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1324; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow /bin/sh"; flow:to_server,established; content:"/bin/sh"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101324; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"\|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\|"; fast_pattern:only; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1326; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SHELLCODE ssh CRC32 overflow NOOP"; flow:to_server,established; content:"\|90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90\|"; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101326; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"\|00 01\|W\|00 00 00 18\|"; depth:7; content:"\|FF FF FF FF 00 00\|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:1327; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL EXPLOIT ssh CRC32 overflow"; flow:to_server,established; content:"\|00 01\|W\|00 00 00 18\|"; depth:7; content:"\|FF FF FF FF 00 00\|"; depth:14; offset:8; reference:bugtraq,2347; reference:cve,2001-0144; reference:cve,2001-0572; classtype:shellcode-detect; sid:2101327; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN SSH Version map attempt"; flow:to_server,established; content:"Version_Mapper"; fast_pattern:only; nocase; classtype:network-scan; sid:2101638; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"\|00 00 00\|`\|00 00 00 00 00 00 00 00 01 00 00 00\|"; fast_pattern:only; classtype:attempted-recon; sid:617; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"GPL SCAN ssh-research-scanner"; flow:to_server,established; content:"\|00 00 00\|`\|00 00 00 00 00 00 00 00 01 00 00 00\|"; fast_pattern:only; classtype:attempted-recon; sid:2100617; rev:6;) #modified due to some fp's. - duc -alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:1199; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 2301 (msg:"GPL WEB_SERVER Compaq Insight directory traversal"; flow:to_server,established; content:"../../../"; reference:arachnids,244; reference:bugtraq,282; reference:cve,1999-0771; classtype:web-application-attack; sid:2101199; rev:13;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL DELETED CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]\d{3,}/msi"; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2102583; rev:3;) @@ -38996,13 +38999,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"GPL EXPLOIT CVS non-relative path access attempt"; flow:to_server,established; content:"Argument "; content:"Directory"; distance:0; pcre:"/^Argument\s+\//smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102318; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"\|85 13\|<\|9E A2\|"; depth:5; classtype:trojan-activity; sid:3272; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 3127:3198 (msg:"GPL WORM mydoom.a backdoor upload/execute attempt"; flow:to_server,established; content:"\|85 13\|<\|9E A2\|"; depth:5; classtype:trojan-activity; sid:2103272; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"\|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01\|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:9;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"\|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01\|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100571; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"\|C0 22\|?\|FC A2 02\| \|09 C0\|,\|7F FF E2 22\|?\|F4\|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL EXPLOIT EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"\|C0 22\|?\|FC A2 02\| \|09 C0\|,\|7F FF E2 22\|?\|F4\|"; fast_pattern:only; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:2100570; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"GPL RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"\|00 01 87\|}"; depth:4; offset:16; byte_jump:4,20,relative,align; byte_jump:4,4,relative,align; content:"/../"; distance:0; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2102007; rev:11;) @@ -39020,43 +39023,46 @@ ##alert tcp $EXTERNAL_NET any -> $HOME_NET 3535 (msg:"GPL DELETED RMD / attempt"; flow:to_server,established; content:"RMD"; nocase; pcre:"/^RMD\s+\x2f$/smi"; reference:bugtraq,9159; classtype:attempted-dos; sid:2102335; rev:3;) # +##alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"GPL DELETED distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:2103061; rev:3;) + +# alert tcp $EXTERNAL_NET any -> $HOME_NET 389 (msg:"GPL EXPLOIT MISC Lotus Domino LDAP attack"; flow:established; content:"\|30 0c 02 01 01 60 07 02 00 03 04 00 80 00\|"; fast_pattern:only; reference:bugtraq,16523; reference:cve,2006-0580; reference:url,lists.immunitysec.com/pipermail/dailydave/2006-February/002896.html; classtype:misc-attack; sid:100000229; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; reference:bugtraq,9624; reference:cve,2003-0825; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:2103199; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]\|[\x1F-\x2F].\|\x30[\x00-\x70])\|\x00\x00\x00[\x00-\x65]\|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"GPL EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]\|[\x1F-\x2F].\|\x30[\x00-\x70])\|\x00\x00\x00[\x00-\x65]\|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:2103017; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"\|7F FF FB\|x\|7F FF FB\|x\|7F FF FB\|x\|7F FF FB\|x"; content:"@\|8A FF C8\|@\|82 FF D8 3B\|6\|FE 03 3B\|v\|FE 02\|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:1261; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 4242 (msg:"GPL EXPLOIT AIX pdnsd overflow"; flow:to_server,established; dsize:>1000; content:"\|7F FF FB\|x\|7F FF FB\|x\|7F FF FB\|x\|7F FF FB\|x"; content:"@\|8A FF C8\|@\|82 FF D8 3B\|6\|FE 03 3B\|v\|FE 02\|"; reference:bugtraq,3237; reference:bugtraq,590; reference:cve,1999-0745; classtype:attempted-user; sid:2101261; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:1323; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 4321 (msg:"GPL MISC rwhoisd format string attempt"; flow:to_server,established; content:"-soa %p"; reference:bugtraq,3474; reference:cve,2001-0838; classtype:misc-attack; sid:2101323; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB DCERPC invalid bind attempt"; flow:to_server,established; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00\|"; within:12; distance:5; nocase; content:"\|05\|"; within:1; distance:2; content:"\|0B\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|00\|"; within:1; distance:21; classtype:attempted-dos; sid:2102191; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2982; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"ADMIN\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102982; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"ADMIN\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102474; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A\|00\|D\|00\|M\|00\|I\|00\|N\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2983; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"A\|00\|D\|00\|M\|00\|I\|00\|N\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102983; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ADMIN$ unicode share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"A\|00\|D\|00\|M\|00\|I\|00\|N\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102475; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C\|24 00\|"; distance:2; nocase; content:!"IPC\|24 00\|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2978; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C\|24 00\|"; distance:2; nocase; content:!"IPC\|24 00\|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102978; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"C\|24 00\|"; distance:2; nocase; content:!"IPC\|24 00\|"; within:5; distance:-5; nocase; classtype:protocol-command-decode; sid:2102471; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C\|00 24 00 00 00\|"; distance:2; nocase; content:!"I\|00\|P\|00\|C\|00 24 00 00 00\|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2979; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"C\|00 24 00 00 00\|"; distance:2; nocase; content:!"I\|00\|P\|00\|C\|00 24 00 00 00\|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102979; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS C$ unicode share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"C\|00 24 00 00 00\|"; distance:2; nocase; content:!"I\|00\|P\|00\|C\|00 24 00 00 00\|"; within:10; distance:-10; nocase; classtype:protocol-command-decode; sid:2102472; rev:11;) @@ -39110,25 +39116,25 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS CoGetInstanceFromFile unicode overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.msqueue; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 01\|"; within:2; distance:19; byte_test:4,>,256,20,relative; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:attempted-admin; sid:2103186; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2974; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102974; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"D\|24 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102468; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2975; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"D\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102975; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS D$ unicode share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"D\|00 24 00 00 00\|"; distance:2; nocase; classtype:protocol-command-decode; sid:2102469; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"\|05\|"; depth:1; content:"\|00\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|05\|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2496; rev:8;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCEPRC ORPCThis request flood attempt"; flow:to_server,established; content:"\|05\|"; depth:1; content:"\|00\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|05\|"; within:1; distance:21; content:"MEOW"; flowbits:isset,dce.isystemactivator.bind.call.attempt; threshold:type both, track by_dst, count 20, seconds 60; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:misc-attack; sid:2102496; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator bind attempt"; flow:to_server,established; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00\|"; within:12; distance:5; nocase; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00\|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8205; reference:cve,2003-0352; reference:nessus,11808; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2102193; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 05 00 0B\|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00\|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2491; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC ISystemActivator unicode bind attempt"; flow:to_server,established; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; byte_test:2,&,1,5,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 05 00 0B\|"; within:15; distance:4; byte_test:1,&,16,1,relative; content:"\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00\|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind.call.attempt; reference:bugtraq,8811; reference:cve,2003-0813; reference:nessus,12206; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:protocol-command-decode; sid:2102491; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC LSASS DsRolerUpgradeDownlevelServer exploit attempt"; flow:to_server,established; flowbits:isset,netbios.lsass.bind.attempt; content:"\|FF\|SMB"; depth:4; offset:4; nocase; content:"\|05\|"; distance:59; content:"\|00\|"; within:1; distance:1; content:"\|09 00\|"; within:2; distance:19; reference:bugtraq,10108; reference:cve,2003-0533; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:2102514; rev:8;) @@ -39146,7 +39152,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Messenger Service buffer overflow attempt"; flow:to_server,established; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00\|"; within:12; distance:5; nocase; content:"\|04 00\|"; within:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102258; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"\|00 00 00\|b\|06 83 00 00 06\|+\|06 01 05 05 02\|"; within:15; distance:1; content:"\|06 0A\|+\|06 01 04 01 82\|7\|02 02 0A\|"; distance:0; content:"\|A3\|>0<\|A0\|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2385; rev:11;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC NTLMSSP invalid mechlistMIC attempt"; flow:to_server,established; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; content:"`"; depth:1; offset:63; content:"\|00 00 00\|b\|06 83 00 00 06\|+\|06 01 05 05 02\|"; within:15; distance:1; content:"\|06 0A\|+\|06 01 04 01 82\|7\|02 02 0A\|"; distance:0; content:"\|A3\|>0<\|A0\|0"; distance:0; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12054; reference:nessus,12065; classtype:attempted-dos; sid:2102385; rev:12;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS DCERPC Remote Activation bind attempt"; flow:to_server,established; content:"\|FF\|SMB%"; depth:5; offset:4; nocase; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00\|"; within:12; distance:5; nocase; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; byte_test:1,&,1,0,relative; content:"\|B8\|J\|9F\|M\|1C\|}\|CF 11 86 1E 00\| \|AF\|n\|7C\|W"; within:16; distance:29; tag:session,5,packets; reference:bugtraq,8234; reference:bugtraq,8458; reference:cve,2003-0528; reference:cve,2003-0605; reference:cve,2003-0715; reference:nessus,11798; reference:nessus,11835; reference:url,www.microsoft.com/technet/security/bulletin/MS03-039.mspx; classtype:attempted-admin; sid:2102252; rev:15;) @@ -39188,13 +39194,13 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IActivation unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|B8\|J\|9F\|M\|1C\|}\|CF 11 86 1E 00\| \|AF\|n\|7C\|W"; within:16; distance:29; flowbits:set,dce.iactivation.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103388; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC\|24 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2954; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC\|24 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102954; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; byte_jump:2,34,little,relative; content:"IPC\|24 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102465; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I\|00\|P\|00\|C\|00 24 00 00 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2955; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode andx share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I\|00\|P\|00\|C\|00 24 00 00 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102955; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; byte_jump:2,34,little,relative; content:"I\|00\|P\|00\|C\|00 24 00 00 00\|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; classtype:protocol-command-decode; sid:2102466; rev:9;) @@ -39224,25 +39230,25 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS ISystemActivator unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|A0 01 00 00 00 00 00 00 C0 00 00 00 00 00 00\|F"; within:16; distance:29; flowbits:set,dce.isystemactivator.bind; flowbits:noalert; classtype:protocol-command-decode; sid:2103404; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2996; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102996; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102482; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2997; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102997; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102483; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2998; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102998; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 18\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102480; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2999; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian andx attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; within:1; distance:4; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102999; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS InitiateSystemShutdown unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|18 00\|"; within:2; distance:19; classtype:protocol-command-decode; sid:2102481; rev:10;) @@ -39272,10 +39278,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS IrotIsRunning unicode little endian attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.irot; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|02 00\|"; within:2; distance:19; byte_jump:4,8,relative,little,align; byte_test:4,>,1024,0,little; reference:bugtraq,6005; reference:cve,2002-1561; reference:url,www.microsoft.com/technet/security/bulletin/MS03-010.mspx; classtype:protocol-command-decode; sid:2103267; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2968; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102968; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2969; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102969; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102948; rev:7;) @@ -39284,10 +39290,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:256,relative; content:!"\|00\|"; within:256; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102938; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2970; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|00 0C\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102970; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2971; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian andx overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102971; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS NDdeSetTrustedShareW unicode little endian overflow attempt"; flow:established,to_server; flowbits:isset,smb.tree.bind.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; byte_test:1,!&,16,3,relative; content:"\|00\|"; within:1; distance:1; content:"\|0C 00\|"; within:2; distance:19; isdataat:512,relative; content:!"\|00 00\|"; within:512; distance:12; reference:bugtraq,11372; reference:cve,2004-0206; classtype:attempted-admin; sid:2102949; rev:7;) @@ -39407,7 +39413,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request unicode username overflow attempt"; flow:stateless; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,!&,2147483648,21,relative,little; content:!"\|00 00\|"; within:510; distance:29; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:protocol-command-decode; sid:2102404; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"\|00\|"; depth:1; byte_test:2,>,322,2; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"\|00 00 00 00\|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"\|00\|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2402; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup AndX request username overflow attempt"; flow:to_server,established; content:"\|00\|"; depth:1; byte_test:2,>,322,2; content:"\|FF\|SMBs"; depth:5; offset:4; nocase; byte_test:1,<,128,6,relative; content:"\|00 00 00 00\|"; within:4; distance:42; byte_test:2,>,255,8,relative,little; content:!"\|00\|"; within:255; distance:10; reference:bugtraq,9752; reference:url,www.eeye.com/html/Research/Advisories/AD20040226.html; classtype:attempted-admin; sid:2102402; rev:6;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Session Setup NTMLSSP andx asn1 overflow attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"s"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_test:4,&,2147483648,21,relative,little; content:!"NTLMSSP"; within:7; distance:27; asn1:double_overflow, bitstring_overflow, relative_offset 27, oversize_length 2048; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:protocol-command-decode; sid:2103004; rev:5;) @@ -39425,13 +39431,13 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|01 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103142; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|01 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|01 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103141; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|07 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO andx attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|07 00\|"; within:2; distance:29; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103138; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|07 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:4;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS Trans2 QUERY_FILE_INFO attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; content:"\|07 00\|"; within:2; distance:56; flowbits:set,smb.trans2; flowbits:noalert; classtype:protocol-command-decode; sid:2103137; rev:5;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS irot andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"`\|9E E7 B9\|R=\|CE 11 AA A1 00 00\|i\|01 29\|?"; within:16; distance:29; flowbits:set,smb.tree.bind.irot; flowbits:noalert; classtype:protocol-command-decode; sid:2103252; rev:4;) @@ -39542,10 +39548,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS msqueue unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; content:"\|05\|"; distance:4; within:1; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|B0 01\|R\|97 CA\|Y\|D0 11 A8 D5 00 A0 C9 0D 80\|Q"; within:16; distance:29; flowbits:set,smb.tree.bind.msqueue; flowbits:noalert; reference:cve,2003-0995; reference:url,www.eeye.com/html/Research/Advisories/AD20030910.html; reference:url,www.microsoft.com/technet/security/bulletin/MS03-026.mspx; classtype:protocol-command-decode; sid:2103171; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2962; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102962; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2958; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102958; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102934; rev:6;) @@ -39554,10 +39560,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB\|A2\|"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"\|5C\|nddeapi\|00\|"; within:9; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102930; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2963; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102963; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|n\|00\|d\|00\|d\|00\|e\|00\|a\|00\|p\|00\|i\|00 00 00\|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2959; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|n\|00\|d\|00\|d\|00\|e\|00\|a\|00\|p\|00\|i\|00 00 00\|"; within:18; distance:51; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102959; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.nddeapi; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; content:"\|0B\|"; within:1; distance:1; content:" 2_/&\|C1\|v\|10 B5\|I\|07\|M\|07 86 19 DA\|"; within:16; distance:29; flowbits:set,smb.tree.bind.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102935; rev:7;) @@ -39566,16 +39572,16 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS nddeapi unicode create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB\|A2\|"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"\|5C 00\|n\|00\|d\|00\|d\|00\|e\|00\|a\|00\|p\|00\|i\|00 00 00\|"; within:18; distance:78; nocase; flowbits:set,smb.tree.create.nddeapi; reference:bugtraq,11372; reference:cve,2004-0206; classtype:protocol-command-decode; sid:2102931; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"\|FF\|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f).{28}(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f)/"; byte_jump:2,39,little; content:!"\|FF\|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2951; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS too many stacked requests"; flow:to_server,established; content:"\|FF\|SMB"; pcre:"/^\x00.{3}\xFFSMB(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f).{28}(\x73\|\x74\|\x75\|\xa2\|\x24\|\x2d\|\x2e\|\x2f)/"; byte_jump:2,39,little; content:!"\|FF\|"; within:1; distance:-36; classtype:protocol-command-decode; sid:2102951; rev:3;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103214; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2990; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102990; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|winreg\|00\|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2986; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C\|winreg\|00\|"; within:8; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102986; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,!&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C\|PIPE\|5C 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103210; rev:4;) @@ -39596,10 +39602,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103216; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; pcre:"/^.{4}/R"; content:"\|05\|"; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2991; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx bind attempt"; flow:established,to_server; flowbits:isset,smb.tree.create.winreg; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"%"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"&\|00\|"; within:2; distance:29; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-10,relative,from_beginning; content:"\|05\|"; distance:4; within:1; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; classtype:protocol-command-decode; sid:2102991; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|w\|00\|i\|00\|n\|00\|r\|00\|e\|00\|g\|00 00 00\|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2987; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode andx create tree attempt"; flow:established,to_server; flowbits:isset,smb.tree.connect.ipc; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\x2e\|\x24\|\x74)/sR"; byte_test:1,&,128,6,relative; content:"\|A2\|"; depth:1; offset:39; byte_jump:2,0,little,relative; content:"\|5C 00\|w\|00\|i\|00\|n\|00\|r\|00\|e\|00\|g\|00 00 00\|"; within:16; distance:51; nocase; flowbits:set,smb.tree.create.winreg; classtype:protocol-command-decode; sid:2102987; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,!&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103212; rev:4;) @@ -39617,7 +39623,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"GPL NETBIOS SMB-DS winreg unicode little endian bind attempt"; flow:established,to_server; content:"\|00\|"; depth:1; content:"\|FF\|SMB%"; within:5; distance:3; byte_test:1,&,128,6,relative; content:"&\|00\|"; within:2; distance:56; content:"\|5C 00\|P\|00\|I\|00\|P\|00\|E\|00 5C 00 00 00\|"; distance:4; nocase; byte_jump:2,-17,relative,from_beginning,little; isdataat:4,relative; content:"\|05\|"; byte_test:1,&,16,3,relative; content:"\|0B\|"; within:1; distance:1; content:"\|01 D0 8C\|3D\|22 F1\|1\|AA AA 90 00\|8\|00 10 03\|"; within:16; distance:29; flowbits:set,smb.tree.bind.winreg; flowbits:noalert; classtype:protocol-command-decode; sid:2103213; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL EXPLOIT Netscape Unixware overflow"; flow:to_server,established; content:"\|EB\|_\|9A FF FF FF FF 07 FF C3\|^1\|C0 89\|F\|9D\|"; fast_pattern:only; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:1132; rev:9;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 457 (msg:"GPL DELETED Netscape Unixware overflow"; flow:to_server,established; content:"\|EB\|_\|9A FF FF FF FF 07 FF C3\|^1\|C0 89\|F\|9D\|"; fast_pattern:only; reference:arachnids,180; reference:bugtraq,908; reference:cve,1999-0744; classtype:attempted-recon; sid:2101132; rev:11;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL RPC rexec password overflow attempt"; flow:to_server,established; content:"\|00\|"; content:"\|00\|"; distance:33; content:"\|00\|"; distance:0; classtype:attempted-admin; sid:2102114; rev:4;) @@ -39626,31 +39632,31 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"GPL EXPLOIT rexec username overflow attempt"; flow:to_server,established; content:"\|00\|"; offset:9; content:"\|00\|"; distance:0; content:"\|00\|"; distance:0; classtype:attempted-admin; sid:2102113; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"\|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A\|"; classtype:bad-unknown; sid:601; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL RPC rlogin LinuxNIS"; flow:to_server,established; content:"\|3A 3A 3A 3A 3A 3A 3A 3A 00 3A 3A 3A 3A 3A 3A 3A 3A\|"; classtype:bad-unknown; sid:2100601; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; reference:arachnids,384; classtype:attempted-user; sid:602; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; reference:arachnids,384; classtype:attempted-user; sid:2100602; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo \|22\| + + \|22\|"; reference:arachnids,385; classtype:bad-unknown; sid:603; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin echo++"; flow:to_server,established; content:"echo \|22\| + + \|22\|"; reference:arachnids,385; classtype:bad-unknown; sid:2100603; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root\|00\|root\|00\|"; reference:arachnids,389; classtype:attempted-admin; sid:606; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL MISC rlogin root"; flow:to_server,established; content:"root\|00\|root\|00\|"; reference:arachnids,389; classtype:attempted-admin; sid:2100606; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot\|00\|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:604; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 513 (msg:"GPL EXPLOIT rsh froot"; flow:to_server,established; content:"-froot\|00\|"; fast_pattern:only; reference:arachnids,387; classtype:attempted-admin; sid:2100604; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; reference:arachnids,390; classtype:attempted-user; sid:607; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL EXPLOIT rsh bin"; flow:to_server,established; content:"bin\|00\|bin\|00\|"; reference:arachnids,390; classtype:attempted-user; sid:2100607; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo \|22\|+ +\|22\|"; reference:arachnids,388; classtype:attempted-user; sid:608; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh echo + +"; flow:to_server,established; content:"echo \|22\|+ +\|22\|"; reference:arachnids,388; classtype:attempted-user; sid:2100608; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot\|00\|"; reference:arachnids,387; classtype:attempted-admin; sid:609; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh froot"; flow:to_server,established; content:"-froot\|00\|"; reference:arachnids,387; classtype:attempted-admin; sid:2100609; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root\|00\|root\|00\|"; reference:arachnids,391; classtype:attempted-admin; sid:610; rev:5;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 514 (msg:"GPL MISC rsh root"; flow:to_server,established; content:"root\|00\|root\|00\|"; reference:arachnids,391; classtype:attempted-admin; sid:2100610; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT EXPLOIT HPUX LPD overflow attempt"; flow:to_server,established; content:"\|24 7B 49 46 53 7D\|"; reference:cve,2005-3277; reference:bugtraq,15136; classtype:attempted-dos; sid:100000176; rev:1;) @@ -39659,43 +39665,43 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT LPD dvips remote command execution attempt"; flow:to_server,established; content:"psfile=\|22 60\|"; reference:bugtraq,3241; reference:cve,2001-1002; reference:nessus,11023; classtype:system-call-detect; sid:2101821; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300\|24\|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:302; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"GPL EXPLOIT Redhat 7.0 lprd overflow"; flow:to_server,established; content:"XXXX%.172u%300\|24\|n"; reference:bugtraq,1712; reference:cve,2000-0917; classtype:attempted-admin; sid:2100302; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:258; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named 8.2->8.2.1"; flow:to_server,established; content:"../../../"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100258; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:259; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow ADM"; flow:to_server,established; content:"thisissometempspaceforthesockinaddrinyeahyeahiknowthisislamebutanywaywhocareshorizongotitworkingsoalliscool"; reference:bugtraq,788; reference:cve,1999-0833; classtype:attempted-admin; sid:2100259; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS EXPLOIT named overflow attempt"; flow:to_server,established; content:"\|CD 80 E8 D7 FF FF FF\|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:261; rev:6;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named overflow attempt"; flow:to_server,established; content:"\|CD 80 E8 D7 FF FF FF\|/bin/sh"; reference:url,www.cert.org/advisories/CA-1998-05.html; classtype:attempted-admin; sid:2100261; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:2103153; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"\|07\|authors"; offset:12; nocase; content:"\|04\|bind\|00\|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:1435; rev:7;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named authors attempt"; flow:to_server,established; content:"\|07\|authors"; offset:12; nocase; content:"\|04\|bind\|00\|"; offset:12; nocase; reference:arachnids,480; reference:nessus,10728; classtype:attempted-recon; sid:2101435; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS named version attempt"; flow:to_server,established; content:"\|07\|version"; offset:12; nocase; content:"\|04\|bind\|00\|"; offset:12; nocase; reference:arachnids,278; reference:nessus,10028; classtype:attempted-recon; sid:2100257; rev:10;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"\|00 00 FC\|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:255; rev:13;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"GPL DNS zone transfer TCP"; flow:to_server,established; content:"\|00 00 FC\|"; offset:15; reference:arachnids,212; reference:cve,1999-0532; reference:nessus,10595; classtype:attempted-recon; sid:2100255; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:507; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 5631 (msg:"GPL POLICY PCAnywhere Attempted Administrator Login"; flow:to_server,established; content:"ADMINISTRATOR"; classtype:attempted-admin; sid:2100507; rev:5;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5802 (msg:"GPL POLICY vncviewer Java applet download attempt"; flow:to_server,established; content:"/vncviewer.jar"; reference:nessus,10758; classtype:misc-activity; sid:2101846; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:1398; rev:10;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 6112 (msg:"GPL EXPLOIT CDE dtspcd exploit attempt"; flow:to_server,established; content:"1"; depth:1; offset:10; content:!"000"; depth:3; offset:11; reference:bugtraq,3517; reference:cve,2001-0803; reference:url,www.cert.org/advisories/CA-2002-01.html; classtype:misc-attack; sid:2101398; rev:11;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"GPL EXPLOIT Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT\|MACHINE)_INFO/Ri"; reference:bugtraq,12594; classtype:attempted-recon; sid:2103453; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL EXPLOIT SCO calserver overflow"; flow:to_server,established; content:"\|EB 7F\|]U\|FE\|M\|98 FE\|M\|9B\|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:304; rev:9;) +##alert tcp $EXTERNAL_NET any -> $HOME_NET 6373 (msg:"GPL DELETED SCO calserver overflow"; flow:to_server,established; content:"\|EB 7F\|]U\|FE\|M\|98 FE\|M\|9B\|"; reference:bugtraq,2353; reference:cve,2000-0306; classtype:attempted-admin; sid:2100304; rev:10;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 7100 (msg:"GPL EXPLOIT xfs overflow attempt"; flow:to_server,established; dsize:>512; content:"B\|00 02\|"; depth:3; reference:bugtraq,6241; reference:cve,2002-1317; reference:nessus,11188; classtype:misc-activity; sid:2101987; rev:8;) @@ -39791,7 +39797,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 79 (msg:"GPL SCAN Finger Version Query"; flow:to_server,established; content:"version"; classtype:attempted-recon; sid:2101541; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"GPL SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:2100619; rev:7;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"GPL MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2102549; rev:2;) @@ -39818,19 +39824,19 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"GPL MISC rsyncd overflow attempt"; flow:to_server; byte_test:2,>,4000,0; content:"\|00 00\|"; depth:2; offset:2; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2102048; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"\|01 A1\|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:3;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"\|01 A1\|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102579; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET 9090 (msg:"GPL POLICY Sun JavaServer default password login attempt"; flow:to_server,established; content:"/servlet/admin"; content:"ae9f86d6beaa3f9ecb9a5b7e072a4138"; reference:cve,1999-0508; reference:nessus,10995; classtype:default-login-attempt; sid:2101859; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:558; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Outbound GNUTella client request"; flow:established; content:"GNUTELLA OK"; depth:40; classtype:misc-activity; sid:2100558; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL P2P Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:559; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED Inbound GNUTella client request"; flags:A+; flow:established; content:"GNUTELLA CONNECT"; depth:40; classtype:misc-activity; sid:2100559; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:560; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL POLICY VNC server response"; flow:established; content:"RFB 0"; depth:5; content:".0"; depth:2; offset:7; classtype:misc-activity; sid:2100560; rev:7;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_CREATE array buffer overflow attempt"; flow:to_server,established; content:"\|00 01 86 E4\|"; depth:4; offset:16; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102095; rev:7;) @@ -39842,7 +39848,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"\|00 01 86 E4\|"; depth:4; offset:16; content:"\|00 00 00 06\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_jump:4,0,relative,align; byte_test:4,>,1000,28,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,524; reference:cve,1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:2101909; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin\|C7\|F\|04\|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL EXPLOIT EXPLOIT statdx"; flow:to_server,established; content:"/bin\|C7\|F\|04\|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:2100600; rev:8;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"\|00 01 86 B8\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,100,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,1480; reference:cve,2000-0666; classtype:attempted-admin; sid:2101916; rev:10;) @@ -39854,7 +39860,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP dump request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:attempted-recon; sid:2102018; rev:5;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP export request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2100574; rev:9;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC mountd TCP exportall request"; flow:to_server,established; content:"\|00 01 86 A5\|"; depth:4; offset:16; content:"\|00 00 00 06\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:arachnids,26; classtype:attempted-recon; sid:2101925; rev:7;) @@ -39887,7 +39893,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind query with root credentials attempt TCP"; flow:to_server,established; content:"\|00 01 87 88\|"; fast_pattern; depth:4; offset:16; content:"\|00 00 00 01 00 00 00 01\|"; within:8; distance:4; byte_jump:4,8,relative,align; content:"\|00 00 00 00\|"; within:4; classtype:misc-attack; sid:2102255; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"\|00 01 87 99\|"; depth:4; offset:16; content:"\|00 00 01 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569; rev:14;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC snmpXdmi overflow attempt TCP"; flow:to_server,established; content:"\|00 01 87 99\|"; depth:4; offset:16; content:"\|00 00 01 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:2100569; rev:15;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"\|00 01 86 F3\|"; depth:4; offset:16; content:"\|00 00 00 07\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,128,0,relative; content:"\|00 00 00 00\|"; depth:4; offset:8; reference:bugtraq,122; reference:cve,1999-0003; classtype:misc-attack; sid:2101965; rev:9;) @@ -39911,49 +39917,49 @@ ##alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL DELETED ypupdated arbitrary command attempt TCP"; flow:to_server,established; content:"\|00 01 86 BC\|"; depth:4; offset:16; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|7C\|"; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:8; classtype:misc-attack; sid:2102089; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:2100623; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:2100624; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:2100625; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:626; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os PA12 attempt"; flow:stateless; flags:PA12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,149; classtype:attempted-recon; sid:2100626; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:627; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN cybercop os SFU12 probe"; flow:stateless; ack:0; flags:SFU12; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,150; classtype:attempted-recon; sid:2100627; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:628; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap TCP"; ack:0; flags:A,12; flow:stateless; reference:arachnids,28; classtype:attempted-recon; sid:2100628; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:2101228; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:629; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN nmap fingerprint attempt"; flags:SFPU; flow:stateless; reference:arachnids,05; classtype:attempted-recon; sid:2100629; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:989; rev:12;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN sensepost.exe command shell attempt"; flow:to_server,established; content:"/sensepost.exe"; http_uri; nocase; reference:nessus,11003; classtype:web-application-activity; sid:2100989; rev:13;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS SAP WAS syscmd access"; flow:to_server,established; content:"/sap/bc/BSp/sap/menu/frameset.htm"; http_uri; nocase; content:"sap-syscmd"; http_uri; nocase; reference:url,www.cybsec.com/vuln/CYBSEC_Security_Advisory_Multiple_XSS_in_SAP_WAS.pdf; classtype:web-application-activity; sid:100000183; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include"; flow:to_server,established; content:"/base_include.inc.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?\|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_include.inc.php remote file include"; flow:to_server,established; content:"/base_include.inc.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000358; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include"; flow:to_server,established; content:"/base_qry_common.php"; http_uri; nocase; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?\|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:4;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_qry_common.php remote file include"; flow:to_server,established; content:"/base_qry_common.php"; http_uri; nocase; fast_pattern:only; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000356; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; content:"/base_stat_common.php"; nocase; http_uri; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(https?\|ftp)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS BASE base_stat_common.php remote file include"; flow:to_server,established; content:"/base_stat_common.php"; nocase; http_uri; content:"BASE_path="; http_uri; nocase; pcre:"/BASE_path=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:url,secunia.com/advisories/20300/; classtype:web-application-attack; sid:100000357; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEB-MISC JBoss web-console access"; flow:to_server,established; content:"/web-console"; http_uri; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEB-MISC JBoss web-console access"; flow:to_server,established; content:"/web-console"; http_uri; reference:url,www.jboss.org/wiki/Wiki.jsp?page=WebConsole; classtype:misc-activity; sid:100000429; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/BlackList.Examine.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog BlackList.Examine.class.php remote file include"; flow:to_server,established; content:"plugins/spamx/BlackList.Examine.class.php"; nocase; http_uri; content:"$_CONF[path]="; nocase; http_uri; pcre:"/\$_CONF\[path\]=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000730; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog DeleteComment.Action.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/DeleteComment.Action.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000731; rev:3;) @@ -39989,10 +39995,10 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog MassDelete.Admin.class.php remote file include"; flow:to_server,established; uricontent:"plugins/spamx/MassDelete.Admin.class.php"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000734; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/links/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; content:"plugins/links/functions.inc"; nocase; http_uri; fast_pattern:7,20; content:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000728; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/polls/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; content:"plugins/polls/functions.inc"; nocase; http_uri; fast_pattern:7,20; content:"$_CONF[path]="; nocase; http_uri; pcre:"/\$_CONF\[path\]=(?:(?:ht\|f)tps?\|data\|php)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000729; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Geeklog functions.inc remote file include"; flow:to_server,established; uricontent:"plugins/staticpages/functions.inc"; nocase; uricontent:"$_CONF[path]="; nocase; pcre:"/\$_CONF\[path\]=(https?\|ftp)/Ui"; reference:bugtraq,18740; classtype:web-application-attack; sid:100000742; rev:3;) @@ -40001,46 +40007,49 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS WEB-PHP phpMyWebmin create_file script remote file include"; flow:to_server,established; content:"create_file.php?"; http_uri; nocase; content:"target="; http_uri; nocase; pcre:"/target=(https?\|ftp)/Ui"; reference:url,www.securityfocus.com/bid/20281/info; classtype:web-application-attack; sid:100000908; rev:2;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:1133; rev:12;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop os probe"; flow:stateless; ack:0; flags:SFP; content:"AAAAAAAAAAAAAAAA"; depth:16; reference:arachnids,145; classtype:attempted-recon; sid:2101133; rev:13;) + +# +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:2101369; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls command attempt"; flow:to_server,established; content:"/bin/ls"; http_uri; nocase; classtype:web-application-attack; sid:1369; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls\| command attempt"; flow:to_server,established; content:"/bin/ls\|7C\|"; http_uri; nocase; classtype:web-application-attack; sid:2101368; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ls\| command attempt"; flow:to_server,established; content:"/bin/ls\|7C\|"; http_uri; nocase; classtype:web-application-attack; sid:1368; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; content:"/bin/ps"; http_uri; nocase; classtype:web-application-attack; sid:2101328; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /bin/ps command attempt"; flow:to_server,established; uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; http_uri; nocase; classtype:web-application-activity; sid:2101370; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/inetd.conf access"; flow:to_server,established; content:"/etc/inetd.conf"; nocase; classtype:web-application-activity; sid:1370; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; http_uri; classtype:web-application-activity; sid:2101371; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/motd access"; flow:to_server,established; content:"/etc/motd"; nocase; http_uri; classtype:web-application-activity; sid:1371; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; http_uri; nocase; classtype:web-application-activity; sid:2101372; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED /etc/shadow access"; flow:to_server,established; content:"/etc/shadow"; fast_pattern:only; nocase; classtype:web-application-activity; sid:1372; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; http_uri; nocase; classtype:web-application-attack; sid:2101332; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/id command attempt"; flow:to_server,established; content:"/usr/bin/id"; nocase; classtype:web-application-attack; sid:1332; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:2101355; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /usr/bin/perl execution attempt"; flow:to_server,established; content:"/usr/bin/perl"; http_uri; nocase; classtype:web-application-attack; sid:1355; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:2101349; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER bin/python access attempt"; flow:to_server,established; content:"bin/python"; http_uri; nocase; classtype:web-application-attack; sid:1349; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101334; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT echo command attempt"; flow:to_server,established; content:"/bin/echo"; fast_pattern:only; nocase; classtype:web-application-attack; sid:1334; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python "; http_uri; nocase; classtype:web-application-attack; sid:2101350; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER python access attempt"; flow:to_server,established; content:"python%20"; http_uri; nocase; classtype:web-application-attack; sid:1350; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101340; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT tftp command attempt"; flow:to_server,established; content:"tftp%20"; fast_pattern:only; nocase; classtype:web-application-attack; sid:1340; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS NetScreen SA 5000 delhomepage.cgi access"; flow:to_server,established; content:"/delhomepage.cgi"; http_uri; fast_pattern:only; reference:bugtraq,9791; classtype:web-application-activity; sid:2103062; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:884; rev:15;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail access"; flow:to_server,established; content:"/formmail"; nocase; http_uri; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-activity; sid:2100884; rev:16;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT formmail arbitrary command execution attempt"; flow:to_server,established; content:"/formmail"; nocase; http_uri; content:"%0a"; nocase; reference:arachnids,226; reference:bugtraq,1187; reference:bugtraq,2079; reference:cve,1999-0172; reference:cve,2000-0411; reference:nessus,10076; reference:nessus,10782; classtype:web-application-attack; sid:2101610; rev:13;) @@ -40049,76 +40058,76 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER perl command attempt"; flow:to_server,established; content:"/perl?"; http_uri; nocase; reference:arachnids,219; reference:cve,1999-0509; reference:nessus,10173; reference:url,www.cert.org/advisories/CA-1996-11.html; classtype:attempted-recon; sid:2101649; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:824; rev:14;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT php.cgi access"; flow:to_server,established; content:"/php.cgi"; nocase; http_uri; reference:arachnids,232; reference:bugtraq,2250; reference:bugtraq,712; reference:cve,1999-0238; reference:cve,1999-058; reference:nessus,10178; classtype:attempted-recon; sid:2100824; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER printenv access"; flow:to_server,established; content:"/printenv"; http_uri; reference:bugtraq,1658; reference:cve,2000-0868; reference:nessus,10188; reference:nessus,10503; classtype:web-application-activity; sid:2101877; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:920; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource attempt"; flow:to_server,established; content:"CF_ISCOLDFUSIONDATASOURCE\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100920; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:919; rev:8;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource password attempt"; flow:to_server,established; content:"CF_SETDATASOURCEPASSWORD\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100919; rev:9;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:909; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER datasource username attempt"; flow:to_server,established; content:"CF_SETDATASOURCEUSERNAME\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100909; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:915; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED evaluate.cfm access"; flow:to_server,established; content:"/cfdocs/snippets/evaluate.cfm"; nocase; http_uri; reference:bugtraq,550; classtype:attempted-recon; sid:2100915; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:923; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER getodbcin attempt"; flow:to_server,established; content:"CFUSION_GETODBCINI\|28 29\|"; nocase; reference:bugtraq,550; classtype:web-application-attack; sid:2100923; rev:8;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:1288; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /_vti_bin/ access"; flow:to_server,established; content:"/_vti_bin/"; http_uri; nocase; reference:nessus,11032; classtype:web-application-activity; sid:2101288; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:937; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER _vti_rpc access"; flow:to_server,established; content:"/_vti_rpc"; http_uri; nocase; reference:bugtraq,2144; reference:cve,2001-0096; reference:nessus,10585; classtype:web-application-activity; sid:2100937; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:953; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT administrators.pwd access"; flow:to_server,established; content:"/administrators.pwd"; nocase; http_uri; reference:bugtraq,1205; classtype:web-application-activity; sid:2100953; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; http_uri; nocase; classtype:web-application-activity; sid:952; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER author.exe access"; flow:to_server,established; content:"/_vti_bin/_vti_aut/author.exe"; http_uri; nocase; classtype:web-application-activity; sid:2100952; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; http_uri; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:951; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER authors.pwd access"; flow:to_server,established; content:"/authors.pwd"; http_uri; nocase; reference:bugtraq,989; reference:cve,1999-0386; reference:nessus,10078; classtype:web-application-activity; sid:2100951; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:958; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.cnf access"; flow:to_server,established; content:"/_vti_pvt/service.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100958; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; content:"/service.pwd"; http_uri; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:959; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER service.pwd"; flow:to_server,established; content:"/service.pwd"; http_uri; nocase; reference:bugtraq,1205; classtype:web-application-activity; sid:2100959; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:961; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER services.cnf access"; flow:to_server,established; content:"/_vti_pvt/services.cnf"; http_uri; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100961; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; uricontent:"/_vti_pvt/writeto.cnf"; nocase; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:965; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER writeto.cnf access"; flow:to_server,established; content:"/_vti_pvt/writeto.cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100965; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd\|22\|"; nocase; http_uri; pcre:"/.cmd\x22.\x26./smi"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:3193; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cmd executable file parsing attack"; flow:established,to_server; content:".cmd\|22\|"; nocase; http_uri; pcre:"/\.cmd\x22.?\x26/Ui"; reference:bugtraq,1912; reference:cve,2000-0886; classtype:web-application-attack; sid:2103193; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:977; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .cnf access"; flow:to_server,established; content:".cnf"; nocase; http_uri; reference:bugtraq,4078; reference:nessus,10575; classtype:web-application-activity; sid:2100977; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:987; rev:15;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT .htr access"; flow:to_server,established; content:".htr"; nocase; http_uri; reference:bugtraq,1488; reference:cve,2000-0630; reference:nessus,10680; classtype:web-application-activity; sid:2100987; rev:16;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:1487; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /iisadmpwd/aexp2.htr access"; flow:to_server,established; content:"/iisadmpwd/aexp2.htr"; http_uri; reference:bugtraq,2110; reference:bugtraq,4236; reference:cve,1999-0407; reference:cve,2002-0421; reference:nessus,10371; classtype:web-application-activity; sid:2101487; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:1401; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT /msadc/samples/ access"; flow:to_server,established; content:"/msadc/samples/"; http_uri; nocase; reference:bugtraq,167; reference:cve,1999-0736; reference:nessus,1007; classtype:web-application-attack; sid:2101401; rev:10;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; http_uri; nocase; classtype:web-application-attack; sid:994; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /scripts/iisadmin/default.htm access"; flow:to_server,established; content:"/scripts/iisadmin/default.htm"; http_uri; nocase; classtype:web-application-attack; sid:2100994; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Alternate Data streams ASP file access attempt"; flow:to_server,established; content:".asp\|3A 3A 24\|DATA"; nocase; http_uri; reference:bugtraq,149; reference:cve,1999-0278; reference:nessus,10362; reference:url,support.microsoft.com/default.aspx?scid=kb#-#-EN-US#-#-q188806; classtype:web-application-attack; sid:2100975; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:1256; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT CodeRed v2 root.exe access"; flow:to_server,established; content:"/root.exe"; nocase; http_uri; reference:url,www.cert.org/advisories/CA-2001-19.html; classtype:web-application-attack; sid:2101256; rev:10;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER IISProtect access"; flow:to_server,established; content:"/iisprotect/admin/"; http_uri; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102131; rev:4;) @@ -40127,19 +40136,19 @@ ##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED IISProtect globaladmin.asp access"; flow:to_server,established; uricontent:"/iisprotect/admin/GlobalAdmin.asp"; nocase; reference:nessus,11661; classtype:web-application-activity; sid:2102157; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1242; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida access"; flow:to_server,established; content:".ida"; nocase; http_uri; pcre:"/\.ida$/iU"; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101242; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:1243; rev:12;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .ida attempt"; flow:to_server,established; content:".ida?"; nocase; http_uri; reference:arachnids,552; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-attack; sid:2101243; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:1245; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq access"; flow:to_server,established; content:".idq"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:cve,2000-0071; classtype:web-application-activity; sid:2101245; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:1244; rev:15;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT ISAPI .idq attempt"; flow:to_server,established; content:".idq?"; nocase; http_uri; reference:arachnids,553; reference:bugtraq,1065; reference:bugtraq,968; reference:cve,2000-0071; reference:cve,2000-0126; reference:nessus,10115; classtype:web-application-attack; sid:2101244; rev:16;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; uricontent:".printer"; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:971; rev:10;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ISAPI .printer access"; flow:to_server,established; content:".printer"; http_uri; nocase; reference:arachnids,533; reference:bugtraq,2674; reference:cve,2001-0241; reference:nessus,10661; reference:url,www.microsoft.com/technet/security/bulletin/MS01-023.mspx; classtype:web-application-activity; sid:2100971; rev:12;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server admin attempt"; flow:to_server,established; content:"/Site Server/Admin/knowledge/persmbr/"; nocase; http_uri; reference:nessus,11018; classtype:web-application-attack; sid:2101818; rev:4;) @@ -40148,10 +40157,10 @@ #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER MS Site Server default login attempt"; flow:to_server,established; content:"/SiteServer/Admin/knowledge/persmbr/"; nocase; http_uri; content:"TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE"; pcre:"/^Authorization\|3A\|\sBasic\s+TERBUF9Bbm9ueW1vdXM6TGRhcFBhc3N3b3JkXzE=/smi"; reference:nessus,11018; classtype:web-application-attack; sid:2101817; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization\|3A\| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2386; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT NTLM ASN.1 vulnerability scan attempt"; flow:to_server,established; content:"Authorization\|3A\| Negotiate YIQAAABiBoMAAAYrBgEFBQKgggBTMIFQoA4wDAYKKwYBBAGCNwICCqM"; http_header; reference:bugtraq,9633; reference:bugtraq,9635; reference:cve,2003-0818; reference:nessus,12052; reference:nessus,12055; reference:nessus,12065; reference:url,www.microsoft.com/technet/security/bulletin/MS04-007.mspx; classtype:attempted-dos; sid:2102386; rev:11;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:988; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER SAM Attempt"; flow:to_server,established; content:"sam._"; http_uri; nocase; reference:url,www.ciac.org/ciac/bulletins/h-45.shtml; classtype:web-application-attack; sid:2100988; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT WEBDAV exploit attempt"; flow:to_server,established; content:"HTTP/1.1\|0A\|Content-type\|3A\| text/xml\|0A\|HOST\|3A\|"; fast_pattern:32,4; content:"Accept\|3A\| /\|0A\|Translate\|3A\| f\|0A\|Content-length\|3A\|5276\|0A 0A\|"; distance:1; reference:bugtraq,7116; reference:bugtraq,7716; reference:cve,2003-0109; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102090; rev:12;) @@ -40160,13 +40169,13 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER WEBDAV nessus safe scan attempt"; flow:to_server,established; content:"SEARCH"; http_method; content:"/"; http_uri; urilen:1; content:" HTTP/1.1\|0D 0A\|Host\|3A\|"; content:"\|0D 0A 0D 0A\|"; within:255; reference:bugtraq,7116; reference:cve,2003-0109; reference:nessus,11412; reference:nessus,11413; reference:url,www.microsoft.com/technet/security/bulletin/ms03-007.mspx; classtype:attempted-admin; sid:2102091; rev:10;) # -##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:1002; rev:8;) +##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED cmd.exe access"; flow:to_server,established; content:"cmd.exe"; nocase; http_uri; classtype:web-application-attack; sid:2101002; rev:9;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd32.exe access"; flow:to_server,established; content:"cmd32.exe"; nocase; classtype:web-application-attack; sid:2101661; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:1003; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT cmd? access"; flow:to_server,established; content:".cmd?&"; nocase; http_uri; classtype:web-application-attack; sid:2101003; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE del attempt"; flow:to_server,established; content:"&del+/s+c\|3A 5C\|."; fast_pattern:only; nocase; classtype:web-application-attack; sid:2101008; rev:9;) @@ -40175,19 +40184,19 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL ATTACK_RESPONSE directory listing"; flow:to_server,established; content:"/ServerVariables_Jscript.asp"; http_uri; nocase; reference:nessus,10573; classtype:web-application-attack; sid:2101009; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:1013; rev:10;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT fpcount access"; flow:to_server,established; content:"/fpcount.exe"; nocase; http_uri; reference:bugtraq,2252; reference:cve,1999-1376; classtype:web-application-activity; sid:2101013; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; content:"/global.asa"; http_uri; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:1016; rev:13;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.asa access"; flow:to_server,established; content:"/global.asa"; http_uri; nocase; reference:cve,2000-0778; reference:nessus,10491; reference:nessus,10991; classtype:web-application-activity; sid:2101016; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:993; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER iisadmin access"; flow:to_server,established; content:"/iisadmin"; nocase; http_uri; reference:bugtraq,189; reference:cve,1999-1538; reference:nessus,11032; classtype:web-application-attack; sid:2100993; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:1018; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iisadmpwd attempt"; flow:to_server,established; content:"/iisadmpwd/aexp"; nocase; http_uri; reference:bugtraq,2110; reference:cve,1999-0407; classtype:web-application-attack; sid:2101018; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:1402; rev:7;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT iissamples access"; flow:to_server,established; content:"/iissamples/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-attack; sid:2101402; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msadcs.dll access"; flow:to_server,established; content:"/msadcs.dll"; http_uri; nocase; reference:bugtraq,529; reference:cve,1999-1011; reference:nessus,10357; classtype:web-application-activity; sid:2101023; rev:13;) @@ -40196,25 +40205,25 @@ #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER msdac access"; flow:to_server,established; content:"/msdac/"; nocase; http_uri; reference:nessus,11032; classtype:web-application-activity; sid:2101285; rev:9;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:1046; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT site/iisamples access"; flow:to_server,established; content:"/site/iisamples"; nocase; http_uri; reference:nessus,10370; classtype:web-application-activity; sid:2101046; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER unicode directory traversal attempt"; flow:to_server,established; content:"/..%255c.."; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2101945; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:981; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c0%af../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100981; rev:14;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:982; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%1c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100982; rev:12;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; nocase; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:983; rev:11;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT unicode directory traversal attempt"; flow:to_server,established; content:"/..%c1%9c../"; reference:bugtraq,1806; reference:cve,2000-0884; reference:nessus,10537; classtype:web-application-attack; sid:2100983; rev:15;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htaccess access"; flow:to_server,established; content:".htaccess"; nocase; http_uri; classtype:attempted-recon; sid:2101129; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:1071; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER .htpasswd access"; flow:to_server,established; content:".htpasswd"; nocase; classtype:web-application-attack; sid:2101071; rev:7;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /etc/passwd"; flow:to_server,established; content:"/etc/passwd"; fast_pattern:only; nocase; classtype:attempted-recon; sid:2101122; rev:8;) @@ -40223,7 +40232,7 @@ #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~ftp access"; flow:to_server,established; content:"/~ftp"; http_uri; nocase; classtype:attempted-recon; sid:2101662; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~nobody access"; flow:to_server,established; content:"/~nobody"; http_uri; reference:nessus,10484; classtype:web-application-attack; sid:2101489; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER /~root access"; flow:to_server,established; content:"/~root"; http_uri; nocase; classtype:attempted-recon; sid:2101145; rev:9;) @@ -40238,7 +40247,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Oracle Java Process Manager access"; flow:to_server,established; content:"/oprocmgr-status"; http_uri; reference:nessus,10851; classtype:web-application-activity; sid:2101874; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"\|0A\|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2703; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SQL Oracle iSQLPlus login.uix username overflow attempt"; flow:to_server,established; content:"/login.uix"; fast_pattern:only; http_uri; nocase; content:"username="; nocase; isdataat:250,relative; content:!"\|0A\|"; within:250; pcre:"/username=[^&\x3b\r\n]{250}/smi"; reference:bugtraq,10871; reference:url,www.nextgenss.com/advisories/ora-isqlplus.txt; classtype:web-application-attack; sid:2102703; rev:4;) # ##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED Samba SWAT Authorization overflow attempt"; flow:to_server,established; content:"Authorization\|3A\| Basic"; nocase; http_header; pcre:"/^Authorization\x3a Basic\s+=/smi"; reference:bugtraq,10780; classtype:web-application-attack; sid:2102597; rev:5;) @@ -40247,7 +40256,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat directory traversal attempt"; flow:to_server,established; content:"\|00\|.jsp"; http_uri; reference:bugtraq,2518; classtype:web-application-attack; sid:2101055; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:1111; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT Tomcat server exploit access"; flow:to_server,established; content:"/contextAdmin/contextAdmin.html"; nocase; http_uri; reference:bugtraq,1548; reference:cve,2000-0672; reference:nessus,10477; classtype:attempted-recon; sid:2101111; rev:12;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER Tomcat server snoop access"; flow:to_server,established; content:"/jsp/snp/"; http_uri; content:".snp"; http_uri; reference:bugtraq,1532; reference:cve,2000-0760; classtype:attempted-recon; sid:2101108; rev:12;) @@ -40271,28 +40280,28 @@ #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT apache chunked encoding memory corruption exploit attempt"; flow:established,to_server; content:"\|C0\|PR\|89 E1\|PQRP\|B8 3B 00 00 00 CD 80\|"; reference:bugtraq,5033; reference:cve,2002-0392; classtype:web-application-activity; sid:2101808; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:1156; rev:10;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache directory disclosure attempt"; flow:to_server,established; content:"////////"; depth:200; reference:bugtraq,2503; classtype:attempted-dos; sid:2101156; rev:11;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; uricontent:"/site/eg/source.asp"; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:1110; rev:9;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER apache source.asp file access"; flow:to_server,established; content:"/site/eg/source.asp"; http_uri; nocase; reference:bugtraq,1457; reference:cve,2000-0628; reference:nessus,10480; classtype:attempted-recon; sid:2101110; rev:11;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop scan"; flow:to_server,established; uricontent:"/cybercop"; nocase; reference:arachnids,374; classtype:web-application-activity; sid:1099; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN cybercop scan"; flow:to_server,established; content:"/cybercop"; http_uri; nocase; reference:arachnids,374; classtype:web-application-activity; sid:2101099; rev:8;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER global.inc access"; flow:to_server,established; content:"/global.inc"; http_uri; nocase; reference:bugtraq,4612; reference:cve,2002-0614; classtype:web-application-attack; sid:2101738; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:1118; rev:5;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER ls%20-l"; flow:to_server,established; content:"ls%20-l"; nocase; classtype:attempted-recon; sid:2101118; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; uricontent:"/nessus_is_probing_you_"; depth:32; reference:arachnids,301; classtype:web-application-attack; sid:1102; rev:8;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 1.X 404 probe"; flow:to_server,established; content:"/nessus_is_probing_you_"; http_uri; reference:arachnids,301; classtype:web-application-attack; sid:2101102; rev:10;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN nessus 2.x 404 probe"; flow:to_server,established; content:"/NessusTest"; http_uri; nocase; reference:nessus,10386; classtype:attempted-recon; sid:2102585; rev:2;) # -#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:1193; rev:11;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS oracle web arbitrary command execution attempt"; flow:to_server,established; content:"/ows-bin/"; nocase; http_uri; content:"?&"; http_uri; reference:bugtraq,1053; reference:cve,2000-0169; reference:nessus,10348; classtype:web-application-attack; sid:2101193; rev:12;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robot.txt access"; flow:to_server,established; content:"/robot.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101857; rev:5;) @@ -40301,28 +40310,31 @@ #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER robots.txt access"; flow:to_server,established; content:"/robots.txt"; http_uri; nocase; reference:nessus,10302; classtype:web-application-activity; sid:2101852; rev:5;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; uricontent:"/viewcode"; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:1403; rev:9;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER viewcode access"; flow:to_server,established; content:"/viewcode"; http_uri; reference:cve,1999-0737; reference:nessus,10576; reference:nessus,12048; classtype:web-application-attack; sid:2101403; rev:11;) # #alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SERVER webalizer access"; flow:established,to_server; content:"/webalizer/"; nocase; http_uri; reference:bugtraq,3473; reference:cve,2001-0835; reference:nessus,10816; classtype:web-application-activity; sid:2101847; rev:11;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1139; rev:7;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL SCAN whisker HEAD/./"; flow:to_server,established; content:"HEAD/./"; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:2101139; rev:8;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:1060; rev:6;) +##alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_availablemedia attempt"; flow:to_server,established; content:"xp_availablemedia"; nocase; classtype:web-application-attack; sid:2101060; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:1061; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_cmdshell attempt"; flow:to_server,established; content:"xp_cmdshell"; nocase; classtype:web-application-attack; sid:2101061; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:1058; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_enumdsn attempt"; flow:to_server,established; content:"xp_enumdsn"; nocase; classtype:web-application-attack; sid:2101058; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:1059; rev:6;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_filelist attempt"; flow:to_server,established; content:"xp_filelist"; nocase; classtype:web-application-attack; sid:2101059; rev:7;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL EXPLOIT xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:1069; rev:6;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL DELETED xp_regread attempt"; flow:to_server,established; content:"xp_regread"; nocase; classtype:web-application-activity; sid:2101069; rev:7;) + +# +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg:"GPL DELETED TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"\|01\|"; depth:1; offset:2; content:"\|03 01\|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; classtype:protocol-command-decode; sid:2103059; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 8080 (msg:"GPL EXPLOIT WEB-MISC JBoss JMXInvokerServlet access"; flow:to_server,established; content:"/invoker/JMXInvokerServlet"; http_uri; reference:url,online.securityfocus.com/archive/1/415707; classtype:misc-activity; sid:100000184; rev:2;) @@ -40346,1015 +40358,1015 @@ #alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP MAIL FROM overflow attempt"; flow:to_server,established; content:"MAIL FROM"; nocase; isdataat:260; content:!"\|0A\|"; within:256; reference:bugtraq,10290; reference:bugtraq,7506; reference:cve,2004-0399; reference:url,www.guninski.com/exim1.html; classtype:attempted-admin; sid:2102590; rev:5;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to\|3A\|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:654; rev:14;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to\|3A\|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; classtype:attempted-admin; sid:2100654; rev:15;) # -#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop\|0A\|quit\|0A\|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:6;) +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop\|0A\|quit\|0A\|"; reference:arachnids,372; classtype:protocol-command-decode; sid:2100631; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn @"; flow:to_server,established; content:"expn"; nocase; content:"@"; pcre:"/^expn\s+\@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:5;) +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn @"; flow:to_server,established; content:"expn"; nocase; content:"@"; pcre:"/^expn\s+\@/smi"; reference:cve,1999-1200; classtype:misc-attack; sid:2101450; rev:6;) # -#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:5;) +#alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:2100632; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:2100659; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:12;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; fast_pattern; distance:0; nocase; pcre:"/^expn\s+root/smi"; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:2100660; rev:13;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:9;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:2100672; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:1446; rev:6;) +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"GPL SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; classtype:attempted-recon; sid:2101446; rev:7;) # #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL EXECUTE_SYSTEM attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; fast_pattern:only; nocase; classtype:system-call-detect; sid:2101673; rev:5;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; fast_pattern:only; nocase; pcre:"/TO_CHAR\s\(\sSYSTIMESTAMP\s,\s(\x27[^\x27]{256}\|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2699; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL TO_CHAR buffer overflow attempt"; flow:to_server,established; content:"TO_CHAR"; nocase; pcre:"/TO_CHAR\s\(\sSYSTIMESTAMP\s,\s(\x27[^\x27]{256}\|\x22[^\x22]{256})/smi"; classtype:attempted-user; sid:2102699; rev:2;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; fast_pattern:only; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))\|((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000,})\|(\x22[^\x22 ]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2600; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL add_grouped_column ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))\|((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000})\|(\x22[^\x22 ]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102600; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; fast_pattern:only; nocase; pcre:"/ALTER\s.?FILE\s+((AS\|MEMBER\|TO)\s+)?(\x27[^\x27]{512}\|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2697; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter file buffer overflow attempt"; flow:to_server,established; content:"alter"; nocase; fast_pattern:only; pcre:"/ALTER\s.?FILE\s+((AS\|MEMBER\|TO)\s+)?(\x27[^\x27]{512}\|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102697; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; fast_pattern:only; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2618; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL alter_mview_propagation ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102618; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; fast_pattern:only; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))\|((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2610; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL cancel_statistics ordered sname/oname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))\|((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102610; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; fast_pattern:only; nocase; pcre:"/\((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){2}\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2607; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL comment_on_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; pcre:"/\((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){2}\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102607; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL connect_data remote version detection attempt"; flow:to_server,established; content:"connect_data\|28\|command=version\|29\|"; fast_pattern:only; nocase; classtype:protocol-command-decode; sid:2101674; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.?FILE\s+((AS\|MEMBER\|TO)\s+)?(\x27[^\x27]{512}\|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2698; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create file buffer overflow attempt"; flow:to_server,established; content:"create"; nocase; content:"file "; nocase; isdataat:512; pcre:"/CREATE\s.?FILE\s+((AS\|MEMBER\|TO)\s+)?(\x27[^\x27]{512}\|\x22[^\x22]{512})/smi"; classtype:attempted-user; sid:2102698; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; fast_pattern:only; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){4}\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2604; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL create_mview_repgroup ordered fname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){4}\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102604; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.logfile[\r\n\s]=>[\r\n\s]\2\|logfile\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2678; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctx_output.start_log buffer overflow attempt"; flow:to_server,established; content:"ctx_output.start_log"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.logfile[\r\n\s]=>[\r\n\s]\2\|logfile\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102678; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.logfile[\r\n\s]=>[\r\n\s]\2\|logfile\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\d+\s,\s){3}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2680; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL ctxsys.driddlr.subindexpopulate buffer overflow attempt"; flow:to_server,established; content:"ctxsys.driddlr.subindexpopulate"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.logfile[\r\n\s]=>[\r\n\s]\2\|logfile\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\d+\s,\s){3}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102680; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2708; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102708; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2709; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102709; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2652; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102652; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2710; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102710; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; fast_pattern:only; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2711; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102711; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2712; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102712; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2713; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102713; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2714; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_og.resume_subset_of_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.resume_subset_of_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102714; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2715; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.begin_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.begin_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102715; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2635; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102635; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2716; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_offline_snapshot.end_load buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102716; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(missing_rows_oname1\|missing_rows_oname2)[\r\n\s]=>[\r\n\s]\2\|(missing_rows_oname1\|missing_rows_oname2)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){10}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2717; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.differences"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(missing_rows_oname1\|missing_rows_oname2)[\r\n\s]=>[\r\n\s]\2\|(missing_rows_oname1\|missing_rows_oname2)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){10}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102717; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(missing_rows_oname1\|missing_rows_oname2)[\r\n\s]=>[\r\n\s]\2\|(missing_rows_oname1\|missing_rows_oname2)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){8}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2718; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(missing_rows_oname1\|missing_rows_oname2)[\r\n\s]=>[\r\n\s]\2\|(missing_rows_oname1\|missing_rows_oname2)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){8}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102718; rev:2;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2719; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102719; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2720; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102720; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2721; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102721; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.oname[\r\n\s]=>[\r\n\s]\2\|oname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2674; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.oname[\r\n\s]=>[\r\n\s]\2\|oname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102674; rev:2;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_grouped_column"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.oname[\r\n\s]=>[\r\n\s]\2\|oname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102599; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2722; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102722; rev:2;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2723; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102723; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2724; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102724; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2725; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102725; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_number"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2726; rev:2;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2727; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102727; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2728; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102728; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2729; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102729; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2730; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102730; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2731; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102731; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2732; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102732; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2733; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102733; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2619; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102619; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2734; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102734; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2741; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102741; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2735; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102735; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2736; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102736; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2737; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102737; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2738; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102738; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2739; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102739; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2740; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102740; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2742; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102742; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2744; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102744; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2743; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102743; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2745; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102745; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2747; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102747; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.oname[\r\n\s]=>[\r\n\s]\2\|oname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2609; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.oname[\r\n\s]=>[\r\n\s]\2\|oname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102609; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2748; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102748; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2749; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102749; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gowner\|gname)[\r\n\s]=>[\r\n\s]\2\|(gowner\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2750; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_mview_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_mview_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gowner\|gname)[\r\n\s]=>[\r\n\s]\2\|(gowner\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102750; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2751; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102751; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2752; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102752; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2606; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102606; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2753; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_repsites buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_repsites"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102753; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2754; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102754; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2755; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102755; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2756; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102756; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.operation[\r\n\s]=>[\r\n\s]\2\|operation\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2605; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.operation[\r\n\s]=>[\r\n\s]\2\|operation\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102605; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2757; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102757; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2758; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102758; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.fname[\r\n\s]=>[\r\n\s]\2\|fname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2603; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.fname[\r\n\s]=>[\r\n\s]\2\|fname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck633.html; classtype:attempted-user; sid:2102603; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){7}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2850; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){7}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102850; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2759; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102759; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2851; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102851; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2760; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102760; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2761; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102761; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2762; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102762; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2763; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102763; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2765; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102765; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2764; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102764; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2766; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102766; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2767; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102767; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2768; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_grouped_column buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_grouped_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102768; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2601; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102601; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2637; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102637; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2639; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102639; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2769; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_mview_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102769; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2770; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102770; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2777; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102777; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2771; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102771; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2772; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102772; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2773; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102773; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2774; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102774; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2775; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102775; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2776; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102776; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2778; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102778; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2780; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102780; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2779; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102779; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2781; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102781; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2782; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102782; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2783; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102783; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2784; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102784; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2785; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.execute_ddl buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.execute_ddl"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102785; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2852; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_mview_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_mview_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102852; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; fast_pattern:only; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2786; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102786; rev:3;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_support"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.package_prefix[\r\n\s]=>[\r\n\s]\2\|package_prefix\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.procedure_prefix[\r\n\s]=>[\r\n\s]\2\|procedure_prefix\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck93.html; classtype:attempted-user; sid:2102576; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|gname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2853; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_replication_trigger buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_replication_trigger"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|gname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|gname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102853; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2854; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102854; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2788; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.make_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.make_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102788; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2789; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.obsolete_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102789; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2790; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.publish_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102790; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2791; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102791; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2792; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102792; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2793; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102793; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(true\|false)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2631; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(true\|false)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102631; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2794; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102794; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2795; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102795; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2796; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102796; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2797; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102797; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2798; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.register_statistics buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102798; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2799; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102799; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2855; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.remove_master_databases buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.remove_master_databases"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102855; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2800; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102800; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2627; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gowner[\r\n\s]=>[\r\n\s]\2\|gowner\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102627; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2801; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102801; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2804; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_and_compare_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_and_compare_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102804; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.operation[\r\n\s]=>[\r\n\s]\2\|operation\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2626; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.send_old_values buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.send_old_values"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.operation[\r\n\s]=>[\r\n\s]\2\|operation\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck91.html; classtype:attempted-user; sid:2102626; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2805; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_columns buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_columns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102805; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2806; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102806; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2807; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.specify_new_masters buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.specify_new_masters"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102807; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2808; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102808; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2856; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_mview_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_mview_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102856; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1073,}\x27\|\x22[^\x22]{1073,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1073,}\|\x22[^\x22]{1073,})\|\(\s(\x27[^\x27]{1073,}\|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2857; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1073,}\x27\|\x22[^\x22]{1073,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1073,}\|\x22[^\x22]{1073,})\|\(\s(\x27[^\x27]{1073,}\|\x22[^\x22]{1073,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102857; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2809; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_mview_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_mview_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102809; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2810; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102810; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2811; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102811; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2812; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102812; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2629; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.register_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102629; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2624; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_admin.unregister_user_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102624; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2746; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102746; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2641; rev:3;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102641; rev:5;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2645; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102645; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2647; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102647; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2787; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_instantiate.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_instantiate.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102787; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(object_type\|user_name)[\r\n\s]=>[\r\n\s]\2\|(object_type\|user_name)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2802; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.check_ddl_text"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(object_type\|user_name)[\r\n\s]=>[\r\n\s]\2\|(object_type\|user_name)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102802; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2676; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102676; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(refresh_template_name\|user_name)[\r\n\s]=>[\r\n\s]\2\|(refresh_template_name\|user_name)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2803; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.drop_site_instantiation buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.drop_site_instantiation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(refresh_template_name\|user_name)[\r\n\s]=>[\r\n\s]\2\|(refresh_template_name\|user_name)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102803; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2675; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_offline buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_offline"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.privilege_type[\r\n\s]=>[\r\n\s]\2\|privilege_type\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102675; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2677; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_rgt.instantiate_online buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_rgt.instantiate_online"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.refresh_template_name[\r\n\s]=>[\r\n\s]\2\|refresh_template_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102677; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2623; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102623; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2621; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_sna_utl.register_flavor_change buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_sna_utl.register_flavor_change"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102621; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2622; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102622; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2602; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repgroup ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repgroup"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck87.html; classtype:attempted-user; sid:2102602; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){2}\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2638; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_master_repobject ordered type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_master_repobject"; nocase; pcre:"/\((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,){2}\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rsmi"; reference:url,www.appsecinc.com/Policy/PolicyCheck634.html; classtype:attempted-user; sid:2102638; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2640; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_mview_repgroup ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.drop_mview_repgroup"; nocase; pcre:"/\(\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102640; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2642; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL drop_site_instantiate ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"drop_site_instantiation"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck629.html; classtype:attempted-user; sid:2102642; rev:3;) # #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL execute_system attempt"; flow:to_server,established; content:"EXECUTE_SYSTEM"; nocase; classtype:protocol-command-decode; sid:2101698; rev:5;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\sTIMESTAMP\s(\s(\x27[^\x27]+'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2644; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL from_tz buffer overflow attempt"; flow:to_server,established; content:"FROM_TZ"; nocase; pcre:"/\(\sTIMESTAMP\s(\s(\x27[^\x27]+'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.nextgenss.com/advisories/ora_from_tz.txt; classtype:attempted-user; sid:2102644; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2616; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL grant_surrogate_repcat ordered userid buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102616; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2646; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_offline ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_offline"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck630.html; classtype:attempted-user; sid:2102646; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2648; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL instantiate_online ordered refresh_template_name buffer overflow attempt"; flow:to_server,established; content:"instantiate_online"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck631.html; classtype:attempted-user; sid:2102648; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{512,}\x27\|\x22[^\x22]{512,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,})\|\(\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2683; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.sdo_code_size"; nocase; isdataat:512,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{512,}\x27\|\x22[^\x22]{512,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,})\|\(\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102683; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{128,}\x27\|\x22[^\x22]{128,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{128,}\|\x22[^\x22]{128,})\|\(\s(\x27[^\x27]{128,}\|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2682; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.md2.validate_geom buffer overflow attempt"; flow:to_server,established; content:"mdsys.md2.validate_geom"; nocase; isdataat:500,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{128,}\x27\|\x22[^\x22]{128,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{128,}\|\x22[^\x22]{128,})\|\(\s(\x27[^\x27]{128,}\|\x22[^\x22]{128,}))/si"; classtype:attempted-user; sid:2102682; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2681; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL mdsys.sdo_admin.sdo_code_size buffer overflow attempt"; flow:to_server,established; content:"mdsys.sdo_admin.sdo_code_size"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.layer[\r\n\s]=>[\r\n\s]\2\|layer\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102681; rev:3;) # #alert tcp $SQL_SERVERS $ORACLE_PORTS -> $EXTERNAL_NET any (msg:"GPL SQL Oracle misparsed login response"; flow:to_server,established; content:"description=\|28\|"; nocase; content:!"connect_data=\|28\|sid="; nocase; content:!"address=\|28\|protocol=tcp"; nocase; classtype:suspicious-login; sid:2101675; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s\(\s\d+\s,\s(\x27[^\x27]{32}\|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2700; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL numtoyminterval buffer overflow attempt"; flow:to_server,established; content:"numtoyminterval"; nocase; pcre:"/numtoyminterval\s\(\s\d+\s,\s(\x27[^\x27]{32}\|\x22[^\x22]{32})/smi"; classtype:attempted-user; sid:2102700; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2653; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL og.begin_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_og.begin_load"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102653; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2634; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL rectifier_diff ordered sname1 buffer overflow attempt"; flow:to_server,established; content:"dbms_rectifier_diff"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102634; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,(\s(true\|false)\s,\s){3}((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2632; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL refresh_mview_repgroup ordered gowner buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.refresh_mview_repgroup"; nocase; pcre:"/\(\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,(\s(true\|false)\s,\s){3}((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102632; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2630; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL register_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.register_user_repgroup"; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102630; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))\|\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2628; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL repcat_import_check ordered gowner/gname buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat.repcat_import_check"; nocase; pcre:"/\((\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))\|\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,\s(true\|false)\s,\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck90.html; classtype:attempted-user; sid:2102628; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"\|28\|service_name="; nocase; isdataat:1000,relative; content:!"\|22\|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2649; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL service_name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"\|28\|service_name="; nocase; isdataat:1000,relative; content:!"\|22\|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck52.html; classtype:attempted-user; sid:2102649; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2636; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL snapshot.end_load ordered gname buffer overflow attempt"; flow:to_server,established; content:"dbms_offline_snapshot.end_load"; nocase; pcre:"/\(\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000}))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102636; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.qt_name[\r\n\s]=>[\r\n\s]\2\|qt_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2695; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aq_import_internal.aq_table_defn_update buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aq_import_internal.aq_table_defn_update"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.qt_name[\r\n\s]=>[\r\n\s]\2\|qt_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102695; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2694; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_get_nrp buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_get_nrp"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102694; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2693; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm.verify_queue_types_no_queue buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm.verify_queue_types_no_queue"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102693; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2692; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_aqadm_sys.verify_queue_types buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_aqadm_sys.verify_queue_types"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.src_queue_name[\r\n\s]=>[\r\n\s]\2\|src_queue_name\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102692; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.destination[\r\n\s]=>[\r\n\s]\2\|destination\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2691; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_internal_sys.parallel_push_recovery buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_internal_sys.parallel_push_recovery"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.destination[\r\n\s]=>[\r\n\s]\2\|destination\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102691; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.dblink[\r\n\s]=>[\r\n\s]\2\|dblink\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2690; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_defer_repcat.enable_propagation_to_dblink buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_defer_repcat.enable_propagation_to_dblink"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.dblink[\r\n\s]=>[\r\n\s]\2\|dblink\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102690; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2689; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.disable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.disable_receiver_trace"; nocase; isdataat:1024; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102689; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2688; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.enable_receiver_trace buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.enable_receiver_trace"; nocase; isdataat:1024,relative; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102688; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2687; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_internal_repcat.validate buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_internal_repcat.validate"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102687; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.missing_rows_oname1[\r\n\s]=>[\r\n\s]\2\|missing_rows_oname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname1[\r\n\s]=>[\r\n\s]\2\|sname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2686; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.differences buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.differences"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.missing_rows_oname1[\r\n\s]=>[\r\n\s]\2\|missing_rows_oname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname1[\r\n\s]=>[\r\n\s]\2\|sname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){9}(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102686; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.missing_rows_oname1[\r\n\s]=>[\r\n\s]\2\|missing_rows_oname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname1[\r\n\s]=>[\r\n\s]\2\|sname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2633; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_rectifier_diff.rectify buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_rectifier_diff.rectify"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.missing_rows_oname1[\r\n\s]=>[\r\n\s]\2\|missing_rows_oname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|(\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.sname1[\r\n\s]=>[\r\n\s]\2\|sname1\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102633; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2617; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat.alter_mview_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat.alter_mview_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck632.html; classtype:attempted-user; sid:2102617; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2615; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.grant_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.grant_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102615; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2612; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_auth.revoke_surrogate_repcat buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_auth.revoke_surrogate_repcat"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.userid[\r\n\s]=>[\r\n\s]\2\|userid\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102612; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2858; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102858; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2859; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102859; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2860; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102860; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2861; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102861; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2862; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102862; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2863; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102863; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2864; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102864; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2865; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102865; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2866; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102866; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2867; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102867; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2868; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.add_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.add_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102868; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2875; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102875; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2869; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102869; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2870; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102870; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2871; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102871; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2872; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102872; rev:3;) # #alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2873; rev:1;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2874; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102874; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2876; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102876; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2878; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102878; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2877; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.alter_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.alter_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102877; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2879; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.cancel_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.cancel_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102879; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2880; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102880; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2881; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102881; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2882; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102882; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2883; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102883; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2884; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.comment_on_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.comment_on_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102884; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2885; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_priority_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_priority_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102885; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2886; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.define_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.define_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102886; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2887; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_delete_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_delete_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102887; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2894; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102894; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2888; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_char buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_char"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102888; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2889; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_date buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_date"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102889; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2890; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nchar buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nchar"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102890; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2891; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_number buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_number"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102891; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2892; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_nvarchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_nvarchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102892; rev:5;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2893; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_raw buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_raw"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102893; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2895; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_priority_varchar2 buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_priority_varchar2"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102895; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2897; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102897; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2896; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_site_priority_site buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_site_priority_site"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102896; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2898; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_unique_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_unique_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102898; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2899; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.drop_update_resolution buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.drop_update_resolution"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102899; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2900; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.purge_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.purge_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102900; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2901; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_conf.register_statistics buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_conf.register_statistics"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102901; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2813; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.abort_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.abort_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102813; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2814; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.add_object_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.add_object_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102814; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2815; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.begin_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.begin_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102815; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2816; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.drop_object_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.drop_object_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102816; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; pcre:"/\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2643; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.ensure_not_published buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.ensure_not_published"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck96.html; classtype:attempted-user; sid:2102643; rev:4;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; pcre:"/(\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2824; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.set_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102824; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2825; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102825; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; pcre:"/(\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2826; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/(\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102826; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2817; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_column_group_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_column_group_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102817; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2818; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.add_columns_to_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.add_columns_to_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102818; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2819; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_column_group_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_column_group_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102819; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2820; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.drop_columns_from_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.drop_columns_from_flavor"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102820; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2821; rev:2;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.obsolete_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.obsolete_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102821; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2822; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.publish_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.publish_flavor_definition"; nocase; isdataat:1075,relative; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102822; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2823; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_fla_mas.purge_flavor_definition buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_fla_mas.purge_flavor_definition"; nocase; fast_pattern:only; pcre:"/\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102823; rev:2;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2827; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.alter_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.alter_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102827; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2828; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102828; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2829; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.comment_on_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.comment_on_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102829; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2830; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102830; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2831; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.create_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.create_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102831; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2832; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.do_deferred_repcat_admin buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.do_deferred_repcat_admin"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102832; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2833; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.drop_master_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.drop_master_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102833; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2834; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.generate_replication_package buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.generate_replication_package"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102834; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2835; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.purge_master_log buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.purge_master_log"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102835; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2836; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.relocate_masterdef buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.relocate_masterdef"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102836; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2837; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.rename_shadow_column_group buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.rename_shadow_column_group"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102837; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2838; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.resume_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.resume_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102838; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2839; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_mas.suspend_master_activity buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_mas.suspend_master_activity"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102839; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.SCHEMA_NAME[\r\n\s]=>[\r\n\s]\2\|SCHEMA_NAME\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2685; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_rq.add_column buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_rq.add_column"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.SCHEMA_NAME[\r\n\s]=>[\r\n\s]\2\|SCHEMA_NAME\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102685; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2902; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102902; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2903; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102903; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){7}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2904; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type\|gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type\|gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){7}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102904; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2905; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.create_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.create_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102905; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2906; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102906; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2907; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102907; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2908; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.drop_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.drop_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102908; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2909; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.generate_snapshot_support buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.generate_snapshot_support"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102909; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2910; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102910; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2911; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.refresh_snapshot_repschema buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.refresh_snapshot_repschema"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.sname[\r\n\s]=>[\r\n\s]\2\|sname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102911; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2912; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102912; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2913; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102913; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2914; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.set_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.set_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102914; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2915; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102915; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2916; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102916; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2918; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna.validate_for_local_flavor buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna.validate_for_local_flavor"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102918; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2840; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.alter_snapshot_propagation buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.alter_snapshot_propagation"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){3}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102840; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2841; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.create_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.create_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|fname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|fname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){5}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102841; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2842; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102842; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2843; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.drop_snapshot_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.drop_snapshot_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(sname\|oname\|type)[\r\n\s]=>[\r\n\s]\2\|(sname\|oname\|type)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102843; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2844; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.refresh_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102844; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2845; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){4}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102845; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2846; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.repcat_import_check buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.repcat_import_check"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102846; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2917; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.switch_snapshot_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.switch_snapshot_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102917; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2847; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_sna_utl.unregister_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.(gname\|gowner)[\r\n\s]=>[\r\n\s]\2\|(gname\|gowner)\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102847; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2919; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_untrusted.register_snapshot_repgroup buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_untrusted.register_snapshot_repgroup"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.gname[\r\n\s]=>[\r\n\s]\2\|gname\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102919; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; pcre:"/(\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2849; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.drop_an_object buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.drop_an_object"; nocase; fast_pattern:only; pcre:"/(\(\s(\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102849; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.CANON_GNAME[\r\n\s]=>[\r\n\s]\2\|CANON_GNAME\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2696; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl.is_master buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl.is_master"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.CANON_GNAME[\r\n\s]=>[\r\n\s]\2\|CANON_GNAME\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102696; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2848; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_repcat_utl4.drop_master_repobject buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_repcat_utl4.drop_master_repobject"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1075,}\x27\|\x22[^\x22]{1075,}\x22)[\r\n\s]\x3b.type[\r\n\s]=>[\r\n\s]\2\|type\s=>\s(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,})\|\(\s((\x27[^\x27]\x27\|\x22[^\x22]+\x22)\s,\s){2}(\x27[^\x27]{1075,}\|\x22[^\x22]{1075,}))/si"; reference:url,www.appsecinc.com/resources/alerts/oracle/2004-0001/25.html; classtype:attempted-user; sid:2102848; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.tst[\r\n\s]=>[\r\n\s]\2\|tst\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s\d+\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2679; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.dbms_system.ksdwrt buffer overflow attempt"; flow:to_server,established; content:"sys.dbms_system.ksdwrt"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{1024,}\x27\|\x22[^\x22]{1024,}\x22)[\r\n\s]\x3b.tst[\r\n\s]=>[\r\n\s]\2\|tst\s=>\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})\|\(\s\d+\s,\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,}))/si"; classtype:attempted-user; sid:2102679; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{512,}\x27\|\x22[^\x22]{512,}\x22)[\r\n\s]\x3b.repgrpname[\r\n\s]=>[\r\n\s]\2\|repgrpname\s=>\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,})\|\(\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2684; rev:1;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sys.ltutil.pushdeferredtxns buffer overflow attempt"; flow:to_server,established; content:"sys.ltutil.pushdeferredtxns"; nocase; fast_pattern:only; pcre:"/((\w+)[\r\n\s]\x3a=[\r\n\s](\x27[^\x27]{512,}\x27\|\x22[^\x22]{512,}\x22)[\r\n\s]\x3b.repgrpname[\r\n\s]=>[\r\n\s]\2\|repgrpname\s=>\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,})\|\(\s(\x27[^\x27]{512,}\|\x22[^\x22]{512,}))/si"; classtype:attempted-user; sid:2102684; rev:3;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2608; rev:3;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL sysdbms_repcat_rgt.check_ddl_text buffer overflow attempt"; flow:to_server,established; content:"sysdbms_repcat_rgt.check_ddl_text"; nocase; isdataat:1024,relative; pcre:"/\(\s(\x27[^\x27]{1024,}\|\x22[^\x22]{1024,})/si"; reference:url,www.appsecinc.com/Policy/PolicyCheck97.html; classtype:attempted-user; sid:2102608; rev:4;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s=\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2614; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL time_zone buffer overflow attempt"; flow:to_server,established; content:"TIME_ZONE"; nocase; isdataat:1000,relative; pcre:"/TIME_ZONE\s=\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,}))/msi"; reference:bugtraq,9587; reference:url,www.nextgenss.com/advisories/ora_time_zone.txt; classtype:attempted-user; sid:2102614; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000,})\|(\x22[^\x22]{1000,})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2625; rev:1;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL unregister_user_repgroup ordered privilege_type buffer overflow attempt"; flow:to_server,established; content:"dbms_repcat_admin.unregister_user_repgroup"; nocase; pcre:"/\(((\s(\x27[^\x27]'\|\x22[^\x22]+\x22)\s,)\s((\x27[^\x27]{1000})\|(\x22[^\x22]{1000})))/Rmsi"; reference:url,www.appsecinc.com/Policy/PolicyCheck94.html; classtype:attempted-user; sid:2102625; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"\|28\|user="; nocase; isdataat:1000,relative; content:!"\|22\|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2650; rev:2;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"GPL SQL user name buffer overflow attempt"; flow:to_server,established; content:"connect_data"; nocase; content:"\|28\|user="; nocase; isdataat:1000,relative; content:!"\|22\|"; within:1000; reference:url,www.appsecinc.com/Policy/PolicyCheck62.html; classtype:attempted-user; sid:2102650; rev:3;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 \|D0 00 92 01 C2 00\|R\|00\|U\|00\|9 \|EC 00\|"; classtype:shellcode-detect; sid:692; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"9 \|D0 00 92 01 C2 00\|R\|00\|U\|00\|9 \|EC 00\|"; classtype:shellcode-detect; sid:2100692; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H\|00\|%\|00\|x\|00\|w\|00 90 00 90 00 90 00 90 00 90 00\|3\|00 C0 00\|P\|00\|h\|00\|.\|00\|"; classtype:attempted-user; sid:694; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL shellcode attempt"; flow:to_server,established; content:"H\|00\|%\|00\|x\|00\|w\|00 90 00 90 00 90 00 90 00 90 00\|3\|00 C0 00\|P\|00\|h\|00\|.\|00\|"; classtype:attempted-user; sid:2100694; rev:7;) # -#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|a\|00\|d\|00\|d\|00\|u\|00\|s\|00\|e\|00\|r\|00\|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:679; rev:6;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_adduser database user creation"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|a\|00\|d\|00\|d\|00\|u\|00\|s\|00\|e\|00\|r\|00\|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100679; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|d\|00\|e\|00\|l\|00\|e\|00\|t\|00\|e\|00\|_\|00\|a\|00\|l\|00\|e\|00\|"; nocase; classtype:attempted-user; sid:678; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|d\|00\|e\|00\|l\|00\|e\|00\|t\|00\|e\|00\|_\|00\|a\|00\|l\|00\|e\|00\|"; nocase; classtype:attempted-user; sid:2100678; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|p\|00\|a\|00\|s\|00\|s\|00\|w\|00\|o\|00\|r\|00\|d\|00\|"; nocase; classtype:attempted-user; sid:677; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL sp_password password change"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|p\|00\|a\|00\|s\|00\|s\|00\|w\|00\|o\|00\|r\|00\|d\|00\|"; nocase; classtype:attempted-user; sid:2100677; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|s\|00\|t\|00\|a\|00\|r\|00\|t\|00\|_\|00\|j\|00\|o\|00\|b\|00\|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:676; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT sp_start_job - program execution"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|s\|00\|t\|00\|a\|00\|r\|00\|t\|00\|_\|00\|j\|00\|o\|00\|b\|00\|"; depth:32; offset:32; nocase; classtype:attempted-user; sid:2100676; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|c\|00\|m\|00\|d\|00\|s\|00\|h\|00\|e\|00\|l\|00\|l\|00\|"; offset:32; nocase; classtype:attempted-user; sid:681; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_cmdshell program execution"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|c\|00\|m\|00\|d\|00\|s\|00\|h\|00\|e\|00\|l\|00\|l\|00\|"; offset:32; nocase; classtype:attempted-user; sid:2100681; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|d\|00\|i\|00\|s\|00\|p\|00\|l\|00\|a\|00\|y\|00\|p\|00\|a\|00\|r\|00\|a\|00\|m\|00\|s\|00\|t\|00\|m\|00\|t\|00\|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:702; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|d\|00\|i\|00\|s\|00\|p\|00\|l\|00\|a\|00\|y\|00\|p\|00\|a\|00\|r\|00\|a\|00\|m\|00\|s\|00\|t\|00\|m\|00\|t\|00\|"; offset:32; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100702; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|e\|00\|n\|00\|u\|00\|m\|00\|r\|00\|e\|00\|s\|00\|u\|00\|l\|00\|t\|00\|s\|00\|e\|00\|t\|00\|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:708; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|e\|00\|n\|00\|u\|00\|m\|00\|r\|00\|e\|00\|s\|00\|u\|00\|l\|00\|t\|00\|s\|00\|e\|00\|t\|00\|"; offset:32; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100708; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|e\|00\|e\|00\|k\|00\|q\|00\|u\|00\|e\|00\|u\|00\|e\|00\|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:697; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|e\|00\|e\|00\|k\|00\|q\|00\|u\|00\|e\|00\|u\|00\|e\|00\|"; offset:32; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100697; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|s\|00\|t\|00\|a\|00\|t\|00\|e\|00\|m\|00\|e\|00\|n\|00\|t\|00\|s\|00\|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:690; rev:9;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|s\|00\|t\|00\|a\|00\|t\|00\|e\|00\|m\|00\|e\|00\|n\|00\|t\|00\|s\|00\|"; offset:32; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100690; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|o\|00\|x\|00\|i\|00\|e\|00\|d\|00\|m\|00\|e\|00\|t\|00\|a\|00\|d\|00\|a\|00\|t\|00\|a\|00\|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:698; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|o\|00\|x\|00\|i\|00\|e\|00\|d\|00\|m\|00\|e\|00\|t\|00\|a\|00\|d\|00\|a\|00\|t\|00\|a\|00\|"; offset:32; nocase; reference:bugtraq,2042; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100698; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|r\|00\|e\|00\|g\|00\|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:689; rev:11;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL NETBIOS xp_reg* registry access"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|r\|00\|e\|00\|g\|00\|"; depth:32; offset:32; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100689; rev:12;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|e\|00\|t\|00\|s\|00\|q\|00\|l\|00\|s\|00\|e\|00\|c\|00\|u\|00\|r\|00\|i\|00\|t\|00\|y\|00\|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:703; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|e\|00\|t\|00\|s\|00\|q\|00\|l\|00\|s\|00\|e\|00\|c\|00\|u\|00\|r\|00\|i\|00\|t\|00\|y\|00\|"; offset:32; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100703; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|h\|00\|o\|00\|w\|00\|c\|00\|o\|00\|l\|00\|v\|00\|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:696; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|h\|00\|o\|00\|w\|00\|c\|00\|o\|00\|l\|00\|v\|00\|"; offset:32; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100696; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|f\|00\|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:695; rev:9;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL EXPLOIT xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|f\|00\|"; offset:32; nocase; reference:bugtraq,1204; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100695; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|u\|00\|p\|00\|d\|00\|a\|00\|t\|00\|e\|00\|c\|00\|o\|00\|l\|00\|v\|00\|b\|00\|m\|00\|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:700; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|u\|00\|p\|00\|d\|00\|a\|00\|t\|00\|e\|00\|c\|00\|o\|00\|l\|00\|v\|00\|b\|00\|m\|00\|"; offset:32; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100700; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 \|D0 00 92 01 C2 00\|R\|00\|U\|00\|9 \|EC 00\|"; fast_pattern:only; classtype:shellcode-detect; sid:691; rev:7;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SHELLCODE MSSQL shellcode attempt"; flow:to_server,established; content:"9 \|D0 00 92 01 C2 00\|R\|00\|U\|00\|9 \|EC 00\|"; fast_pattern:only; classtype:shellcode-detect; sid:2100691; rev:8;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H\|00\|%\|00\|x\|00\|w\|00 90 00 90 00 90 00 90 00 90 00\|3\|00 C0 00\|P\|00\|h\|00\|.\|00\|"; classtype:shellcode-detect; sid:693; rev:6;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL MSSQL shellcode attempt 2"; flow:to_server,established; content:"H\|00\|%\|00\|x\|00\|w\|00 90 00 90 00 90 00 90 00 90 00\|3\|00 C0 00\|P\|00\|h\|00\|.\|00\|"; classtype:shellcode-detect; sid:2100693; rev:7;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|a\|00\|d\|00\|d\|00\|u\|00\|s\|00\|e\|00\|r\|00\|"; nocase; classtype:attempted-user; sid:685; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_adduser - database user creation"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|a\|00\|d\|00\|d\|00\|u\|00\|s\|00\|e\|00\|r\|00\|"; nocase; classtype:attempted-user; sid:2100685; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|d\|00\|e\|00\|l\|00\|e\|00\|t\|00\|e\|00\|_\|00\|a\|00\|l\|00\|e\|00\|r\|00\|t\|00\|"; nocase; classtype:attempted-user; sid:684; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_delete_alert log file deletion"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|d\|00\|e\|00\|l\|00\|e\|00\|t\|00\|e\|00\|_\|00\|a\|00\|l\|00\|e\|00\|r\|00\|t\|00\|"; nocase; classtype:attempted-user; sid:2100684; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|p\|00\|a\|00\|s\|00\|s\|00\|w\|00\|o\|00\|r\|00\|d\|00\|"; nocase; classtype:attempted-user; sid:683; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_password - password change"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|p\|00\|a\|00\|s\|00\|s\|00\|w\|00\|o\|00\|r\|00\|d\|00\|"; nocase; classtype:attempted-user; sid:2100683; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|s\|00\|t\|00\|a\|00\|r\|00\|t\|00\|_\|00\|j\|00\|o\|00\|b\|00\|"; nocase; classtype:attempted-user; sid:673; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL sp_start_job - program execution"; flow:to_server,established; content:"s\|00\|p\|00\|_\|00\|s\|00\|t\|00\|a\|00\|r\|00\|t\|00\|_\|00\|j\|00\|o\|00\|b\|00\|"; nocase; classtype:attempted-user; sid:2100673; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|c\|00\|m\|00\|d\|00\|s\|00\|h\|00\|e\|00\|l\|00\|l\|00\|"; nocase; classtype:attempted-user; sid:687; rev:5;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL EXPLOIT xp_cmdshell - program execution"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|c\|00\|m\|00\|d\|00\|s\|00\|h\|00\|e\|00\|l\|00\|l\|00\|"; nocase; classtype:attempted-user; sid:2100687; rev:6;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|d\|00\|i\|00\|s\|00\|p\|00\|l\|00\|a\|00\|y\|00\|p\|00\|a\|00\|r\|00\|a\|00\|m\|00\|s\|00\|t\|00\|m\|00\|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:674; rev:8;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_displayparamstmt possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|d\|00\|i\|00\|s\|00\|p\|00\|l\|00\|a\|00\|y\|00\|p\|00\|a\|00\|r\|00\|a\|00\|m\|00\|s\|00\|t\|00\|m\|00\|t"; nocase; reference:bugtraq,2030; reference:cve,2000-1081; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100674; rev:9;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|e\|00\|n\|00\|u\|00\|m\|00\|r\|00\|e\|00\|s\|00\|u\|00\|l\|00\|t\|00\|s\|00\|e\|00\|t\|00\|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:682; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_enumresultset possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|e\|00\|n\|00\|u\|00\|m\|00\|r\|00\|e\|00\|s\|00\|u\|00\|l\|00\|t\|00\|s\|00\|e\|00\|t\|00\|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100682; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|e\|00\|e\|00\|k\|00\|q\|00\|u\|00\|e\|00\|u\|00\|e\|00\|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:706; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_peekqueue possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|e\|00\|e\|00\|k\|00\|q\|00\|u\|00\|e\|00\|u\|00\|e\|00\|"; nocase; reference:bugtraq,2040; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100706; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|s\|00\|t\|00\|a\|00\|t\|00\|e\|00\|m\|00\|e\|00\|n\|00\|t\|00\|s\|00\|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:699; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_printstatements possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|s\|00\|t\|00\|a\|00\|t\|00\|e\|00\|m\|00\|e\|00\|n\|00\|t\|00\|s\|00\|"; nocase; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100699; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|o\|00\|x\|00\|i\|00\|e\|00\|d\|00\|m\|00\|e\|00\|t\|00\|a\|00\|d\|00\|a\|00\|t\|00\|a\|00\|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:707; rev:10;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_proxiedmetadata possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|p\|00\|r\|00\|o\|00\|x\|00\|i\|00\|e\|00\|d\|00\|m\|00\|e\|00\|t\|00\|a\|00\|d\|00\|a\|00\|t\|00\|a\|00\|"; nocase; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100707; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|r\|00\|e\|00\|g\|00\|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:686; rev:10;) +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL NETBIOS xp_reg* - registry access"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|r\|00\|e\|00\|g\|00\|"; nocase; reference:bugtraq,5205; reference:cve,2002-0642; reference:nessus,10642; reference:url,www.microsoft.com/technet/security/bulletin/MS02-034; classtype:attempted-user; sid:2100686; rev:11;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|e\|00\|t\|00\|s\|00\|q\|00\|l\|00\|s\|00\|e\|00\|c\|00\|u\|00\|r\|00\|i\|00\|t\|00\|y\|00\|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:675; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_setsqlsecurity possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|e\|00\|t\|00\|s\|00\|q\|00\|l\|00\|s\|00\|e\|00\|c\|00\|u\|00\|r\|00\|i\|00\|t\|00\|y\|00\|"; nocase; reference:bugtraq,2043; reference:cve,2000-1088; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100675; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|h\|00\|o\|00\|w\|00\|c\|00\|o\|00\|l\|00\|v\|00\|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:705; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_showcolv possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|h\|00\|o\|00\|w\|00\|c\|00\|o\|00\|l\|00\|v\|00\|"; nocase; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100705; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|f\|00\|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|s\|00\|p\|00\|r\|00\|i\|00\|n\|00\|t\|00\|f\|00\|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:2100704; rev:10;) # -alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL SQL xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|u\|00\|p\|00\|d\|00\|a\|00\|t\|00\|e\|00\|c\|00\|o\|00\|l\|00\|v\|00\|b\|00\|m\|00\|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:701; rev:9;) +#alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"GPL DELETED xp_updatecolvbm possible buffer overflow"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|u\|00\|p\|00\|d\|00\|a\|00\|t\|00\|e\|00\|c\|00\|o\|00\|l\|00\|v\|00\|b\|00\|m\|00\|"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/MS00-092.mspx; classtype:attempted-user; sid:2100701; rev:10;) # alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"GPL SQL MYSQL root login attempt"; flow:to_server,established; content:"\|0A 00 00 01 85 04 00 00 80\|root\|00\|"; classtype:protocol-command-decode; sid:2101775; rev:4;) @@ -41369,7 +41381,7 @@ alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"GPL EXPLOIT xp_cmdshell program execution 445"; flow:to_server,established; content:"x\|00\|p\|00\|_\|00\|c\|00\|m\|00\|d\|00\|s\|00\|h\|00\|e\|00\|l\|00\|l\|00\|"; nocase; classtype:attempted-user; sid:2101759; rev:6;) # -alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"\|FF FA\|'\|00 00\|"; rawbytes; pcre:"/T.?T.?Y.?P.?R.?O.?M.?P.?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:3274; rev:3;) +alert tcp $EXTERNAL_NET any -> $TELNET_SERVERS 23 (msg:"GPL EXPLOIT login buffer non-evasive overflow attempt"; flow:to_server,established; flowbits:isnotset,ttyprompt; content:"\|FF FA\|'\|00 00\|"; rawbytes; pcre:"/T.?T.?Y.?P.?R.?O.?M.?P.?T/RBi"; flowbits:set,ttyprompt; reference:bugtraq,3681; reference:cve,2001-0797; classtype:attempted-admin; sid:2103274; rev:4;) # #alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"GPL POLICY tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:2100524; rev:9;) @@ -41381,22 +41393,25 @@ #alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"GPL MISC BGP invalid type 0"; flow:stateless; content:"\|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF\|"; depth:16; content:"\|00\|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; classtype:bad-unknown; sid:2102159; rev:12;) # -alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows \|5b\|Version "; content:"Copyright"; within:12; content:"Microsoft Corp"; within:16; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:6;) +alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"GPL EXPLOIT Microsoft cmd.exe banner"; flow:established; content:"Microsoft Windows "; content:"Copyright \|28\|c\|29\| 20"; distance:0; content:"Microsoft Corp"; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2102123; rev:7;) + +# +##alert tcp $HOME_NET 1020 -> $EXTERNAL_NET any (msg:"GPL DELETED Vampire 1.2 connection confirmation"; flow:from_server,established; flowbits:isset,backdoor.vampire_12.connect; content:"Vampire v1.2 Server On-Line....."; depth:32; classtype:misc-activity; sid:2103064; rev:3;) # -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:3;) +#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103144; rev:4;) # -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:3;) +#alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103143; rev:5;) # -alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"\|FF\|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m\|00 00 C0\|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2923; rev:3;) +alert tcp $HOME_NET 139 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB repeated logon failure"; flow:from_server,established; content:"\|FF\|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m\|00 00 C0\|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102923; rev:4;) # -#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login\|User)/smi"; classtype:bad-unknown; sid:491; rev:9;) +#alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"GPL FTP FTP Bad login"; flow:from_server,established; content:"530 "; depth:4; pcre:"/^530\s+(Login\|User)/smi"; classtype:bad-unknown; sid:2100491; rev:11;) # -alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; fast_pattern:only; nocase; classtype:bad-unknown; sid:1251; rev:8;) + alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Bad Login"; flow:from_server,established; content:"Login incorrect"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2101251; rev:10;) # alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free\|28 29 3A\| warning\|3A\| chunk is already free"; reference:bugtraq,6650; reference:cve,2003-0015; classtype:misc-attack; sid:2102010; rev:5;) @@ -41420,13 +41435,13 @@ alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"GPL MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server\|3A\| warning\|3A\| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; classtype:misc-attack; sid:2102317; rev:5;) # -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:3;) +#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response andx overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB"; within:4; distance:3; pcre:"/^(\x75\|\x2d\|\x2f\|\x73\|\xa2\|\x2e\|\x24\|\x74)/sR"; content:"2"; depth:1; offset:39; byte_jump:2,0,little,relative; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103146; rev:4;) # -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; pcre:"/^.{27}/R"; flowbits:unset,smb.trans2; byte_test:2,>,15,7,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:3;) +#alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS Trans2 FIND_FIRST2 response overflow attempt"; flow:established,to_client; flowbits:isset,smb.trans2; content:"\|00\|"; depth:1; content:"\|FF\|SMB2"; within:5; distance:3; flowbits:unset,smb.trans2; byte_test:2,>,15,34,relative,little; reference:cve,2005-0045; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-011.mspx; classtype:protocol-command-decode; sid:2103145; rev:5;) # -alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"\|FF\|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m\|00 00 C0\|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2924; rev:3;) +alert tcp $HOME_NET 445 -> $EXTERNAL_NET any (msg:"GPL NETBIOS SMB-DS repeated logon failure"; flow:from_server,established; content:"\|FF\|SMB"; depth:4; offset:4; content:"s"; within:1; content:"m\|00 00 C0\|"; within:4; threshold:type threshold,track by_dst,count 10,seconds 60; classtype:unsuccessful-user; sid:2102924; rev:4;) # alert tcp any 4711 -> $HOME_NET any (msg:"GPL P2P eDonkey server response"; flow:established,from_server; content:"Server\|3A\| eMule"; reference:url,www.emule-project.net; classtype:policy-violation; sid:2102587; rev:4;) @@ -41435,10 +41450,10 @@ alert tcp $HOME_NET 512 -> $EXTERNAL_NET any (msg:"GPL RPC rexec username too long response"; flow:from_server,established; content:"username too long"; depth:17; reference:bugtraq,7459; classtype:unsuccessful-user; sid:2102104; rev:6;) # -alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:605; rev:6;) +alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"login incorrect"; reference:arachnids,393; classtype:unsuccessful-user; sid:2100605; rev:7;) # -alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"\|01\|rlogind\|3A\| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:611; rev:7;) +alert tcp $HOME_NET 513 -> $EXTERNAL_NET any (msg:"GPL RPC rlogin login failure"; flow:from_server,established; content:"\|01\|rlogind\|3A\| Permission denied."; reference:arachnids,392; classtype:unsuccessful-user; sid:2100611; rev:8;) # alert tcp $HOME_NET 5631 -> $EXTERNAL_NET any (msg:"GPL MISC Invalid PCAnywhere Login"; flow:from_server,established; content:"Invalid login"; depth:13; offset:5; classtype:unsuccessful-user; sid:2100511; rev:6;) @@ -41471,22 +41486,22 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN user search"; flow:to_server,established; content:"CAL "; depth:4; nocase; classtype:policy-violation; sid:2101990; rev:2;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition\|3A\|"; nocase; content:"filename"; distance:0; pcre:"/filename\s=\s.?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]\|s[dfx])\|c([ho]m\|li\|md\|pp)\|d(iz\|ll\|ot)\|e(m[fl]\|xe)\|h(lp\|sq\|ta)\|jse?\|m(d[abew]\|s[ip])\|p(p[st]\|if\|[lm]\|ot)\|r(eg\|tf)\|s(cr\|[hy]s\|wf)\|v(b[es]?\|cf\|xd)\|w(m[dfsz]\|p[dmsz]\|s[cfh])\|xl[tw]\|bat\|ini\|lnk\|nws\|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:9;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"GPL SMTP OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition\|3A\|"; nocase; content:"filename"; distance:0; pcre:"/filename\s=\s.?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]\|s[dfx])\|c([ho]m\|li\|md\|pp)\|d(iz\|ll\|ot)\|e(m[fl]\|xe)\|h(lp\|sq\|ta)\|jse?\|m(d[abew]\|s[ip])\|p(p[st]\|if\|[lm]\|ot)\|r(eg\|tf)\|s(cr\|[hy]s\|wf)\|v(b[es]?\|cf\|xd)\|w(m[dfsz]\|p[dmsz]\|s[cfh])\|xl[tw]\|bat\|ini\|lnk\|nws\|ocx)[\x27\x22\n\r\s]/iR"; classtype:suspicious-filename-detect; sid:2100721; rev:10;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 4242 (msg:"GPL P2P eDonkey transfer"; flow:to_server,established; content:"\|E3\|"; depth:1; reference:url,www.kom.e-technik.tu-darmstadt.de/publications/abstracts/HB02-1.html; classtype:policy-violation; sid:2102586; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 1D\|"; depth:2; offset:10; classtype:policy-violation; sid:2455; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference message"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 1D\|"; depth:2; offset:10; classtype:policy-violation; sid:2102455; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00\|P"; depth:2; offset:10; classtype:policy-violation; sid:2459; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM conference offer invitation"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00\|P"; depth:2; offset:10; classtype:policy-violation; sid:2102459; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 12\|"; depth:2; offset:10; classtype:policy-violation; sid:2452; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"GPL CHAT Yahoo IM ping"; flow:to_server,established; content:"YMSG"; depth:4; nocase; content:"\|00 12\|"; depth:2; offset:10; classtype:policy-violation; sid:2102452; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG\|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2460; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 5100 (msg:"GPL CHAT Yahoo IM conference request"; flow:to_server,established; content:"<R"; depth:2; pcre:"/^\x3c(REQIMG\|RVWCFG)\x3e/ism"; classtype:policy-violation; sid:2102460; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"GPL CHAT Google Talk Logon"; flow:to_server,established; content:"<stream\|3a\|stream to=\"gmail.com\""; nocase; reference:url,www.google.com/talk/; classtype:policy-violation; sid:100000232; rev:3;) @@ -41531,19 +41546,19 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Fastrack kazaa/morpheus traffic"; flow:to_server,established; content:"GET "; depth:4; content:"UserAgent\|3A\| KazaaClient"; reference:url,www.kazaa.com; classtype:policy-violation; sid:2101699; rev:11;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:557; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA OK"; depth:40; classtype:policy-violation; sid:2100557; rev:7;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:1432; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P GNUTella client request"; flow:to_server,established; content:"GNUTELLA"; depth:8; classtype:policy-violation; sid:2101432; rev:7;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:556; rev:5;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"GPL P2P Outbound GNUTella client request"; flow:to_server,established; content:"GNUTELLA CONNECT"; depth:40; classtype:policy-violation; sid:2100556; rev:6;) # alert tcp $HOME_NET any <> $EXTERNAL_NET 1863 (msg:"GPL CHAT MSN message"; flow:established; content:"MSG "; depth:4; content:"Content-Type\|3A\|"; nocase; content:"text/plain"; distance:1; classtype:policy-violation; sid:2100540; rev:12;) # -alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"HTTP/1.1 403"; depth:12; classtype:attempted-recon; sid:1201; rev:7;) +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL WEB_SERVER 403 Forbidden"; flow:from_server,established; content:"403"; http_stat_code; classtype:attempted-recon; sid:2101201; rev:9;) # #alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE Invalid URL"; flow:from_server,established; content:"Invalid URL"; fast_pattern:only; nocase; reference:url,www.microsoft.com/technet/security/bulletin/MS00-063.mspx; classtype:attempted-recon; sid:2101200; rev:12;) @@ -41573,34 +41588,34 @@ alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"GPL ATTACK_RESPONSE index of /cgi-bin/ response"; flow:from_server,established; content:"Index of /cgi-bin/"; fast_pattern:only; nocase; reference:nessus,10039; classtype:bad-unknown; sid:2101666; rev:7;) # -#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:567; rev:11;) +#alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP SMTP relaying denied"; flow:established,from_server; content:"550 5.7.1"; depth:70; reference:arachnids,249; reference:url,mail-abuse.org/tsi/ar-fix.html; classtype:misc-activity; sid:2100567; rev:12;) # alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"GPL SMTP AUTH LOGON brute force attempt"; flow:from_server,established; content:"Authentication unsuccessful"; offset:54; nocase; threshold:type threshold, track by_dst, count 5, seconds 60; classtype:suspicious-login; sid:2102275; rev:3;) # -alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:9;) +alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:2100680; rev:10;) # alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103152; rev:4;) # -alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L\|00\|o\|00\|g\|00\|i\|00\|n\|00\| \|00\|f\|00\|a\|00\|i\|00\|l\|00\|e\|00\|d\|00\| \|00\|f\|00\|o\|00\|r\|00\| \|00\|u\|00\|s\|00\|e\|00\|r\|00\| \|00\|'\|00\|s\|00\|a\|00\|'\|00\|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:3;) +alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L\|00\|o\|00\|g\|00\|i\|00\|n\|00\| \|00\|f\|00\|a\|00\|i\|00\|l\|00\|e\|00\|d\|00\| \|00\|f\|00\|o\|00\|r\|00\| \|00\|u\|00\|s\|00\|e\|00\|r\|00\| \|00\|'\|00\|s\|00\|a\|00\|'\|00\|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2103273; rev:4;) # -alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:10;) +alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"GPL SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:2100688; rev:11;) # -#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"\|FF FD\|"; rawbytes; content:"\|FF FD\|"; distance:0; rawbytes; content:"\|FF FD\|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:716; rev:13;) +#alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET access"; flow:from_server,established; content:"\|FF FD\|"; rawbytes; content:"\|FF FD\|"; distance:0; rawbytes; content:"\|FF FD\|"; distance:0; rawbytes; reference:arachnids,08; reference:cve,1999-0619; reference:nessus,10280; classtype:not-suspicious; sid:2100716; rev:14;) # -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; fast_pattern:only; nocase; classtype:bad-unknown; sid:492; rev:10;) +alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET TELNET login failed"; flow:from_server,established; content:"Login failed"; fast_pattern:only; nocase; classtype:bad-unknown; sid:2100492; rev:11;) # -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern:only; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:8;) +alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET Telnet Root not on console"; flow:from_server,established; content:"not on system console"; fast_pattern:only; nocase; reference:arachnids,365; classtype:bad-unknown; sid:2100717; rev:9;) # -alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login\|3A\| root"; fast_pattern:only; classtype:suspicious-login; sid:719; rev:8;) +alert tcp $TELNET_SERVERS 23 -> $EXTERNAL_NET any (msg:"GPL TELNET root login"; flow:from_server,established; content:"login\|3A\| root"; fast_pattern:only; classtype:suspicious-login; sid:2100719; rev:9;) # alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"GPL WEB_SPECIFIC_APPS Linksys apply.cgi overflow attempt"; flow:to_server,established; content:"/apply.cgi"; http_uri; fast_pattern:only; content:"Content-Length\|3A\|"; isdataat:1000,relative; pcre:"/Content-Length\x3A\s[^\r\n]{1000,}/smi"; reference:bugtraq,14822; reference:cve,2005-2799; reference:nessus,20096; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=19389; classtype:web-application-attack; sid:100000177; rev:4;) @@ -41612,10 +41627,10 @@ alert udp $EXTERNAL_NET 137 -> $HOME_NET any (msg:"GPL NETBIOS NS lookup response name overflow attempt"; byte_test:1,>,127,2; content:"\|00 01\|"; depth:2; offset:6; byte_test:1,>,32,12; reference:bugtraq,10333; reference:bugtraq,10334; reference:cve,2004-0444; reference:cve,2004-0445; reference:url,www.eeye.com/html/Research/Advisories/AD20040512A.html; classtype:attempted-admin; sid:2102563; rev:6;) # -#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"\|85 80 00 01 00 01 00 00 00 00\|"; content:"\|C0 0C 00 0C 00 01 00 00 00\|<\|00 0F\|"; classtype:bad-unknown; sid:253; rev:4;) +#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response PTR with TTL of 1 min. and no authority"; content:"\|85 80 00 01 00 01 00 00 00 00\|"; content:"\|C0 0C 00 0C 00 01 00 00 00\|<\|00 0F\|"; classtype:bad-unknown; sid:2100253; rev:5;) # -#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"\|81 80 00 01 00 01 00 00 00 00\|"; content:"\|C0 0C 00 01 00 01 00 00 00\|<\|00 04\|"; classtype:bad-unknown; sid:254; rev:4;) +#alert udp $EXTERNAL_NET 53 -> $HOME_NET any (msg:"GPL DNS SPOOF query response with TTL of 1 min. and no authority"; content:"\|81 80 00 01 00 01 00 00 00 00\|"; content:"\|C0 0C 00 01 00 01 00 00 00\|<\|00 04\|"; classtype:bad-unknown; sid:2100254; rev:5;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"GPL NETBIOS DCERPC Workstation Service direct service access attempt"; content:"\|04 00\|"; depth:2; byte_test:1,&,16,2,relative; content:"\|98 D0 FF\|k\|12 A1 10\|6\|98\|3F\|C3 F8\|~4Z"; within:16; distance:22; reference:bugtraq,9011; reference:cve,2003-0812; reference:url,www.microsoft.com/technet/security/bulletin/MS03-049.mspx; classtype:misc-attack; sid:2102316; rev:7;) @@ -41633,19 +41648,19 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap UNSET attempt UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1892; classtype:rpc-portmap-decode; sid:2102015; rev:6;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F7\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap admind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F7\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,18; classtype:rpc-portmap-decode; sid:2100575; rev:9;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 03\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:576; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap amountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 03\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,19; classtype:rpc-portmap-decode; sid:2100576; rev:9;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BA\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:577; rev:13;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap bootparam request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BA\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,16; reference:cve,1999-0647; classtype:rpc-portmap-decode; sid:2100577; rev:14;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cachefsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 8B\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,4674; reference:cve,2002-0033; reference:cve,2002-0084; classtype:rpc-portmap-decode; sid:2101746; rev:12;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 E4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap cmsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 E4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,17; classtype:rpc-portmap-decode; sid:2100578; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap espd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|u"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2714; reference:cve,2001-0331; classtype:rpc-portmap-decode; sid:2102017; rev:13;) @@ -41654,22 +41669,22 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap kcms_server request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87\|}"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,6665; reference:cve,2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2102005; rev:11;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:1280; rev:9;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap listing UDP 111"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,428; classtype:rpc-portmap-decode; sid:2101280; rev:10;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap mountd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,13; classtype:rpc-portmap-decode; sid:2100579; rev:9;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap network-status-monitor request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 03 0D\|p"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2102035; rev:7;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 CC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:9;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nisd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 CC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,21; classtype:rpc-portmap-decode; sid:2100580; rev:10;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap nlockmgr request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B5\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,1372; reference:cve,2000-0508; classtype:rpc-portmap-decode; sid:2102079; rev:7;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 02\|I\|F1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:9;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap pcnfsd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 02\|I\|F1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,22; classtype:rpc-portmap-decode; sid:2100581; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap proxy attempt UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 05\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101923; rev:7;) @@ -41678,46 +41693,46 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL EXPLOIT portmap proxy integer overflow attempt UDP"; content:"\|00 01 86 A0 00\|"; depth:5; offset:12; content:"\|00 00 00 05\|"; within:4; distance:3; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,2048,12,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,7123; reference:cve,2003-0028; classtype:rpc-portmap-decode; sid:2102092; rev:6;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rexd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,23; classtype:rpc-portmap-decode; sid:2100582; rev:9;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rpc.xfsmd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 05 F7\|h"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102081; rev:10;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:9;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rstatd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A1\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,10; classtype:rpc-portmap-decode; sid:2100583; rev:10;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A2\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:584; rev:11;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rusers request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A2\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,133; reference:cve,1999-0626; classtype:rpc-portmap-decode; sid:2100584; rev:12;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap rwalld request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101732; rev:10;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 88\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:7;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap sadmind request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 88\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,20; classtype:rpc-portmap-decode; sid:2100585; rev:8;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AF\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap selection_svc request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 AF\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,25; classtype:rpc-portmap-decode; sid:2100586; rev:9;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1279; rev:14;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap snmpXdmi request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 87 99\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,2417; reference:cve,2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2101279; rev:15;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap status request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 B8\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,15; classtype:rpc-portmap-decode; sid:2100587; rev:9;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:588; rev:17;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ttdbserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 F3\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,24; reference:bugtraq,122; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:2100588; rev:18;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A9\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap yppasswd request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A9\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,14; classtype:rpc-portmap-decode; sid:2100589; rev:9;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:590; rev:12;) +alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypserv request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 A4\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:arachnids,12; reference:bugtraq,5914; reference:bugtraq,6016; reference:cve,2000-1042; reference:cve,2000-1043; reference:cve,2002-1232; classtype:rpc-portmap-decode; sid:2100590; rev:13;) # alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"GPL RPC portmap ypupdated request UDP"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 03\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|00 01 86 BC\|"; within:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101277; rev:10;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"GPL EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:bugtraq,2540; reference:cve,2001-0414; classtype:attempted-admin; sid:2100312; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 135 (msg:"GPL NETBIOS DCERPC Messenger Service buffer overflow attempt"; content:"\|04 00\|"; depth:2; byte_test:1,>,15,2,relative; byte_jump:4,86,little,align,relative; byte_jump:4,8,little,align,relative; byte_test:4,>,1024,0,little,relative; reference:bugtraq,8826; reference:cve,2003-0717; reference:nessus,11888; reference:nessus,11890; reference:url,www.microsoft.com/technet/security/bulletin/MS03-043.mspx; classtype:attempted-admin; sid:2102257; rev:10;) @@ -41738,7 +41753,7 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"GPL SQL ping attempt"; content:"\|02\|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2102049; rev:5;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+\|06 10\|@\|14 D1 02 19\|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:516; rev:7;) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP SNMP NT UserList"; content:"+\|06 10\|@\|14 D1 02 19\|"; fast_pattern:only; reference:nessus,10546; classtype:attempted-recon; sid:2100516; rev:8;) # alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP missing community string attempt"; content:"\|04 00\|"; depth:15; offset:5; reference:bugtraq,2112; reference:cve,1999-0517; classtype:misc-attack; sid:2101893; rev:5;) @@ -41747,28 +41762,28 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP null community string attempt"; content:"\|04 01 00\|"; depth:15; offset:5; reference:bugtraq,2112; reference:bugtraq,8974; reference:cve,1999-0517; classtype:misc-attack; sid:2101892; rev:7;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern:only; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1413; rev:11;) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP private access udp"; content:"private"; fast_pattern:only; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:bugtraq,7212; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101413; rev:12;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1411; rev:11;) +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP public access udp"; content:"public"; fast_pattern:only; reference:bugtraq,2112; reference:bugtraq,4088; reference:bugtraq,4089; reference:cve,1999-0517; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101411; rev:12;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:10;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"GPL SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101417; rev:11;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" \|04 82 01 00\|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1422; rev:10;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP community string buffer overflow attempt with evasion"; content:" \|04 82 01 00\|"; depth:5; offset:7; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101422; rev:11;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL EXPLOIT community string buffer overflow attempt"; content:"\|02 01 00 04 82 01 00\|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:1409; rev:10;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 161:162 (msg:"GPL SNMP SNMP community string buffer overflow attempt"; content:"\|02 01 00 04 82 01 00\|"; offset:4; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; reference:url,www.cert.org/advisories/CA-2002-03.html; classtype:misc-attack; sid:2101409; rev:11;) # alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP SNMP trap Format String detected"; content:"%s"; fast_pattern:only; reference:bugtraq,16267; reference:cve,2006-0250; reference:url,www.osvdb.org/displayvuln.php?osvdb_id=22493; classtype:attempted-recon; sid:100000227; rev:3;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08\|02 01 00 04 06\|public\|A4\|+\|06\|"; fast_pattern:only; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:1427; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP PROTOS test-suite-trap-app attempt"; content:"08\|02 01 00 04 06\|public\|A4\|+\|06\|"; fast_pattern:only; reference:url,www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html; classtype:misc-attack; sid:2101427; rev:6;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"GPL SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101419; rev:10;) # alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL RPC xdmcp info query"; content:"\|00 01 00 02 00 01 00\|"; reference:nessus,10891; classtype:attempted-recon; sid:2101867; rev:2;) @@ -41777,16 +41792,16 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET 177 (msg:"GPL MISC xdmcp query"; content:"\|00 01 00 03 00 01 00\|"; classtype:attempted-recon; sid:2100517; rev:2;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location\|3A\|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:1388; rev:12;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP Location overflow"; content:"Location\|3A\|"; nocase; isdataat:128,relative; pcre:"/^Location\x3a[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; classtype:misc-attack; sid:2101388; rev:14;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:1384; rev:8;) +alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP malformed advertisement"; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:2101384; rev:9;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"GPL MISC UPnP service discover attempt"; content:"M-SEARCH "; depth:9; content:"ssdp\|3A\|discover"; classtype:network-scan; sid:2101917; rev:7;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"\|00 00 00 08\|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:2;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"GPL MISC squid WCCP I_SEE_YOU message overflow attempt"; content:"\|00 00 00 08\|"; depth:4; byte_test:4,>,32,16; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:2103089; rev:3;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 2305 (msg:"GPL GAMES Halocon Denial of Service Empty UDP Packet"; dsize:0; reference:bugtraq,12281; classtype:attempted-dos; sid:100000102; rev:2;) @@ -41798,7 +41813,7 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET 29000 (msg:"GPL GAMES FlatFrag game dos exploit"; fragbits:D; id:1; content:"\|61 61 61\|"; dsize:99; reference:bugtraq,15287; reference:cve,2005-3492; classtype:attempted-dos; sid:100000181; rev:2;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL TROJAN BackOrifice access"; content:"\|CE\|c\|D1 D2 16 E7 13 CF\|9\|A5 A5 86\|"; reference:arachnids,399; classtype:misc-activity; sid:116; rev:5;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"GPL TROJAN BackOrifice access"; content:"\|CE\|c\|D1 D2 16 E7 13 CF\|9\|A5 A5 86\|"; reference:arachnids,399; classtype:misc-activity; sid:2100116; rev:6;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"GPL RPC portmap listing UDP 32771"; content:"\|00 01 86 A0\|"; depth:4; offset:12; content:"\|00 00 00 04\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:rpc-portmap-decode; sid:2101281; rev:9;) @@ -41810,28 +41825,28 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET 49 (msg:"GPL DELETED xtacacs login attempt"; content:"\|80 01\|"; depth:2; content:"\|00\|"; distance:4; classtype:misc-activity; sid:2102040; rev:4;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"\|05\|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:5;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP invalid identification payload attempt"; content:"\|05\|"; depth:1; offset:16; byte_test:2,>,4,30; byte_test:2,<,8,30; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2102486; rev:6;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"\|08\|"; depth:1; offset:16; content:"\|0C\|"; depth:1; offset:28; content:"\|00 04\|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2413; rev:9;) +alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP delete hash with empty hash attempt"; content:"\|08\|"; depth:1; offset:16; content:"\|0C\|"; depth:1; offset:28; content:"\|00 04\|"; depth:2; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102413; rev:10;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"\|07\|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2380; rev:4;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP fifth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; byte_jump:2,-2,relative; byte_jump:2,-2,relative; content:"\|07\|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102380; rev:5;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"\|07\|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2376; rev:3;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP first payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"\|07\|"; depth:1; offset:16; byte_test:2,>,2043,30; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102376; rev:4;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"\|07\|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2379; rev:6;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP forth payload certificate request length overflow attempt"; flow:to_server; byte_test:4,>,2043,24; byte_jump:2,30; content:"\|07\|"; within:1; distance:-4; byte_jump:2,1,relative; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102379; rev:7;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"\|0B\|"; depth:1; offset:16; content:"\|00 0C 00 00 00 01 01 00 06 02\|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2414; rev:9;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP initial contact notification without SPI attempt"; content:"\|0B\|"; depth:1; offset:16; content:"\|00 0C 00 00 00 01 01 00 06 02\|"; depth:10; offset:30; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102414; rev:10;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"\|07\|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2377; rev:3;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload certificate request length overflow attempt"; byte_test:4,>,2043,24; content:"\|07\|"; depth:1; offset:28; byte_jump:2,30; byte_test:2,>,2043,-2,relative; reference:bugtraq,9582; reference:cve,2004-0040; classtype:attempted-admin; sid:2102377; rev:4;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"\|0B\|"; depth:1; offset:28; byte_jump:2,30; content:"\|00 0C 00 00 00 01 01 00\|`\|02\|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2415; rev:9;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL EXPLOIT ISAKMP second payload initial contact notification without SPI attempt"; content:"\|0B\|"; depth:1; offset:28; byte_jump:2,30; content:"\|00 0C 00 00 00 01 01 00\|`\|02\|"; within:10; distance:-2; reference:bugtraq,9416; reference:bugtraq,9417; reference:cve,2004-0164; classtype:misc-attack; sid:2102415; rev:10;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"GPL POLICY IPSec PGPNet connection attempt"; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 10 02 00 00 00 00 00 00 00 00 88 0D 00 00 5C 00 00 00 01 00 00 00 01 00 00 00\|P\|01 01 00 02 03 00 00 24 01 01 00 00 80 01 00 06 80 02 00 02 80 03 00 03 80 04 00 05 80 0B 00 01 00 0C 00 04 00 01\|Q\|80 00 00 00 24 02 01 00 00 80 01 00 05 80 02 00 01 80 03 00 03 80 04 00 02 80 0B 00 01 00 0C 00 04 00 01\|Q\|80 00 00 00 10\|"; classtype:protocol-command-decode; sid:2101771; rev:7;) @@ -41861,10 +41876,10 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 5632 (msg:"GPL POLICY PCAnywhere server response"; content:"ST"; depth:2; classtype:misc-activity; sid:2100566; rev:5;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^\|B0 02 89 06 FE C8 89\|F\|04 B0 06 89\|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:315; rev:6;) +alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"GPL EXPLOIT x86 Linux mountd overflow"; content:"^\|B0 02 89 06 FE C8 89\|F\|04 B0 06 89\|F"; reference:bugtraq,121; reference:cve,1999-0002; classtype:attempted-admin; sid:2100315; rev:7;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90\|C0 A8 01 01\|/bin/sh\|00\|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:319; rev:5;) +alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL EXPLOIT bootp x86 linux overflow"; content:"A90\|C0 A8 01 01\|/bin/sh\|00\|"; reference:cve,1999-0389; reference:cve,1999-0798; reference:cve,1999-0799; classtype:attempted-admin; sid:2100319; rev:6;) # alert udp $EXTERNAL_NET any -> $HOME_NET 67 (msg:"GPL MISC bootp hardware address length overflow"; content:"\|01\|"; depth:1; byte_test:1,>,6,2; reference:cve,1999-0798; classtype:misc-activity; sid:2101939; rev:5;) @@ -41879,7 +41894,7 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP MISC TFTP32 Get Format string attempt"; content:"\|00 01 25 2E\|"; depth:4; reference:url,www.securityfocus.com/archive/1/422405/30/0/threaded; reference:url,www.critical.lt/?vulnerabilities/200; classtype:attempted-admin; sid:100000222; rev:1;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"\|00 01\|"; depth:2; classtype:bad-unknown; sid:1444; rev:3;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP Get"; content:"\|00 01\|"; depth:2; classtype:bad-unknown; sid:2101444; rev:4;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 69 (msg:"GPL TFTP NULL command attempt"; content:"\|00 00\|"; depth:2; reference:bugtraq,7575; classtype:bad-unknown; sid:2102336; rev:4;) @@ -41900,16 +41915,16 @@ alert udp $EXTERNAL_NET any -> $HOME_NET 7649 (msg:"GPL GAMES Breed Game Server Denial of Service Empty UDP Packet"; dsize:0; reference:bugtraq,12262; classtype:attempted-dos; sid:100000103; rev:2;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"\|5C\|secure\|5C\|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:2;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"GPL GAMES Unreal Tournament secure overflow attempt"; content:"\|5C\|secure\|5C\|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:2103080; rev:3;) # -alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"\|01 A1\|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:3;) +#alert udp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"GPL RPC kerberos principal name overflow UDP"; content:"j"; depth:1; content:"\|01 A1\|"; asn1:oversize_length 1024,relative_offset -1; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2102578; rev:4;) # #alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"GPL MISC Ascend Route"; content:"NAMENAME"; depth:50; offset:25; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:2100281; rev:6;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:270; rev:6;) +#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL MISC Teardrop attack"; fragbits:M; id:242; reference:bugtraq,124; reference:cve,1999-0015; reference:nessus,10279; reference:url,www.cert.org/advisories/CA-1997-28.html; classtype:attempted-dos; sid:2100270; rev:7;) # #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC CMSD UDP CMSD_CREATE array buffer overflow attempt"; content:"\|00 01 86 E4\|"; depth:4; offset:12; content:"\|00 00 00 15\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; byte_test:4,>,1024,20,relative; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5356; reference:cve,2002-0391; classtype:attempted-admin; sid:2102094; rev:7;) @@ -41951,7 +41966,7 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC rpc.xfsmd xfs_export attempt UDP"; content:"\|00 05 F7\|h"; depth:4; offset:12; content:"\|00 00 00 0D\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,5072; reference:bugtraq,5075; reference:cve,2002-0359; classtype:rpc-portmap-decode; sid:2102083; rev:9;) # -#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"\|00 01 86 A2\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:612; rev:6;) +#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN rusers query UDP"; content:"\|00 01 86 A2\|"; depth:4; offset:12; content:"\|00 00 00 02\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:cve,1999-0626; classtype:attempted-recon; sid:2100612; rev:7;) # #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC sadmind UDP PING"; content:"\|00 01 87 88\|"; depth:4; offset:12; content:"\|00 00 00 00\|"; within:4; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; reference:bugtraq,866; classtype:attempted-admin; sid:2101957; rev:6;) @@ -41981,7 +41996,7 @@ #alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL RPC ypupdated arbitrary command attempt UDP"; content:"\|00 01 86 BC\|"; depth:4; offset:12; content:"\|00 00 00 01\|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"\|7C\|"; distance:4; content:"\|00 00 00 00\|"; depth:4; offset:4; classtype:misc-attack; sid:2102088; rev:6;) # -alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"\|0A\|help\|0A\|quite\|0A\|"; classtype:attempted-recon; sid:2100637; rev:4;) +#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"GPL SCAN Webtrends Scanner UDP Probe"; content:"\|0A\|help\|0A\|quite\|0A\|"; classtype:attempted-recon; sid:2100637; rev:4;) # #alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"GPL SQL probe response overflow attempt"; content:"\|05\|"; depth:1; byte_test:2,>,512,1; content:"\|3B\|"; distance:0; isdataat:512,relative; content:!"\|3B\|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2102329; rev:7;) @@ -41999,33 +42014,36 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"GPL WORM Slammer Worm propagation attempt OUTBOUND"; content:"\|04\|"; depth:1; content:"\|81 F1 03 01 04 9B 81 F1\|"; content:"sock"; content:"send"; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2102004; rev:8;) # -#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;) +#alert udp any any -> 255.255.255.255 161 (msg:"GPL SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101415; rev:10;) # -#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;) +#alert udp any any -> 255.255.255.255 162 (msg:"GPL SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:2101416; rev:10;) # #alert udp any any -> any 53 (msg:"GPL POLICY MISC Tunneling IP over DNS with NSTX"; byte_test: 1,>,32,12; content: "\|00 10 00 01\|"; offset: 12; rawbytes; threshold: type threshold, track by_src, count 50, seconds 60; reference:url,nstx.dereference.de/nstx/; reference:url,slashdot.org/articles/00/09/10/2230242.shtml; classtype:policy-violation; sid:100000208; rev:1;) # -alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"\|00 01\|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:1289; rev:4;) +alert udp any any -> any 69 (msg:"GPL TFTP GET Admin.dll"; content:"\|00 01\|"; depth:2; content:"admin.dll"; offset:2; nocase; reference:url,www.cert.org/advisories/CA-2001-26.html; classtype:successful-admin; sid:2101289; rev:5;) # alert udp any any -> any 69 (msg:"GPL TFTP GET filename overflow attempt"; content:"\|00 01\|"; depth:2; isdataat:100,relative; content:!"\|00\|"; within:100; reference:bugtraq,5328; reference:cve,2002-0813; classtype:attempted-admin; sid:2101941; rev:10;) # -alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"\|00 01\|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:1441; rev:4;) +alert udp any any -> any 69 (msg:"GPL TFTP GET nc.exe"; content:"\|00 01\|"; depth:2; content:"nc.exe"; offset:2; nocase; classtype:successful-admin; sid:2101441; rev:5;) # -alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"\|00 01\|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:1443; rev:4;) +alert udp any any -> any 69 (msg:"GPL TFTP GET passwd"; content:"\|00 01\|"; depth:2; content:"passwd"; offset:2; nocase; classtype:successful-admin; sid:2101443; rev:5;) # -alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"\|00 01\|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:1442; rev:4;) +alert udp any any -> any 69 (msg:"GPL TFTP GET shadow"; content:"\|00 01\|"; depth:2; content:"shadow"; offset:2; nocase; classtype:successful-admin; sid:2101442; rev:5;) # #alert udp any any -> any 69 (msg:"GPL TFTP PUT filename overflow attempt"; content:"\|00 02\|"; depth:2; isdataat:100,relative; content:!"\|00\|"; within:100; reference:bugtraq,7819; reference:bugtraq,8505; reference:cve,2003-0380; classtype:attempted-admin; sid:2102337; rev:9;) # +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Adobe PDF in HTTP Flowbit Set"; flow:from_server,established; file_data; content:"%PDF-"; within:5; flowbits:set,ET.pdf.in.http; flowbits:noalert; reference:cve,CVE-2008-2992; reference:bugtraq,30035; reference:secunia,29773; classtype:not-suspicious; sid:2015671; rev:6;) + +# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET EXPLOIT HP OpenView NNM snmpviewer.exe CGI Stack Buffer Overflow 1"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/OvCgi/snmpviewer.exe"; http_uri; nocase; content:"act="; nocase; content:"app="; nocase; isdataat:257,relative; content:!"\|0A\|"; within:257; pcre:"/app\x3D[^\x26\s\r\n]{257}/i"; reference:cve,CVE-2010-1552; reference:bugtraq,40068; classtype:attempted-admin; sid:2012682; rev:7;) # @@ -42050,7 +42068,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.5.x Detected"; flow:established,to_server; content:" Java/1.5."; nocase; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011581; rev:9;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"31"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:19;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.6.x Detected"; flow:established,to_server; content:" Java/1.6.0_"; http_header; content:!"37"; within:2; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2011582; rev:23;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Euchia CMS catalogo.php id_livello Parameter Cross Site Scripting Attempt"; flow:established,to_server; uricontent:"/catalogo.php?"; nocase; uricontent:"id_livello="; nocase; pcre:"/id_livello\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:url,inj3ct0r.com/exploits/13028; classtype:web-application-attack; sid:2011571; rev:1;) @@ -42251,19 +42269,19 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Group Office json.php fingerprint Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET "; depth:4; uricontent:"/modules/gnupg/json.php?"; nocase; uricontent:"task=send_key"; nocase; uricontent:"fingerprint="; nocase; pcre:"/fingerprint=\w\;/Ui"; reference:url,inj3ct0r.com/exploits/13365; classtype:web-application-attack; sid:2011413; rev:1;) # -#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|com\|02\|ru"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:2;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.ru Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|com\|02\|ru\|00\|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011407; rev:3;) # -#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|com\|02\|cn"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:2;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .com.cn Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|com\|02\|cn\|00\|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011408; rev:3;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|co\|02\|cc"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.cc Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|co\|02\|cc\|00\|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011409; rev:3;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|cz\|02\|cc"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .cz.cc Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|cz\|02\|cc\|00\|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011410; rev:3;) # -#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|co\|02\|kr"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:2;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for Suspicious .co.kr Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|co\|02\|kr\|00\|"; fast_pattern; nocase; distance:0; reference:url,sign.kaffenews.com/?p=104; classtype:bad-unknown; sid:2011411; rev:3;) # alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN w3af Scan Remote File Include Retrieval"; flow:established,to_server; content:"/w3af/remoteFileInclude.html"; http_uri; nocase; content:"Host\|3A\| w3af.sourceforge.net"; http_header; nocase; reference:url,w3af.sourceforge.net; classtype:web-application-activity; sid:2011389; rev:3;) @@ -42383,7 +42401,7 @@ alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (KRMAK) Butterfly Bot download"; flow:to_server,established; content:"User-Agent\|3a\| KRMAK"; http_header; classtype:trojan-activity; sid:2011297; rev:2;) # -alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"\|18\|"; depth:1; content:"\|00 00\|"; distance:16; flowbits:set,ET.ButterflyJoin; flowbits:noalert; classtype:trojan-activity; sid:2011295; rev:5;) +alert udp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Butterfly/Mariposa Bot client init connection"; dsize:21; content:"\|18\|"; depth:1; content:"\|00 00\|"; distance:16; flowbits:set,ET.ButterflyJoin; classtype:trojan-activity; sid:2011295; rev:7;) # alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Butterfly/Mariposa Bot Join Acknowledgment"; dsize:21; content:"\|38\|"; depth:1; flowbits:isset,ET.ButterflyJoin; classtype:trojan-activity; sid:2011296; rev:2;) @@ -42500,10 +42518,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .cz.cc domain"; flow: to_server,established; content:".cz.cc\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2011375; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; content:"@"; http_uri; content:"Referer\|3a\| http\|3a\|//www.google.com\|0d 0a\|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN indux.php check-in"; flow:established,to_server; content:"/indux.php?U="; nocase; http_uri; fast_pattern:only; content:"@"; http_uri; content:"Referer\|3a\| http\|3a\|//www.google.com\|0d 0a\|"; nocase; http_header; classtype:trojan-activity; sid:2011387; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"\|0d 0a 0d 0a\|command="; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE web shell detected"; flow:established,to_server; content:"POST"; nocase; http_method; content:"\|0d 0a 0d 0a\|command="; fast_pattern; content:"&result="; within:12; classtype:trojan-activity; sid:2011391; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (http-get-demo) Possible Reverse Web Shell"; flow:established,to_server; content:"User-Agent\|3a\| http-get-demo"; http_header; classtype:trojan-activity; sid:2011392; rev:2;) @@ -42533,10 +42551,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"ET TROJAN Yoyo-DDoS Bot Unknown Command From CnC Server"; flow:established,from_server; dsize:124; content:"\|C1 00 00 00\|"; nocase; depth:4; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:trojan-activity; sid:2011401; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"\|0d 0a\|Accept-Encoding\|3A\| g\|7b\|ip\|2C\| deflate\|0d 0a\|"; content:"\|0d 0a\|Connection\|3A\| Keep\|2D\|Alivf\|0d 0a\|"; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Inbound"; flow:established,to_server; content:"\|0d 0a\|Accept-Encoding\|3A\| g\|7b\|ip\|2C\| deflate\|0d 0a\|"; http_header; content:"\|0d 0a\|Connection\|3A\| Keep\|2D\|Alivf\|0d 0a\|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011402; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"\|0d 0a\|Accept-Encoding\|3A\| g\|7b\|ip\|2C\| deflate\|0d 0a\|"; content:"\|0d 0a\|Connection\|3A\| Keep\|2D\|Alivf\|0d 0a\|"; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Yoyo-DDoS Bot HTTP Flood Attack Outbound"; flow:established,to_server; content:"\|0d 0a\|Accept-Encoding\|3A\| g\|7b\|ip\|2C\| deflate\|0d 0a\|"; http_header; content:"\|0d 0a\|Connection\|3A\| Keep\|2D\|Alivf\|0d 0a\|"; fast_pattern:14,12; http_header; threshold:type limit, count 5, seconds 60, track by_src; reference:url,asert.arbornetworks.com/2010/08/yoyoddos-a-new-family-of-ddos-bots/; classtype:denial-of-service; sid:2011403; rev:3;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED General Trojan Downloader Request Observed"; flow:established,to_server; content:".php?id="; http_uri; nocase; content:"&x="; nocase; http_uri; content:"&os="; nocase; http_uri; content:"&n="; http_uri; nocase; reference:url,www.threatexpert.com/report.aspx?md5=3dd8193692b62a875985349b67da38c6; reference:url,www.threatexpert.com/report.aspx?md5=6c9ad4d06f72edcd2b301d66b25ad101; reference:url,www.threatexpert.com/report.aspx?md5=91fa03240b5a59853d0dad708055a7a8; classtype:trojan-activity; sid:2011415; rev:3;) @@ -42602,7 +42620,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_CLIENT PROPFIND Flowbit Set"; flow:established,to_server; content:"PROPFIND"; http_method; nocase; flowbits:set,ET_PROPFIND; flowbits:noalert; classtype:misc-activity; sid:2011456; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT DLL or EXE File From Possible WebDAV Share, Possible DLL Preloading Exploit Attempt"; flowbits:isset,ET_PROPFIND; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,blog.metasploit.com/2010/08/exploiting-dll-hijacking-flaws.html; reference:url,www.us-cert.gov/cas/techalerts/TA10-238A.html; reference:url,www.microsoft.com/technet/security/advisory/2269637.mspx; reference:url,blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx; reference:url,blog.metasploit.com/2010/08/better-faster-stronger.html; reference:url,blog.rapid7.com/?p=5325; classtype:attempted-user; sid:2011457; rev:3;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING trafficbiztds.com - client requesting redirect to exploit kit"; flow:established,to_server; content:"/tds/in.cgi?"; http_uri; depth:12; classtype:bad-unknown; sid:2011468; rev:3;) @@ -42752,7 +42770,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Carberp checkin task"; flow:established,to_server; content:"/task.php?id="; http_uri; content:"&task="; http_uri; pcre:"/\/task.php\?id=[^&]{32,64}&task=\d/U"; reference:url,www.trustdefender.com/blog/2010/10/06/carberp-%E2%80%93-a-new-trojan-in-the-making/; reference:url,www.honeynet.org/node/578; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-101313-5632-99&tabid=2; reference:url,www.eset.com/threat-center/encyclopedia/threats/win32trojandownloadercarberpb; reference:url,www.threatexpert.com/report.aspx?md5=31a4bc4e9a431d91dc0b368f4a76ee85; reference:url,www.threatexpert.com/report.aspx?md5=1d0d38dd63551a30eda664611ed4958b; reference:url,www.threatexpert.com/report.aspx?md5=6f89b98729483839283d04b82055dc44; reference:url,www.threatexpert.com/report.aspx?md5=07d3fbb124ff39bd5c1045599f719e36; classtype:trojan-activity; sid:2011799; rev:6;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent\|3A\|Mozilla"; http_header; content:!"BlackBerry\|3b\|"; http_header; content:!"PlayBook\|3b\|"; http_header; content:!"master conn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Abnormal User-Agent No space after colon - Likely Hostile"; flow:established,to_server; content:"User-Agent\|3A\|Mozilla"; http_header; content:!"BlackBerry\|3b\|"; http_header; content:!"PlayBook\|3b\|"; http_header; content:!"masterconn.qq.com"; http_header; content:!"Konfabulator"; http_header; classtype:trojan-activity; sid:2011800; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX AoA Audio Extractor ActiveX Control Buffer Overflow Attempt"; flow:to_client,established; content:"<OBJECT "; nocase; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"125C3F0B-1073-4783-9A7B-D33E54269CA5"; nocase; distance:0; content:"InitLicenKeys"; nocase; reference:url,exploit-db.com/exploits/14599/; reference:url,packetstormsecurity.org/1010-exploits/aoaae-rop.txt; classtype:web-application-attack; sid:2011801; rev:1;) @@ -42770,7 +42788,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER ScriptResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"ScriptResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&amp\|3b\|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011806; rev:6;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&amp\|3b\|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:3;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebResource.axd access without t (time) parameter - possible ASP padding-oracle exploit"; flow:established,to_server; content:"GET"; http_method; content:"/WebResource.axd"; http_uri; nocase; fast_pattern; content:!"&t="; http_uri; nocase; content:!"&amp\|3b\|t="; http_uri; nocase; detection_filter:track by_src,count 15,seconds 2; reference:url,netifera.com/research/; reference:url,www.microsoft.com/technet/security/advisory/2416728.mspx; classtype:web-application-attack; sid:2011807; rev:4;) #by kevin ross alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Inspathx Path Disclosure Scanner User-Agent Detected"; flow:established,to_server; content:"User-Agent\|3A\| inspath [path disclosure finder"; http_header; threshold:type limit, count 1, seconds 30, track by_src; reference:url,code.google.com/p/inspathx/; reference:url,www.darknet.org.uk/2010/09/inspathx-tool-for-finding-path-disclosure-vulnerabilities/; classtype:attempted-recon; sid:2011808; rev:2;) @@ -43004,6 +43022,9 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS iGaming CMS loadplugin.php load Parameter Local File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/loadplugin.php?"; nocase; http_uri; content:"load="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/1010-exploits/igamingcms-lfi.txt; classtype:web-application-attack; sid:2011884; rev:2;) # +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Logmein.com/Join.me SSL Remote Control Access"; flow:established,from_server; content:"\|16 03\|"; depth:2; content:"\|55 04 0a\|"; distance:0; content:"\|0d\|LogMeIn, Inc."; distance:1; within:14; content:".app"; classtype:policy-violation; sid:2014756; rev:5;) + +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Webspell wCMS-Clanscript staticID Parameter SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"site=static"; nocase; http_uri; content:"staticID="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; http_uri; nocase; pcre:"/ASCII\(.+SELECT/Ui"; reference:url,exploit-db.com/exploits/15152/; classtype:web-application-attack; sid:2011886; rev:2;) # @@ -43025,7 +43046,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Firefox Interleaving document.write and appendChild Overflow (POC SPECIFIC)"; flow:from_server,established; content:"document.body.appendChild(cobj)"; content:"document.getElementById\|28 22\|suv\|22 29\|.innerHTML"; content:"new\|20\|Array\|28\|"; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=607222; reference:url,blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/; classtype:attempted-user; sid:2011893; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"\|0d 0a\|Accept-Language\|3a\| "; distance:1; within:19; content:"User-Agent\|3a\| Mozilla/4.0 \|28\|compatible\|3b\| MSIE"; fast_pattern:23,18; http_header; content:"Host\|3a\| "; distance:0; http_header; content:"\|3a\| no-cache"; distance:0; http_header; content:!"Accept\|3a\| "; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:15;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TDSS/TDL/Alureon MBR rootkit Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:!"Accept\|3a\| "; http_header; content:" HTTP/1."; content:"\|0d 0a\|Accept-Language\|3a\| "; distance:1; within:19; content:"User-Agent\|3a\| Mozilla/4.0 \|28\|compatible\|3b\| MSIE"; fast_pattern:23,18; http_header; content:"Host\|3a\| "; distance:0; http_header; content:"\|3a\| no-cache"; distance:0; http_header; pcre:"/^\/[a-z0-9+\/=]{16,400}$/Ui"; classtype:trojan-activity; sid:2011894; rev:16;) # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby leads to exploits aaitsol1/networks.php"; flow:established,to_server; content:"GET"; http_method; content:"~aaitsol1/networks.php"; nocase; http_uri; classtype:bad-unknown; sid:2011895; rev:1;) @@ -43115,7 +43136,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Outbound"; flow:established,to_server; content:"\|29\| Havij\|0d 0a\|Connection\|3a\| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2011924; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d+/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Rogue AV Downloader concat URI"; flow:established,to_server; content:".php?id="; http_uri; content:"x="; http_uri; content:"os="; http_uri; content:"n="; http_uri; pcre:"/\.php\?id=[a-zA-Z]{15,}&?x=\d+&?os=[0-9.]+&?n=\d/U"; reference:url,malwareurl.com; classtype:trojan-activity; sid:2011925; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN X-Tag Zeus Mitmo user agent"; flow:established,to_server; content:"\|29 20\|X-Tag/"; nocase; reference:url,eternal-todo.com/blog/thoughts-facts-zeus-mitmo; classtype:trojan-activity; sid:2011926; rev:4;) @@ -43226,7 +43247,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED FAKEAV client requesting fake scanner page"; flow:established,to_server; content:"/scaner/?id="; http_uri; depth:12; classtype:bad-unknown; sid:2011962; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013090; rev:7;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A/DarkRat Checkin Outbound"; flow:to_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^\x7c?\d/R"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; reference:url,www.eff.org/deeplinks/2012/08/syrian-malware-post; reference:md5,a2f58a4215441276706f18519dae9102; classtype:trojan-activity; sid:2013090; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan downloader (AS8514)"; flow:established,to_server; content:"GET"; http_method; content:"/tube/Adobe__Flash__Player.exe"; nocase; http_uri; reference:url,www.malwareurl.com/listing.php?domain=1001jimm.ru; classtype:trojan-activity; sid:2011966; rev:1;) @@ -43469,7 +43490,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"ET SMTP Potential Exim HeaderX with run exploit attempt"; flow:established,to_server; content:"\|0d 0a\|HeaderX\|3a 20\|"; nocase; content:"run{"; distance:0; reference:url,www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html; reference:url,eclists.org/fulldisclosure/2010/Dec/221; classtype:attempted-admin; sid:2012054; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"\|d0 cf 11 e0 a1 b1 1a e1\|"; distance:0; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:6;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft OLE Compound File Magic Bytes Flowbit Set"; flow:to_client,established; file_data; content:"\|d0 cf 11 e0 a1 b1 1a e1\|"; within:8; content:!".msi"; flowbits:set,OLE.CompoundFile; flowbits:noalert; classtype:protocol-command-decode; sid:2012520; rev:7;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Microsoft Publisher Array Indexing Memory Corruption SET"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; content:"MSPublisher"; flowbits:set,ms.publisher.file; flowbits:noalert; reference:cve,2010-3995; reference:url,www.microsoft.com/technet/security/bulletin/MS10-103.mspx; classtype:attempted-user; sid:2012519; rev:4;) @@ -43604,7 +43625,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET 8899 (msg:"ET EXPLOIT Oracle Virtual Server Agent Command Injection Attempt"; flow: to_server,established; content:"POST"; http_method; content:"\|0d 0a 0d 0a 3c 3f\|xml\|20\|version"; nocase; content:"\|3c\|methodCall\|3e\|"; distance:0; content:"\|3c\|methodName\|3e\|"; distance:0; within:25; content:"\|3c\|params\|3e\|"; content:"\|3c 2f\|value\|3e\|"; distance:0; within:400; content:"\|3c\|param\| 3e\|"; distance:0; content:"\|3c\|value\|3e\|"; within:50; content:"\|3c\|string\|3e\|"; content:"\|27\|"; distance:0; within:50; content:"\|3b\|"; within:10; content:"\|3b\|"; content:"\|27\|"; distance:0; within:100; reference:url,exploit-db.com/exploits/15244/; classtype:attempted-user; sid:2012101; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"\|2e\|Image2PDF"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\sE589DA78-AD4C-4FC5-B6B9-9E47B110679E\s}?\s(.)(\s\|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Image Viewer CP Gold Image2PDF Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"E589DA78-AD4C-4FC5-B6B9-9E47B110679E"; nocase; content:"\|2e\|Image2PDF"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\sE589DA78-AD4C-4FC5-B6B9-9E47B110679E\s}?\s(.)(\s\|>)/si"; reference:url,www.exploit-db.com/exploits/15658/; classtype:attempted-user; sid:2012102; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET EXPLOIT D-Link bsc_wlan.php Security Bypass"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/bsc_wlan.php"; nocase; http_uri; content:"ACTION_POST=final&"; nocase; http_client_body; content:"&f_ssid="; nocase; http_client_body; content:"&f_authentication=7&"; nocase; http_client_body; within:135; content:"f_cipher=2&"; nocase; http_client_body; content:"f_wep_len=&f_wep_format=&f_wep_def_key=&"; nocase; http_client_body; within:40; content:"&f_wep=&f_wpa_psk_type=1&f_wpa_psk="; nocase; http_client_body; content:"&f_radius_ip1=&f_radius_port1=&f_radius_secret1="; nocase; http_client_body; within:70; reference:url,packetstormsecurity.org/files/view/96100/dlinkwlan-bypass.txt; classtype:web-application-attack; sid:2012103; rev:5;) @@ -43613,7 +43634,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (AdVantage)"; flow:established,to_server; content:"User-Agent\|3A\| AdVantage"; http_header; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012104; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdVantage Malware URL Infection Report"; flow:established,to_server; content:"cfg_ver="; http_uri; nocase; content:"hwd="; http_uri; nocase; content:"campaign="; http_uri; nocase; content:"ver="; http_uri; nocase; reference:url,www.siteadvisor.com/sites/config.poweredbyadvantage.com; classtype:trojan-activity; sid:2012105; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Hex Obfuscation of arguments.callee %u UTF-16 Encoding"; flow:established,to_client; content:"%u6172%u6775%u6d65%u6e74%u732e%u6361%u6c6c%u6565"; nocase; reference:url,cansecwest.com/slides07/csw07-nazario.pdf; reference:url,www.sophos.com/security/technical-papers/malware_with_your_mocha.html; classtype:bad-unknown; sid:2012106; rev:2;) @@ -43721,22 +43742,22 @@ #alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Malware Related Numerical .co Domain Lookup"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|co\|00\|"; fast_pattern; nocase; distance:0; pcre:"/\x00[0-9]{4,7}\x02co\x00/i"; reference:url,sign.kaffenews.com/?p=104; reference:url,www.isc.sans.org/diary.html?storyid=10165; classtype:bad-unknown; sid:2012144; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document\|2e\|getElementById\|28\|"; distance:0; content:"\|2e\|MapZone\|28\|"; distance:0; within:20; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\s73F57628-B458-11D4-9673-00A0D212FC63\s}?\s(.)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Netcraft Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"73F57628-B458-11D4-9673-00A0D212FC63"; nocase; distance:0; content:"document\|2e\|getElementById\|28\|"; distance:0; content:"\|2e\|MapZone\|28\|"; distance:0; within:20; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\s73F57628-B458-11D4-9673-00A0D212FC63\s}?\s(.)\>/si"; reference:url,www.exploit-db.com/exploits/15600; classtype:attempted-user; sid:2012145; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript\|3a\|document\|2e\|getElementById\|28 27\|"; content:"\|2e\|strategy"; distance:0; within:20; content:"javascript\|3a\|document.getElementById\|28 27\|"; distance:0; content:"\|2e\|target"; distance:0; within:20; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\sDC922B67-FF61-455E-9D79-959925B6695C\s}?\s(.)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:5;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX ImageShack Toolbar Remote Code Execution"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"DC922B67-FF61-455E-9D79-959925B6695C"; nocase; distance:0; content:"javascript\|3a\|document\|2e\|getElementById\|28 27\|"; content:"\|2e\|strategy"; distance:0; within:20; content:"javascript\|3a\|document.getElementById\|28 27\|"; distance:0; content:"\|2e\|target"; distance:0; within:20; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\sDC922B67-FF61-455E-9D79-959925B6695C\s}?\s(.)\>/si"; reference:url,www.exploit-db.com/exploits/15601; classtype:attempted-user; sid:2012146; rev:7;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; content:"\|2e\|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\s25982EAA-87CC-4747-BE09-9913CF7DD2F1\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Advanced File Vault Activex Heap Spray Attempt"; flow:established,to_client; file_data; content:"\|2e\|GetWebStoreURL"; content:"clsid"; nocase; content:"25982EAA-87CC-4747-BE09-9913CF7DD2F1"; nocase; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\s25982EAA-87CC-4747-BE09-9913CF7DD2F1\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14580/; classtype:attempted-user; sid:2012147; rev:6;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"\|2e\|Enque"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\sBECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX dBpowerAMP Audio Player 2 FileExists Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"BECB8EE1-6BBB-4A85-8DFD-099B7A60903A"; nocase; distance:0; content:"\|2e\|Enque"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\sBECB8EE1-6BBB-4A85-8DFD-099B7A60903A\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14586/; classtype:attempted-user; sid:2012148; rev:5;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"\|2e\|EnumFiles"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\s62A989CE-D39A-11D5-86F0-B9C370762176\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX FathFTP 1.8 EnumFiles Method ActiveX Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"62A989CE-D39A-11D5-86F0-B9C370762176"; nocase; distance:0; content:"\|2e\|EnumFiles"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\s62A989CE-D39A-11D5-86F0-B9C370762176\s}?(.)\>/si"; reference:url,www.exploit-db.com/exploits/14552/; classtype:attempted-user; sid:2012133; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"\|2e\|LCDWriteString"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\s69A40DA3-4D42-11D0-86B0-0000C025864A\s}?(.)\>/si"; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\sD27CDB6E-AE6D-11cf-96B8-444553540000\s}?(.)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX SigPlus Pro 3.74 ActiveX LCDWriteString Method Remote Buffer Overflow"; flow:established,to_client; file_data; content:"clsid"; nocase; content:"69A40DA3-4D42-11D0-86B0-0000C025864A"; nocase; distance:0; content:"clsid"; nocase; distance:0; content:"D27CDB6E-AE6D-11cf-96B8-444553540000"; nocase; distance:0; content:"\|2e\|LCDWriteString"; distance:0; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\|\x27]\sclsid\s\x3a\s{?\s69A40DA3-4D42-11D0-86B0-0000C025864A\s}?(.)\>/si"; pcre:"/<object\s[^>]\sclassid\s=\s[\x22\x27]\sclsid\s\x3a\s{?\sD27CDB6E-AE6D-11cf-96B8-444553540000\s}?(.)\>/si"; reference:cve,2010-2931; reference:url,www.exploit-db.com/exploits/14514/; classtype:attempted-user; sid:2012134; rev:3;) # alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET SMTP IBM Lotus Domino iCalendar Email Address Stack Buffer Overflow Attempt"; flow:to_server,established; content:"\|0d 0a\|ORGANIZER"; content:"mailto\|3a\|"; nocase; within:50; isdataat:2000,relative; content:!"\|0a\|"; within:2000; reference:url,www.exploit-db.com/exploits/15005/; reference:cve,2010-3407; classtype:attempted-user; sid:2012135; rev:3;) @@ -43805,7 +43826,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET GAMES Blizzard Web Downloader Install Detected"; flow: established,to_server; content: "User-Agent\|3a\| Blizzard Web Client"; nocase; classtype:policy-violation; sid:2012170; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 3322.org Likely Malware Related"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|3322\|03\|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:4;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.org Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|3322\|03\|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=3266; reference:url,isc.sans.edu/diary.html?storyid=5710; reference:url,google.com/safebrowsing/diagnostic?site=3322.org/; reference:url,www.mywot.com/en/scorecard/3322.org; classtype:misc-activity; sid:2012171; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE User-Agent (mrgud)"; flow:established,to_server; content:"User-Agent\|3a\| mrgud"; http_header; nocase; classtype:trojan-activity; sid:2012172; rev:3;) @@ -43841,6 +43862,9 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus media.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/media.php?"; http_uri; nocase; content:"DIR_LIBS="; http_uri; nocase; pcre:"/DIR_LIBS=\s(ftps?\|https?\|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012182; rev:3;) # +alert udp $EXTERNAL_NET any -> $HOME_NET 5060 (msg:"ET SCAN Possible Open SIP Relay scanner Fake Eyebeam User-Agent Detected"; content:"User-Agent\|3A\| eyeBeam release"; nocase; reference:url,honeynet.org.au/?q=open_sip_relay_scanner; classtype:attempted-recon; sid:2012183; rev:2;) + +# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nucleus server.php Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nucleus/xmlrpc/server.php?"; nocase; http_uri; content:"DIR_LIBS="; nocase; http_uri; pcre:"/DIR_LIBS=\s(ftps?\|https?\|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15907/; classtype:web-application-attack; sid:2012184; rev:2;) # @@ -43988,6 +44012,9 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Oracle Document Capture File Overwrite or Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"NCSECWLib.NCSRenderer"; nocase; distance:0; content:"WriteJPG"; nocase; distance:0; reference:cve,2010-3599; classtype:attempted-user; sid:2012234; rev:1;) # +##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Spam Inbound Variant 4"; flow:established,to_server; content:"Content-Disposition\|3a\| attachment\|3b\|"; nocase; content:"filename=\|22\|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip\|22\|"; nocase; within:100; classtype:trojan-activity; sid:2012235; rev:3;) + +# alert tcp $EXTERNAL_NET 900:11000 -> $HOME_NET any (msg:"ET TROJAN x0Proto Init"; flow:established,from_server; dsize:2; content:"x0"; depth:2; flowbits:noalert; flowbits:set,et.x0proto; classtype:trojan-activity; sid:2012236; rev:1;) # @@ -44030,7 +44057,7 @@ alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious Win32 User Agent"; flow:to_server,established; content:"User-Agent\|3a\| Win32"; http_header; classtype:trojan-activity; sid:2012249; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Unknown Web Backdoor Keep-Alive"; flow:established,to_server; content:"POST /bbs/info.asp "; depth:19; dsize:<170; classtype:trojan-activity; sid:2012250; rev:1;) # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Google Android Device HTTP Request"; flow:established,to_server; content:"\|3B 20\|Android\|20\|"; http_header; classtype:policy-violation; sid:2012251; rev:6;) @@ -44117,16 +44144,16 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download request"; flow:established,to_server; content:"/forum/load.php?file="; http_uri; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012281; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection activity multi-stage download confirmed success"; flow:established,to_server; content:"/load.php?file="; http_uri; content:"&luck="; http_uri; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012282; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEye Post_Express_Label infection check-in"; flow:established,to_server; content:"/inst.php?id="; http_uri; content:"&lang="; http_uri; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012283; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye Post_Express_Label ftpgrabber check-in"; flow:established,to_server; content:"grabbers.php"; http_uri; content:"&module=ftpgrabber"; http_client_body; content:!"Referer\|3a\| "; http_header; reference:url,nakedsecurity.sophos.com/2011/02/01/outbreak-post-express-service-malware-attack-spammed-out; classtype:trojan-activity; sid:2012284; rev:3;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH\|3b\|"; http_uri; content:"loc=100\|3b\|"; http_uri; content:"target=_blank\|3b\|"; http_uri; content:"grp\|3d 5b\|group\|5d 3b\|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan/Win32.CodecPack Reporting"; flow:to_server,established; content:"GET"; nocase; http_method; content:"ADTECH\|3b\|"; http_uri; content:"loc=100\|3b\|"; http_uri; content:"target=_blank\|3b\|"; http_uri; content:"grp\|3d 5b\|group\|5d 3b\|"; http_uri; content:"misc="; classtype:trojan-activity; sid:2012285; rev:3;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Automated Site Scanning for backupdata"; flow:established,to_server; content:"backupdata"; nocase; http_uri; content:"\|0d 0a\|User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; http_header; classtype:attempted-recon; sid:2012286; rev:3;) @@ -44234,7 +44261,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .rr.nu domain"; flow:established,to_server; content:".rr.nu\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2012330; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD3"; flow:established,to_server; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 1.0\|3b\| Windows NT\|3b\| CMD"; http_header; fast_pattern:36,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible TDSS User-Agent CMD"; flow:established,to_server; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 1.0\|3b\| Windows NT\|3b\| CMD"; http_header; fast_pattern:36,20; reference:url,www.kernelmode.info/forum/viewtopic.php?f=16&t=19; reference:url,www.securelist.com/en/analysis/204792180/TDL4_Top_Bot; classtype:trojan-activity; sid:2012322; rev:6;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious Advertizing URL in.cgi/antibot_hash"; flow:to_server,established; content:"/in.cgi?"; nocase; http_uri; content:"ab_iframe="; nocase; http_uri; content:"ab_badtraffic="; nocase; http_uri; content:"antibot_hash="; nocase; http_uri; content:"ur="; nocase; http_uri; content:"HTTP_REFERER="; nocase; http_uri; classtype:bad-unknown; sid:2012323; rev:2;) @@ -44243,7 +44270,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Unknown Exploit Pack URL Detected"; flow:to_server,established; content:"/imgurl"; nocase; http_uri; content:".php"; distance:0; nocase; http_uri; content:"hl="; distance:0; nocase; http_uri; classtype:bad-unknown; sid:2012324; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; content:"//\|3a\|ptth"; classtype:bad-unknown; sid:2012325; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth"; flow:from_server,established; content:"200"; http_stat_code; file_data; content:"//\|3a\|ptth"; classtype:bad-unknown; sid:2012325; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Obfuscated Javascript // ptth (escaped)"; flow:from_server,established; content:"200"; http_stat_code; content:"%2F%2F%3A%70%74%74%68"; classtype:bad-unknown; sid:2012326; rev:2;) @@ -44411,16 +44438,16 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ITechBids productid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/itechd.php?"; nocase; http_uri; content:"productid="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.substring\(/Ui"; reference:url,exploit-db.com/exploits/9497; classtype:web-application-attack; sid:2012381; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery output Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"output="; nocase; http_uri; pcre:"/output=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012382; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Coppermine Photo Gallery retva Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/include/picmgmt.inc.php?"; nocase; http_uri; content:"retva="; nocase; http_uri; pcre:"/retva=\w/Ui"; reference:url,packetstormsecurity.org/files/view/98347/cpg15x-exec.txt; classtype:web-application-attack; sid:2012383; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Purported MSIE 7 with terse HTTP Headers GET to PHP likely check-in to CnC"; flow:established,to_server; content:".php"; http_uri; nocase; content:"\|20\|HTTP/1.1\|0d 0a\|User-Agent\|3a 20\|Mozilla/4.0 (compatible\|3b 20\|MSIE 7.0\|3b 20\|Windows NT 5.1)\|0d 0a\|Host\|3a 20\|"; fast_pattern; content:"\|0d 0a\|Cache-Control\|3a 20\|no-cache\|0d 0a 0d 0a\|"; within:50; classtype:trojan-activity; sid:2012384; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Purported MSIE 7 with terse HTTP Headers GET to PHP"; flow:established,to_server; content:".php"; http_uri; nocase; content:"\|20\|HTTP/1.1\|0d 0a\|User-Agent\|3a 20\|Mozilla/4.0 (compatible\|3b 20\|MSIE 7.0\|3b 20\|Windows NT 5.1)\|0d 0a\|Host\|3a 20\|"; fast_pattern; content:"\|0d 0a\|Cache-Control\|3a 20\|no-cache\|0d 0a 0d 0a\|"; within:50; classtype:trojan-activity; sid:2012384; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent\|3a 20\|HTTP Client\|0d 0a\|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; http_method; content:".php"; nocase; http_uri; content:"User-Agent\|3a 20\|HTTP Client\|0d 0a\|"; http_header; fast_pattern; classtype:trojan-activity; sid:2012385; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent VCTestClient"; flow:to_server,established; content:"\|0d 0a\|User-Agent\|3a\| VCTestClient"; nocase; http_header; classtype:trojan-activity; sid:2012386; rev:1;) @@ -44492,7 +44519,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Potential Wordpress local file disclosure vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/options-view_log-iframe.php?wpabs=/"; nocase; http_uri; content:"%00&logfile=/"; depth:250; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2011-February/079568.html; classtype:web-application-attack; sid:2012408; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server; content:"User-Agent\|3a\| "; http_header; content:"\|3b\| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Avzhan DDoS Bot User-Agent MyIE"; flow:established,to_server;content:"User-Agent\|3a\|Mozilla"; http_header; content:"\|3b\| MyIE "; fast_pattern; http_header; within:100; reference:url,asert.arbornetworks.com/2010/09/another-family-of-ddos-bots-avzhan/; reference:url,blog.fireeye.com/research/2010/10/avzhan-botnet-the-story-of-evolution.html; classtype:trojan-activity; sid:2013258; rev:8;) # #alert tcp $HOME_NET any -> $EXTERNAL_NET 81 (msg:"ET DELETED Unknown Malware Keepalive"; flow:established,to_server; content:"keepalive"; nocase; depth:9; pcre:"/keepalive([0-9]{4}\|\x7c[0-9]{4})/i"; threshold: type limit, track by_src, count 1, seconds 60; classtype:trojan-activity; sid:2012409; rev:3;) @@ -44594,6 +44621,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Downloader.Win32.Banload Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/avisa.php?"; nocase; http_uri; content:"usuario="; nocase; http_uri; content:"pc="; nocase; http_uri; content:"serial="; nocase; http_uri; content:"versao="; nocase; http_uri; reference:url,threatexpert.com/report.aspx?md5=43b0ddf87c66418053ee055501193abf; reference:url,scumware.org/report/89.108.68.81; classtype:trojan-activity; sid:2012441; rev:3;) # +##alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET DELETED UPS Inbound bad attachment v.4"; flow:established,to_server; content:"Content-Disposition\|3a\| attachment\|3b\|"; nocase; content:"filename=\|22\|UPS_AIR_CARGO_bar-coded-lot-labels-EXAMPLE.zip\|22\| "; nocase; within:100; classtype:trojan-activity; sid:2012442; rev:2;) + +# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Inbound bad attachment v.6"; flow:established,to_server; content:"From\|3a\| \|22\|United Parcel Service\|22\|"; nocase; content:"\|40\|ups.com"; nocase; content:"Content-Disposition\|3a\| attachment\|3b\|"; nocase; content:"filename=\|22\|document.zip\|22\|"; nocase; classtype:trojan-activity; sid:2012444; rev:2;) # @@ -44681,7 +44711,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin folder.php type Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/folder.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:url,htbridge.ch/advisory/xss_in_1_flash_gallery_wordpress_plugin.html; reference:url,packetstormsecurity.org/files/view/99086/1flashgal-sqlxss.txt; classtype:web-application-attack; sid:2012476; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; fast_pattern:35,20; nocase; http_uri; content:"gall_id="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012477; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Flash Gallery wordpress plugin SQL Injection Attempt -- massedit_album.php gall_id UNION SELECT"; flow:established,to_server; content:"/wp-content/plugins/1-flash-gallery/massedit_album.php?"; nocase; http_uri; content:"gall_id="; nocase; http_uri; content:"UNION"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/UNION.+SELECT/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_1_flash_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2012478; rev:2;) @@ -44756,7 +44786,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Constructr CMS SQL Injection Attempt -- constructrXmlOutput.content.xml.php page_id ASCII"; flow:established,to_server; content:"/xmlOutput/constructrXmlOutput.content.xml.php?"; nocase; http_uri; content:"page_id="; nocase; http_uri; content:"ASCII"; nocase; http_uri; content:"SELECT"; nocase; http_uri; pcre:"/ASCII\(.+SELECT/Ui"; reference:bugtraq,46842; reference:url,packetstormsecurity.org/files/99204; reference:url,exploit-db.com/exploits/16963/; classtype:web-application-attack; sid:2012502; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"\|45 57 73 09\|"; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compressed Adobe Flash File Embedded in XLS FILE Caution - Could be Exploit"; flow:established,from_server; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"\|45 57 73 09\|"; distance:0; reference:url,blogs.adobe.com/asset/2011/03/background-on-apsa11-01-patch-schedule.html; reference:url,bugix-security.blogspot.com/2011/03/cve-2011-0609-adobe-flash-player.html; reference:bid,46860; reference:cve,2011-0609; classtype:attempted-user; sid:2012503; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excel with Embedded .emf object downloaded"; flow:established,to_client; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"\| 50 4B 03 04 \|"; content:"\|2F 6D 65 64 69 61 2F 69 6D 61 67 65 \|"; within:64; content:"\| 2E 65 6D 66 \|"; within:15; rawbytes; classtype:bad-unknown; sid:2012504; rev:6;) @@ -44768,7 +44798,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Exploit Attempt Often to Install Monkif"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/frame.php?pl=Win32"; nocase; http_uri; classtype:trojan-activity; sid:2012506; rev:5;) # -##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Monkif CnC response in fake JPEG"; flow:established,from_server; content:"JFIF\|00 01 01 01 00\|"; content:"\|7c 30 7c 30 7c 30 7c\|"; fast_pattern; classtype:trojan-activity; sid:2012507; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Monkif CnC response in fake JPEG"; flow:established,from_server; file_data; content:"\|ff d8 ff e0\|"; within:4; content:"JFIF\|00 01 01\|"; distance:2; content:"lppt>++"; fast_pattern; within:50; content:"bm\|60\|95"; distance:0; content:"\|7c\|0"; distance:0; reference:url,2009.brucon.org/material/Julia_Wolf_Brucon_final.pdf; reference:url,research.zscaler.com/2010/03/trojan-monkif-is-still-active-and.html; reference:url,blogs.mcafee.com/mcafee-labs/monkif-botnet-hides-commands-in-jpegs; classtype:trojan-activity; sid:2012507; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET POLICY Akamai NetSession Interface PUTing data"; flow:established,to_server; content:"PUT\|20\|"; depth:4; content:"user-agent\|3a\|netsession_win_"; fast_pattern; reference:url,www.akamai.com/html/misc/akamai_client/netsession_interface_faq.html; classtype:policy-violation; sid:2012508; rev:1;) @@ -44810,10 +44840,10 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DNS Query For XXX Adult Site Top Level Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|xxx\|00\|"; fast_pattern; nocase; distance:0; reference:url,mashable.com/2011/03/19/xxx-tld-porn/; reference:url,mashable.com/2010/06/24/dot-xxx-porn-domain/; classtype:policy-violation; sid:2012522; rev:1;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language\|3A\| ru"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; classtype:trojan-activity; sid:2012523; rev:3;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language\|3A\| ru"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; classtype:trojan-activity; sid:2012523; rev:4;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language\|3A\| zh-cn"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; classtype:trojan-activity; sid:2012524; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From Chinese Content-Language Website"; flow:established,to_client; content:"Content-Language\|3A\| zh-cn"; nocase; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; classtype:trojan-activity; sid:2012524; rev:3;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Download of Microsft Office File From Russian Content-Language Website"; flow:established,to_client; content:"Content-Language\|3A\| ru"; nocase; http_header; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; distance:0; classtype:trojan-activity; sid:2012525; rev:1;) @@ -45047,7 +45077,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ardeaCore PHP Framework CURRENT_BLOG_PATH Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/ardeaCore/lib/core/ardeaBlog.php?"; nocase; http_uri; content:"CURRENT_BLOG_PATH="; http_uri; nocase; pcre:"/CURRENT_BLOG_PATH=\s(ftps?\|https?\|php)\x3a\//Ui"; reference:url,exploit-db.com/exploits/15840/; reference:url,securityreason.com/wlb_show/WLB-2011010005; classtype:web-application-attack; sid:2012605; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A Checkin UA"; flow:to_server,established; content:"User-Agent\|3a\| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Backdoor.Win32.Vertexbot.A User-Agent (VERTEXNET)"; flow:to_server,established; content:"User-Agent\|3a\| VERTEXNET"; http_header; reference:url,www.symantec.com/business/security_response/writeup.jsp?docid=2011-032315-2902-99&tabid=2; classtype:trojan-activity; sid:2012740; rev:6;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Havij SQL Injection Tool User-Agent Inbound"; flow:established,to_server; content:"\|29\| Havij\|0d 0a\|Connection\|3a\| "; http_header; reference:url,itsecteam.com/en/projects/project1.htm; classtype:web-application-attack; sid:2012606; rev:2;) @@ -45059,7 +45089,7 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Java Exploit Attempt applet via file URI"; flow:established,from_server;content:"applet\|20\|"; nocase; content:"codebase"; nocase; distance:0; content:"\|3a\|C\|3a 5c\|Progra"; fast_pattern; nocase; distance:0; content:"\|5c\|java\|5c\|jre6\|5c\|lib\|5c\|ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012608; rev:6;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class\|20\|HTTP/1.1\|0d 0a\|"; fast_pattern; content:"\|20\|Java/"; http_header; content:"Host\|3a 20\|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]+/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Phoenix Java Exploit Attempt Request for .class from octal host"; flow:established,to_server; content:".class\|20\|HTTP/1.1\|0d 0a\|"; fast_pattern; content:"\|20\|Java/"; http_header; content:"Host\|3a 20\|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012609; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit io.exe download served"; flow:established,from_server; content:"\|3b 20\|filename=io.exe\|0d 0a\|"; fast_pattern; classtype:trojan-activity; sid:2012610; rev:1;) @@ -45113,7 +45143,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV Check-in purporting to be MSIE with invalid terse HTTP headers"; flow:established,to_server; content:"HTTP/1.1\|0d 0a\|Accept\|3a 20\|/\|0d 0a\|Content-Type\|3a 20\|application/x-www-form-urlencoded\|0d 0a\|Host\|3a 20\|"; content:"\|0d 0a\|User-Agent\|3a 20\|Mozilla/4.0\|20\|(compatible\|3b 20\|MSIE\|20\|"; distance:0; content:")\|0d 0a\|Content-Length"; distance:0; content:"\|0d 0a 0d 0a\|data="; fast_pattern; classtype:trojan-activity; sid:2012627; rev:1;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id\|20\|HTTP/1.1\|0d 0a\|"; fast_pattern; content:"\|20\|Java/"; http_header; content:"Host\|3a 20\|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]+/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:3;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Java Exploit Attempt Request for .id from octal host"; flow:established,to_server; content:".id\|20\|HTTP/1.1\|0d 0a\|"; fast_pattern; content:"\|20\|Java/"; http_header; content:"Host\|3a 20\|"; pcre:"/Host\x3a \d{4,}[^A-Za-z\.]/D"; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012628; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Unknown Trojan User-Agent IE6 on Windows XP"; flow:established,to_server; content:"User-Agent\|3a\| IE6 on Windows XP"; fast_pattern:12,10; http_header; classtype:trojan-activity; sid:2012629; rev:3;) @@ -45182,7 +45212,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Malware Related Numerical .cn Domain"; flow:established,to_server; content:"Host\|3a\| "; http_header; content:".cn\|0d 0a\|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z][0-9]{4,30}\x2Ecn\x0D\x0A/Hi"; classtype:misc-activity; sid:2012650; rev:7;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host\|3a\| "; http_header; content:".ru\|0d 0a\|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z][0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE All Numerical .ru Domain HTTP Request Likely Malware Related"; flow:established,to_server; content:"Host\|3a\| "; http_header; content:".ru\|0d 0a\|"; within:25; http_header; fast_pattern; pcre:"/Host\x3A\x20[^a-z]?[0-9]{2,30}\x2Eru\x0d\x0a/Hi"; classtype:misc-activity; sid:2012649; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andy PHP Knowledgebase SQL Injection Attempt pdfgen.php pdfa SELECT"; flow:established,to_server; content:"/plugins/pdfClasses/pdfgen.php?"; nocase; http_uri; content:"pdfa="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,exploit-db.com/exploits/17061/; reference:url,vupen.com/english/advisories/2011/0823; classtype:web-application-attack; sid:2012672; rev:3;) @@ -45227,7 +45257,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012654; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; classtype:trojan-activity; sid:2012684; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Office File With Embedded Executable"; flow:established,to_client; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"MZ"; distance:0; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; classtype:trojan-activity; sid:2012684; rev:5;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-Nuke Surveys pollID parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/modules/Surveys/modules.php?"; nocase; http_uri; content:"name=Surveys"; nocase; http_uri; content:"op="; nocase; http_uri; content:"pollID="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/view/100119/phpnukesurveys-sql.txt; classtype:web-application-attack; sid:2012655; rev:2;) @@ -45296,7 +45326,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host visiting Showmyipaddress.com - Possible Trojan"; flow:established,to_server; content:"Host\|3a\| www.showmyipaddress.com"; nocase; http_header; classtype:policy-violation; sid:2012691; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to infected request"; flow:established,from_server; file_data; content:"<p>Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:6;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Microsoft user-agent automated process response to automated request"; flow:established,from_server; file_data; content:"<p>Your current User-Agent string appears to be from an automated process,"; distance:0; classtype:trojan-activity; sid:2012692; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE overtls.com adware request"; flow:to_server,established; content:"/sidebar.asp?bn=0&qy="; http_uri; content:"EmbeddedWB"; http_header; classtype:trojan-activity; sid:2012693; rev:2;) @@ -45383,7 +45413,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS I-Escorts Directory country_id parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/country_escorts.php?"; nocase; http_uri; content:"country_id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,exploit-db.com/exploits/10809; classtype:web-application-attack; sid:2012719; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simploo CMS x parameter Remote PHP Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/config/custom/base.ini.php?"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x=\w/Ui"; reference:url,exploit-db.com/exploits/16016; classtype:web-application-attack; sid:2012720; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS LightNEasy File Manager language Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/filemanager/get_file.php?"; nocase; http_uri; content:"language="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/39517; classtype:web-application-attack; sid:2012721; rev:2;) @@ -45434,13 +45464,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .cw.cm domain"; flow:established,to_server; content:".cw.cm\|0d 0a\|"; http_header; classtype:bad-unknown; sid:2012737; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS Lookup of Chinese Dynamic DNS Provider 8866.org Likely Malware Related"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|8866\|03\|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:4;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .8866.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|8866\|03\|org"; fast_pattern; distance:0; nocase; reference:url,isc.sans.edu/diary.html?storyid=6739; reference:url,google.com/safebrowsing/diagnostic?site=8866.org/; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2012738; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WORM Rimecud Worm checkin"; flow:established,to_server; content:"GET"; http_method; content:"User-Agent\|3a\| Mozilla/3.0 (compatible\|3b\| Indy Library)"; http_header; content:"/taskx.txt"; http_uri; fast_pattern; reference:url,www.threatexpert.com/report.aspx?md5=9623efa133415d19c941ef92a4f921fc; classtype:trojan-activity; sid:2012739; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent\|3a\| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Vertex Trojan UA (VERTEXNET)"; flow:to_server,established; content:"User-Agent\|3a\| VERTEXNET"; http_header; classtype:trojan-activity; sid:2012752; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Gesytec ElonFmt ActiveX Component GetItem1 member Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"<OBJECT"; nocase; distance:0; content:"classid"; nocase; distance:0; content:"CLSID"; nocase; distance:0; content:"824C4DC5-8DA4-11D6-A01F-00E098177CDC"; nocase; distance:0; content:".GetItem1"; nocase; pcre:"/<OBJECT\s+[^>]classid\s=\s[\x22\x27]?\sclsid\s\x3a\s\x7B?\s824C4DC5-8DA4-11D6-A01F-00E098177CDC/si"; reference:url,exploit-db.com/exploits/17196; classtype:web-application-attack; sid:2012741; rev:2;) @@ -45482,7 +45512,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:"UNION ALL SELECT NULL, NULL, NULL, NULL"; http_uri; content:"-- AND"; http_uri; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012754; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9[{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:1;) +#alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Possible SQLMAP Scan"; flow:established,to_server; content:" AND "; http_uri; content:"AND ("; http_uri; pcre:"/\x20AND\x20[0-9]{6}\x3D[0-9]{4}/U"; detection_filter:track by_dst, count 4, seconds 20; reference:url,sqlmap.sourceforge.net; reference:url,www.darknet.org.uk/2011/04/sqlmap-0-9-released-automatic-blind-sql-injection-tool/; classtype:attempted-recon; sid:2012755; rev:3;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Windows Help and Support Center XSS Attempt"; flow:established,to_client; content:"hcp\|3A\|//"; fast_pattern; nocase; content:"script"; nocase; distance:0; content:"defer"; nocase; reference:cve,2010-1885; classtype:attempted-user; sid:2012756; rev:1;) @@ -45491,7 +45521,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS suspicious user agent string (CholTBAgent)"; flow:to_server,established; content:"User-Agent\|3a 20\|CholTBAgent"; http_header; detection_filter:track by_dst, count 4, seconds 20; classtype:trojan-activity; sid:2012757; rev:4;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET POLICY DYNAMIC_DNS .dyndns.org DNS Lookup - Possible Malware"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|dyndns\|03\|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to .dyndns. Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|dyndns\|03\|"; fast_pattern; distance:0; nocase; classtype:misc-activity; sid:2012758; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Cisco Unified Communications Manager xmldirectorylist.jsp SQL Injection Attempt"; flow:established,to_server; content:"/ccmcip/xmldirectorylist.jsp?f=vsr\|27 7C 7C\|"; nocase; http_uri; pcre:"/f\x3Dvsr\x27\x7C\x7C.+(or\|and\|select\|delete\|union\|delete\|update\|insert)/Ui"; reference:url,www.cisco.com/en/US/products/products_security_advisory09186a0080b79904.shtml; reference:bid,47607; reference:cve,2011-1609; classtype:web-application-attack; sid:2012760; rev:2;) @@ -45617,7 +45647,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Spoofed MSIE 8 User-Agent Likely Ponmocup"; flow:established,to_server; content:"User-Agent\|3a 20\|Mozilla/5.0 (Windows\|3b\| U\|3b\| MSIE 8.0\|3b\| Windows NT 6.0\|3b\| en-US)\|0d 0a\|"; http_header; fast_pattern:20,20; reference:url,malwaresurvival.net/2011/04/21/media-site-pimping-malware/; reference:url,community.websense.com/forums/p/10728/23862.aspx; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?ThreatID=146443; classtype:trojan-activity; sid:2012802; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; content:"Mozilla/5.0 (Windows\|3b\| U\|3b\| Windows NT 5.1\|3b\| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf Alms backdoor checkin"; flow:to_server,established; content:"/getnewv.php?keyword=google&id="; http_uri; fast_pattern; content:"Mozilla/5.0 (Windows\|3b\| U\|3b\| Windows NT 5.1\|3b\| en-US)"; http_header; classtype:trojan-activity; sid:2012803; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE Possible Windows executable sent ASCII-hex-encoded"; flow:established,from_server; content:"ascii"; http_header; nocase; file_data; content:"4d5a"; within:4; nocase; reference:url,www.xanalysis.blogspot.com/2008/11/cve-2008-2992-adobe-pdf-exploitation.html; reference:url,www.threatexpert.com/report.aspx?md5=513077916da4e86827a6000b40db95d5; classtype:trojan-activity; sid:2012804; rev:3;) @@ -45653,7 +45683,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Adobe Audition Session File Handling Memory Corruption Attempt"; flow:established,to_client; flowbits:isset,ET_Assassin.ses; content:"\|43 4F 4F 4C 4E 45 53 53 50 F2 08 00\|"; fast_pattern:only; reference:url,exploit-db.com/exploits/17278/; reference:url,securitytracker.com/id/1025530; classtype:attempted-user; sid:2012814; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN EXE Using Suspicious IAT ZwUnmapViewOfSection Possible Malware Process Hollowing"; flow:established,to_client; file_data; content:"MZ"; distance:0; isdataat:76,relative; content:"This program cannot be run in DOS mode."; distance:0; content:"ZwUnmapViewOfSection"; fast_pattern; nocase; distance:0; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012816; rev:4;) # ##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Using Suspicious IAT NtUnmapViewOfSection Possible Malware Process Hollowing"; flowbits:isset,ET.http.binary; flow:established,to_client; content:"NtUnmapViewOfSection"; nocase; fast_pattern:only; reference:url,blog.spiderlabs.com/2011/05/analyzing-malware-hollow-processes.html; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; classtype:bad-unknown; sid:2012817; rev:3;) @@ -45692,7 +45722,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .vv.cc domain"; flow:to_server,established; content:".vv.cc\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2012827; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Zeus POST Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; classtype:trojan-activity; sid:2013934; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin"; flow:to_server,established; content:"CRYPTED0"; depth:8; nocase; http_client_body; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2013934; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Rimecud download"; flow:established,to_server; content:"/peca"; nocase; http_uri; content:".exe"; nocase; http_uri; content:"User-Agent\|3a 20\|SKOLOVANI"; nocase; http_header; pcre:"/\x2fpeca\d+\x2eexe/Ui"; reference:url,www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan%3aWin32/Rimecud.A; classtype:trojan-activity; sid:2012828; rev:2;) @@ -45719,13 +45749,13 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS f-fileman direkt Parameter Directory Traversal Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/ffileman.cgi?"; nocase; http_uri; content:"direkt="; nocase; http_uri; content:"../"; depth:200; reference:url,packetstormsecurity.org/files/view/101212/ffileman-traversal.txt; classtype:web-application-attack; sid:2012835; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Slooze Web Photo Album file Parameter Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/src/slooz.php?"; nocase; http_uri; content:"file="; nocase; http_uri; pcre:"/file=\w/Ui"; reference:url,1337day.com/exploits/12148; classtype:web-application-attack; sid:2012836; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_mgm Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/components/com_mgm/help.mgm.php?"; nocase; http_uri; content:"mosConfig_absolute_path="; nocase; http_uri; pcre:"/mosConfig_absolute_path=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/94593/joomlamgm-rfi.txt; reference:url,securityreason.com/wlb_show/WLB-2010100045; classtype:web-application-attack; sid:2012837; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type=\w/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Is-human type Parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/plugins/is-human/engine.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type=\w/Ui"; reference:url,exploit-db.com/exploits/17299; classtype:web-application-attack; sid:2012838; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 27889 (msg:"ET TROJAN Trojan-Downloader.Win32.Small Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"\|2e\|ashx\|3f\|m\|3d\|"; content:"\|2d\|"; distance:2; within:1; content:"\|26\|mid\|3d\|"; distance:0; content:"\|26\|tid\|3d\|"; distance:0; content:"\|26\|d\|3d\|"; distance:0; content:"\|26\|uid\|3d\|"; distance:0; content:"\|26\|t\|3d\|"; distance:0; reference:url,threatexpert.com/report.aspx?md5=48432bdd116dccb684c8cef84579b963; classtype:trojan-activity; sid:2012839; rev:3;) @@ -45788,7 +45818,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a Worm Sending Data to Server"; flow:established,to_server; content:"/cot?ID="; http_uri; content:"&DLType="; http_uri; content:"&SD="; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012859; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent\|3A\| SimpleClient "; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012860; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent SimpleClient 1.0"; flow:established,to_server; content:"User-Agent\|3A\| SimpleClient "; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:bad-unknown; sid:2012860; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE SymbOS.Sagasi.a User Agent LARK/1.3.0"; flow:established,to_server; content:"User-Agent\|3A\| LARK/"; http_header; reference:url,www.fortiguard.com/encyclopedia/virus/symbos_sagasi.a!tr.html; classtype:trojan-activity; sid:2012861; rev:3;) @@ -45854,7 +45884,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Poison.AU checkin"; flow:established,to_server; content:"\|4D 53 47 20 35 20 4E 20 31 33 30 0D 0A 4D 49 4d 45 2d 56 65 72 73 69 6f 6e 3a 20 31 2e 30 0d 0a\|"; depth:32; fast_pattern; content:"\|f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6 f6\|"; reference:url,www.threatexpert.com/report.aspx?md5=4b8adc7612e984d12b77f197c59827a2; classtype:trojan-activity; sid:2012882; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:4;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED MALVERTISING Malicious Advertizing URL in.cgi"; flow:to_server,established; content:"/in.cgi?"; http_uri; classtype:bad-unknown; sid:2012883; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Attempt applet via file URI param"; flow:established,from_server; content:"applet"; nocase; content:"file\|3a\|C\|3a 5c\|Progra"; fast_pattern; nocase; distance:0; content:"java"; nocase; distance:0; content:"jre6"; nocase; distance:0; content:"lib"; nocase; distance:0; content:"ext"; nocase; distance:0; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2012884; rev:2;) @@ -45911,7 +45941,7 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious .noc.su domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|noc\|02\|su"; fast_pattern:only; classtype:bad-unknown; sid:2012901; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious .be.ma domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|be\|02\|ma"; fast_pattern:only; classtype:bad-unknown; sid:2012902; rev:1;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious .be.ma domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|be\|02\|ma"; fast_pattern; distance:0; classtype:bad-unknown; sid:2012902; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS DNS Query for a Suspicious .qc.cx domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|qc\|02\|cx"; fast_pattern:only; classtype:bad-unknown; sid:2012903; rev:1;) @@ -45983,10 +46013,10 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Javascript Split String Unicode Heap Spray Attempt"; flow:established,to_client; content:"\|22\|u\|22 20\|+\|20 22\|0\|22 20\|+\|20 22\|"; content:"\|22 20\|+\|20 22\|"; distance:1; within:5; pcre:"/\x220\x22\x20\x2B\x20\x22[a-d]\x22\x20\x2B\x20\x22/smi"; classtype:shellcode-detect; sid:2012925; rev:1;) # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a .dyndns-.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home\|at-work\|blog\|free\|home\|ip\|mail\|office\|pics\|remote\|server\|web\|wiki\|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:5;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a .dyndns-.com domain"; flow:established,to_server; content:".dyndns-"; http_header; nocase; pcre:"/\.dyndns-(?=(at-home\|at-work\|blog\|free\|home\|ip\|mail\|office\|pics\|remote\|server\|web\|wiki\|work))\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2012928; rev:7;) # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a .dyndns.* domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz\|info\|org\|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DYNAMIC_DNS HTTP Request to a .dyndns. domain"; flow:established,to_server; content:".dyndns."; http_header; nocase; pcre:"/\.dyndns\.(?=(biz\|info\|org\|tv))\x0d\x0a/iH"; classtype:bad-unknown; sid:2012927; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Cisco AnyConnect VPN Secure Mobility Client Arbitrary Program Execution Attempt"; flow:established,to_client; file_data; content:"55963676-2F5E-4BAF-AC28-CF26AA587566"; nocase; distance:0; content:"url"; nocase; distance:0; pcre:"/<OBJECT\s+[^>]classid\s=\s[\x22\x27]?\sclsid\s\x3a\s\x7B?\s55963676-2F5E-4BAF-AC28-CF26AA587566/si"; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=909; reference:bid,48081; reference:cve,2011-2039; reference:cve,2011-2040; classtype:attempted-user; sid:2012929; rev:1;) @@ -46043,7 +46073,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress inline-gallery do parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/plugins/inline-gallery/browser/browser.php?"; nocase; http_uri; content:"do="; nocase; http_uri; pcre:"/do\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:bugtraq,46781; classtype:web-application-attack; sid:2012946; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WebC.be Fichier_a_telecharger Parameter Local File Disclosure Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/telecharger.php?"; nocase; http_uri; content:"Fichier_a_telecharger="; nocase; http_uri; pcre:"/Fichier_a_telecharger=\w/Ui"; reference:url,1337day.com/exploits/16237; classtype:web-application-attack; sid:2012947; rev:2;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jmsfileseller view Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"view="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/17338; classtype:web-application-attack; sid:2012948; rev:1;) @@ -46085,7 +46115,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MacShield User-Agent Likely Malware"; flow:established,to_server; content:"User-Agent\|3a 20\|MacShield"; http_header; reference:url,blog.spiderlabs.com/2011/06/analysis-and-evolution-of-macdefender-os-x-fake-av-scareware.html; classtype:trojan-activity; sid:2012959; rev:2;) # -alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:"1.rar"; http_uri; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:5;) +alert tcp $HOME_NET 1024: -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Request"; flow:to_server,established; content:".rar HTTP/1."; pcre:"/\x2f\d+?\x2erar$/U"; flowbits:set,et.trojan.valkik.kku; flowbits:noalert; reference:url,threatexpert.com/report.aspx?md5=47a6dd02ee197f82b28cee0ab2b9bd35; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012960; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET 1024: (msg:"ET TROJAN Trojan.Vaklik.kku Checkin Response"; flow:from_server,established; flowbits:isset,et.trojan.valkik.kku; content:"Content-Length\|3a 20\|88\|0d 0a\|"; nocase; content:"\|0d 0a 0d 0a\|"; distance:0; content:"\|48 00 00 00\|"; distance:4; within:4; flowbits:unset,et.trojan.valkik.kku; reference:url,threatexpert.com/report.aspx?md5=81d8a235cb5f7345b5796483abe8145f; reference:url,www.threatexpert.com/report.aspx?md5=9688d1d37a7ced200c53ec2b9332a0ad; classtype:trojan-activity; sid:2012961; rev:2;) @@ -46184,10 +46214,10 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS People Joomla Component controller Parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_people"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"../"; depth:200; reference:url,exploit-db.com/exploits/16001; classtype:web-application-attack; sid:2012995; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AWStats Totals sort parameter Remote Code Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/awstatstotals.php?"; nocase; http_uri; content:"sort="; nocase; http_uri; pcre:"/sort=\w/Ui"; reference:url,packetstormsecurity.org/files/view/101698/awstatstotals_multisort.rb.txt; classtype:web-application-attack; sid:2012996; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"\|0d 0a\|Referer\|3a\|"; pcre:"/\/info.php\?n=\d+/U"; classtype:trojan-activity; sid:2013010; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious info.php drive-by landing"; flow:established,to_server; content:"/info.php?n="; http_uri; fast_pattern:only; content:!"&"; http_uri; content:!"\|0d 0a\|Referer\|3a\|"; pcre:"/\/info.php\?n=\d/U"; classtype:trojan-activity; sid:2013010; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malicious PHP 302 redirect response with avtor URI and cookie"; flow:established,from_server; content:"302"; http_stat_code; content:".php?avtor="; http_header; fast_pattern:only; content:"Set-Cookie\|3a\| "; http_header; content:"avtor="; http_header; within:40; classtype:trojan-activity; sid:2013011; rev:2;) @@ -46286,7 +46316,7 @@ ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Java User Agent"; flow:established,to_server; content:"User-Agent\|3a\| Java/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013029; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libww-perl User-Agent"; flow:established,to_server; content:"User-Agent\|3a\| libww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY libwww-perl User-Agent"; flow:established,to_server; content:"User-Agent\|3a\| libwww-perl/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013030; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Python-urllib/ Suspicious User Agent"; flow:established,to_server; content:"User-Agent\|3a\| Python-urllib/"; nocase; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013031; rev:1;) @@ -46307,7 +46337,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; file_data; content:"MZ"; within:2; content:"\|00 00\|"; distance:0; content:"PE\|00\|"; distance:0; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013036; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Java EXE Download"; flowbits:isset,ET.http.javaclient; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2013037; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Shipping Invoice Request to JPG.exe Executable"; flow:established,to_server; content:"/invoice"; nocase; http_uri; content:".JPG.exe"; nocase; fast_pattern; classtype:trojan-activity; sid:2013048; rev:4;) @@ -46415,13 +46445,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Meredrop Checkin"; flow:established, to_server; content:"POST"; nocase; http_method; content:"praquem="; http_client_body; content:"&titulo="; http_client_body; reference:url,www.virustotal.com/file-scan/report.html?id=14c8e9f054d6f7ff4d59b71b65933d73027fe39a2a62729257712170e36f32c5-1308250070; classtype:trojan-activity; sid:2013073; rev:3;) # -alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; dsize:>300; content:!"youtube\|03\|com\|00\|"; content:!"sophosxl\|03\|net\|00\|"; content:!"\|0a\|hashserver\|02\|cs\|0a\|trendmicro\|03\|com\|00\|"; classtype:bad-unknown; sid:2013075; rev:5;) +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Large DNS Query possible covert channel"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; fast_pattern; depth:10; offset:2; dsize:>300; content:!"youtube\|03\|com\|00\|"; content:!"sophosxl\|03\|net\|00\|"; content:!"\|0a\|hashserver\|02\|cs\|0a\|trendmicro\|03\|com\|00\|"; content:!"spamhaus\|03\|org\|00\|"; classtype:bad-unknown; sid:2013075; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity"; flow:established,to_server; content:"GET"; nocase; http_method; content:" HTTP/1."; content:"\|0d 0a\|Accept\|3a\| /\|0d 0a\|Connection\|3a\| Close\|0d 0a\|User-Agent\|3a\| "; distance:1; within:46; content:"\|0d 0a\|Host\|3a\| "; distance:0; content:!"\|0d 0a\|Referer\|3a\| "; nocase; content:"/webhp"; http_uri; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013076; rev:6;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; pcre:"/hcp_asx\.php\?f=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP overflow Media Player lt 10"; flow:established,to_server; content:"/hcp_asx.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013077; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.YzhcSms CnC Keepalive Message"; flow:established,to_server; content:"/android/android.dbug.php?action=heart"; http_uri; reference:url,www.fortiguard.com/encyclopedia/virus/android_yzhcsms.a!tr.html; classtype:trojan-activity; sid:2013078; rev:1;) @@ -46460,7 +46490,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS impressCMS dhtmltextarea root_path Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/editors/dhtmltextarea/editor_registry.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,1337day.com/exploits/16001; classtype:web-application-attack; sid:2013089; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d+/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:4;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Checkin Inbound"; flow:from_server,established; content:"KEEPALIVE"; depth:9; pcre:"/^KEEPALIVE\x7c?\d/"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,www.contextis.com/research/blog/darkcometrat/; classtype:trojan-activity; sid:2013091; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN VBKrypt.cmtp Login to Server"; flow:to_server,established; content:"USER\|20\|lodosxxx"; reference:url,vil.nai.com/vil/content/v_377875.htm; classtype:trojan-activity; sid:2013092; rev:4;) @@ -46475,10 +46505,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios Expand Parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/nagios/cgi-bin/config.cgi"; nocase; http_uri; content:"type=command&expand="; fast_pattern; http_uri; nocase; pcre:"/expand\x3D.+(script\|alert\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange)/Ui"; reference:bid,48087; reference:cve,2011-2179; classtype:web-application-attack; sid:2013095; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .dyndns-.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home\|at-work\|blog\|free\|home\|ip\|mail\|office\|pics\|remote\|server\|web\|wiki\|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .dyndns-.com domain"; flow:established,to_server; content:".dyndns-"; http_header; pcre:"/\.dyndns-(at-home\|at-work\|blog\|free\|home\|ip\|mail\|office\|pics\|remote\|server\|web\|wiki\|work)\.com\x0d\x0a/iH"; classtype:bad-unknown; sid:2013096; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .dyndns. domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz\|info\|org\|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .dyndns. domain"; flow:established,to_server; content:".dyndns."; fast_pattern; http_header; content:!" checkip.dyndns."; http_header; pcre:"/Host\x3a [^\n]+\.dyndns\.(biz\|info\|org\|tv)\x0d\x0a/iH"; classtype:bad-unknown; sid:2013097; rev:5;) # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Driveby Exploit Kit Browser Progress Checkin - Binary Likely Previously Downloaded"; flow:established,to_server; content:"/?"; http_uri; content:!" Java/"; http_header; pcre:"/\/\?[a-f0-9]{64}\;\d\;\d/U"; classtype:trojan-activity; sid:2013098; rev:2;) @@ -46646,10 +46676,10 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Acrobat Reader FlateDecode Stream Predictor Exploit Attempt"; flow:established,to_client; content:"Colors 1073741838"; fast_pattern:only; pcre:"/<<[^>]\x2FPredictor[^>]\x2FColors\x201073741838/smi"; reference:url,www.fortiguard.com/analysis/pdfanalysis.html; reference:bid,36600; reference:cve,2009-3459; classtype:attempted-user; sid:2013153; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SpyEye POSTing data"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept\|3a\| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Gbod.dv Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"Opera/"; http_header; content:"Presto/"; http_header; content:!"Accept\|3a\| "; http_header; content:"a="; http_client_body; content:"&b="; http_client_body; content:"&c="; http_client_body; classtype:trojan-activity; sid:2013154; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"SELECT"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/SELECT.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter SELECT FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; fast_pattern:19,20; content:"pid="; distance:0; nocase; http_uri; content:"SELECT"; nocase; http_uri; distance:0; content:"FROM"; nocase; http_uri; distance:0; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013155; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress plugin Flash Album Gallery pid Parameter DELETE FROM SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/flash-album-gallery/lib/hitcounter.php?"; nocase; http_uri; content:"pid="; nocase; http_uri; content:"DELETE"; nocase; http_uri; content:"FROM"; nocase; http_uri; pcre:"/DELETE.+FROM/Ui"; reference:url,htbridge.ch/advisory/sql_injection_in_grand_flash_album_gallery_wordpress_plugin.html; classtype:web-application-attack; sid:2013156; rev:1;) @@ -46709,7 +46739,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Atomic_Email_Hunter User-Agent Outbound"; flow:established,to_server; content:"User-Agent\|3a\| Atomic_Email_Hunter/"; fast_pattern:12,20; http_header; reference:url,www.useragentstring.com/pages/useragentstring.php; classtype:attempted-recon; sid:2013174; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d+/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:2013175; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely EgyPack Exploit kit landing page (EGYPACK_CRYPT)"; flow:established,from_server; content:"EGYPACK_CRYPT"; pcre:"/EGYPACK_CRYPT\d/"; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; classtype:trojan-activity; sid:2013175; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN EgyPack Exploit Kit Post-Infection Request"; flow:established,to_server; content:"User-Agent\|3a\| Egypack"; nocase; http_header; flowbits:set,et.exploitkitlanding; reference:url,www.kahusecurity.com/2011/new-exploit-kit-egypack/; reference:url,www.vbulletin.com/forum/showthread.php/338741-vBulletin-Footer-SQL-Injection-Hack; classtype:trojan-activity; sid:2013176; rev:4;) @@ -46733,7 +46763,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sidetab or Related Trojan Checkin"; flow:established,to_server; content:"/install.asp?"; http_uri; content:"version="; http_uri; content:"&id="; http_uri; content:"&mac="; http_uri; content:".co.kr\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2013182; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=\|5C 22\|http\|3A\|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Facebook Iframe Phishing Attempt"; flow:established,to_client; content:"FB.IframeUtil.CanvasUtil"; nocase; content:"iframe_canvas"; nocase; distance:0; content:"action=\|5C 22\|http\|3A\|"; nocase; distance:0; content:"canvas_iframe_post"; nocase; distance:0; content:"onsubmit="; nocase; distance:0; reference:url,www.f-secure.com/weblog/archives/00002196.html; classtype:bad-unknown; sid:2013183; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Banker.Win32.Agent Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"User-Agent\|3A\| Mozilla/4.0 (compatible\|3B\| ICS)"; fast_pattern:20,20; http_header; content:"para="; http_client_body; depth:5; content:"&subject="; http_client_body; content:"&dados="; http_client_body; reference:url,www.sunbeltsecurity.com/partnerresources/cwsandbox/md5.aspx?id=1bcc87209703cf73c80f9772935e47b0; reference:url,www.threatexpert.com/report.aspx?md5=c8b3d2bc407b0260b40b7f97e504faa5; classtype:trojan-activity; sid:2013185; rev:5;) @@ -46817,7 +46847,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Meciv Checkin"; flow:established,to_server; content:"/trandocs/netstat"; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-070516-5325-99&tabid=2; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2013212; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DYNAMIC_DNS HTTP Connection to 3322.org Possible Malware Related"; flow:established,to_server; content:"Host\|3a\| "; http_header; content:".3322.org\|0D 0A\|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .3322.org"; flow:established,to_server; content:"Host\|3a\| "; http_header; content:".3322.org\|0D 0A\|"; within:50; http_header; classtype:misc-activity; sid:2013213; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN GhOst Remote Access Trojan Encrypted Session To CnC Server"; flow:established,to_server; content:"GhOst"; depth:5; reference:url,www.scribd.com/doc/13731776/Tracking-GhostNet-Investigating-a-Cyber-Espionage-Network; reference:url,www.symantec.com/connect/blogs/inside-back-door-attack; classtype:trojan-activity; sid:2013214; rev:1;) @@ -46832,16 +46862,16 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Specfix Checkin"; flow:established,to_server; content:"/AWS"; http_uri; content:".jsp?"; http_uri; content:"x-bigfix-client-string\|3A\|"; http_header; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062203-3150-99&tabid=2; classtype:trojan-activity; sid:2013218; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Android.Ggtracker Ggtrack.org Checkin"; flow:established,to_server; content:"device_id="; nocase; http_uri; content:"adv_sub="; nocase; http_uri; reference:url,us.norton.com/security_response/writeup.jsp?docid=2011-062208-5013-99&tabid=2; classtype:trojan-activity; sid:2013219; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DYNAMIC_DNS HTTP Connection to 8866.org Possible Malware Related"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .8866.org"; flow:established,to_server; content:"8866.org"; nocase; http_header; fast_pattern:only; pcre:"/Host\x3A[^\r\n]\x2E8866.org/Hi"; reference:url,www.mywot.com/en/scorecard/8866.org; classtype:misc-activity; sid:2013220; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Sefnit Initial Checkin"; flow:established,to_server; content:"/version.php?ver="; http_uri; content:"&app="; http_uri; content:"User-Agent\|3A\| NSISDL"; http_header; classtype:trojan-activity; sid:2013221; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; content:"Heap\|2E\|"; nocase; content:"Heap\|2E\|"; nocase; distance:0; content:"Heap\|2E\|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt"; flow:established,to_client; file_data; content:"Heap\|2E\|"; nocase; distance:0; content:"Heap\|2E\|"; nocase; distance:0; content:"Heap\|2E\|"; nocase; distance:0; classtype:shellcode-detect; sid:2013222; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious User-Agent Containing .exe"; flow:to_server,established; content:"User-Agent\|3a\|"; http_header; content:".exe\|0d 0a\|"; fast_pattern; http_header; within:50; pcre:"/User-Agent\x3a[^\n]+\.exe/iH"; content:!"\|5C\|Citrix\|5C\|ICA Client\|5C\|"; nocase; http_header; content:!"vsee.exe\|0d 0a\|"; nocase; http_header; classtype:trojan-activity; sid:2013224; rev:5;) @@ -46877,7 +46907,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ActivDesk cid Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/kbcat.cgi?"; nocase; http_uri; content:"cid="; nocase; http_uri; content:"or"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/or.substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/102537/activdesk-sqlxss.txt; classtype:web-application-attack; sid:2013234; rev:1;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Palevo (OUTBOUND)"; dsize:21; content:"\|18\|"; depth:1; content:"\|80 00 00\|"; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:1;) +#alert udp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Palevo (OUTBOUND)"; dsize:21; content:"\|18\|"; depth:1; content:"\|80 00 00\|"; reference:url,threatexpert.com/report.aspx?md5=5f1296995c7ccba13c0c0655baf03a3a; classtype:trojan-activity; sid:2013236; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript Often Used in Drivebys"; flow:established,from_server; content:"Content-Type\|3a 20\|text/html"; content:"\|0d 0a\|<html><body><div\|20\|"; fast_pattern; within:500; pcre:"/\x7b?(visibility\x3ahidden\|display\x3anone)\x3b?\x7d?\x22><div>\d{16}/R"; classtype:trojan-activity; sid:2013237; rev:6;) @@ -46913,7 +46943,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a .uni.cc domain"; flow:to_server,established; content:".uni.cc\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013248; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN Vega Web Application Scan"; flow:established,to_server; content:"Vega/"; http_header; pcre:"/User-Agent\x3A[^\r\n]+Vega\x2F/H"; detection_filter:track by_src, count 5, seconds 40; reference:url,www.subgraph.com/products.html; reference:url,www.darknet.org.uk/2011/07/vega-open-source-cross-platform-web-application-security-assessment-platform/; classtype:attempted-recon; sid:2013249; rev:2;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Word RTF pFragments Stack Buffer Overflow Attempt"; flow:established,to_client; file_data; content:"\|D0 CF 11 E0 A1 B1 1A E1\|"; within:8; content:"\|5C\|sp"; nocase; content:"\|5C\|sn"; nocase; within:80; content:"pFragments"; nocase; within:80; content:"\|5C\|sv"; nocase; within:80; isdataat:100,relative; content:!"\|0A\|"; distance:1; within:100; reference:url,labs.m86security.com/2011/07/resurrection-of-cve-2010-3333-in-the-wild/; reference:bid,44652; reference:cve,2010-3333; classtype:attempted-user; sid:2013250; rev:2;) @@ -46925,7 +46955,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer Time Element Uninitialized Memory Remote Code Execution Attempt"; flow:established,to_client; content:"\|2e\|location\|2e\|reload\|28 29\|"; content:"implementation=\|22 23\|default\|23\|time"; nocase; content:"contenteditable=\|22\|true\|22\|"; nocase; distance:0; reference:url,labs.m86security.com/2011/06/0-day-exploit-used-in-a-targeted-attack-cve-2011-1255/; reference:bid,48206; reference:cve,2011-1255; classtype:attempted-user; sid:2013252; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent\|3a\| Agent"; http_header; pcre:"/User-Agent\x3a Agent\d{5,6}$/Hi"; classtype:trojan-activity; sid:2013315; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (Agent and 5 or 6 digits)"; flow:established,to_server; content:"User-Agent\|3a\| Agent"; http_header; pcre:"/^User-Agent\x3a Agent\d{5,6}\r?$/Hmi"; classtype:trojan-activity; sid:2013315; rev:10;) # #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY Yandexbot Request Inbound"; flow:established,to_server; content:"User-Agent\|3a\| YandexBot"; http_header; classtype:policy-violation; sid:2013253; rev:3;) @@ -47081,7 +47111,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin page Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"page="; nocase; http_uri; content:"../"; depth:200; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013309; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:1;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PHP Speedy Plugin title parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/php_speedy_wp/libs/php_speedy/view/admin_container.php?"; fast_pattern:55,20; nocase; http_uri; content:"title="; nocase; http_uri; pcre:"/title\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:url,secunia.com/advisories/43652; classtype:web-application-attack; sid:2013310; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .dlinkddns.com domain"; flow:established,to_server; content:".dlinkddns.com\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013311; rev:2;) @@ -47231,7 +47261,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS HTran/SensLiceld.A Checkin 2 (unicode)"; flow:established,from_server; dsize:<120; content:"\|5b00\|S\|00\|E\|00\|R\|00\|V\|00\|E\|00\|R\|005d00\|c\|00\|o\|00\|n\|00\|n\|00\|e\|00\|c\|00\|t\|00\|i\|00\|o\|00\|n\|002000\|t\|00\|o\|002000\|"; depth:44; reference:url,www.secureworks.com/research/threats/htran/; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2010-120716-4344-99&tabid=2; reference:url,www.securelist.com/en/descriptions/10120120/Trojan-Spy.Win32.Agent.bptu; classtype:trojan-activity; sid:2013362; rev:6;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]+/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2013363; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS windows_security_update Fake AV download"; flow:established,from_server; file_data; content:"filename=\|22\|windows_security_update_"; distance:0; classtype:trojan-activity; sid:2013364; rev:4;) @@ -47303,7 +47333,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent Ryeol HTTP Client Class"; flow:established,to_server; content:"User-Agent\|3A 20\|Ryeol HTTP Client Class"; http_header; classtype:trojan-activity; sid:2013387; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent MM 1.0"; flow:established,to_server; content:"User-Agent\|3A\| MM "; http_header; classtype:trojan-activity; sid:2013388; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adrevmedia Related Media Manager Spyware Checkin"; flow:established,to_server; content:"User-Agent\|3A\| MM "; http_header; pcre:"/User-Agent\x3a MM \d\.\d+\x0d\x0a/H"; classtype:trojan-activity; sid:2013388; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Adware/CommonName Reporting"; flow:established,to_server; content:"/report.asp?TB="; http_uri; content:"&status="; http_uri; content:"&data="; http_uri; content:"&BABE="; http_uri; content:"&BATCH="; http_uri; content:"&UDT="; http_uri; content:"&GRP="; http_uri; classtype:trojan-activity; sid:2013389; rev:1;) @@ -47357,7 +47387,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent ksdl_1_0"; flow:established,to_server; content:"User-Agent\|3A 20\|ksdl_"; http_header; classtype:trojan-activity; sid:2013404; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent\|3A 20\|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Baigoo User Agent"; flow:established,to_server; content:"User-Agent\|3A 20\|BaiGoo Agent"; http_header; classtype:trojan-activity; sid:2013405; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY SSL MiTM Vulnerable or EOL iOS 3.x device"; flow:established,to_server; content:"Mozilla/5.0 \|28\|iP"; http_header; content:" OS 3_"; http_header; distance:0; threshold: type limit, count 1, seconds 600, track by_src; reference:url,support.apple.com/kb/HT1222; reference:url,support.apple.com/kb/HT4824; reference:url,en.wikipedia.org/wiki/IOS_version_history; reference:url,github.com/jan0/isslfix; reference:cve,CVE-2011-0228; classtype:not-suspicious; sid:2013406; rev:4;) @@ -47387,7 +47417,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page Checking firewall status"; flow:established,from_server; content:"\|5c\|r\|5c\|n Checking firewall status\|5c\|r\|5c\|n"; fast_pattern:only; classtype:trojan-activity; sid:2013413; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server\|3A\| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable served from Amazon S3"; flow:established,to_client; content:"Server\|3A\| AmazonS3"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,blog.trendmicro.com/cybercriminals-using-amazon-web-services-aws-to-host-malware/; reference:url,www.securelist.com/en/blog/208188099/Financial_data_stealing_Malware_now_on_Amazon_Web_Services_Cloud; classtype:bad-unknown; sid:2013414; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .cz.tf domain"; flow:to_server,established; content:".cz.tf\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013415; rev:1;) @@ -47459,10 +47489,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .uni.cc domain"; flow:to_server,established; content:".uni.cc\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013438; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"\|7C\|"; distance:2; within:1; content:"\|7c\|"; distance:2; within:4; content:"http\|3A 2F 2F\|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/DirtJumper CnC Server Providing DDOS Targets"; flow:established,from_server; file_data; content:"\|7C\|"; distance:2; within:1; content:"\|7c\|"; distance:2; within:4; content:"http\|3A 2F 2F\|"; distance:3; within:7; pcre:"/\d{2}\x7C\d{1,3}\x7C\d{1,3}http\x3A\x2F\x2F/Ai"; reference:url,asert.arbornetworks.com/2011/08/dirt-jumper-caught/; classtype:trojan-activity; sid:2013440; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type\|3A 20\|audio\|2F\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; classtype:trojan-activity; sid:2013441; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE EXE Download When Server Claims To Send Audio File - Must Be Win32"; flow:established,to_client; content:"Content-Type\|3A 20\|audio\|2F\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; fast_pattern; distance:-64; within:4; classtype:trojan-activity; sid:2013441; rev:4;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED EXE Download When Server Claims To Send Audio File - DOS Mode"; flow:established,to_client; content:"Content-Type\|3A 20\|audio\|2F\|"; http_header; nocase; file_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode"; distance:0; content:"PE"; distance:0; classtype:trojan-activity; sid:2013442; rev:2;) @@ -47573,7 +47603,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS .doc.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition\|3a\| attachment\|3b\| filename="; nocase; http_header; content:".doc.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013477; rev:6;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS .pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition\|3a\| attachment\|3b\| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; classtype:bad-unknown; sid:2013478; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY SUSPICIOUS .pdf.exe in HTTP HEADER"; flow:from_server,established; content:"Content-Disposition\|3a\| attachment\|3b\| filename="; nocase; http_header; content:".pdf.exe"; nocase; distance:0; http_header; fast_pattern; classtype:bad-unknown; sid:2013478; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 3389 (msg:"ET SCAN Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; reference:url,threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811; classtype:misc-activity; sid:2013479; rev:2;) @@ -47636,7 +47666,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Netflix Streaming Player Access"; flow:to_server,established; content:"/WiPlayer?movieid="; http_uri; content:"Host\|3a\| movies.netflix.com\|0d 0a\|"; http_header; nocase; reference:url,netflix.com; classtype:policy-violation; sid:2013498; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IncrediMail Install Callback"; flow:established,to_server; content:"POST"; http_method; content:"s=PFNCIHhtbG5zPSJTdGF0aXN0aWNzTlMiPjxBIGlkPSIxIj4"; fast_pattern; reference:url,www.incredimail.com; classtype:policy-violation; sid:2013499; rev:2;) # alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Known Fraudulent DigiNotar SSL Certificate for google.com"; flow:established,from_server; content:"\|0C 76 DA 9C 91 0C 4E 2C 9E FE 15 D0 58 93 3C 4C\|"; content:"google.com"; within:250; reference:url,www.vasco.com/company/press_room/news_archive/2011/news_diginotar_reports_security_incident.aspx; classtype:misc-activity; sid:2013500; rev:2;) @@ -47651,7 +47681,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OS X Software Update Request Outbound"; flow:established,to_server; content:"User-Agent\|3A\| Software Update\|2F\|"; http_header; content:" Darwin\|2F\|"; http_header; within:48; reference:url,www.apple.com/softwareupdate/; classtype:policy-violation; sid:2013503; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP\|2F\|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:policy-violation; sid:2013504; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management"; flow:established,to_server; content:"APT-HTTP\|2F\|"; http_header; reference:url,help.ubuntu.com/community/AptGet/Howto; classtype:not-suspicious; sid:2013504; rev:3;) # alert tcp $HOME_NET any -> 11.11.11.11 55611 (msg:"ET TROJAN W32/Badlib Connectivity Check To Department of Defense Intelligence Information Systems"; flow:to_server; flags:S; reference:url,blog.eset.com/2011/08/03/win32delf-qcztrust-me-i%E2%80%99m-your-anti-virus; reference:url,www.eset.com/about/blog/blog/article/win32delf-qcz-additional-details; classtype:trojan-activity; sid:2013506; rev:1;) @@ -47699,7 +47729,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Driveby Loader Request sn.php"; flow:established,to_server; content:"/sn.php?c="; http_uri; depth:10; content:"&t="; http_uri; pcre:"/c\x3d[0-9a-f]{100}/Ui"; classtype:trojan-activity; sid:2013519; rev:1;) # -#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader .jpg?t=0. in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d+/U"; classtype:trojan-activity; sid:2013520; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader .jpg?t=0. in http_uri"; flow:established,to_server; content:".jpg?t=0."; http_uri; pcre:"/\.jpg\?t\x3d\d\.\d/U"; classtype:trojan-activity; sid:2013520; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Spyeye Data Exfiltration 0"; flow:established,to_server; content:"\|B4 B4 B4 B4 BC BF BF BF BF BD BD BD BD B3 B3 B3 B3\|"; offset:5; depth:17; classtype:trojan-activity; sid:2013521; rev:4;) @@ -47741,7 +47771,7 @@ alert tcp $HOME_NET 1024: -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.Win32.Fynloski.A Command Response"; flow:to_server,established; content:"#botCommand%"; depth:12; pcre:"/^\x23botCommand\x25(close\x20command\|Error\|Finish\|Http\x20Flood\|Mass\x20Download\|Respond\x20\x5bOK\|Syn\x20Flood\|UDP\x20Flood\|uninstall\|Update\|)/i"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3aWin32%2fFynloski.A&ThreatID=-2147327112; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=570863; classtype:trojan-activity; sid:2013533; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; http_uri; content:"&log="; http_uri; content:"User-Agent\|3a\| IE7.0"; http_header; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VirTool.Win32/VBInject.gen!DM Checkin"; flow:established,to_server; content:"/iLog.php?dl="; fast_pattern:only; http_uri; content:"&log="; http_uri; content:"User-Agent\|3a\| IE"; http_header; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=VirTool%3aWin32/VBInject.gen!DM; classtype:trojan-activity; sid:2013534; rev:8;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .tc domain"; flow:to_server,established; content:".tc\|0d 0a\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013535; rev:1;) @@ -47759,7 +47789,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN BKDR_BTMINE.MNR BitCoin Miner Server Checkin"; flow:established,to_server; content:"knock.php?ver="; http_uri; content:"&sid="; http_uri; content:" HTTP/1.1\|0d 0a\|Connection\|3a\| close\|0d 0a\|Host\|3a\| "; content:!"User-Agent\|3a\| "; http_header; reference:url,about-threats.trendmicro.com/malware.aspx?language=us&name=BKDR_BTMINE.MNR; classtype:trojan-activity; sid:2013539; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013540; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Kraddare.FJ Checkin"; flow:to_server,established; content:".php?pi="; fast_pattern:only; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; content:"User-Agent\|3a\| Mozilla/4.0(compatible\|3b\| MSIE 6.0)\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2013540; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Daemonize Trojan Proxy Initial Checkin"; flow:established,to_server; content:"/command.php?IP="; http_uri; content:"&P1="; http_uri; content:"&P2="; http_uri; content:"&ID="; http_uri; content:"&SP="; http_uri; content:"&CT="; http_uri; content:"&L1="; http_uri; content:"&L2="; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanProxy%3AWin32%2FDaemonize.A&ThreatID=-2147464655; classtype:trojan-activity; sid:2013541; rev:1;) @@ -47774,7 +47804,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TROJ_VB.FJP Generic Dowbnloader Connectivity Check to Google"; flow:established,to_server; content:"/whatever.exe"; fast_pattern; http_uri; content:"Host\|3A 20\|google.com\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2013544; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent\|3A 20\|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Helpexpress Spyware User-Agent HXLogOnly"; flow:established,to_server; content:"User-Agent\|3A 20\|HXLogOnly"; http_header; classtype:trojan-activity; sid:2013545; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Gagolino Banking Trojan Reporting to CnC"; flow:established,to_server; content:"?op="; http_uri; content:"&macaddress="; http_uri; content:"&pcname="; http_uri; content:"&nomeusuario="; http_uri; content:"&serialhd="; http_uri; content:"&versaowindows="; http_uri; content:"&versaoatual="; http_uri; content:"&arquivosplugins="; http_uri; content:"&origem="; http_uri; classtype:trojan-activity; sid:2013546; rev:1;) @@ -47789,7 +47819,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 2"; flow:established,to_server; content:"/hcp_vbs.php?f="; http_uri; pcre:"/hcp_vbs\.php\?f=\d+&d=\d+$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013549; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer\|3a\|"; http_header; content:"User-Agent\|3a\|"; http_header; content:"Host\|3a\|"; http_header; distance:0; pcre:"/\.php\?e=\d+&f=\d+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potential Blackhole Exploit Pack Binary Load Request 2"; flow:established,to_server; content:".php?e="; fast_pattern; nocase; http_uri; content:"&f="; nocase; http_uri; content:!"Referer\|3a\|"; http_header; content:"User-Agent\|3a\|"; http_header; content:"Host\|3a\|"; http_header; distance:0; pcre:"/\.php\?e=\w+&f=\w+$/U"; flowbits:set,et.exploitkitlanding; reference:url,krebsonsecurity.com/2010/10/java-a-gift-to-exploit-pack-makers/; classtype:bad-unknown; sid:2013550; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Driveby Generic Java Exploit Attempt"; flow:established,to_client; content:" codebase=\|22\|C\|3a 5c\|Program Files\|5c\|java\|5c\|jre6\|5c\|lib\|5c\|ext\|22\| code="; nocase; reference:url,fhoguin.com/2011/03/oracle-java-unsigned-applet-applet2classloader-remote-code-execution-vulnerability-zdi-11-084-explained/; reference:cve,CVE-2010-4452; classtype:trojan-activity; sid:2013551; rev:2;) @@ -47855,19 +47885,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Reporting Successful Java Compromise"; flow:established,to_server; content:".php?spl="; fast_pattern:only; http_uri; pcre:"/\.php\?spl=[A-Z]{3}/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013652; rev:4;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf\|3a\|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Get File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"gf\|3a\|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013653; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf\|3a\|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Put File Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"pf\|3a\|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013654; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http\|3a\|{"; fast_pattern:only; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Retrieve and Execute Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"http\|3a\|{"; content:"}.exe"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013655; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi\|3a\|"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Relay Command"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"taxi\|3a\|"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013656; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp\|3a\|{"; fast_pattern:only; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:1;) +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Shady RAT Send Status Result"; flow:established,from_server; flowbits:isset,et.shadyratinit; content:"slp\|3a\|{"; content:"}"; within:50; reference:url,www.symantec.com/connect/blogs/truth-behind-shady-rat; classtype:trojan-activity; sid:2013657; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Zugo Toolbar Spyware/Adware download request"; flow:established,to_server; content:".exe?filename="; http_uri; content:"&dddno="; http_uri; fast_pattern; content:"&channel="; http_uri; content:"&go="; http_uri; reference:url,zugo.com/privacy-policy/; classtype:bad-unknown; sid:2013658; rev:1;) @@ -47933,7 +47963,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component com_jr_questionnaire Directory Traversal Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_jr_questionnaire"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/102784/joomlajrqn-traversal.txt; classtype:web-application-attack; sid:2013678; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; nocase; http_uri; pcre:"/lien_2=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BbZL.PhP lien_2 Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"type="; http_uri; content:"lien_2="; fast_pattern:only; nocase; http_uri; pcre:"/lien_2=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17495; classtype:web-application-attack; sid:2013679; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla EZ Realty id Parameter Blind SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"option=com_ezrealty"; nocase; http_uri; content:"task="; nocase; http_uri; content:"id="; nocase; http_uri; content:"and"; nocase; http_uri; content:"substring"; nocase; http_uri; pcre:"/and.substring\(/Ui"; reference:url,packetstormsecurity.org/files/view/104017/joomlarealestate-sql.txt; classtype:web-application-attack; sid:2013680; rev:2;) @@ -47957,12 +47987,15 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess/Max++ Rootkit C&C Activity 2"; flow:established,to_server; content:".php?w="; http_uri; content:"&fail="; http_uri; content:"&i="; http_uri; pcre:"/\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32}$/U"; reference:url,resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3aWin32%2fSirefef.B; classtype:trojan-activity; sid:2013686; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w+/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shylock Module Data POST"; flow:established,to_server; content:"id="; http_client_body; content:"&bid="; http_client_body; content:"&query="; http_client_body; content:"&data="; http_client_body; pcre:"/id=\d+&bid=[^&]+&query=\w+&data=\w/P"; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013687; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Shylock Module Server Response"; flow:established,from_server; content:"\|0d 0a 0d 0a 23 23 23\|ERROR_SRC\|23 23 23\|"; content:"\|23 23 23\|ERROR_SRC_END\|23 23 23\|"; distance:0; reference:url,anubis.iseclab.org/index.php?action=result&task_id=86c6da9437e65c94990ddd85d87299f1; reference:url,www.threatexpert.com/report.aspx?md5=4fda5e7e8e682870e993f97ad26ba6b2; classtype:trojan-activity; sid:2013688; rev:1;) # +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st Checkin (5-12 Byte keyword)"; flow:to_server,established; dsize:<900; content:"\|00 00\|"; offset:7; depth:9; content:"\|00 00 78 9C\|"; distance:2; within:4; pcre:"/^[a-z0-9\x40\x2d\x5f]{5,12}..\x00\x00..\x00\x00\x78\x9c/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; reference:url,www.norman.com/about_norman/press_center/news_archive/2012/the_many_faces_of_gh0st_rat/en; classtype:trojan-activity; sid:2015624; rev:8;) + +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Aldibot.A Checkin"; flow:to_server,established; content:"/gate.php?hwid="; nocase; http_uri; content:"&pc="; nocase; http_uri; content:"&localip="; nocase; http_uri; content:"&winver="; nocase; http_uri; reference:url,www.asert.arbornetworks.com/2011/10/ddos-aldi-bot/; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fAbot.gen!A; classtype:trojan-activity; sid:2013748; rev:3;) # @@ -47984,7 +48017,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Netisend.A Posting Information to CnC"; flow:established,to_server; content:"POST"; http_method; content:"/netsend/nmsm_json.jsp"; http_uri; content:"\|22\|model\|22 3A\|"; http_client_body; content:"\|22\|imsi\|22 3A\|"; within:50; http_client_body; content:"\|22\|manufacture\|22 3A\|"; within:50; http_client_body; content:"\|22\|imei\|22 3A\|"; within:50; http_client_body; reference:url,www.fortiguard.com/latest/mobile/2959807; classtype:trojan-activity; sid:2013694; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D\|3b 20\|cc2="; http_raw_cookie; content:"%3D\|3b 20\|cc3="; http_raw_cookie; content:"%3D\|3b 20\|cc4="; http_raw_cookie; content:"\|20\|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Java Exploit Kit cc exploit progress status cookie"; flow:established,to_server; content:"%3D\|3b 20\|cc2="; http_raw_cookie; content:"%3D\|3b 20\|cc3="; http_raw_cookie; content:"%3D\|3b 20\|cc4="; http_raw_cookie; content:"\|20\|Java/"; http_header; classtype:trojan-activity; sid:2013695; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit x.jar?o="; flow:established,to_server; content:"/x.jar?o="; http_uri; content:"\|20\|Java/"; http_header; classtype:trojan-activity; sid:2013696; rev:2;) @@ -47999,7 +48032,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit applet landing"; flow:established,from_server; file_data; content:"<html>\|0d 0a\|<body>\|0d 0a\|<applet archive="; distance:0; content:"width=\|22\|0\|22\| height=\|22\|0\|22\|></applet>\|0d 0a\|</body>\|0d 0a\|</body></html>"; distance:0; classtype:trojan-activity; sid:2013699; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; distance:0; content:"code="; distance:0; content:".jar"; distance:0; content:"e00oMDD"; distance:0; content:"</applet>"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole landing page with malicious Java applet"; flow:established,from_server; file_data; content:"<applet"; distance:0; content:"code="; distance:0; content:".jar"; distance:0; content:"e00oMDD"; distance:0; fast_pattern; content:"</applet>"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2013700; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Agent-TMF Checkin"; flow:to_server,established; content:!"User-Agent\|3a 20\|"; http_header; content:!"Referer\|3a 20\|"; http_header; content:"GET"; http_method; nocase; content:".php?gd="; http_uri; pcre:"/.php\?gd=\d+_\d+_\d+$/U"; classtype:trojan-activity; sid:2013701; rev:4;) @@ -48029,7 +48062,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Annonces Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/annonces/includes/lib/photo/uploadPhoto.php?"; nocase; http_uri; content:"abspath="; nocase; http_uri; pcre:"/abspath=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/view/105224/wpannonces-rfi.txt; classtype:web-application-attack; sid:2013709; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TrojWare.Win32.Trojan.Agent.Gen Reporting"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent\|3a\| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY FreeRide Games Some AVs report as TrojWare.Win32.Trojan.Agent.Gen"; flow:to_server,established; content:"/do/SDM"; nocase; http_uri; content:"action="; nocase; http_uri; content:"User-Agent\|3a\| AHTTPConnection"; nocase; http_header; reference:url,forums.comodo.com/av-false-positivenegative-detection-reporting/trojwarewin32trojanagentgen-t55152.0.html; classtype:trojan-activity; sid:2013710; rev:6;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TinyWebGallery workaround_dir parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/admin/upload/tfu_upload.php?"; nocase; http_uri; content:"workaround_dir="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/view/104631/tinywebgallery-lfishellsql.txt; classtype:web-application-attack; sid:2013711; rev:2;) @@ -48068,7 +48101,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (WindowsNT) With No Separating Space"; flow:established,to_server; content:"WindowsNT"; http_header; pcre:"/User-Agent\x3A[^\r\n]WindowsNT/H"; classtype:trojan-activity; sid:2013721; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/OpenCapture CnC Checkin"; flow:established,to_server; content:"/check_counter.php?pi="; http_uri; content:"&gu="; http_uri; content:"&ac="; http_uri; classtype:trojan-activity; sid:2013722; rev:1;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGames User-Agent (LockXLS)"; flow:established,to_server; content:"User-Agent\|3A 20\|LockXLS"; http_header; classtype:trojan-activity; sid:2013724; rev:1;) @@ -48128,10 +48161,10 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Google Chrome Multiple Iframe PDF File Handling Memory Corruption Attempt"; flow:established,to_client; content:".pdf\|22\|><\|2F\|iframe>"; nocase; content:".pdf\|22\|><\|2F\|iframe>"; nocase; distance:0; content:".pdf\|22\|><\|2F\|iframe>"; nocase; distance:0; content:".pdf\|22\|><\|2F\|iframe>"; nocase; distance:0; content:".pdf\|22\|><\|2F\|iframe>"; nocase; distance:0; content:".pdf\|22\|><\|2F\|iframe>"; nocase; distance:0; reference:bid,49933; reference:cve,2011-2841; classtype:attempted-user; sid:2013742; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for a Suspicious no-ip Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|no-ip\|03\|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|no-ip\|03\|"; distance:0; fast_pattern; classtype:bad-unknown; sid:2013743; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a no-ip Dynamic DNS Domain"; flow:established,to_server; content:".no-ip.com\|0d 0a\|"; http_header; nocase; content:!"www.no-ip.com\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNMAIC_DNS HTTP Request to a no-ip Domain"; flow:established,to_server; content:".no-ip.com\|0d 0a\|"; http_header; nocase; content:!"www.no-ip.com\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013744; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Outbound - Likely Infected or Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1\|20\|HTTP/1.1\|0d 0a\|"; depth:300; classtype:bad-unknown; sid:2013745; rev:3;) @@ -48230,7 +48263,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN NMAP SQL Spider Scan"; flow:established,to_server; content:"GET"; http_method; content:" OR sqlspider"; http_uri; reference:url,nmap.org/nsedoc/scripts/sql-injection.html; classtype:web-application-attack; sid:2013778; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a[^\n]+PTX/H"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Positive Technologies XSpider Security Scanner User-Agent (PTX)"; flow:to_server,established; content:"PTX\|0d 0a\|"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\n]+PTX\r$/Hm"; reference:url,www.securitylab.ru/forum/forum16/topic26800/; classtype:attempted-recon; sid:2013779; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious HTTP Request for gift.exe"; flow:established,to_server; content:"/gift.exe"; http_uri; classtype:trojan-activity; sid:2013780; rev:1;) @@ -48242,7 +48275,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32.Duqu User-Agent"; flow:to_server,established; content:"User-Agent\|3A\| Mozilla/5.0 (Windows\|3B\| U\|3B\| Windows NT 6.0\|3B\| en-US\|3B\| rv\|3A\|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:trojan-activity; sid:2013782; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/5.0 (Windows\|3b\| U\|3b\| Windows NT 6.0\|3b\| en-US\|3b\| rv\|3a\|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition\|3A\| form-data\|3b\| name=\|22\|DSC00001.jpg\|22\|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:3;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Duqu UA and Filename Requested"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/5.0 (Windows\|3b\| U\|3b\| Windows NT 6.0\|3b\| en-US\|3b\| rv\|3a\|1.9.2.9) Gecko/20100824 Firefox/3.6.9 (.NET CLR 3.5.30729)"; http_header; fast_pattern:20,20; content:"Content-Disposition\|3A\| form-data\|3b\| name=\|22\|DSC00001.jpg\|22\|"; http_header; reference:url,www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf; classtype:policy-violation; sid:2013783; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Windows Mobile 7.0 User-Agent detected"; flow:to_server,established; content:"User-Agent\|3A\| ZDM/4.0\|3B\| Windows Mobile 7.0\|3B\|"; http_header; classtype:not-suspicious; sid:2013784; rev:2;) @@ -48278,10 +48311,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin"; flow:established,to_server; content:"?sv="; fast_pattern; http_uri; content:"&tq="; http_uri; content:"User-Agent\|3A 20\|chrome/9.0\|0D 0A\|"; http_header; pcre:"/\x2e(png\|gif\|jpeg\|jpg)\x3fsv\x3d/U"; classtype:trojan-activity; sid:2013795; rev:5;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type\|3A 20\|image/jpeg"; http_header; file_data; content:"\|54 48 00 F7 20 10 72 6F 67 52\|"; distance:0; content:"\|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53\|"; within:50; classtype:trojan-activity; sid:2013796; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS W32/Bifrose Second Stage Obfuscated Binary Download Claiming to Be JPEG"; flow:established,to_client; content:"Content-Type\|3A 20\|image/jpeg"; http_header; file_data; content:"\|54 48 00 F7 20 10 72 6F 67 52\|"; distance:0; content:"\|61 6E 6E 4F 1D A4 62 05 20 72 75 4E 49 ED 6E 40 44 4F 53\|"; fast_pattern; within:50; classtype:trojan-activity; sid:2013796; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.307674628 Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LogProc.php?mac="; nocase; http_uri; content:"&mode="; nocase; http_uri; content:"&pCode="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/Adware.Winggo.AB Checkin"; flow:established,to_server; content:"/LogProc.php?"; fast_pattern:only; http_uri; content:"mac="; http_uri; content:"mode="; http_uri; content:"&pCode="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=2700d3fcdd4b8a7c22788db1658d9163; reference:url,www.threatcenter.crdf.fr/?More&ID=46606&D=CRDF.Malware.Win32.PEx.Delphi.307674628; classtype:trojan-activity; sid:2013797; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.PEx.Delphi.1151005043 Post-infection Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/boot.php?ptr="; nocase; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=b58485c9a221e8bd5b4725e7e19988b0; reference:url,www.threatcenter.crdf.fr/?More&ID=49992&D=CRDF.Malware.Win32.PEx.Delphi.1151005043; classtype:trojan-activity; sid:2013798; rev:2;) @@ -48344,19 +48377,25 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHMCompleteSolution templatefile Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/cart.php?"; nocase; http_uri; content:"a="; nocase; http_uri; content:"templatefile="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1110-exploits/whmcompletesolution-disclose.txt; classtype:web-application-attack; sid:2013818; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/cgi-bin/g.php"; http_uri; content:!"User-Agent\|3a\|"; http_header; content:"\|CE FA AD DE 03 00\|"; http_client_body; depth:6; classtype:trojan-activity; sid:2013819; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Tatanga/Win32.Kexject.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:".php"; http_uri; content:!"User-Agent\|3a\|"; http_header; content:"\|CE FA AD DE 03 00\|"; http_client_body; depth:6; reference:url,securityblog.s21sec.com/2011/02/tatanga-new-banking-trojan-with-mitb.html; classtype:trojan-activity; sid:2013819; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin"; flow:established,to_server; content:"User-Agent\|3a\| proscan-down"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013821; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent\|3a\| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Trojan.Kryptik/proscan.co.kr Checkin 2"; flow:established,to_server; content:"User-Agent\|3a\| test_hInternet"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=bf156b649cb5da6603a5f665a7d8f13b; classtype:trojan-activity; sid:2013822; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a Suspicious .myftp.biz Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|myftp\|03\|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Set"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=c&n="; http_uri; content:"_"; distance:0; http_uri; content:"@"; distance:0; http_uri; content:"\|0D 0A\|Content-Length\|3a\| 0\|0D 0A\|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; reference:md5,61474931882dce7b1c67e1f22d26187e; classtype:trojan-activity; sid:2014803; rev:6;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .myftp.biz Dynamic DNS Domain"; flow:established,to_server; content:".myftp.biz\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN VBS/Wimmie.A Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/count.php?m=w&n="; http_uri; content:"_"; distance:0; http_uri; content:"@."; distance:0; http_uri; content:"\|16 00 00 00\|down"; http_client_body; depth:8; reference:url,www.threatexpert.com/report.aspx?md5=6fd7493e56fdc3b0dd8ecd24aea20da1; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AVBS%2FWimmie.A; reference:md5,61474931882dce7b1c67e1f22d26187e; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014804; rev:5;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious .myftp.biz Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|myftp\|03\|biz"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013823; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .myftp.biz Domain"; flow:established,to_server; content:".myftp.biz\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013824; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .eu.tf domain"; flow: to_server,established; content:".eu.tf\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013828; rev:1;) @@ -48368,7 +48407,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .int.tf domain"; flow:to_server,established; content:".int.tf\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013829; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"\|0D 0A\|Content-Disposition\|3a\| attachment\|3B\| filename=\|22\|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; classtype:trojan-activity; sid:2013827; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN AntiVirus exe Download Likely FakeAV Install"; flow:established,from_server; content:"\|0D 0A\|Content-Disposition\|3a\| attachment\|3B\| filename=\|22\|"; http_header; content:"AntiVirus"; nocase; http_header; within:24; content:".exe"; http_header; within:24; http_header; classtype:trojan-activity; sid:2013827; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .edu.tf domain"; flow:to_server,established; content:".edu.tf\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013830; rev:1;) @@ -48416,10 +48455,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .orge.pl Domain"; flow:established,to_server; content:".orge.pl\|0d 0a\|"; http_header; nocase; classtype:bad-unknown; sid:2013844; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a Suspicious .ez-dns.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|ez-dns\|03\|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:1;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious .ez-dns.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|ez-dns\|03\|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013845; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .ez-dns.com Dynamic DNS Domain"; flow:established,to_server; content:".ez-dns.com\|0d 0a\|"; http_header; classtype:bad-unknown; sid:2013846; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .ez-dns.com Domain"; flow:established,to_server; content:".ez-dns.com\|0d 0a\|"; http_header; classtype:bad-unknown; sid:2013846; rev:2;) # alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .net.tf Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|net\|02\|tf"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013847; rev:1;) @@ -48470,10 +48509,10 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .xe.cx Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|xe\|02\|cx"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013862; rev:1;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query to a Suspicious .dyndns-web.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0a\|dyndns-web\|03\|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious .dyndns-web.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0a\|dyndns-web\|03\|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013863; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .dyndns-web.com Dynamic DNS Domain"; flow:to_server,established; content:".dyndns-web.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2013864; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .dyndns-web.com Domain"; flow:to_server,established; content:".dyndns-web.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2013864; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptor/Cycbot Trojan Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"?tq="; http_uri; content:!"Accept\|3a\|"; http_header; pcre:"/\.(jpg\|png\|gif\|cgi)\?tq=/U"; classtype:trojan-activity; sid:2013865; rev:4;) @@ -48542,7 +48581,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress disclosure policy plugin Remote File Inclusion Attempt"; flow:to_server,established; content:"GET"; http_method; content:"/wp-content/plugins/disclosure-policy-plugin/functions/action.php?"; nocase; http_uri; pcre:"/abspath=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,exploit-db.com/exploits/17865; classtype:web-application-attack; sid:2013886; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; classtype:trojan-activity; sid:2013887; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Fullstuff Initial Checkin"; flow:established,to_server; content:"/version.txt?type="; http_uri; content:"&GUID="; http_uri; content:"&rfr="; http_uri; content:"&bgn="; http_uri; content:"User-Agent\|3a\| FULLSTUFF"; http_header; classtype:trojan-activity; sid:2013887; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Cnet App Download and Checkin"; flow:established,to_server; content:"POST"; http_method; content:"/v"; http_uri; content:"/?v="; http_uri; content:"&c="; http_uri; pcre:"/\/v\d\.\d\.\d/U"; pcre:"/\/\?v=\d/U"; classtype:trojan-activity; sid:2013888; rev:6;) @@ -48599,7 +48638,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User Agent banderas"; flow:established,to_server; content:"User-Agent\|3A 20\|banderas"; http_header; classtype:trojan-activity; sid:2013905; rev:1;) # -#alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET CURRENT_EVENTS Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:3;) +##alert udp !$DNS_SERVERS any -> [85.255.112.0/20,67.210.0.0/20,93.188.160.0/21,77.67.83.0/24,213.109.64.0/20,64.28.176.0/20] 53 (msg:"ET DELETED Ghost Click DNSChanger DNS Request (UDP)"; threshold:type threshold, track by_src, seconds 2, count 2; reference:url,www.fbi.gov/news/stories/2011/november/malware_110911/DNS-changer-malware.pdf; classtype:trojan-activity; sid:2013906; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZAccess/Sirefef/MAX++/Jorik/Smadow Checkin"; flow:established,to_server; content:"/stat"; http_uri; content:".php?w="; http_uri; content:"&i=00000000000"; http_uri; fast_pattern; content:"&a="; http_uri; content:"User-Agent\|3a 20\|Opera/6 (Windows NT 5.1\|3b 20\|"; http_header; classtype:trojan-activity; sid:2013907; rev:3;) @@ -48614,7 +48653,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Second Life setup download"; flow:established,to_server; content:"/Second_Life_Setup.exe"; reference:url,en.wikifur.com/wiki/Second_Life; reference:url,wiki.secondlife.com/wiki/Furry; classtype:policy-violation; sid:2013910; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus Request To CnC"; flow:established,to_server; dsize:20; content:"\|E5 AA C0 31\|"; depth:4; content:"\|5B 74 08 4D 9B 39 C1\|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013911; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN P2P Zeus or ZeroAccess Request To CnC"; flow:established,to_server; dsize:20; content:"\|E5 AA C0 31\|"; depth:4; content:"\|5B 74 08 4D 9B 39 C1\|"; distance:5; within:7; reference:url,www.abuse.ch/?p=3499; reference:url,www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf; classtype:trojan-activity; sid:2013911; rev:9;) # alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN P2P Zeus Response From CnC"; flow:established,from_server; content:"\|E5 AA C0 31\|"; depth:4; content:"\|5B 74\|"; distance:5; within:2; content:"\|C1\|"; distance:4; within:2; reference:url,www.abuse.ch/?p=3499; classtype:trojan-activity; sid:2013912; rev:4;) @@ -48758,7 +48797,7 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Java Exploit to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"<applet"; nocase; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013961; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013962; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Delivering Executable to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013962; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Mozilla / 4.0 CNC traffic"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla / 4.0\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2013964; rev:2;) @@ -48770,7 +48809,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/Ozotshielder.A Checkin"; flow:established,to_server; content:"/AndroidService.aspx?imsi="; http_uri; content:"&mobile="; http_uri; content:"&pid="; http_uri; content:"&ownerid="; http_uri; content:"&testchlid="; http_uri; content:"&androidver="; http_uri; reference:url,www.fortiguard.com/latest/mobile/3302951; classtype:trojan-activity; sid:2013966; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu User-Agent (adlib)"; flow:established,to_server; content:"User-Agent\|3A 20\|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS Suspicious User-Agent (adlib)"; flow:established,to_server; content:"User-Agent\|3A 20\|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013967; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/KungFu Package Delete Command"; flow:established,to_server; content:"/search/isavailable"; http_uri; content:".php?imei="; http_uri; content:"&ch="; http_uri; content:"&ver="; http_uri; content:"User-Agent\|3A 20\|adlib/"; http_header; reference:url,blog.trendmicro.com/connections-between-droiddreamlight-and-droidkungfu/; classtype:trojan-activity; sid:2013968; rev:1;) @@ -48782,7 +48821,7 @@ alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .noip.cn Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|03\|noip\|02\|cn\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013970; rev:1;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Query for Suspicious .dyndns-at-home.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0d\|dyndns-at-home\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:2;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query for Suspicious .dyndns-at-home.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0d\|dyndns-at-home\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2013971; rev:3;) # #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Wait Please"; flow:established,from_server; content:"Wait Please"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; reference:url,isc.sans.org/diary/Updates+on+ZeroAccess+and+BlackHole+front+/12079; classtype:trojan-activity; sid:2013972; rev:4;) @@ -48791,10 +48830,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Suspicious Invalid HTTP Accept Header of ?"; flow:established,to_server; content:"Accept\|3a 20\|?"; http_header; classtype:trojan-activity; sid:2013974; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Neosploit Java Exploit Kit request to /? plus hex 32"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; content:" Java/"; http_header; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:trojan-activity; sid:2013975; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"\|0D 0A\|Accept\|3a\| /\|0D 0A\|User-Agent\|3a\| Mozilla"; distance:1; within:34; fast_pattern; content:"\|0D 0A\|"; distance:0; content:"Content-Length\|3a\| "; distance:0; content:!"0"; within:1; content:"Connection\|3a\| Keep-Alive\|0D 0A\|"; distance:0; content:"\|3a\| no-cache"; distance:0; content:"\|0D 0A 0D 0A\|"; distance:0; content:!"Content-Type\|3a\| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:10;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus POST Request to CnC - URL agnostic"; flow:established,to_server; content:"POST"; nocase; http_method; content:" HTTP/1."; content:"\|0D 0A\|Accept\|3a\| /\|0D 0A\|User-Agent\|3a\| Mozilla"; distance:1; within:34; fast_pattern; content:"\|0D 0A\|"; distance:0; content:"Content-Length\|3a\| "; distance:0; content:!"0"; within:1; content:"Connection\|3a\| Keep-Alive\|0D 0A\|"; distance:0; content:"\|3a\| no-cache"; distance:0; content:"\|0D 0A 0D 0A\|"; distance:0; content:!"Content-Type\|3a\| "; http_header; content:!"NetflixId="; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2013976; rev:11;) # alert udp $HOME_NET any -> 8.8.8.8 53 (msg:"ET TROJAN TDSS DNS Based Internet Connectivity Check"; dsize:34; content:"\|33 33 01 00 00 01 00 00 00 00 00 00 07\|counter\|05\|yadro\|02\|ru\|00 00 01 00 01\|"; classtype:trojan-activity; sid:2013977; rev:1;) @@ -48851,7 +48890,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT PDF With Embedded U3D"; flow:established,to_client; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"/U3D"; within:64; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013995; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?u="; http_uri; content:"&first_run="; http_uri; content:"User-Agent\|3a\| FDMuiless\|0d 0a\|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32/SWInformer.B Checkin"; flow:to_server,established; content:"log.php?"; http_uri; content:"User-Agent\|3a\| FDMuiless\|0d 0a\|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014004; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Adobe PDF Universal 3D file corrupted download 1"; flow:established,from_server; file_data; content:"/Subtype /U3D"; distance:0; content:"<</Author (Fo) /email (fo@gmail.com) /web (fo.googlepages.com)"; distance:0; reference:url,www.adobe.com/support/security/advisories/apsa11-04.html; classtype:bad-unknown; sid:2013996; rev:1;) @@ -48896,9 +48935,6 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smokeloader getload Command"; flow:established,to_server; content:"cmd=getload&login="; http_uri; classtype:trojan-activity; sid:2014012; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/SWInformer.B User-Agent (FDMuiless)"; flow:to_server,established; content:"User-Agent\|3a\| FDMuiless\|0d 0a\|"; http_header; reference:url,www.threatexpert.com/report.aspx?md5=0f90568d86557d62f7d4e1c0f7167431; classtype:trojan-activity; sid:2014013; rev:1;) - -# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Checkin Header Pattern"; flow:established,to_server; content:"POST"; nocase; http_method; content:"HTTP/1.1\|0d 0a\|Accept\|3a 20\|/\|0d 0a\|X-ID\|3a 20\|"; fast_pattern:23,6; content:"User-Agent\|3a 20\|Mozilla/4.0 (compatible\|3b 20\|MSIE"; distance:0; pcre:"/^X-ID\x3a\x20\d+$/H"; classtype:trojan-activity; sid:2014014; rev:4;) # @@ -48914,7 +48950,7 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Kargany Loader Obfuscated Payload Download"; flow:established,from_server; content:"Content-Disposition\|3a\| "; http_header; nocase; content:"windows-update-"; distance:0; http_header; content:".exe"; distance:0; http_header; file_data; content:!"MZ"; within:2; classtype:trojan-activity; sid:2014019; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log\|3d\|"; content:"pwd\|3d\|"; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Wordpress Login Bruteforcing Detected"; flow:to_server,established; content:"/wp-login.php"; nocase; fast_pattern; http_uri; content:"POST"; http_method; content:"log\|3d\|"; http_client_body; content:"pwd\|3d\|"; http_client_body; threshold: type both, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2014020; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Gootkit Checkin User-Agent 2"; flow:established,to_server; content:"Gootkit ldr"; http_header; classtype:trojan-activity; sid:2014021; rev:1;) @@ -48962,7 +48998,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole PDF Exploit Request /fdp2.php"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014035; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014036; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic Java Exploit Obfuscated With Allatori"; flow:established,from_server; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2014036; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .osa.pl domain"; flow:established,to_server; content:".osa.pl\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014037; rev:1;) @@ -48989,7 +49025,7 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack"; flow:established,to_server; content:"Content-Type\|3A\| application\|2F\|x-www-form-urlencoded"; nocase; http_header; isdataat:1500; pcre:"/([\w\x25]+=[\w\x25]&){500}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014045; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type\|3A\| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:2;) +#alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Generic Web Server Hashing Collision Attack 2"; flow:established,to_server; content:"Content-Type\|3A\| multipart/form-data"; nocase; http_header; isdataat:5000; pcre:"/(\r\nContent-Disposition\x3a\s+form-data\x3b[^\r\n]+\r\n\r\n.+?){250}/OPsmi"; reference:cve,2011-3414; reference:url,events.ccc.de/congress/2011/Fahrplan/events/4680.en.html; reference:url,technet.microsoft.com/en-us/security/advisory/2659883; reference:url,blogs.technet.com/b/srd/archive/2011/12/29/asp-net-security-update-is-live.aspx; classtype:attempted-dos; sid:2014046; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Double HTTP/1.1 Header Inbound - Likely Hostile Traffic"; flow:established,to_server; content:" HTTP/1.1\|20\|HTTP/1.1\|0d 0a\|"; depth:300; classtype:bad-unknown; sid:2014047; rev:1;) @@ -49001,7 +49037,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Bluecoat Proxy in use"; flow:established,to_server; content:"X-BlueCoat-Via\|3A\|"; http_header; classtype:not-suspicious; sid:2014049; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/v1.jar"; flow:established,to_server; content:"/content/v1.jar"; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014050; rev:2;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Acrobat 8/9.3 PDF exploit download request 3"; flow:established,to_server; content:"/fdp2.php?f="; http_uri; reference:md5,8a33d1d36d097ca13136832aa10ae5ca; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014051; rev:2;) @@ -49022,10 +49058,10 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN PoisonIvy.Eu5 Keepalive from CnC"; flow:established,from_server; content:"\|3a 62 26 fd 44 34 01 ed a1 ed 88 48 7e f4 6e ca 0d 81 aa 70 c7 da e0 1c fc f2 f1 d2 94 f6 d9 44 f6 c1 92 c4 4f d4 2d 53 a7 5f 59 fd f6 1e 9b 6f\|"; depth:48; dsize:48; reference:md5,d8edad03f5524369e60c69a7483f8365; classtype:trojan-activity; sid:2014057; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent\|3a\| "; http_header; content:" HTTP/1.1\|0d 0a\|Host\|3a\| "; classtype:trojan-activity; sid:2014058; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Loader EXE Payload Request"; flow:established,to_server; urilen:34; content:"/?"; depth:2; http_uri; pcre:"/^\/\?[a-f0-9]{32}$/U"; content:!"User-Agent\|3a\| "; http_header; content:" HTTP/1.1\|0d 0a\|Host\|3a\| "; classtype:trojan-activity; sid:2014058; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Agent.elbb Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/GAME/36/LavaGame_2.2.exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; classtype:trojan-activity; sid:2014059; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Spyware.Agent.elbb lava.cn Game Exe Download"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/LavaGame_"; http_uri; nocase; content:".exe"; nocase; http_uri; reference:url,securelist.com/en/descriptions/17601150/Trojan-Dropper.Win32.Agent.elbb?print_mode=1; reference:md5,c2b4f8abc742bf048f3856525c1b2800; reference:md5,4937dc6e111996dbe331327e7e9a4a12; reference:url,www.amada.abuse.ch/?search=download.lava.cn; classtype:trojan-activity; sid:2014059; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Tool.InstallToolbar.24 Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/cr_confirm.asmx/GetXMLLog?"; nocase; http_uri; content:"TbId="; nocase; http_uri; content:"TUID="; nocase; http_uri; content:"Action_Type="; nocase; http_uri; reference:url,virustotal.com/file-scan/report.html?id=1439d4061659a8534435352274b72dc2fe03c3deeb84e32fc90d40380c35cab1-1322189076; classtype:trojan-activity; sid:2014060; rev:3;) @@ -49049,7 +49085,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Clicker.Win32.VB.gnf Reporting"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/channel/onSale.htm?"; nocase; http_uri; content:"pid="; nocase; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanClicker%3AWin32%2FVB.GE; classtype:trojan-activity; sid:2014066; rev:3;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:3;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Plone and Zope cmd Parameter Remote Command Execution Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/xmltools/minidom/xml/sax/saxutils/os/popen2?"; nocase; http_uri; content:"cmd="; nocase; http_uri; pcre:"/cmd=\w/Ui"; reference:url,exploit-db.com/exploits/18262; classtype:web-application-attack; sid:2014068; rev:4;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Booking Calendar page_info_message parameter Cross-Site Scripting Vulnerability "; flow:established,to_server; content:"/details_view.php?"; nocase; http_uri; content:"event_id="; nocase; http_uri; content:"date="; nocase; http_uri; content:"view="; nocase; http_uri; content:"loc="; nocase; http_uri; content:"page_info_message="; nocase; http_uri; pcre:"/page_info_message\x3d.+(script\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|style\x3D)/Ui"; reference:url,packetstormsecurity.org/files/107995; classtype:web-application-attack; sid:2014067; rev:2;) @@ -49106,7 +49142,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter UPDATE SET SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; http_uri; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014080; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; uricontent:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Mambo Zorder zorder Parameter INSERT INTO SQL Injection Vulnerability"; flow:established,to_server; content:"GET"; http_method; content:"/administrator/index2.php?"; nocase; http_uri; content:"limit="; nocase; content:"limitstart="; nocase; http_uri; content:"zorder="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,dl.packetstormsecurity.net/1111-exploits/zorder-sql.txt; classtype:web-application-attack; sid:2014081; rev:3;) # alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SourceBans ajaxargs Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/index.php?"; nocase; http_uri; content:"xajax=SelTheme"; nocase; http_uri; content:"ajaxargs[]="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,dl.packetstormsecurity.net/1112-exploits/sourcebans-lfisql.txt; classtype:web-application-attack; sid:2014082; rev:2;) @@ -49130,16 +49166,16 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole-like Java Exploit request to .jar?t="; flow:established,to_server; content:".jar?t="; http_uri; nocase; fast_pattern; content:"&h="; http_uri; distance:0; content:"\|29\| Java/1."; http_header; pcre:"/\.jar\?t=\d+&h=[^&]+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014094; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"\|3b\| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d+/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Kindle Fire Browser User-Agent Outbound"; flow:from_client,established; content:"\|3b\| Silk/"; http_header; fast_pattern:only; pcre:"/User-Agent\x3a [^\n]+ Silk\/\d+\.\d/Hi"; reference:url,www.amazon.com/gp/product/B0051VVOB2%23silk; classtype:policy-violation; sid:2014095; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write\|28 22 5C\|u"; nocase; fast_pattern:only; isdataat:100,relative; content:!"\|29\|"; within:100; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:70; content:"\|5C\|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:5;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Document.write Long Backslash UTF-16 Encoded Content - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:"document.write\|28 22 5C\|u"; nocase; isdataat:100,relative; content:!"\|29\|"; within:100; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:4; within:2; content:"\|5C\|u"; nocase; distance:70; content:"\|5C\|u"; nocase; distance:4; within:2; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014096; rev:6;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array\|28 29 3B\|"; fast_pattern:only; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; content:" = new Array\|28 29 3B\|"; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; content:" = new Array\|28 29 3B\|"; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive new Array With Newline - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; content:" = new Array\|28 29 3B\|"; fast_pattern; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; content:" = new Array\|28 29 3B\|"; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; content:" = new Array\|28 29 3B\|"; nocase; content:" = new Array\|28 29 3B\|"; nocase; within:100; flowbits:set,et.exploitkitlanding; flowbits:noalert; reference:url,www.kahusecurity.com/2011/elaborate-black-hole-infection/; classtype:bad-unknown; sid:2014097; rev:3;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; file_data; content:"replace\|28 2F\|"; nocase; distance:0; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; flowbits:set,et.exploitkitlanding; flowbits:noalert; classtype:bad-unknown; sid:2014098; rev:2;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Excessive JavaScript replace /g - Exploit Kit Behavior Flowbit Set"; flow:established,to_client; file_data; content:"replace\|28 2F\|"; nocase; distance:0; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; content:"replace\|28 2F\|"; within:80; nocase; content:"\|2F\|g"; distance:1; within:5; classtype:bad-unknown; sid:2014098; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Exploit Kit Delivering Office File to Client"; flowbits:isset,et.exploitkitlanding; flow:established,to_client; file_data; content:"\|d0 cf 11 e0 a1 b1 1a e1\|"; distance:0; content:!".msi"; content:!"This program cannot"; classtype:trojan-activity; sid:2014099; rev:1;) @@ -49157,7 +49193,7 @@ #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"\|20\|HTTP/1."; content:"\|0d 0a\|Accept\|3a 20\|/\|0d 0a\|Content-Type\|3a 20\|application/x-www-form-urlencoded"; distance:1; within:62; content:"\|3a 20\|no-cache\|0d 0a\|User-Agent\|3a 20\|Mozilla"; distance:0; content:"\|0d 0a\|Host\|3a 20\|"; distance:0; content:"Content-Length\|3a 20\|"; distance:0; content:!"0"; within:1; content:"\|0d 0a 0d 0a\|"; distance:0; content:!"Referer\|3a 20\|"; http_header; content:!"Accept-Language\|3a 20\|"; http_header; classtype:trojan-activity; sid:2014104; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; depth:6; content:"\|0d 0a\|Accept\|3a\| /\|0d 0a\|Pragma\|3a\| no-cache\|0d 0a\|User-Agent\|3a\| "; depth:65; content:"\|0d 0a\|Host\|3a\| "; distance:0; content:!"Referer\|3a\| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus Bot GET to Google checking Internet connectivity using proxy"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/webhp"; http_uri; fast_pattern:only; content:"Accept\|3a\| /\|0d 0a\|Pragma\|3a\| no-cache\|0d 0a\|User-Agent\|3a\| "; depth:43; http_header; content:"\|0d 0a\|Host\|3a\| "; distance:0; http_header; content:!"Referer\|3a\| "; http_header; reference:url,www.secureworks.com/research/threats/zeus/?threat=zeus; reference:url,lists.emergingthreats.net/pipermail/emerging-sigs/2010-October/009807.html; classtype:trojan-activity; sid:2014105; rev:5;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus POST Request to CnC - content-type variation"; flow:established,to_server; content:"POST"; http_method; content:"\|20\|HTTP/1."; content:"\|0d 0a\|Accept\|3a 20\|/\|0d 0a\|Content-Type\|3a 20\|application/x-www-form-urlencoded"; distance:1; within:62; content:"\|3a 20\|no-cache\|0d 0a\|User-Agent\|3a 20\|Mozilla"; distance:0; content:"\|0d 0a\|Host\|3a 20\|"; distance:0; content:"Content-Length\|3a 20\|"; distance:0; content:!"0"; within:1; content:"\|0d 0a 0d 0a\|"; distance:0; content:!"Referer\|3a 20\|"; http_header; content:!"Accept-Language\|3a 20\|"; http_header; content:!"Host\|3a 20\|update.cooliris.com\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2014106; rev:3;) @@ -49169,10 +49205,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN PoisonIvy.Eu6 Keepalive to CnC"; flow:established,to_server; content:"\|29 a7 7b 28 9b c5 b8 b6 10 d7 d7 6b e1 3e 62 f1\|"; offset:16; depth:16; dsize:48; classtype:trojan-activity; sid:2014108; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ\|3a\|124971919"; depth:12; content:"\|00 00\|"; distance:2; within:2; content:"\|00 00 78 9C\|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin"; flow:to_server,established; content:"QQ\|3a\|124971919"; depth:12; content:"\|00 00\|"; distance:2; within:2; content:"\|00 00 78 9C\|"; distance:2; within:4; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014109; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"\|00 00\|"; offset:14; depth:2; content:"\|00 00 78 9C\|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st.QQ Checkin 2"; flow:to_server,established; content:"QQ\|3a\|"; depth:3; content:"\|00 00\|"; distance:11; within:2; content:"\|00 00 78 9C\|"; distance:2; within:4; byte_test:2,>,15,12,little; reference:url,www.threatexpert.com/report.aspx?md5=899feda736be77a39d05f0a5002048f0; classtype:trojan-activity; sid:2014110; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Menti/TrojanClicker.Agent.NII Checkin"; flow:established,to_server; content:"/njob.php?num="; http_uri; content:"&rev="; http_uri; content:"&ncrp="; http_uri; reference:url,blog.eset.com/2012/03/17/drive-by-ftp-a-new-view-of-cve-2011-3544; classtype:trojan-activity; sid:2014112; rev:2;) @@ -49187,7 +49223,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Delf/Troxen/Zema Reporting 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php?s="; http_uri; content:"&m="; http_uri; content:"User-Agent\|3a\| build"; http_header; pcre:"/\.php\?s=\d&m=[A-F0-9]{16}$/Ui"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014115; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent\|3a\| build"; http_header; pcre:"/User-Agent\x3a build\d+/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent build - possibly Delf/Troxen/Zema"; flow:established,to_server; content:"User-Agent\|3a\| build"; http_header; pcre:"/User-Agent\x3a build\d/H"; reference:md5,3d18363a20882bd74ae7e0f68d3ed8ef; classtype:trojan-activity; sid:2014116; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan-Dropper.Win32.Dapato Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"User-Agent\|3a\| tabtoolbarup"; http_header; content:"/ins_proc.asp?kind="; http_uri; content:"&ist_yn="; http_uri; content:"&ptn_name="; http_uri; reference:url,www.threatexpert.com/report.aspx?md5=8eaf3b7b72a9af5a85d01b674653ccac; reference:url,camas.comodo.com/cgi-bin/submit?file=31c027c13105e23af64b1b02882fb2b8300fdf7f511bb4c63c71f9b09c75dd6c; classtype:trojan-activity; sid:2014117; rev:2;) @@ -49238,10 +49274,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Common Adware Library ISX User Agent Detected"; flow:established,to_server; content:"User-Agent\|3A 20\|ISX Download DLL"; fast_pattern:12,16; http_header; reference:url,www.dateiliste.com/d3files/tools/mphider/isxdl.htm; classtype:trojan-activity; sid:2014137; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent\|3a 20\|Internet Explorer"; http_header; content:!"Referer\|3a 20\|"; http_header; pcre:"/Host\x3a (\d+\.){3}\d+/D"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Reveton checkin to /images.rar"; flow:established,to_server; content:"/images.rar"; fast_pattern; depth:11; http_uri; content:"User-Agent\|3a 20\|Internet Explorer"; http_header; content:!"Referer\|3a 20\|"; http_header; pcre:"/^Host\x3a (\d+\.){3}\d+$/Dm"; reference:md5,2697e2b81ba1c90fcd32e24715fcf40a; classtype:trojan-activity; sid:2014135; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck\|28\|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]+/i"; classtype:trojan-activity; sid:2014136; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Exploit Version Check with hidden applet"; flow:established,from_server; file_data; content:"deployJava.versionCheck\|28\|"; distance:0; content:"<applet"; nocase; distance:0; content:"hidden"; within:200; nocase; pcre:"/\x3capplet[^\x3e]+visibility[^\x3e]+hidden[^\x3e]/i"; classtype:trojan-activity; sid:2014136; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY IP Geo Location Request"; flow:to_server,established; content:"/geo/txt/city.php"; http_uri; flowbits:set,ETPRO.IP.geo.loc; reference:md5,0e2c46dc89dceb14e7add66cbfe8a2f8; classtype:policy-violation; sid:2014264; rev:5;) @@ -49253,7 +49289,7 @@ ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED DRIVEBY Generic Java Rhino Scripting Engine Exploit Previously Requested class.class"; flow:established,to_server; content:" Java/1"; http_header; content:"/class.class"; http_uri; classtype:trojan-activity; sid:2014138; rev:1;) # -alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"nicaze\|03\|net"; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:2;) +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Query to Known CnC Domain msnsolution.nicaze.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"nicaze\|03\|net"; fast_pattern; distance:0; reference:md5,89332c92d0360095e2dda8385d400258; classtype:trojan-activity; sid:2014139; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE AdWare.Win32.Sushi.au Checkin"; flow:to_server,established; content:"/inst.php?"; http_uri; content:"User-Agent\|3a\| psi"; http_header; reference:md5,3aad2075e00d5169299a0a8889afa30b; reference:url,www.securelist.com/en/descriptions/24412036/not-a-virus%3aAdWare.Win32.Sushi.au; classtype:trojan-activity; sid:2014262; rev:3;) @@ -49274,7 +49310,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Binary Load Request"; flow:established,to_server; content:"/load.php?spl="; http_uri; pcre:"/\/load\.php\?spl=[-_\w]+$/U"; classtype:attempted-user; sid:2014148; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"http\|3a\|//"; within:7; content:"\|7C\|http\|3a\|//"; distance:0; content:"\|0D 0A\|http\|3a\|//"; distance:0; content:"\|7C\|http\|3a\|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:1;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Possible URL List or Clickfraud URLs Delivered To Client"; flow:established,from_server; file_data; content:"http\|3a\|//"; within:7; content:"\|7C\|http\|3a\|//"; distance:0; content:"\|0D 0A\|http\|3a\|//"; distance:0; content:"\|7C\|http\|3a\|//"; distance:0; classtype:trojan-activity; sid:2014149; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Suspicious executable download possible Trojan NgrBot"; flow:established,to_server; content:"GET"; http_method; content:"/adobe-flash.exe"; http_uri; classtype:bad-unknown; sid:2014150; rev:1;) @@ -49289,10 +49325,10 @@ #alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS High Orbit Ion Cannon (HOIC) Attack Inbound Generic Detection Double Spaced UA"; flow:established,to_server; content:"User-Agent\|3a 20 20\|"; http_header; fast_pattern:9,4; content:"HTTP/1\|2e\|0"; threshold: type both, track by_src, count 15, seconds 30; reference:url,blog.spiderlabs.com/2012/01/hoic-ddos-analysis-and-detection.html; classtype:attempted-dos; sid:2014153; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"<subform"; nocase; distance:0; fast_pattern; content:"javascript"; nocase; distance:0; classtype:attempted-user; sid:2014154; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY PDF Containing Subform with JavaScript"; flow:established,to_client; file_data; content:"%PDF"; within:4; content:"subform"; nocase; distance:0; fast_pattern; content:"script"; nocase; distance:0; classtype:attempted-user; sid:2014154; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation Using Dadong JSXX Script"; flow:established,to_client; file_data; content:"Encrypt By Dadong\|27\|s JS"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014155; rev:2;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS JavaScript Obfuscation JSXX Script"; flow:established,to_client; file_data; content:"Encrypt "; content:"JSXX"; fast_pattern; distance:0; content:"VIP"; within:100; reference:cve,2012-0003; reference:url,eromang.zataz.com/2012/10/22/gong-da-gondad-exploit-pack-evolutions/; classtype:attempted-user; sid:2014155; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Microsoft Windows Media component specific exploit"; flow:established,to_client; file_data; content:"bang()"; distance:0; content:"cloned"; distance:0; content:"unescape(\|22\|%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c%u0c0c\|22\|)"; distance:0; reference:cve,2012-0003; classtype:attempted-user; sid:2014156; rev:3;) @@ -49304,10 +49340,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 1-7 PDF exploit download request 4"; flow:established,to_server; content:"/addfp1.php?f="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014158; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Rhino Java Exploit request to /content/rino.jar"; flow:established,to_server; content:"/content/rino.jar"; http_uri; reference:cve,CVE-2011-0611; classtype:trojan-activity; sid:2014159; rev:3;) # -##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole OBE Java Exploit request to /content/obe.jar"; flow:established,to_server; content:"/content/obe.jar"; http_uri; reference:cve,CVE-2010-0840; reference:cve,CVE-2010-0842; classtype:trojan-activity; sid:2014160; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/FakeTimer.A Reporting to CnC"; flow:established,to_server; content:"/send.php?a_id="; http_uri; content:"&telno="; http_uri; content:"&m_addr="; http_uri; content:"&usr_id="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_FAKETIMER.A; classtype:trojan-activity; sid:2014161; rev:1;) @@ -49316,7 +49352,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MOBILE_MALWARE Android/SndApps.SM Sending Information to CnC"; flow:established,to_server; content:"/android_notifier/notifier.php?h="; http_uri; reference:url,about-threats.trendmicro.com/Malware.aspx?language=uk&name=ANDROIDOS_SNDAPPS.SM; classtype:trojan-activity; sid:2014162; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"?pr="; http_uri; fast_pattern; content:"User-Agent\|3A 20\|chrome/9.0"; http_header; pcre:"/\x2E(png\|gif\|jpeg)\x3Fpr\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bifrose/Cycbot Checkin 2"; flow:established,to_server; content:"?pr="; http_uri; fast_pattern; content:"User-Agent\|3A 20\|chrome/9.0"; http_header; pcre:"/\x2E(png\|gif\|jpeg)\x3Fpr\x3D/U"; reference:md5,8c4f90bb59c05269c6c6990ec434eab6; classtype:trojan-activity; sid:2014163; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/DelfInject.A CnC Checkin 2"; flow:established,to_server; content:"/gate.php?username="; http_uri; content:"&country="; http_uri; content:"&OS="; http_uri; reference:md5,d8c2f31493692895c45d620723e9a8c3; classtype:trojan-activity; sid:2014164; rev:1;) @@ -49355,10 +49391,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.MSUpdater C&C traffic GET"; flow:from_client,established; content:".aspx?ID="; http_uri; content:"para1="; distance:0; http_uri; content:"para2="; distance:0; http_uri; content:"para3="; distance:0; http_uri; reference:url,www.seculert.com/reports/MSUpdaterTrojanWhitepaper.pdf; reference:url,research.zscaler.com/2012/01/msupdater-trojan-and-link-to-targeted.html; reference:url,blog.seculert.com/2012/01/msupdater-trojan-and-conference-invite.html; classtype:trojan-activity; sid:2014175; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; file_data; content:"<applet"; within:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014176; rev:4;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Incognito/Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; file_data; content:"<applet"; within:500; content:"lxxt>33"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014176; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato\|obe\|rhino\|lib)$/U"; classtype:trojan-activity; sid:2014177; rev:7;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Incognito/Sakura exploit kit binary download request"; flow:established,to_server; content:"/load.php?showforum="; http_uri; pcre:"/^\/load.php\?showforum=(ato\|obe\|rhino\|lib)$/U"; classtype:trojan-activity; sid:2014177; rev:8;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown Malware Checkin Possibly ZeuS"; flow:established,to_server; content:"POST"; http_method; content:"/rssfeed.php"; http_uri; content:"bn1="; http_client_body; content:"&sk1="; http_client_body; reference:url,anubis.iseclab.org/?action=result&task_id=1c19710e150ee00941148dee842a02976; classtype:trojan-activity; sid:2014178; rev:2;) @@ -49370,7 +49406,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SAPID get_infochannel.inc.php Remote File inclusion Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/usr/extensions/get_infochannel.inc.php?"; nocase; http_uri; content:"root_path="; nocase; http_uri; pcre:"/root_path=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/108488/sapidstable-rfi.txt; classtype:web-application-attack; sid:2014180; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET VIRUS Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious file BaiduPlayer1.0.21.25.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/BaiduPlayer/BaiduPlayer1.0.21.25.exe"; nocase; http_uri; content:"dl.client.baidu.com"; http_header; nocase; classtype:trojan-activity; sid:2014181; rev:3;) # #alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Malicious getpvstat.php file Reporting"; flow:established,to_server; content:"GET"; http_method; content:"/getpvstat.php"; nocase; http_uri; content:"p="; nocase; http_uri; content:"jss.155game.com"; http_header; nocase; classtype:trojan-activity; sid:2014182; rev:2;) @@ -49391,7 +49427,7 @@ alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter INSERT INTO SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"INSERT"; nocase; http_uri; content:"INTO"; nocase; http_uri; pcre:"/INSERT.+INTO/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014187; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; uricontent:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:2;) +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS IBBY nouvelles.php id Parameter UPDATE SET SQL Injection Attempt"; flow:established,to_server; content:"GET"; http_method; content:"/nouvelles.php?"; nocase; http_uri; content:"id="; nocase; http_uri; content:"UPDATE"; nocase; http_uri; content:"SET"; nocase; http_uri; pcre:"/UPDATE.+SET/Ui"; reference:url,packetstormsecurity.org/files/109169/IBBY-SQL-Injection.html; classtype:web-application-attack; sid:2014188; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely Blackhole Exploit Kit Driveby ?id Download Secondary Request"; flow:established,to_server; content:".php?id"; http_uri; pcre:"/^[^?#]+?\.php\?id[a-z0-9]=[a-f0-9]{16}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014189; rev:1;) @@ -49406,7 +49442,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 5"; flow:established,to_server; content:"/adp"; http_uri; content:".php?f="; http_uri; pcre:"/\/adp\d\.php\?=[0-9a-z]{2,6}/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014195; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/rin.jar"; flow:established,to_server; content:"/content/rin.jar"; http_uri; classtype:trojan-activity; sid:2014196; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/118GotYourNo Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/count"; http_uri; content:"appTitle="; http_client_body; content:"&strLink="; distance:0; content:"&proFirstTime="; distance:0; content:"&proLastTime="; distance:0; content:"&appName="; distance:0; content:"&KillList="; distance:0; classtype:trojan-activity; sid:2014191; rev:2;) @@ -49421,7 +49457,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yang Pack Exploit Kit Landing Page Known JavaScript Function Detected"; flow:established,to_client; content:"function booom"; nocase; fast_pattern:only; pcre:"/function\x20booom[1-3]{1}\x28\x29/smi"; reference:url,www.kahusecurity.com/2012/chinese-exploit-packs/; classtype:trojan-activity; sid:2014197; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"\|0D 0A\|Cookie\|3a\| cid="; pcre:"/cid=\d\d\d\d/"; classtype:trojan-activity; sid:2014198; rev:5;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN ZeuS - ICE-IX cid= in cookie"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"\|0D 0A\|Cookie\|3a\| cid="; pcre:"/^\d{4}\r$/Rm"; classtype:trojan-activity; sid:2014198; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato/Cleaman Checkin"; flow:established,to_server; content:".php?rnd="; http_uri; fast_pattern; content:"GET"; http_method; pcre:"/\?rnd=\d{5,7}\x20HTTP1\/1\.[01]\x0d\x0aHost\x3a\x20/"; content:!"User-Agent\|3a\|"; http_header; content:!"Accept\|3a\|"; http_header; reference:md5,1d26f4c1cfedd3d34b5067726a0460b0d; reference:md5,45b3b6fcb666c93e305dba35832e1d42; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWin32%2FCleaman.G; classtype:trojan-activity; sid:2014200; rev:3;) @@ -49481,7 +49517,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN TSPY_SPCESEND.A Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/log.php"; http_uri; content:"id="; depth:3; http_client_body; content:"&link="; http_client_body; content:"&password="; http_client_body; content:"&debug="; http_client_body; content:!"User-Agent\|3a 20\|"; http_header; reference:url,blog.trendmicro.com/malware-uses-sendspace-to-store-stolen-documents/; classtype:trojan-activity; sid:2014219; rev:2;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_\|3b\| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:trojan-activity; sid:2014220; rev:5;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED TDS Sutra Exploit Kit Redirect Received"; flow:established,from_server; content:"302"; http_stat_code; content:"=_"; http_header; content:"_\|3b\| domain="; http_header; distance:1; within:10; pcre:"/^[a-z]{5}\d=\x5f\d\x5f/C"; classtype:trojan-activity; sid:2014220; rev:6;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Graybird Checkin"; flow:to_server,established; content:"/count.asp?mac="; http_uri; content:"&os="; http_uri; content:"&av="; http_uri; content:"User-Agent\|3a\| Post\|0d 0a\|"; http_header; reference:md5,0fd68129ecbf68ad1290a41429ee3e73; reference:md5,11353f5bdbccdd59d241644701e858e6; classtype:trojan-activity; sid:2014365; rev:2;) @@ -49520,13 +49556,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on non-http ports 2"; flow:to_server,established; content:"POST "; nocase; depth:5; content:"/update?id="; distance:0; content:"X-Status\|3A\|"; offset:16; content:"X-Size\|3A\|"; offset:16; content:"X-Sn\|3A\|"; fast_pattern; offset:16; content:"User-Agent\|3a\| Mozilla/4.0 \|28\|compatible\|3b\| MSIE 6.0\|3b\| Windows NT 5.1\|3b\|SV1\|3b 0d 0a\|"; offset:16; classtype:trojan-activity; sid:2014231; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; http_uri; content:"X-Status\|3A\|"; http_header; content:"X-Size\|3A\|"; http_header; content:"X-Sn\|3A\|"; http_header; fast_pattern; content:"User-Agent\|3a\| Mozilla/4.0 \|28\|compatible\|3b\| MSIE 6.0\|3b\| Windows NT 5.1\|3b\|SV1\|3b 0d 0a\|"; http_header; classtype:trojan-activity; sid:2014232; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN UPDATE Protocol Trojan Communication detected on http ports 2"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/update?id="; http_uri; content:"X-Status\|3A\|"; http_header; content:"X-Size\|3A\|"; http_header; content:"X-Sn\|3A\|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014232; rev:4;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET POLICY ASafaWeb Scan User-Agent (asafaweb.com)"; flow:established,to_server; content:"User-Agent\|3a\| asafaweb.com\|0d 0a\|"; http_header; reference:url,asafaweb.com; classtype:network-scan; sid:2014233; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit!IK/Kazy/PWS.Siggen.33210 Checkin"; flow:established,to_server; content:"GET"; nocase; http_method; content:"\|20\|HTTP/1.0\|0d 0a\|Host\|3a 20\|"; content:"Accept\|3a 20\|/\|0d 0a\|"; http_header; content:"Connection\|3a\| close\|0d 0a\|User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 5.0"; http_header; content:"\|3b\| Windows 98)"; within:13; fast_pattern; http_header; reference:md5,dcc2c110e509fa777ab1460f665bd137; classtype:trojan-activity; sid:2014234; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 3"; flow:established,to_server; content:"GET"; nocase; http_method; content:"\|20\|HTTP/1.0\|0d 0a\|Host\|3a 20\|"; content:"Accept\|3a 20\|/\|0d 0a\|"; http_header; content:"Connection\|3a\| close\|0d 0a\|User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 5.0"; http_header; content:"\|3b\| Windows 98)"; within:13; fast_pattern; http_header; reference:md5,dcc2c110e509fa777ab1460f665bd137; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014234; rev:8;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - info.exe"; flow:established,to_client; content:"attachment\|3b\|"; http_header; content:"info.exe"; http_header; distance:0; content:"\|0d 0a\|"; http_header; within:3; classtype:bad-unknown; sid:2014235; rev:4;) @@ -49547,7 +49583,7 @@ alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Win32/Cridex.B Self Signed SSL Certificate (root@ks310208.kimsufi.com)"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; within:7; content:"root@ks310208.kimsufi.com"; content:"SomeOrganizationalUnit1"; classtype:trojan-activity; sid:2014240; rev:3;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:5;) +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED DRIVEBY Generic - Java Exploit Obfuscated With Allatori"; flow:established,to_client; flowbits:isset,ET.http.javaclient; file_data; content:"PK"; within:2; content:"Allatori"; nocase; classtype:bad-unknown; sid:2014241; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS TDS Trojan Stream request /stream?"; flow:established,to_server; urilen:9; content:"/stream?"; http_uri; pcre:"/^\/stream\?\d$/U"; classtype:bad-unknown; sid:2014242; rev:5;) @@ -49559,10 +49595,10 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Java applet with obfuscated URL 2"; flow:established,from_server; content:"<applet"; depth:500; content:"vssMlgg"; fast_pattern; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014244; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request similar to /content/jav.jar"; flow:established,to_server; content:"/content/jav"; http_uri; content:".jar"; http_uri; pcre:"/\/content\/jav\d?\.jar$/U"; classtype:trojan-activity; sid:2014245; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Sefnit Checkin 3"; flow:established,to_server; content:"?re="; http_uri; content:"&r="; distance:0; http_uri; content:"&u="; distance:0; http_uri; content:"&cid="; distance:0; http_uri; content:"&rc="; distance:0; http_uri; content:"&pa="; distance:0; http_uri; content:"&ref1="; distance:0; http_uri; content:"&ref2="; distance:0; http_uri; classtype:trojan-activity; sid:2014246; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Sefnit Checkin 4"; flow:established,to_server; content:"?aid="; http_uri; content:"&url="; http_uri; pcre:"/\?aid=\d{9}&url=[\w\.\-]{23}$/Ui"; classtype:trojan-activity; sid:2014247; rev:1;) @@ -49631,6 +49667,9 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Cutwail.BE Checkin 2"; flow:established,from_client; dsize:32; content:"\|00 00 00 00 FF FF FF FF 3F 57\|"; depth:10; content:"\|FE FF FF FF FF FF FF FF FF FF FF\|"; distance:3; within:11; reference:md5,3d766c4d53188eb8173a5dc3cfc4e317; reference:md5,289f457083e8f59520b31a7ea13d16ec; classtype:trojan-activity; sid:2014272; rev:1;) # +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install"; flow:to_server,established; content:"/api/stats/install/?affid="; content:"&ver=30"; http_uri; content:"&group="; http_uri; reference:md5,c527fb441e204baa28a7dcbcd3d91cd1; classtype:trojan-activity; sid:2015653; rev:3;) + +# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/DarkComet Second Stage Download Request"; flow:established,to_server; content:"GET"; http_method; content:"/Update/Update.bin"; http_uri; reference:url,blog.trendmicro.com/darkcomet-surfaced-in-the-targeted-attacks-in-syrian-conflict/; classtype:trojan-activity; sid:2014273; rev:1;) # @@ -49646,7 +49685,7 @@ alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query for try2check.me Carder Tool"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|09\|try2check\|02\|me\|00\|"; fast_pattern; nocase; reference:url,cert.xmco.fr/blog/index.php?post/2012/02/23/Try2check.me%2C-le-maillon-fort; classtype:bad-unknown; sid:2014277; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/jav2.jar"; flow:established,to_server; content:"/content/jav2.jar"; http_uri; classtype:trojan-activity; sid:2014278; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Acrobat 8/9.3 PDF exploit download request 6"; flow:established,to_server; content:"/data/ap2.php"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014279; rev:4;) @@ -49667,7 +49706,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Pack HCP exploit 4"; flow:established,to_server; content:"/hhcp.php?c="; http_uri; pcre:"/hhcp.php?c=[a-f0-9]{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014284; rev:2;) # -alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|ch\|02\|vu"; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:3;) +alert udp $HOME_NET any -> any 53 (msg:"ET DNS DNS Query for Suspicious .ch.vu Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|02\|ch\|02\|vu"; fast_pattern; nocase; distance:0; reference:url,google.com/safebrowsing/diagnostic?site=ch.vu; classtype:bad-unknown; sid:2014285; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Java Archive sent when remote host claims to send an image"; flow:established,from_server; content:"Content-Type\|3a\| image"; nocase; http_header; content:"\|0d 0a 0d 0a\|PK"; fast_pattern; content:"META-INF/MANIFEST"; distance:0; classtype:trojan-activity; sid:2014288; rev:1;) @@ -49706,13 +49745,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FlashBack Mac OSX malware Checkin"; flow:to_server,established; content:"GET"; nocase; http_method; content:"/aaupdate/"; fast_pattern; http_uri; content:"User-Agent\|3a\| "; http_header; content:!"Mozilla"; within:7; http_header; content:!"\|0d 0a\|"; within:124; http_header; reference:url,blog.intego.com/flashback-mac-trojan-horse-infections-increasing-with-new-variant/; classtype:trojan-activity; sid:2014596; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_header; content:!"3"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Vulnerable Java Version 1.7.x Detected"; flow:established,to_server; content:" Java/1.7.0_0"; http_header; content:!"9"; within:1; http_header; flowbits:set,ET.http.javaclient.vulnerable; threshold: type limit, count 2, seconds 300, track by_src; reference:url,javatester.org/version.html; classtype:bad-unknown; sid:2014297; rev:12;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Yakes.pwo Checkin"; flow:to_server,established; content:"/stat.php?w="; http_uri; content:"&i="; http_uri; content:"&a="; http_uri; content:"User-Agent\|3A\| Opera/6"; http_header; content:"\|3B\| LangID="; http_header; reference:md5,d40927e8c4b59a1c2af4f981ef295321; classtype:trojan-activity; sid:2014604; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /content/viewer.jar"; flow:established,to_server; content:"/content/viewer.jar"; http_uri; classtype:trojan-activity; sid:2014299; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kryptik.ABUD Checkin"; flow:established,to_server; content:"/imagedump/image.php?size="; http_uri; content:"&thumbnail="; http_uri; reference:md5,00b714468f1bc2254559dd8fd84186f1; classtype:trojan-activity; sid:2014300; rev:2;) @@ -49745,7 +49784,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/LockScreen Scareware Geolocation Request"; flow:established,to_server; content:"/loc/gate.php?getpic=getpic"; http_uri; reference:url,www.abuse.ch/?p=3610; reference:url,www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_police_trojan.pdf; classtype:trojan-activity; sid:2014309; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"000000/log"; http_uri; pcre:"/\/\d\d[A-F0-9]000000\/log$/U"; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RegSubsDat Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:"000000/log"; http_uri; fast_pattern:only; pcre:"/\/\d\d[A-F0-9]000000\/log$/U"; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; http_header; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014310; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RegSubsDat Checkin Off Ports"; flow:established,to_server; content:"POST "; nocase; depth:5; content:"000000/log"; fast_pattern; pcre:"/\/\d\d[A-F0-9]000000\/log /"; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; reference:url,www.secureworks.com/research/threats/sindigoo/; classtype:trojan-activity; sid:2014311; rev:3;) @@ -49754,7 +49793,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN W32/NSIS.TrojanDownloader Second Stage Download Instructions from Server"; flow:established,to_client; file_data; content:"\|3B 20\|Ini download file modue"; nocase; distance:0; content:"DownUrl="; nocase; distance:0; content:"FileName="; nocase; distance:0; content:"SaveType="; nocase; distance:0; pcre:"/FileName\x3D[^\r\n]\x2E(dll\|exe)/i"; reference:md5,3ce5da32903b52394cff2517df51f599; classtype:trojan-activity; sid:2014312; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server\|3A 20\|dbws\|0d 0a\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; classtype:not-suspicious; sid:2014313; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Executable Download From DropBox"; flow:established,to_client; content:"Server\|3A 20\|dbws\|0d 0a\|"; http_header; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; classtype:not-suspicious; sid:2014313; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Download /load/exe"; flow:established,from_server; content:"Content-Disposition\|3a\| inline"; nocase; http_header; content:".exe"; http_header; content:"load/"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:attempted-user; sid:2014314; rev:4;) @@ -49769,7 +49808,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ZeuS Clickfraud List Delivered To Client"; flow:established,from_server; file_data; content:"<xml>"; within:5; content:"<time>"; distance:0; content:"<doc>"; distance:0; content:"<url>http\|3a\|//"; distance:0; content:"<ref>"; distance:0; content:"<n>"; distance:0; classtype:trojan-activity; sid:2014317; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to .clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; within:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Clickpayz redirection to .clickpayz.com"; flow:established,from_server; content:"30"; http_stat_code; depth:2; content:"clickpayz.com/"; http_header; classtype:bad-unknown; sid:2014318; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Dadong Java Exploit Requested"; flow:established,to_server; content:"/Gondad.jpg"; nocase; http_uri; content:" Java/1"; http_header; classtype:bad-unknown; sid:2014319; rev:1;) @@ -49841,7 +49880,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Suspicious User-Agent Toys File"; flow:established,to_server; content:"User-Agent\|3A 20\|toys\|3A 3A\|file"; http_header; reference:md5,22d3165c0e80ba50bc6a42a2e82b2874; classtype:trojan-activity; sid:2014341; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Snad User-Agent"; flow:established,to_server; content:"User-Agent\|3A 20\|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Snadboy.com Products User-Agent"; flow:established,to_server; content:"User-Agent\|3A 20\|SnadBoy"; http_header; reference:md5,26a813eadbf11a1dfc2e63dc7dc87480; classtype:trojan-activity; sid:2014342; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN SMTP Subject Line Contains C Path and EXE Possible Trojan Reporting Execution Path/Binary Name"; flow:established,to_server; content:"Subject\|3A 20\|"; content:"C\|3A 5C\|"; nocase; fast_pattern; within:100; content:".exe"; within:40; pcre:"/Subject\x3A\x20[^\r\n]C\x3A\x5C[^\r\n]\x2Eexe/i"; reference:md5,24e937b9f3fd6a04dde46a2bc75d4b18; classtype:bad-unknown; sid:2014343; rev:2;) @@ -49859,7 +49898,16 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Peed Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; http_uri; content:"\|20\|HTTP/1.1\|0d 0a\|Host\|3a 20\|"; content:"Content-Type\|3a\| application/x-www-form-urlencoded\|3b 20\|charset=UTF-8\|0d 0a\|Connection\|3a\| close\|0d 0a 0d 0a\|"; http_header; content:!"User-Agent\|3a\|"; http_header; content:"aa1020R0="; depth:9; fast_pattern; http_client_body; content:"%3D%0D%0A"; offset:109; http_client_body; reference:md5,142ff7d3d931ecfa9a06229842ceefc4; reference:md5,df690cbf6e33e9ee53fdcfc456dc4c1f; classtype:trojan-activity; sid:2014347; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN RevProxy ClientHello"; flow:established,to_server; dsize:13; content:"\|04 00 00 01 05 00 00 00 00 07 00 01 00\|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014348; rev:2;) + +# +##alert tcp $EXTERNAL_NET 1024: -> $HOME_NET any (msg:"ET DELETED RevProxy ServerRespone"; flow:established,to_client; dsize:9; content:"\|04 00 00 01 01 00 00 00 04\|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014349; rev:2;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET DELETED RevProxy ClientPing"; flow:established,to_server; dsize:9; content:"\|04 00 00 01 01 00 00 00 05\|"; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014350; rev:2;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED RevProxy CnC List Request"; flow:established,to_server; content:"?net=gnutella2&get=1&client=RAZA2.5.0.0"; http_uri; reference:md5,5d6f186f10acf5f21a3498601465cf40; classtype:trojan-activity; sid:2014351; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible SQL Injection Attempt char() Danmec related"; flow:established,to_server; content:"CHAR("; http_uri; nocase; pcre:"/CHAR$[0-9]{2,3}$char\([^\x0d\x0a\x20]{98,}/Ui"; classtype:attempted-admin; sid:2014352; rev:1;) @@ -49886,7 +49934,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Win32/Protux.B Download Update"; flow:from_client,established; content:"Mozilla/4.2.20 (compatible\|3B\| MSIE 5.0.2\|3B\| Win32)\|0D 0A\|"; http_header; reference:md5,53105ecf3cf6040039e16abb382fb836; classtype:trojan-activity; sid:2014361; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Win32/Protux.B dnswatch check for CnC IP"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent\|3a\| Mozilla/5.0 (compatible\|3B\| MSIE 6.0.1\|3B\| "; http_header; content:"WININET 5.0)\|0D 0A\|"; http_header; fast_pattern; content:"Host\|3a\| www.dnswatch.info\|0D 0A\|Cache-Control\|3a\| no-cache\|0D 0A\|"; http_header; classtype:trojan-activity; sid:2014359; rev:6;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY DNSWatch.info IP Check"; flow:from_client,established; content:"/dns/dnslookup?la=en&host="; http_uri; content:"&type=A&submit=Resolve"; distance:0; http_uri; content:"User-Agent\|3a\| Mozilla/5.0 (compatible\|3B\| MSIE 6.0.1\|3B\| "; http_header; content:"WININET 5.0)\|0D 0A\|"; http_header; fast_pattern; content:"Host\|3a\| www.dnswatch.info\|0D 0A\|Cache-Control\|3a\| no-cache\|0D 0A\|"; http_header; classtype:trojan-activity; sid:2014359; rev:7;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Scalaxy Exploit Kit URL template download"; flow:established,from_server; content:"<script>a=\|22\|http\|3a\|//"; content:"/tttttt"; fast_pattern; within:50; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014362; rev:2;) @@ -49904,7 +49952,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Blocker Checkin"; flow:established,to_server; content:"/gate.php?cmd="; http_uri; content:"&botnet="; http_uri; content:"&userid="; http_uri; content:"&os="; http_uri; reference:md5,1d8841128e63ed7e26200d4ed3bc8e05; classtype:trojan-activity; sid:2014364; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent\|3A 20\|Post\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2014366; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent Post"; flow:established,to_server; content:"User-Agent\|3A 20\|Post\|0d 0a\|"; http_header; fast_pattern:only; content:!"/uup.php"; http_uri; content:!".360.cn\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2014366; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Banload Trojan Downloader Dropped Binary"; flow:established,to_client; content:"C\|00\|o\|00\|m\|00\|p\|00\|a\|00\|n\|00\|y\|00\|N\|00\|a\|00\|m\|00\|e\|00\|"; content:"m\|00\|i\|00\|l\|00\|k\|00\|"; fast_pattern; within:30; content:"I\|00\|n\|00\|t\|00\|e\|00\|r\|00\|n\|00\|a\|00\|l\|00\|N\|00\|a\|00\|m\|00\|e\|00\|"; distance:0; content:"m\|00\|i\|00\|l\|00\|k\|00\|"; within:30; content:"L\|00\|e\|00\|g\|00\|a\|00\|l\|00\|C\|00\|o\|00\|p\|00\|y\|00\|r\|00\|i\|00\|g\|00\|h\|00\|t\|00\|"; distance:0; content:"m\|00\|i\|00\|l\|00\|k\|00\|"; within:30; reference:md5,31bb4e0d67a5af96d5b5691966e25d73; classtype:trojan-activity; sid:2014367; rev:1;) @@ -49919,7 +49967,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/GamesForum.InfoStealer Reporting to CnC"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/forum/"; http_uri; pcre:"/\/forum\/[0-9a-f]{32}\x2ephp/U"; content:"HTTP/1.0"; content:!"User-Agent\|3A\|"; nocase; http_header; content:"Data="; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2014370; rev:2;) # -alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"\|00 00 07\|"; depth:16; content:"\|02\|eu\|00\|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type limit, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:5;) +##alert udp $HOME_NET any -> any 53 (msg:"ET DELETED Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup Detected"; byte_test:1,!&,0xF8,2; content:"\|00 00 07\|"; depth:16; content:"\|02\|eu\|00\|"; fast_pattern:only; pcre:"/\x00\x07[a-z]{7}\x02eu\x00/"; threshold: type both, count 5, seconds 120, track by_src; classtype:trojan-activity; sid:2014371; rev:7;) # alert udp any 53 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Kelihos .eu CnC Domain Generation Algorithm (DGA) Lookup NXDOMAIN Response"; byte_test:1,&,128,2; byte_test:1,&,1,3; byte_test:1,&,2,3; content:"\|02\|eu\|00\|"; fast_pattern:only; pcre:"/\x00\x07[a-z0-9]{7}\x02eu\x00/"; threshold: type both, track by_src, count 2, seconds 60; classtype:trojan-activity; sid:2014372; rev:4;) @@ -49943,7 +49991,7 @@ #alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole/Cutwail Redirection Page 1"; flow:established,from_server; file_data; content:"document.location="; distance:0; content:".php?"; fast_pattern; within:100; pcre:"/\.php\?[^&]{1,8}=[a-f0-9]{16}[\x22\x27\x3b]/"; classtype:bad-unknown; sid:2014378; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP GET invalid method case outbound"; flow:established,to_server; content:"get "; depth:4; nocase; content:!"GET "; depth:4; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014379; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY HTTP HEAD invalid method case outbound"; flow:established,to_server; content:"head "; depth:5; nocase; content:!"HEAD "; depth:5; reference:url,www.w3.org/Protocols/rfc2616/rfc2616-sec9.html; classtype:bad-unknown; sid:2014381; rev:2;) @@ -50003,10 +50051,10 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/PaPaPaEdge.Adware/Gambling Poker-Edge Checkin"; flow:established,to_server; content:"/xml_action.php?user="; http_uri; content:"&appid="; http_uri; content:"&hwid="; http_uri; content:"&id="; http_uri; content:".poker-edge.com\|0d 0a\|"; http_header; reference:md5,f9d226bf9807c72432050f7dcb396b06; classtype:trojan-activity; sid:2014403; rev:1;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:12;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt Negative INT"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_test:1,&,0x80,1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014430; rev:13;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:13;) +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds DoS Attempt"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_test:1,<,0x80,0,relative,big; byte_jump:1,0,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020-vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014431; rev:15;) # ##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED W32/Bifrose.Backdoor Checkin Attempt via Facebook"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/omaha/update.php?"; http_uri; content:"User-Agent\|3A 20\|Facebook Update/"; http_header; content:"winhttp\|3b\|"; http_header; reference:md5,61661202e320dd91e4f7e4a10616eefc; classtype:trojan-activity; sid:2014404; rev:2;) @@ -50021,13 +50069,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY EgyPack Exploit Kit Cookie Present"; flow:established,to_server; content:"visited=TRUE\|3b\| mutex="; http_header; content:"visited=TRUE\|3b\| mutex="; http_cookie; depth:20; classtype:bad-unknown; sid:2014408; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Alureon Primary CnC Checkin"; flow:established,to_server; content:"= HTTP/1.1\|0D 0A\|Host\|3a\| "; fast_pattern; content:!"User-Agent\|3a\| "; http_header; content:"\|0D 0A\|Cache-Control\|3a\| no-cache\|0D 0A 0D 0A\|"; content:!"&"; http_uri; classtype:trojan-activity; sid:2014409; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAV.dfze/FakeAV!IK Checkin"; flow:established,to_server; urilen:>150; content:"= HTTP/1.1\|0D 0A\|Host\|3a\| "; fast_pattern; content:!"User-Agent\|3a\| "; http_header; content:"\|0D 0A\|Cache-Control\|3a\| no-cache\|0D 0A 0D 0A\|"; content:!"&"; http_uri; content:!"."; http_uri; reference:md5,fe1e735ec10fb8836691fe2f2ac7ea44; classtype:trojan-activity; sid:2014409; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Ixeshe"; flow:to_server,established; content:"User-Agent\|3a\| User-Agent\|3a\| "; nocase; http_header; fast_pattern:only; content:"/ym/Attachments?YY="; nocase; http_uri; reference:url,blog.spiderlabs.com/2012/03/dirty-rat.html; classtype:trojan-activity; sid:2014410; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit!IK/Kazy/PWS.Siggen.33210 Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/pony/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible\|3b\| MSIE 5.0\|3b\| Windows 98)"; http_header; reference:md5,99FAB94FD824737393F5184685E8EDF2; classtype:trojan-activity; sid:2014411; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Fareit/Pony Downloader Checkin 2"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/pony/gate.php"; http_uri; fast_pattern; content:"Mozilla/4.0 (compatible\|3b\| MSIE 5.0\|3b\| Windows 98)"; http_header; reference:md5,99FAB94FD824737393F5184685E8EDF2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2014411; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole client=done Cookie Set"; flow:established,from_server; content:"client=done\|3b\|"; content:"client=done\|3b\|"; http_cookie; depth:12; classtype:bad-unknown; sid:2014412; rev:1;) @@ -50093,7 +50141,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Rhino Exploit Attempt - evilcode.class"; flow:established,to_client; content:"code=\|22\|evilcode.class\|22\|"; nocase; fast_pattern:only; reference:cve,2011-3544; classtype:attempted-user; sid:2014429; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Pol.jar"; flow:established,to_server; content:"/Pol.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014436; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Initializing Protection System"; flow:established,from_server; content:">Initializing Protection System...</"; fast_pattern; content:">System Tasks</"; distance:0; classtype:trojan-activity; sid:2014437; rev:4;) @@ -50102,7 +50150,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Unknown - news=1 in http_cookie"; flow:established,to_client; content:" news=1"; content:"news=1"; http_cookie; within:6; classtype:bad-unknown; sid:2014438; rev:5;) ##by Pedro Marinho -alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN \|3a\|#"; nocase; content:"!dl\|20\|http\|3a 2f 2f\|"; distance:0; content:"\|2e\|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:3;) +alert tcp $EXTERNAL_NET !6661:6668 -> $HOME_NET any (msg:"ET TROJAN IRC Bot Download http Command"; flow:established,from_server; content:"JOIN \|3a\|#"; nocase; content:"dl\|20\|http\|3a 2f 2f\|"; distance:0; content:"\|2e\|exe"; distance:0; reference:md5,fa6ae89b101a0367cc98798c7333e3a4; classtype:trojan-activity; sid:2014439; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Payload Download - scandsk.exe"; flow:established,from_server; content:"attachment\|3b\|"; http_header; content:"scandsk"; http_header; fast_pattern; within:20; content:".exe\|0d 0a\|"; http_header; distance:0; classtype:bad-unknown; sid:2014440; rev:7;) @@ -50156,19 +50204,19 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX TRENDnet TV-IP121WN UltraMJCam ActiveX Control OpenFileDlg Access Potential Remote Stack Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"UltraMJCam.UltraMJCam.1"; nocase; distance:0; content:".OpenFileDlg"; nocase; distance:0; reference:url,www.exploit-db.com/exploits/18675/; classtype:attempted-user; sid:2014456; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014457; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit JAR from //Home/"; flow:established,to_server; content:"GET //Home/"; depth:11; fast_pattern; content:".jar"; http_uri; nocase; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014457; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Italian Spam Campaign"; flow:established,to_server; content:"/Dettagli.zip"; http_uri; reference:md5,c64504b68d34b18a370f5e77bd0b0337; classtype:trojan-activity; sid:2014458; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected"; flow:established,from_client; content:"POST /service HTTP/1"; depth:20; content:"\|13\|QVOD protocol\|00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; classtype:policy-violation; sid:2014459; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET P2P QVOD P2P Sharing Traffic detected (tcp)"; flow:established,from_client; content:"POST /service HTTP/1"; depth:20; content:"\|13\|QVOD protocol\|00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; classtype:policy-violation; sid:2014459; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/config.php"; http_uri; fast_pattern; content:"Accept\|3A\| /"; http_header; content:"Content-Type\|3A\| application/x-www-form-urlencoded"; http_header; content:"User-Agent\|3A\| Mozilla/4.0 \|28\|compatible\|3B\| MSIE 8.0\|3B\| Windows NT 5.1\|3B\|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:trojan-activity; sid:2014460; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Zeus CnC Checkin POST to Config.php"; flow:established,to_server; content:"POST"; nocase; http_method; urilen:11; content:"/config.php"; http_uri; fast_pattern; content:"Accept\|3A\| /"; http_header; content:"Content-Type\|3A\| application/x-www-form-urlencoded"; http_header; content:"User-Agent\|3A\| Mozilla/4.0 \|28\|compatible\|3B\| MSIE 8.0\|3B\| Windows NT 5.1\|3B\|"; http_header; reference:url,blog.fireeye.com/research/2012/04/zeus-takeover-leaves-undead-remains.html#more; classtype:trojan-activity; sid:2014460; rev:4;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"\|3c\|applet archive=\|22\|"; distance:0; content:".jar\|22\|"; distance:0; within:14; content:"code=\|22\|msf.x.Exploit.class\|22\|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:6;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Java Atomic Reference Exploit Attempt Metasploit Specific"; flow:established,from_server; file_data; content:"\|3c\|applet archive=\|22\|"; distance:0; content:".jar\|22\|"; distance:0; within:14; content:"code=\|22\|msf.x.Exploit.class\|22\|"; distance:0; fast_pattern:6,19; reference:cve,CVE-2012-0507; reference:url,www.metasploit.com/modules/exploit/multi/browser/java_atomicreferencearray; classtype:bad-unknown; sid:2014461; rev:7;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN LuckyCat/TROJ_WIMMIE Checkin"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php?m="; http_uri; content:"&n="; http_uri; within:4; content:"_"; http_uri; distance:0; content:"@"; http_uri; distance:0; pcre:"/\.php\?m=\w&n=\w+_\w+(@\|@.c\|@.t)$/U"; reference:url,blog.trendmicro.com/luckycat-redux-inside-an-apt-campaign/; reference:url,trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf; classtype:trojan-activity; sid:2014462; rev:2;) @@ -50198,7 +50246,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Likely Blackhole PDF served from iframe"; flow:established,from_server; content:".pdf\|27\|/></iframe>"; fast_pattern:only; reference:url,community.websense.com/blogs/securitylabs/pages/black-hole-exploit-kit.aspx; classtype:trojan-activity; sid:2014470; rev:1;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:3;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DRIVEBY Generic - EXE Download by Java"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; threshold:type limit,track by_src,count 1,seconds 3; classtype:trojan-activity; sid:2014471; rev:4;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - Java Archive Download"; flow:from_server,established; flowbits:isnotset,ET.http.javaclient.vulnerable; flowbits:isset,ET.http.javaclient; content:"\|0D 0A 0D 0A\|PK"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2014472; rev:4;) @@ -50219,106 +50267,106 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN HTTP Request to Zaletelly CnC Domain atserverxx.info"; flow:established,to_server; content:"Host\|3a\| atserver"; http_header; nocase; content:".info\|0d 0a\|"; http_header; within:11; nocase; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Worm%3aWin32/Gamarue.F; classtype:trojan-activity; sid:2014477; rev:1;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .3d-game.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|07\|3d-game\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014478; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .3d-game.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|07\|3d-game\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014478; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .3d-game.com Dynamic DNS Domain"; flow:established,to_server; content:".3d-game.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014479; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .3d-game.com Domain"; flow:established,to_server; content:".3d-game.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014479; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .4irc.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|4irc\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014480; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .4irc.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|4irc\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014480; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .4irc.com Dynamic DNS Domain"; flow:established,to_server; content:".4irc.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014481; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .4irc.com Domain"; flow:established,to_server; content:".4irc.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014481; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .b0ne.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|b0ne\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014482; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .b0ne.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|b0ne\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014482; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .b0ne.com Dynamic DNS Domain"; flow:established,to_server; content:".b0ne.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014483; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .b0ne.com Domain"; flow:established,to_server; content:".b0ne.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014483; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .bbsindex.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|bbsindex\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014484; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .bbsindex.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|bbsindex\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014484; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .bbsindex.com Dynamic DNS Domain"; flow:established,to_server; content:".bbsindex.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014485; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .bbsindex.com Domain"; flow:established,to_server; content:".bbsindex.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014485; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .chatnook.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|chatnook\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014486; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .chatnook.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|chatnook\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014486; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .chatnook.com Dynamic DNS Domain"; flow:established,to_server; content:".chatnook.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014487; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .chatnook.com Domain"; flow:established,to_server; content:".chatnook.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014487; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .darktech.org Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|darktech\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014488; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .darktech.org Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|darktech\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014488; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .darktech.org Dynamic DNS Domain"; flow:established,to_server; content:".darktech.org\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014489; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .darktech.org Domain"; flow:established,to_server; content:".darktech.org\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014489; rev:3;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .deaftone.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|deaftone\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014490; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .deaftone.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|deaftone\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014490; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .deaftone.com Dynamic DNS Domain"; flow:established,to_server; content:".deaftone.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014491; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .deaftone.com Domain"; flow:established,to_server; content:".deaftone.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014491; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .dtdns.net Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|dtdns\|03\|net\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014492; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .dtdns.net Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|dtdns\|03\|net\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014492; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .dtdns.net Dynamic DNS Domain"; flow:established,to_server; content:".dtdns.net\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014493; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .dtdns.net Domain"; flow:established,to_server; content:".dtdns.net\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014493; rev:5;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .effers.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|effers\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014494; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .effers.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|effers\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014494; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .effers.com Dynamic DNS Domain"; flow:established,to_server; content:".effers.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014495; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .effers.com Domain"; flow:established,to_server; content:".effers.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014495; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .etowns.net Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|etowns\|03\|net\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014496; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .etowns.net Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|etowns\|03\|net\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014496; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .etowns.net Dynamic DNS Domain"; flow:established,to_server; content:".etowns.net\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014497; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .etowns.net Domain"; flow:established,to_server; content:".etowns.net\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014497; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .etowns.org Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|etowns\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014498; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .etowns.org Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|etowns\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014498; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .etowns.org Dynamic DNS Domain"; flow:established,to_server; content:".etowns.org\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014499; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .etowns.org Domain"; flow:established,to_server; content:".etowns.org\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014499; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .flnet.org Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|flnet\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014500; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .flnet.org Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|flnet\|03\|org\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014500; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .flnet.org Dynamic DNS Domain"; flow:established,to_server; content:".flnet.org\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014501; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .flnet.org Domain"; flow:established,to_server; content:".flnet.org\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014501; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .gotgeeks.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|gotgeeks\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014502; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .gotgeeks.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|gotgeeks\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014502; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .gotgeeks.com Dynamic DNS Domain"; flow:established,to_server; content:".gotgeeks.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014503; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .gotgeeks.com Domain"; flow:established,to_server; content:".gotgeeks.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014503; rev:2;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .scieron.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|07\|scieron\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014504; rev:3;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .scieron.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|07\|scieron\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014504; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .scieron.com Dynamic DNS Domain"; flow:established,to_server; content:".scieron.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014505; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .scieron.com Domain"; flow:established,to_server; content:".scieron.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014505; rev:3;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .slyip.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|slyip\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014506; rev:4;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .slyip.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|slyip\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014506; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .slyip.com Dynamic DNS Domain"; flow:established,to_server; content:".slyip.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014507; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .slyip.com Domain"; flow:established,to_server; content:".slyip.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014507; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .slyip.net Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:4; content:"\|05\|slyip\|03\|net\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014508; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .slyip.net Dynamic DNS Domain"; flow:established,to_server; content:".slyip.net\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014509; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .slyip.net Domain"; flow:established,to_server; content:".slyip.net\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014509; rev:3;) # -alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to a .suroot.com Dynamic DNS Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|suroot\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014510; rev:4;) +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to a .suroot.com Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|suroot\|03\|com\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014510; rev:5;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .suroot.com Dynamic DNS Domain"; flow:established,to_server; content:".suroot.com\|0D 0A\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2014511; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a .suroot.com Domain"; flow:established,to_server; content:".suroot.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2014511; rev:3;) # alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN DNS Request for Zaletelly CnC Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"zaletelly"; fast_pattern; nocase; distance:0; content:"\|02\|be\|00\|"; nocase; reference:url,www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~MDrop-EAB/detailed-analysis.aspx; classtype:trojan-activity; sid:2014513; rev:1;) @@ -50360,7 +50408,7 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE - Served Attached HTTP"; flow:to_client,established; content:"Content-Disposition"; nocase; http_header; content:"attachment"; nocase; http_header; file_data; content:"MZ"; within:2; classtype:misc-activity; sid:2014520; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.html"; http_uri; urilen:20; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]\/index\.html$/U"; classtype:bad-unknown; sid:2014521; rev:3;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Possible Blackhole Landing to 8 chr folder plus index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:20<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]\/index\.html?$/U"; classtype:bad-unknown; sid:2014521; rev:5;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Exploit Kit Delivering JAR Archive to Client"; flow:established,to_client; flowbits:isset,et.exploitkitlanding; file_data; content:"\|50 4B 03 04 14 00 08 00 08 00\|"; within:10; classtype:bad-unknown; sid:2014526; rev:1;) @@ -50387,16 +50435,19 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Metasploit Meterpreter core_channel_ Command Response"; flow:established; content:"\|00 01 00 01\|core_channel_"; offset:11; depth:17; classtype:successful-user; sid:2014533; rev:4;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:">BitcoinPlusMiner("; distance:0; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET 88 (msg:"ET TROJAN Virus.Win32.Sality.aa Checkin"; flow:established,to_server; content:".txt"; offset:4; depth:9; content:"User-Agent\|3a\| Download\|0d 0a\|"; within:64; reference:md5,1e0e6717f72b66f6fc83f2ef6c00dcb7; classtype:trojan-activity; sid:2014826; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET MALWARE BitCoinPlus Embedded site forcing visitors to mine BitCoins"; flow:established,from_server; file_data; content:"BitcoinPlusMiner("; fast_pattern:only; reference:url,www.bitcoinplus.com/miner/embeddable; reference:url,www.bitcoinplus.com/miner/whatsthis; classtype:bad-unknown; sid:2014535; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:2;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Klot.jar"; flow:established,to_server; content:"/Klot.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014536; rev:3;) # alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing .prototype.q catch with split"; flow:established,from_server; content:".prototype.q}catch("; fast_pattern:only; content:".split("; classtype:trojan-activity; sid:2014537; rev:1;) # -#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:2;) +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing Loading... Please Wait"; flow:established,from_server; content:"Please Wait"; fast_pattern:only; content:">Loading..."; content:"<script"; distance:0; classtype:trojan-activity; sid:2014538; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious TDS /indigo?"; flow:to_server,established; content:"/indigo?"; http_uri; pcre:"/\/indigo\?\d+/U"; classtype:bad-unknown; sid:2014539; rev:1;) @@ -50465,13 +50516,13 @@ alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Modified Metasploit Jar"; flow:from_server,established; flowbits:isset,ET.http.javaclient.vulnerable; file_data; content:"msf\|2f\|x\|2f\|Payload"; distance:0; classtype:trojan-activity; sid:2014560; rev:4;) ##by Nathan Fowler -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN - Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS"; flow:established,to_server; content:"User-Agent\|3a 20\|Mozilla/4.0\|20\|(compatible\|3b 20\|MSIE 5.0\|3b 20\|Windows 98)"; http_header; fast_pattern:37,20; content:"\|3b\|q=0"; http_header; content:"HTTP/1.0\|0d 0a\|Host\|3a 20\|"; classtype:trojan-activity; sid:2014562; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Known Trojan Downloader HTTP Library MSIE 5 Win98 seen with ZeuS"; flow:established,to_server; content:"User-Agent\|3a 20\|Mozilla/4.0\|20\|(compatible\|3b 20\|MSIE 5.0\|3b 20\|Windows 98)"; http_header; fast_pattern:37,20; content:"\|3b\|q=0"; http_header; content:"HTTP/1.0\|0d 0a\|Host\|3a 20\|"; classtype:trojan-activity; sid:2014562; rev:3;) ##by Nathan Fowler -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN - Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:4;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pony Downloader check-in response STATUS-IMPORT-OK"; flow:established,from_server; file_data; content:"STATUS-IMPORT-OK"; within:16; classtype:trojan-activity; sid:2014563; rev:5;) # -alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:".Exploit.class"; distance:2; within:14; classtype:bad-unknown; sid:2014561; rev:1;) +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS landing page with malicious Java applet"; flow:established,from_server; file_data; content:"code="; distance:0; content:"xploit.class"; distance:2; within:18; classtype:bad-unknown; sid:2014561; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN OS X Backdoor Checkin"; flow:established,to_server; content:"Accept-Encoding\|3a 20\|base64,gzip"; http_header; fast_pattern; content:"\|20\|Mac\|20\|OS\|20\|X\|3a\|"; http_header; reference:url,www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link; classtype:trojan-activity; sid:2014564; rev:1;) @@ -50516,7 +50567,7 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Likely Infected HTTP POST to PHP with User-Agent of HTTP Client"; flow:established,to_server; content:"POST"; nocase; http_method; content:".php"; nocase; http_uri; content:"User-Agent\|3a 20\|HTTP Client\|0d 0a\|"; http_header; fast_pattern; classtype:trojan-activity; sid:2014579; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Suspicious User-Agent (OINC)"; flow:established,to_server; content:"User-Agent\|3a 20\|OINC\|0d 0a\|"; http_header; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:trojan-activity; sid:2014581; rev:2;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Hoax.Win32.BadJoke/DownLoader1.57593 Checkin"; flow:established,to_server; content:"/agent.htm"; http_uri; content:"User-Agent\|3a 20\|OINC\|0d 0a\|"; http_header; reference:url,malwr.com/analysis/5ee02601d265a9a88f03a5465a99b190/; classtype:trojan-activity; sid:2014581; rev:3;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Adware/FakeAV.Kraddare Checkin UA"; flow:established,to_server; content:"pcsetup_"; http_header; pcre:"/User-Agent\x3a \w+pcsetup_\w+/H"; reference:url,www.scumware.org/report/update.best-pc.co.kr; classtype:trojan-activity; sid:2014583; rev:4;) @@ -50567,13 +50618,13 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 1"; flow:established,to_server; content:"GET"; http_method; content:"/owncheck/"; http_uri; classtype:trojan-activity; sid:2014597; rev:1;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/scheck/"; http_uri; classtype:trojan-activity; sid:2014598; rev:1;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 2"; flow:established,to_server; content:"GET"; http_method; content:"/scheck/"; http_uri; fast_pattern:only; pcre:"/^User-Agent\x3a\s?[A-Za-z0-9+\/=]+?\r?$/Hm"; classtype:trojan-activity; sid:2014598; rev:7;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:trojan-activity; sid:2014599; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mac Flashback Checkin 3"; flow:to_server,established; content:"GET"; http_method; content:"/search?q="; http_uri; content:"&ua="; http_uri; distance: 0; content:"==&al="; http_uri; distance: 0; content:"&cv="; http_uri; distance:0; classtype:trojan-activity; sid:2014599; rev:4;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"\|01 00 00 00\|"; depth:4; fast_pattern; content:!"\|00\|"; distance:0; within:1; content:"\|00\|"; distance:1; within:1; content:"\|00\|"; distance:61; within:1; content:"Windows\|20\|"; distance:0; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:0; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:4;) +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.A Checkin"; flow:from_client,established; dsize:1028; content:"\|01 00 00 00\|"; depth:4; content:!"\|00\|"; distance:0; within:1; content:"\|00\|"; distance:1; within:1; content:"\|00\|"; distance:61; within:1; content:"Windows\|20\|"; distance:0; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:0; content:"\|00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; distance:12; within:20; classtype:trojan-activity; sid:2014600; rev:5;) # alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Nitol.B Checkin"; flow:from_client,established; dsize:536<>1028; content:"\|01 00 00 00\|"; depth:4; content:!"\|26\|"; distance:0; within:1; content:"\|26\|"; distance:1; within:1; content:"\|26\|"; distance:61; within:1; content:"\|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26\|"; distance:204; within:20; content:"\|26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26\|"; distance:12; within:20; classtype:trojan-activity; sid:2014601; rev:3;) @@ -50591,7 +50642,7 @@ alert tcp $HOME_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Nikjju Mass Injection Internal WebServer Compromised"; flow:established,from_server; file_data; content:"</title><script src="; nocase; distance:0; content:"http\|3a\|//"; nocase; within:8; content:"/r.php"; fast_pattern; within:100; content:"></script>"; distance:1; within:10; classtype:attempted-user; sid:2014608; rev:5;) ##by Kevin Ross -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downvision.A Initial Checkin"; flow:established,to_server; content:"/up.php?id=201"; http_uri; content:"User-Agent\|3A\| /n software IPWorks HTTP/S Component - www.nsoftware.com"; http_header; reference:url,www.fortiguard.com/av/VID3309956; classtype:trojan-activity; sid:2014610; rev:3;) +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Downvision.A Initial Checkin"; flow:established,to_server; content:"/up.php?id=201"; http_uri; content:"software IPWorks HTTP/S Component - www.nsoftware.com"; http_header; reference:url,www.fortiguard.com/av/VID3309956; classtype:trojan-activity; sid:2014610; rev:4;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit Java request to images.php?t="; flow:established,to_server; content:"/images.php?t="; http_uri; content:"\|29 20\|Java/"; http_header; pcre:"/^\/images\.php\?t=\d+$/Ui"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014609; rev:1;) @@ -50606,7 +50657,7 @@ alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (file upload)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"jembot"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014613; rev:2;) # -alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;) +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (system command)"; flow:established,to_server; content:"GET"; nocase; http_method; content:".php"; http_uri; nocase; content:"empix="; http_uri; fast_pattern:only; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014614; rev:2;) # alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Jembot PHP Webshell (hell.php)"; flow:established,to_server; content:"/hell.php"; http_uri; nocase; reference:url,lab.onsec.ru/2012/04/find-new-web-bot-jembot.html?m=1; classtype:web-application-activity; sid:2014615; rev:6;) @@ -50681,11 +50732,3956 @@ alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit payload request to images.php?t=N"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:15; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014640; rev:2;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t=4"; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:1;) +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito Exploit Kit landing page request to images.php?t=4xxxxxxx"; flow:established,to_server; content:"/images.php?t="; http_uri; urilen:22; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014641; rev:3;) # -alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:1;) +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Edu.jar"; flow:established,to_server; content:"/Edu.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014642; rev:2;) # alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ConstructorWin32/Agent.V"; flow:to_server,established; content:"GET http\|3A\|//"; depth:11; content:"\|0D 0A\|Pragma\|3A\| no-catch\|0D 0A\|"; http_header; content:"\|0D 0A\|X-HOST\|3a\| "; http_header; content:"\|0D 0A\|Content-Length\|3A\| 0\|0D 0A\|"; http_header; reference:md5,3305ad96bcfd3a406dc9daa31e538902; classtype:trojan-activity; sid:2014643; rev:6;) +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Landing Page Recieved - applet PluginDetect and 10hexchar title"; flow:established,to_client; file_data; content:"PluginDetect"; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2014644; rev:1;) + +# +alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS RuggedCom Banner with MAC"; flow:to_client,established; content:"Rugged Operating System"; content:"Copyright \|28\|c\|29\| RuggedCom"; distance:0; content:"MAC Address\|3A\|"; distance:0; flowbits:set,ET.RUGGED.BANNER; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014645; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"ET CURRENT_EVENTS RuggedCom factory account backdoor"; flow:to_server,established; content:"factory"; fast_pattern:only; flowbits:isset,ET.RUGGED.BANNER; pcre:"/factory[\r\n\x00]+[0-9]{9}/"; reference:url,www.exploit-db.com/exploits/18779/; reference:url,arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars; classtype:attempted-admin; sid:2014646; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP Volunteer Management id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/mods/hours/data/get_hours.php?"; http_uri; nocase; content:"take="; http_uri; nocase; content:"skip="; http_uri; nocase; content:"pageSize="; http_uri; nocase; content:"id="; http_uri; nocase; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112219/PHP-Volunteer-Management-1.0.2-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2014647; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014648; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX StoreInRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"StoreInRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014649; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"2EE01CFA-139F-431E-BB1D-5E56B4DCEC18"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014650; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Tracker Software pdfSaver ActiveX InitFromRegistry Method Access Potential Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"pdfxctrlLib.PdfPrinterPreferences"; nocase; distance:0; content:"InitFromRegistry"; nocase; distance:0; reference:url,exploit-db.com/exploits/18427/; classtype:attempted-user; sid:2014651; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"F7014877-6F5A-4019-A3B2-74077F2AE126"; nocase; distance:0; content:".SaveToFile\|28\|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014652; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Quest Explain Plan Display ActiveX Control SaveToFile Insecure Method Access 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"QExplain2.ExplainPlanDisplayX"; nocase; distance:0; content:".SaveToFile\|28\|"; nocase; distance:0; reference:url,secunia.com/advisories/48681/; classtype:attempted-user; sid:2014653; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_videogallery controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_videogallery"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"\|2e 2e 2f\|"; http_raw_uri; reference:url,packetstormsecurity.org/files/112161/Joomla-Video-Gallery-Local-File-Inclusion-SQL-Injection.html; classtype:web-application-attack; sid:2014654; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_some controller Parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; http_uri; nocase; content:"option=com_some"; http_uri; nocase; content:"controller="; http_uri; nocase; content:"\|2e 2e 2f\|"; http_raw_uri; reference:url,packetstormsecurity.org/files/108906/Joomla-Some-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014655; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Skysa Official submit parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/skysa-official/skysa.php?"; http_uri; nocase; content:"submit="; http_uri; nocase; pcre:"/submit\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/107342/WordPress-Skysa-Official-1.01-1.02-1.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014656; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit pdf download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".pdf"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014657; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unkown exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014658; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Please wait Message"; flow:established,to_client; file_data; content:"Please\|3A\|wait\|3A\|page\|3A\|is\|3A\|loading"; distance:0; flowbits:set,et.exploitkitlanding; reference:url,isc.sans.edu/diary.html?storyid=13051; classtype:trojan-activity; sid:2014659; rev:1;) + +##by Pedro Marinho +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Ponmocup.A Checkin"; flow:to_server,established; content:"GET"; http_method; urilen:10; content:"/space.php"; http_uri; fast_pattern; content:"Accept\|3a\| /\|0d 0a\|Cookie\|3a\| uid="; offset:25; depth:25; content:"\|3b 20\|VISITOR="; distance:0; content:"User-Agent\|3a\| "; distance:0; content:"Host\|3a\| "; distance:0; reference:md5,97a1acc085849c0b9af19adcf44607a7; classtype:trojan-activity; sid:2014660; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing for prototype catch substr"; flow:established,from_server; content:"try{prototype\|3b\|}catch("; fast_pattern; content:"substr"; distance:0; classtype:trojan-activity; sid:2014661; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Integer indef DoS Attempt"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,<,0x06,-1,relative,big; reference:url,www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014662; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition\|3a\| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; file_data; content:"PK"; within:2; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014664; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg:"ET DOS Microsoft Remote Desktop Protocol (RDP) maxChannelIds Negative Integer indef DoS Attempt"; flow:to_server,established; content:"\|03 00\|"; depth:2; content:"\|e0\|"; distance:3; within:1; content:"\|03 00\|"; distance:0; content:"\|f0\|"; distance:3; within:1; content:"\|7f 65\|"; distance:1; within:2; content:"\|04 01 01 04 01 01 01 01 ff 30\|"; distance:3; within:10; content:"\|02\|"; distance:1; within:1; byte_test:1,>,0x80,0,relative; byte_test:1,<,0xFF,0,relative; byte_jump:1,0,relative, post_offset -128; byte_jump:1,-1,relative; byte_test:1,&,0x80,-1,relative,big; reference:url, www.msdn.microsoft.com/en-us/library/cc240836.aspx; reference:cve,2012-0002; reference:url,technet.microsoft.com/en-us/security/bulletin/ms12-020; reference:url,stratsec.blogspot.com.au/2012/03/ms12-020 vulnerability-for-breakfast.html; reference:url,aluigi.org/adv/termdd_1-adv.txt; reference:url,blog.binaryninjas.org/?p=58; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; classtype:attempted-dos; sid:2014663; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - Redirection to Kit - BrowserDetect with var stopit"; flow:established,from_server; file_data; content:"var stopit = BrowserDetect.browser"; classtype:trojan-activity; sid:2014665; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/Dialer.Adultchat Checkin"; flow:established,to_server; content:"/getclientid.wnk?srv="; http_uri; content:"&ver="; http_uri; content:"&pin="; http_uri; content:"&OSInfo2="; http_uri; content:"&cinfo="; http_uri; content:"retryattempt="; http_uri; reference:url,microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDownloader%3AWin32%2FDluca.AN&ThreatID=-2147365813; reference:md5,fd2c949dc20b651a53326a3d571641ec; classtype:trojan-activity; sid:2014667; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED SpyEyeV1.3.48 Data Post to CnC - lol.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/lol.php"; http_uri; content:"data="; depth:5; http_client_body; reference:url,blogs.mcafee.com/mcafee-labs/latest-spyeye-botnet-active-and-cheaper; classtype:trojan-activity; sid:2014669; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET CURRENT_EVENTS W32/Backdoor.BAT.Agent.W User Botnet"; flow:established,to_server; content:"USER botnet"; depth:11; reference:md5,fc7059ec1e3e86fd0a664c3747f09725; classtype:trojan-activity; sid:2014700; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole - Injected Page Leading To Driveby"; flow:established,to_client; file_data; content:"/images.php?t="; fast_pattern; content:"width=\"1\" height=\"1\""; within:100; classtype:trojan-activity; sid:2014666; rev:1;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 6 or 7 set"; byte_test:1,!&,64,2; byte_test:1,&,32,2; byte_test:1,&,16,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014701; rev:7;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set"; byte_test:1,&,64,2; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014702; rev:6;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Reserved Bit Set"; byte_test:1,&,64,3; reference:md5,a56ec0f9bd46f921f65e4f6e598e5ed0; reference:url,www.emergingthreatspro.com/bot-of-the-day/kazy-part-deux-revenge-of-the-clear-plastic-tarp/; reference:url,vrt-blog.snort.org/2008/08/checking-multiple-bits-in-flag-field_29.html; classtype:policy-violation; sid:2014703; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PHP-CGI query string parameter vulnerability"; flow:to_server,established; content:"?"; http_uri; content:"-"; http_uri; distance:0; content:!"="; http_raw_uri; pcre:"/(\.php\|\/)\?[\s\+]\-[A-Za-z]/Ui"; reference:cve,2012-1823; reference:url,eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/; reference:url,varanoid.com/research-alerts/us-cert/vu520827-php-cgi-query-string-parameter-vulnerability/; classtype:web-application-attack; sid:2014704; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack exploit request"; flow:to_server,established; content:"/load_module.php?e="; http_uri; priority:1; classtype:trojan-activity; sid:2014705; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload request (exploit successful!)"; flow:established,to_server; content:"/download_file.php?e="; http_uri; priority:1; classtype:trojan-activity; sid:2014706; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Bleeding Life 2 GPLed Exploit Pack payload download"; flow:established,from_server; content:"filename=payload.exe.exe\|0d 0a\|"; http_header; priority:1; classtype:trojan-activity; sid:2014707; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014708; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible McAfee Virtual Technician MVT.MVTControl.6300 ActiveX Control GetObject method Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MVT.MVTControl.6300"; nocase; distance:0; content:".GetObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/18805/; classtype:attempted-user; sid:2014709; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Samsung NET-i Viewer Active-X SEH Overwrite"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"FA6E2EA9-D816-4F00-940B-609C9E8847A4"; nocase; distance:0; content:"RequestScreenOptimization"; nocase; distance:0; reference:url,packetstormsecurity.org/files/112363/Samsung-NET-i Viewer-Active-X-SEH-Overwrite.html; classtype:attempted-user; sid:2014710; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS maxxweb Cms kategorie parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/anzeigen_neu.php?"; nocase; http_uri; content:"bereich="; nocase; http_uri; content:"kat_id="; nocase; http_uri; content:"kategorie="; nocase; http_uri; pcre:"/kategorie\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112289/Maxxweb-CMS-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014711; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress WPsc-MijnPress plugin rwflush parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wpsc-mijnpress/mijnpress_plugin_framework.php?"; nocase; http_uri; content:"rwflush="; nocase; http_uri; pcre:"/rwflush\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112324/WordPress-WPsc-MijnPress-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014712; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WebexUCFObject.WebexUCFObject"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014713; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32E26FD9-F435-4A20-A561-35D4B987CFDC"; nocase; distance:0; content:"NewObject("; nocase; distance:0; reference:url,exploit-db.com/exploits/16604/; classtype:attempted-user; sid:2014714; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_obsuggest controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_obsuggest"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103598/Joomla-obSuggest-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014715; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_joomtouch controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_joomtouch"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/104112/Joomla-JoomTouch-1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014716; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Custom Pages url parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-custom-pages/wp-download.php?"; nocase; http_uri; content:"url="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/100047/WordPress-WP-Custom-Pages-0.5.0.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014717; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET GAMES Nintendo Wii User-Agent"; flow:established,to_server; content:"(Nintendo Wii"; http_header; reference:url,www.useragentstring.com/pages/Opera/; classtype:policy-violation; sid:2014718; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Simbot.Backdoor Checkin"; flow:established,to_server; content:"GET /rclgx.php?id="; depth:18; reference:md5,a4edc9d31bc0ad763b3424e9306f4d7c; classtype:trojan-activity; sid:2014719; rev:1;) + +# +alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN W32/Downloader/Agent.dxh.1 Reporting to CnC"; flow:established,to_server; dsize:80<>110; content:"!"; depth:1; content:"\|5C 7C 3F 2F\|"; within:6; content:".exe\|5C 7C 3F 2F\|"; distance:0; reference:md5,ded49b8c92d7ab6725649f04f30df8ce; classtype:trojan-activity; sid:2014720; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Boatz Checkin"; flow:to_server,established; content:"/clients.php?os="; http_uri; content:"&name="; distance:0; http_uri; content:"&id="; distance:0; http_uri; content:"&loc="; distance:0; http_uri; reference:url,blogs.mcafee.com/mcafee-labs/pastebin-shares-botnet-source-code; classtype:trojan-activity; sid:2014721; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Medfos/Midhos Checkin"; flow:to_server,established; content:"/id="; http_uri; content:"&rt="; distance:0; http_uri; content:"AAAAAAAAAAA"; http_uri; content:!"Accept\|3a 20\|"; http_header; content:!"Connection\|3a 20\|"; http_header; reference:md5,00da8acc14d0e827dbb1326c023fc720; reference:md5,8f561f46fb262cac6bb4cacf3e4e78a6; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014722; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Suspicious lcon http header in response seen with Medfos/Midhos downloader"; flow:to_client,established; content:"\|0d 0a\|lcon\|3a 20\|"; http_header; reference:md5,63491dcc8e897bf442599febe48b824d; classtype:trojan-activity; sid:2014723; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Cal.jar"; flow:established,to_server; content:"/Cal.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014724; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Request for Blackhole Exploit Kit Landing Page - src.php?case="; flow:established,to_server; content:"/src.php?case="; http_uri; pcre:"/\x2Fsrc\x2Ephp\x3Fcase\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2014725; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Windows Flash Version IE"; flow:established,to_server; content:"x-flash-version\|3a\| "; http_header; content:!"11,5,502,135\|0d 0a\|"; distance:0; within:14; http_header; content:"MSIE"; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?MSIE/Hm"; threshold: type limit, count 1, seconds 60, track by_src; reference:url,www.adobe.com/software/flash/about/; classtype:policy-violation; sid:2014726; rev:12;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Outdated Mac Flash Version"; flow:established,to_server; content:"x-flash-version\|3a 20\|"; http_header; content:!"11,5,502,136\|0d 0a\|"; distance:0; within:14; http_header; content:"Macintosh"; http_header; pcre:"/^User-Agent\x3a.+?Macintosh/Hm"; threshold: type limit, count 1, seconds 60, track by_src; classtype:policy-violation; sid:2014727; rev:10;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smoke Loader Checkin r=gate"; flow:established,to_server; content:".php?r=gate&"; http_uri; content:"&group="; http_uri; distance:0; content:"&debug="; http_uri; distance:0; content:"5.0 (Windows\|3b\| U\|3b\| MSIE 9"; http_header; reference:md5,fafada188ce47a1459f4fcea487f06b5; classtype:trojan-activity; sid:2014728; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeAV Landing Page - Viruses were found"; flow:established,from_server; file_data; content:">Viruses were found on your computer!</"; fast_pattern; content:"images/alert.png"; classtype:bad-unknown; sid:2014729; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Potential FAKEAV Download a-f0-9 x16 download"; flow:to_server,established; content:"/pr2/"; http_uri; fast_pattern:only; pcre:"/\/[a-f0-9]{16}\/.+?\.(exe\|zip)$/U"; classtype:bad-unknown; sid:2014730; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Snap Bot Checkin"; flow:to_server,established; content:"id="; depth:3; http_client_body; content:"&s5_uidx="; distance:0; http_client_body; content:"&os="; distance:0; http_client_body; content:"&s5="; distance:0; http_client_body; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014731; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving Download Command"; flow:to_client,established; file_data; content:"\|7c\|dlexec\|7c\|"; nocase; distance:1; within:12; content:"\|7c\|"; distance:0; content:"\|7c\|"; distance:0; content:"\|7c\|"; distance:0; pcre:"/^\d+\x7cdlexec\x7c([^\x7c]+\x7c){3}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014732; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Snap Bot Receiving DDoS Command"; flow:to_client,established; file_data; content:"\|7c\|ddos\|7c\|"; distance:1; within:10; nocase; pcre:"/^\d+\x7cddos\x7c([^\x7c]+\x7c){5}[^\x7c]+$/mi"; reference:md5,a45a1ccf6842b032b7f2ef2f2255c81c; reference:md5,e070ce714e343052d19a7e3213ee2a9a; reference:url,ddanchev.blogspot.com/2011/05/peek-inside-new-ddos-bot-snap.html; classtype:trojan-activity; sid:2014733; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY BitTorrent - Torrent File Downloaded"; flow:established,to_client; file_data; content:"d8\|3a\|announce"; within:11; classtype:policy-violation; sid:2014734; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious file bitdefender_isecurity.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/programas/bitdefender-internet-security/2011/bitdefender_isecurity.exe"; http_uri; nocase; reference:md5,283ae10839fff3e183193efde3e633eb; classtype:trojan-activity; sid:2014735; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Andromeda Streaming MP3 Server andromeda.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/andromeda.php?"; http_uri; nocase; content:"q="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112549/Andromeda-Streaming-MP3-Server-1.9.3.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014736; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014737; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdSave Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdSave"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014738; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014739; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdExport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdExport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014740; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014741; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdImport Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdImport"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014742; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"32B165C1-AD31-11D5-8889-0010A4C62D06"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014743; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Potential ThreeDify Designer ActiveX Control cmdOpen Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ThreeDify.ThreeDifyDesigner.1"; nocase; distance:0; content:"cmdOpen"; nocase; distance:0; reference:url,secunia.com/advisories/45511; classtype:attempted-user; sid:2014744; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch May 11 2012"; flow:from_server,established; content:"\|3b\|try{prototype\|3b\|}catch("; content:"){"; within:6; classtype:trojan-activity; sid:2014745; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to /Set.jar"; flow:established,to_server; content:"/Set.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014746; rev:5;) + +# +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Try Prototype Catch May 14 2012"; flow:from_server,established; content:"try{"; content:"=prototype\|3b\|}catch("; within:30; classtype:trojan-activity; sid:2014747; rev:3;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Repeated Exploit Request Pattern"; flow:established,to_server; content:".php?t="; nocase; http_uri; pcre:"/\.php\?t=\d{2,7}$/U"; threshold:type both, track by_src, count 5, seconds 15; reference:url,blog.spiderlabs.com/2012/05/a-wild-exploit-kit-appears.html; reference:url,malware.dontneedcoffee.com/2012/05/inside-redkit.html; reference:url,malware.dontneedcoffee.com/2012/05/redkit-not-so-red-anymore.html; reference:url,www.malwaredomainlist.com/forums/index.php?topic=4855.msg23470; classtype:trojan-activity; sid:2014748; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to /24842.jar"; flow:established,to_server; content:"/24842.jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014749; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito/RedKit Exploit Kit vulnerable Java payload request to /1digit.html"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; urilen:7; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]\.html$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014750; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET TROJAN Win32/Comrerop Checkin to FTP server"; flow:established,to_server; content:"USER griptoloji\|0d 0a\|"; depth:17; fast_pattern:5,12; reference:md5,6b16290b05afd1a9d638737924f2ab5c; classtype:trojan-activity; sid:2014757; rev:2;) + +##by Pedro Marinho +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Trojan.BAT.Qhost - SET"; flow:established,to_server; content:"GET "; depth:4; content:"/stat/tuk/"; within:10; flowbits:set,ETPRO.Trojan.BAT.Qhost; flowbits:noalert; reference:md5,8174d42fd82457592c573fe73bdc0cd5; classtype:trojan-activity; sid:2014758; rev:3;) + +##by Pedro Marinho +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Trojan.BAT.Qhost Response from Controller"; flow:established,from_server; flowbits:isset,ETPRO.Trojan.BAT.Qhost; content:"Set-Cookie\|3a\| ci_session="; content:"session_id"; distance:0; content:"ip_address"; distance:0; content:"user_agent"; distance:0; content:"last_activity"; distance:0; content:"user_data"; distance:0; reference:md5,8174d42fd82457592c573fe73bdc0cd5; classtype:trojan-activity; sid:2014759; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack - Java Request - 32char hex-ascii"; flow:to_server,established; content:".jar"; offset:32; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/\/[a-z0-9]{32}\.jar$/U"; classtype:bad-unknown; sid:2014751; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Win32.HLLW.Autoruner USA_Load UA"; flow:established,to_server; content:"User-Agent\|3A 20\|USA_Load"; http_header; reference:url,news.drweb.com/show/?i=2440&lng=en&c=5; classtype:trojan-activity; sid:2014752; rev:1;) + +# +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED probable malicious Glazunov Javascript injection"; flow:established,from_server; content:"\|22\|,\|22\|"; content:"\|22\|)\|3b\|</script></body>"; distance:64; within:83; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014753; rev:5;) + +##by Kevin Ross +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Mepaow.Backdoor Initial Checkin to Intermediary Pre-CnC"; flow:established,to_server; content:"/PostView.nhn?blogId="; fast_pattern; http_uri; content:"&logNo="; http_uri; content:"&parentCategoryNo="; http_uri; content:"&userTopListOpen="; http_uri; content:"&userTopListManageOpen="; http_uri; content:"User-Agent\|3A 20\|Mozilla/4.0 (compatible\|3B\| Win32\|3B\| WinHttp.WinHttpRequest.5)\|0d 0a\|"; http_header; reference:url,home.mcafee.com/virusinfo/virusprofile.aspx?key=1072862; reference:url,8af17164500aac1c0965b842aca3fed7; classtype:trojan-activity; sid:2014754; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS W32/HupigonUser.Backdoor Rabclib UA Checkin"; flow:established,to_server; content:".txt"; http_uri; content:"User-Agent\|3A 20\|RAbcLib\|0D 0A\|"; http_header; reference:md5,65467e7ff3140f42f4758eca7b76185c; classtype:trojan-activity; sid:2014755; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Votwup.Backdoor Checkin"; flow:established,to_server; content:"/ddos?uid="; http_uri; content:"&ver="; http_uri; reference:md5,1325e4e44b5bf2f8dfe550dec016da53; classtype:trojan-activity; sid:2014760; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Internal Host Getting External IP Address - ip2city.asp"; flow:established,to_server; content:"/ip2city.asp"; http_uri; classtype:misc-activity; sid:2014761; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN W32/SpyBanker Infection Confirmation Email 2"; flow:established,to_server; content:"From\|3A 20 22\|Infected\|22\|"; reference:md5,f091e8ed0e8f4953ff10ce3bd06dbe54; classtype:trojan-activity; sid:2014762; rev:1;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"302124C4-30A0-484A-9C7A-B51D5BA5306B"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014763; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Chilkat Software FTP2 ActiveX Component GetFile Access Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ChilkatFtp2.ChilkatFtp2.1"; nocase; distance:0; content:".GetFile"; nocase; distance:0; reference:url,packetstormsecurity.org/files/97160/Chilkat-Software-FTP2-ActiveX-Code-Execution.html; classtype:attempted-user; sid:2014764; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"8F085BC0-363D-4219-95BA-DC8A5E06D295"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014765; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Windows Live Writer ActiveX BlogThisLink Method Access Denail of Service Attack 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"WindowsLiveWriterApplicationLib.WindowsLiveWriterApplication"; nocase; distance:0; content:"BlogThisLink"; nocase; distance:0; reference:url,1337day.com/exploits/17583; classtype:attempted-user; sid:2014766; rev:3;) + +##by StillSecure +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Win32.Bublik.B/Birele/Variant.Kazy.66443 Checkin"; flow:established,to_server; urilen:12; content:"POST"; http_method; content:"/rdc/rnd.php"; http_uri; reference:md5,48352e3a034a95845864c0f6aad07d39; classtype:trojan-activity; sid:2014767; rev:5;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress WP Survey and Quiz Tool plugin rowcount Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-survey-and-quiz-tool/javascript/survey_section.php?"; nocase; http_uri; content:"rowcount="; nocase; http_uri; pcre:"/rowcount\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112685/WordPress-WP-Survey-And-Quiz-Tool-2.9.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014768; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014769; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor plugin uploader.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; content:"tab="; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014770; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Appointment Booking Pro view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rsappt_pro2"; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103172/Joomla-Appointment-Booking-Pro-Arbitrary-File-Reading.html; classtype:web-application-attack; sid:2014771; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_media file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/com_media/helpers/media.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99775/Joomla-Media-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014772; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Split String Obfuscation of CharCode"; flow:established,to_client; content:"\|22\|h\|22\|+\|22\|arCode\|22 3B\|"; classtype:trojan-activity; sid:2014773; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF qweqwe="; flow:established,to_client; content:"><qwe qweqwe="; reference:url,jsunpack.jeek.org/dec/go?report=4d25f4f01ff5cdbee35a23fcd9e047b69d917b47; classtype:trojan-activity; sid:2014774; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014775; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole PDF Payload Request With Double Colon"; flow:established,to_server; content:"/content/"; http_uri; content:".php?f="; http_uri; content:"\|3A 3A\|"; http_uri; pcre:"/\x2Fcontent\x2F[a-z0-9]{1,6}\x2Ephp\x3Ff\x3D[0-9]{1,5}\x3A\x3A[0-9]{1,5}$/Ui"; classtype:trojan-activity; sid:2014776; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Kazy/Kryptic Checkin with Opera/9 User-Agent"; flow:established,to_server; content:"/count.php?id="; http_uri; content:"&c="; http_uri; content:"&d="; http_uri; content:"\|0d 0a\|User-Agent\|3a 20\|Opera/9 (Windows"; fast_pattern:14,16; http_header; reference:url,malwr.com/analysis/18c5b31198777f93a629a0357b22f2f8/; reference:md5,18c5b31198777f93a629a0357b22f2f8; reference:url,www.virustotal.com/file/94cf780fa829c16cd0b09a462b5419cd1175bac01ba935e906a109d97b4dadaa/; classtype:trojan-activity; sid:2014777; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Bebloh connectivity check"; flow:established,to_server; content:"GET"; http_method; content:"Host\|3a 20\|"; depth:6; http_header; content:"Content-Length\|3a 20\|0\|0d 0a\|"; distance:0; http_header; content:"\|3a 20\|no-cache"; distance:0; http_header; content:!"\|0d 0a\|User-Agent"; http_header; content:!"\|0d 0a\|Accept"; http_header; reference:md5,3f9ef604b68da32062ef27e15eb71715; reference:md5,ccb463b2dadaf362a03c8bbf34dc247e; classtype:trojan-activity; sid:2014778; rev:1;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .2288.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|2288\|03\|org\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014779; rev:6;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .3322.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|3322\|03\|net\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014781; rev:6;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .6600.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|6600\|03\|org\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014782; rev:6;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .7766.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|7766\|03\|org\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014783; rev:6;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .8800.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|8800\|03\|org\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014784; rev:5;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to 3322.net Domain .9966.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|9966\|03\|org\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2014786; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .2288.org"; flow:established,to_server; content:".2288.org\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014787; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .3322.net"; flow:established,to_server; content:".3322.net\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014788; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .6600.org"; flow:established,to_server; content:".6600.org\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014789; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .7766.org"; flow:established,to_server; content:".7766.org\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014790; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .8800.org"; flow:established,to_server; content:".8800.org\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014791; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a 3322.net Domain .9966.org"; flow:established,to_server; content:".9966.org\|0D 0A\|"; http_header; classtype:misc-activity; sid:2014792; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"ET TROJAN Win32/MultiPasswordRecovery.A cs-crash PWS"; flow:to_server,established; content:"X-Mailer\|3a\| Blat "; content:"Subject\|3A 20\|Contents of file\|3A 20\|stdin.txt"; content:"name\|3D\|"; distance:0; content:".mpf"; within:24; classtype:trojan-activity; sid:2014793; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST Get CMD Checkin"; flow:established,to_server; content:"POST"; http_method; content:"CONTENT-TYPE\|3a\| application/x-www-form-urlencoded"; fast_pattern; http_header; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| Win32\|3b\| WinHttp.WinHttpRequest.5)"; http_header; content:"cstype="; http_client_body; depth:7; content:"&authname="; distance:0; http_client_body; classtype:trojan-activity; sid:2014794; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Thetatic.A Client POST CMD result"; flow:established,to_server; content:"POST"; http_method; content:".php?cstype="; http_uri; content:"&authname="; distance:0; http_uri; content:"CONTENT-TYPE\|3a\| file\|0D 0A\|"; http_header; classtype:trojan-activity; sid:2014795; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Win32/Thetatic.A Checkin"; flow:established,to_server; content:"User-Agent\|3a\| Mozilla/5.0 (Windows\|3B\| U\|3B\| Windows NT 5.1\|3B\| rv\|3a\|1.9.1) Gecko/20090624 Firefox/3.5\|0D 0A\|Accept\|3a\| /\|0D 0A\|Host\|3a\| "; http_header; depth:110; fast_pattern:72,20; classtype:trojan-activity; sid:2014796; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS ZeuS Ransomware win_unlock"; flow:established,to_server; content:"/locker/lock.php?id="; http_uri; reference:url,www.f-secure.com/weblog/archives/00002367.html; reference:md5,14a1d23b5a8b4f5c186bc5082ede4596; classtype:trojan-activity; sid:2014797; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE PCMightyMax Agent PCMM.Installer"; flow:to_server; content:"User-Agent\|3A 20\|PCMM.Installer"; http_header; classtype:bad-unknown; sid:2014798; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY OpenVPN Update Check"; flow:established,to_server; content:"Host\|3a\| swupdate.openvpn.net\|0d 0a\|"; fast_pattern:14,14; http_header; content:"User-Agent\|3a\| Twisted PageGetter\|0d 0a\|"; http_header; classtype:policy-violation; sid:2014799; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page getElementByID Qwe - May 22nd 2012"; flow:established,to_client; file_data; content:"getElementById']('qwe')"; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014800; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try App.title Catch - May 22nd 2012"; flow:established,to_client; file_data; content:"try{app.title}catch("; distance:0; reference:url,blog.spiderlabs.com/2012/05/catch-me-if-you-can-trojan-banker-zeus-strikes-again-part-2-of-5-1.html; classtype:trojan-activity; sid:2014801; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fragus Exploit jar Download"; flow:established,to_server; content:"_.jar?"; http_uri; pcre:"/\w_\.jar\?[a-f0-9]{8}$/U"; classtype:trojan-activity; sid:2014802; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown java_ara Bin Download"; flow:established,to_server; content:"java_ara&name="; http_uri; content:"/forum/"; http_uri; content:".php?"; http_uri; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014805; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Rogue.Win32/Winwebsec Install 2"; flow:to_server,established; content:"/api/urls/?ts="; http_uri; content:"&affid="; http_uri; content:"GTB0.0\|3b\|"; http_header; reference:md5,181999985de5feae6f44f9578915417f; classtype:trojan-activity; sid:2014816; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"B9D38E99-5F6E-4C51-8CFD-507804387AE9"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014806; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SkinCrafter ActiveX Control InitLicenKeys Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SKINCRAFTERLib.SCSkin3"; nocase; distance:0; content:"InitLicenKeys"; nocase; distance:0; reference:url,exploit-db.com/exploits/18892/; classtype:attempted-user; sid:2014807; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Attachment_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014808; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible IBM Lotus Quickr for Domino ActiveX control Import_Times Method Access buffer overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"05D96F71-87C6-11d3-9BE4-00902742D6E0"; nocase; distance:0; content:"Import_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49285/; classtype:attempted-user; sid:2014809; rev:2;) + +##by StillSecure +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE Malicious pusk.exe download"; flow:established,to_server; content:"GET"; http_method; content:"/pusk.exe"; nocase; http_uri; reference:md5,eae75c0e34d11e6daef216cfc3fbbb04; classtype:trojan-activity; sid:2014810; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Dynamic Widgets plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/themes.php?"; nocase; http_uri; content:"page=dynwid-config"; nocase; http_uri; content:"action="; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112706/WordPress-Dynamic-Widgets-1.5.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014811; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin group parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri; content:"subpage="; nocase; http_uri; content:"league_id="; nocase; http_uri; content:"group="; nocase; http_uri; pcre:"/group\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014812; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LeagueManager plugin season parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaguemanager"; nocase; http_uri; content:"subpage="; nocase; http_uri; content:"edit="; nocase; http_uri; content:"season="; nocase; http_uri; pcre:"/season\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112698/WordPress-LeagueManager-3.7-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014813; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Component JE Story Submit view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jesubmit"; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/103214/Joomla-JE-K2-Story-Submit-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014814; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_acooldebate controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_acooldebate"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/102422/Joomla-A-Cool-Debate-1.0.3-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014815; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET USER_AGENTS W32/Renos.Downloader User Agent zeroup"; flow:established,to_server; content:"User-Agent\|3A 20\|zeroup"; http_header; reference:url,www.f-secure.com/v-descs/trojan_w32_renos_h.shtml; reference:md5,35ba53f6aeb6b38c1107018f271189af; classtype:trojan-activity; sid:2014817; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame UA"; flow:established,to_server; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 6.0\|3b\| Windows NT 5.1\|3b\| .NET CLR 1.1.2150)\|0d 0a\|"; http_header; fast_pattern:52,20; reference:url,crysys.hu/skywiper/skywiper.pdf; classtype:trojan-activity; sid:2014818; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI"; flow:to_server,established; content:"/timthumb.php?"; http_uri; content:!"webshot=1"; http_uri; distance:0; content:"src="; http_uri; distance:0; content:"http"; http_uri; distance:0; pcre:"/src\s=\shttps?\x3A\x2F.?(((static)?flickr\|picasa\|img\.youtube\|photobucket\|imgur\|tinypic\|blogger\|wordpress)\.com\|upload\.wikimedia\.org\|imageshack\.us)[^\x2f]/Ui"; reference:url,code.google.com/p/timthumb/issues/detail?id=212; classtype:web-application-attack; sid:2014846; rev:9;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Packed Executable Download"; flow:established,to_client; file_data; content:"MZ"; within:2; isdataat:100,relative; content:"This program "; distance:0; content:"PE\|00 00\|"; distance:0; content:!"data"; within:400; content:!"text"; within:400; content:!"rsrc"; within:400; classtype:misc-activity; sid:2014819; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Obfuscated Javascript Blob"; flow:established,to_client; file_data; content:"<pre id=\|22\|"; within:80; content:"style=\|22\|display\|3A\|none\|3B 22 3E\|"; within:100; isdataat:400,relative; content:!"\|20\|"; within:400; content:!"pre\|3E\|"; within:400; content:"\|2C\|"; distance:2; within:2; content:"\|2C\|"; distance:2; within:2; content:"\|2C\|"; distance:2; within:2; content:"\|2C\|"; distance:2; within:2; content:"\|3C 2F\|pre\|3E\|3Cscript\|3E\|"; fast_pattern; distance:400; pcre:"/display\x3Anone\x3B\x22\x3E[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}\x2C[0-9]{2,3}[^\r\n]\x3C\x2Fpre\x3E\x3Cscript\x3E/sm"; classtype:trojan-activity; sid:2014820; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Specific Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"\|2E\|rawValue\|5D 5B\|0\|5D 2E\|split\|28 27 2D 27 29 3B\|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014821; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SKyWIper/Win32.Flame POST"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/wp-content/rss.php"; http_uri; content:"UNIQUE_NUMBER="; depth:14; fast_pattern; http_client_body; content:"&PASSWORD="; distance:0; http_client_body; content:"&ACTION="; distance:0; http_client_body; reference:url,blog.cuckoobox.org/2012/05/29/cuckoo-in-flame/; classtype:trojan-activity; sid:2014822; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Malicious PDF asdvsa"; flow:established,from_server; file_data; content:"obj"; distance:0; content:"<<"; within:4; content:"(asdvsa"; within:80; classtype:trojan-activity; sid:2014823; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Script Profile ASD"; flow:established,to_client; file_data; content:"pre id=\|22\|asd\|22\|"; within:80; classtype:trojan-activity; sid:2014825; rev:2;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Redkit Java Exploit request to b.class"; flow:established,to_server; urilen:10; content:"/b.class"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014824; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS FedEX Spam Inbound"; flow:established,to_server; content:"name=\|22\|FEDEX"; nocase; content:".zip\|22\|"; within:47; nocase; pcre:"/name=\x22FEDEX(\s\|_\|\-)?[a-z0-9\-_\.\s]{0,42}\.zip\x22/i"; classtype:trojan-activity; sid:2014827; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"ET CURRENT_EVENTS UPS Spam Inbound"; flow:established,to_server; content:"name=\|22\|"; nocase; content:"UPS"; nocase; within:11; content:".zip\|22\|"; within:74; nocase; pcre:"/name=\x22([a-z_]{0,8})?UPS(\s\|_\|\-)?[a-z0-9\-_\.\s]{0,69}\.zip\x22/i"; classtype:trojan-activity; sid:2014828; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redkit Java Exploit request to .class file"; flow:established,to_server; content:".class"; http_uri; pcre:"/\/\w{1,2}\/\w{1,2}\.class$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014830; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS php with eval/gzinflate/base64_decode possible webshell"; flow:to_client,established; file_data; content:"<?"; distance:0; content:"eval(gzinflate(base64_decode("; distance:0; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014847; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO SetTmpProfileOption Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"SetTmpProfileOption"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014831; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible Wireless Manager Sony VAIO ConnectToNetwork Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"92E7DDED-BBFE-4DDF-B717-074E3B602D1B"; nocase; distance:0; content:"ConnectToNetwork"; nocase; distance:0; reference:url,packetstormsecurity.org/files/113131/Wireless-Manager-Sony-VAIO-4.0.0.0-Buffer-Overflows.html; classtype:attempted-user; sid:2014832; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"00165752-B1BA-11CE-ABC6-F5B2E79D9E3F"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014833; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible LEADTOOLS ActiveX Raster Twain AppName Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"LTRASTERTWAINLib_U.LEADRasterTwain_U"; nocase; distance:0; content:".AppName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/93252/LEADTOOLS-ActiveX-Raster-Twain-16.5-Buffer-Overflow.html; classtype:attempted-user; sid:2014834; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible SonicWALL SSL-VPN End-Point Interrogator/Installer ActiveX Control Install3rdPartyComponent Method Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInstaller"; nocase; distance:0; content:"Install3rdPartyComponent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/95286/SonicWALL-SSL-VPN-End-Point-Interrogator-Installer-ActiveX-Control.html; classtype:attempted-user; sid:2014835; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS DynPG CMS PathToRoot Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/plugins/DPGguestbook/guestbookaction.php?"; nocase; http_uri; content:"PathToRoot="; nocase; http_uri; pcre:"/PathToRoot=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/87907/DynPG-CMS-4.1.0-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014836; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Jotloader component section parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jotloader"; nocase; http_uri; content:"section="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96812/Joomla-Jotloader-2.2.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014837; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin type parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/joliprint/joliprint_options_upload.php?"; nocase; http_uri; content:"type="; nocase; http_uri; pcre:"/type\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014838; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress PDF and Print Button Joliprint plugin opt parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=joliprint/joliprint_admin_options.php"; nocase; http_uri; content:"opt="; nocase; http_uri; pcre:"/opt\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112700/WordPress-PDF-And-Print-Button-Joliprint-1.3.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014839; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Exponent file parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/framework/modules/pixidou/download.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/101230/Exponent-2.0.0-Beta-1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014840; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible Feodo/Cridex Traffic Detected"; flow:established,to_server; content:"POST"; http_method; nocase; content:"/zb/v_01_a/in/"; http_uri; classtype:trojan-activity; sid:2014841; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Blackhole Exploit Kit Request tkr"; flow:established,to_server; content:".php?"; http_uri; content:"src="; http_uri; distance:0; content:"&gpr="; http_uri; distance:0; content:"&tkr="; http_uri; fast_pattern; distance:0; pcre:"/[\?&]src=\d+&gpr=\d+&tkr[ib]?=[a-f0-9]/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014843; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable Golfhole exploit kit landing page #2"; flow:established,to_server; content:"/index.php?"; http_uri; depth:11; urilen:43; pcre:"/index.php\?[0-9a-f]{32}$/U"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014844; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Probable Golfhole exploit kit binary download #2"; flow:established,to_server; content:"/o/"; http_uri; depth:3; urilen:47; pcre:"/o/\d{9}\/[0-9a-f]{32}\/[0-9]$/U"; classtype:trojan-activity; sid:2014845; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET CURRENT_EVENTS webshell used In timthumb attacks GIF98a 16129xX with PHP"; flow:to_client,established; file_data; content:"GIF89a\|01 3f\|"; within:8; content:"<?"; within:720; reference:url,blog.sucuri.net/2012/05/list-of-domains-hosting-webshells-for-timthumb-attacks.html; classtype:web-application-attack; sid:2014848; rev:1;) + +# +alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 1"; flow:established,to_server; content:"?mp=1"; http_uri; content:"&jz="; http_uri; distance:0; content:"&fd="; http_uri; distance:0; content:"&am="; http_uri; distance:0; content:"&ef="; http_uri; distance:0; content:"&pr="; http_uri; distance:0; content:"&ec="; http_uri; distance:0; content:"&ov="; http_uri; distance:0; content:"&pl="; http_uri; distance:0; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014849; rev:3;) + +# +alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"ET TROJAN Flamer WuSetupV module traffic 2"; flow:established,to_server; content:"?ac=1"; http_uri; content:"&fd="; http_uri; distance:0; content:"&gb="; http_uri; distance:0; content:"&rt="; http_uri; reference:md5,1f61d280067e2564999cac20e386041c; classtype:trojan-activity; sid:2014850; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Archive Request"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; pcre:"/\x2Fgetfile\x2Ephp\x3Fi\x3D[0-9]\x26key\x3D[a-f0-9]{32}$/Ui"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014851; rev:1;) + +##Kevin Ross +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible Sakura Exploit Kit Version 1.1 document.write Fake 404 - Landing Page"; flow:established,to_client; content:"document.write(\|22\|404\|22 3B\|"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014852; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura Exploit Kit Version 1.1 Applet Value lxxt"; flow:established,to_client; content:"value=\|22\|lxxt>"; reference:url,blog.spiderlabs.com/2012/05/sakura-exploit-kit-11.html; classtype:trojan-activity; sid:2014853; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Likely TDS redirecting to exploit kit"; flow:established,to_server; content:".php?go="; http_uri; pcre:"/\.php\?go=\d$/U"; classtype:bad-unknown; sid:2014854; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 1"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/s"; http_uri; fast_pattern:only; urilen:10; content:"User-Agent\|3a\| Internet Explorer\|0d 0a\|"; http_header; classtype:trojan-activity; sid:2014855; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 2"; flow:established,to_server; content:"GET"; http_method; nocase; content:"/support/sr"; http_uri; fast_pattern:only; urilen:11; classtype:trojan-activity; sid:2014856; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN FakeAvCn-A Checkin 3"; flow:established,to_server; content:"GET"; http_method; nocase; content:".php?0Q9oBPXEN0uECUg"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2014857; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Fraudulent Paypal Mailing Server Response June 04 2012"; flow:from_server,established; content:"<html>\|0d 0a\|<title>Paypal"; fast_pattern; content:"\|3a 20\|Loading<"; distance:0; classtype:trojan-activity; sid:2014858; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dakotavolandos.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0e\|dakotavolandos\|03\|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014859; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dak1otavola1ndos.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dak1otavola1ndos\|03\|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014860; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - dako22tavol2andos.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|11\|dako22tavol2andos\|03\|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014861; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d3akotav33olandos.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|11\|d3akotav33olandos\|03\|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014862; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS W32.Tinba/Zusy Banking Trojan Hardcoded CnC Domain Request - d4ak4otavolandos.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|d4ak4otavolandos\|03\|com"; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-060111-3803-99&om_rssid=sr-latestthreats30days; classtype:trojan-activity; sid:2014863; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32.Gimemo/Aldibot CnC POST"; flow:established,to_server; content:"POST"; http_method; content:"ukashcode="; http_client_body; depth:10; content:"&euro="; http_client_body; distance:0; content:"&submitukash="; http_client_body; distance:0; reference:url,www.evild3ad.com/?p=1693; classtype:trojan-activity; sid:2014864; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT MP4 Embedded in PDF File - Potential Flash Exploit"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"stream"; distance:0; content:"\|00 00 00 18 66 74 79 70\|mp4"; within:13; reference:cve,2012-0754; reference:url,blog.9bplus.com/observing-the-enemy-cve-2012-0754-pdf-interac; classtype:bad-unknown; sid:2014865; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Redirect to driveby sid=mix"; flow:to_server,established; content:"/go.php?sid=mix"; http_uri; classtype:bad-unknown; sid:2014866; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to a dns-stuff.com Domain .dns-stuff.com"; flow:established,to_server; content:"dns-stuff.com\|0d 0a\|"; http_header; classtype:bad-unknown; sid:2014867; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to dns-stuff.com Domain .dns-stuff.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|09\|dns-stuff\|03\|com"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2014868; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET SCAN Arachni Scanner Web Scan"; flow:established,to_server; content:"Arachni/"; http_header; pcre:"/User-Agent\x3a[^\r\n]+Arachni\/\d\.\d\.\d$/iH"; threshold: type threshold, track by_src, count 1, seconds 300; reference:url,arachni-scanner.com; reference:url,github.com/Zapotek/arachni; classtype:attempted-recon; sid:2014869; rev:2;) + +# +alert tcp any $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SN and CN From MS TS Revoked Cert Chain Seen"; flow:established,from_server; content:"\|c1 00 8b 3c 3c 88 11 d1 3e f6 63 ec df 40\|"; content:"Microsoft Root Authority"; distance:105; within:24; content:"Microsoft Enforced Licensing Intermediate PCA"; distance:0; content:"\|61 1a 02 b7 00 02 00 00 00 12\|"; distance:0; content:"Microsoft Enforced Licensing Registration Authority CA"; distance:378; within:54; reference:url,blog.crysys.hu/2012/06/the-flame-malware-wusetupv-exe-certificate-chain/; reference:url,rmhrisk.wpengine.com/?p=52; reference:url,msdn.microsoft.com/en-us/library/aa448396.aspx; reference:md5,1f61d280067e2564999cac20e386041c; classtype:bad-unknown; sid:2014870; rev:3;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (Reaserch)"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; within:7; content:"Security Reaserch WWEB Group\|2c\| LLC"; classtype:trojan-activity; sid:2014871; rev:2;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN Self Signed SSL Certificate (John Doe)"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; within:7; content:"\|08\|John Doe0"; classtype:trojan-activity; sid:2014872; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to Blackhole June 7 2012"; flow:established,from_server; file_data; content:"st=\"no3"; content:"3rxtc\"\;Date"; distance:12; within:60; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2014873; rev:1;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014874; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control BackupToAvi Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"208650B1-3CA1-4406-926D-45F2DBB9C299"; nocase; distance:0; content:"BackupToAvi"; nocase; distance:0; reference:url,secunia.com/advisories/48966/; classtype:attempted-user; sid:2014875; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"EEDBA32E-5C2D-48f1-A58E-0AAB0BC230E3"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014876; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET ACTIVEX Possible NET-i viewer ActiveX Control ConnectDDNS Method Access Code Execution Vulnerability 2"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"17A7F731-C9EC-461C-B813-2F42A1BB58EB"; nocase; distance:0; content:"ConnectDDNS"; nocase; distance:0; reference:url,secunia.com/advisories/48965/; classtype:attempted-user; sid:2014877; rev:4;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeauto view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeauto"; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96803/Joomla-JE-Auto-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014878; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jradio controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jradio"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96751/Joomla-JRadio-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014879; rev:2;) + +##by Still Secure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress wp-livephp plugin wp-live.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/wp-livephp/wp-live.php?"; nocase; http_uri; content:"s="; nocase; http_uri; pcre:"/s\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/108282/WordPress-LivePHP-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014880; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Mingle Forum groupid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=mfstructure"; nocase; http_uri; content:"mingleforum_action="; nocase; http_uri; content:"groupid="; nocase; http_uri; pcre:"/groupid\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112696/WordPress-Mingle-Forum-1.0.33-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014881; rev:2;) + +##by Still Secure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_catalogue controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_catalogue"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/96190/Joomla-Catalogue-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014882; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jvb_bridge Itemid Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jvb_bridge"; nocase; http_uri; content:"Itemid="; nocase; http_uri; pcre:"/Itemid=(.+)?(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/90844/Joomla-JVB-Bridge-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014883; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to malicious SutraTDS - lonly= in cookie"; flow:established,to_server; content:" lonly="; fast_pattern:only; content:" lonly="; http_cookie; classtype:bad-unknown; sid:2014884; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SutraTDS (enema) used in Blackhole campaigns"; flow:to_server,established; content:"/top2.html"; http_uri; content:"\|0d 0a\|Host\|3a\| enema."; http_header; classtype:bad-unknown; sid:2014885; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER IIS INDEX_ALLOCATION Auth Bypass Attempt"; flow:established,to_server; content:"\|3a\|$INDEX_ALLOCATION"; http_uri; nocase; reference:url,lists.grok.org.uk/pipermail/full-disclosure/2012-June/087269.html; classtype:bad-unknown; sid:2014886; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN W32/Bakcorox.A ProxyBot CnC Server Connection"; flow:established,to_server; content:"GET favicon.ico HTTP/1.1"; depth:24; content:"Host\|3A 20\|bcProxyBot.com"; fast_pattern; distance:0; reference:url,contagioexchange.blogspot.co.uk/2012/06/022-crime-win32bakcoroxa-proxy-bot-web.html; classtype:trojan-activity; sid:2014887; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Try Prototype Catch June 11 2012"; flow:from_server,established; content:"try{"; content:"=prototype"; within:25; content:"\|3b\|}catch("; within:15; classtype:bad-unknown; sid:2014888; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Internet Explorer SameID Use-After-Free "; flow:established,from_server; file_data; content:"<DIV id="; nocase; distance:0; content:"<img id="; nocase; distance:0; content:".innerHTML"; distance:0; pcre:"/<DIV\s?id[\s\r\n]?\x3d[\s\r\n]?(?P<divid>[^>]+).+?<img\sid=\s?\x22(?P<imgid>[^\x22]+).+?\<a\s?href=\x22javascript\x3a(?P<firstfunction>[^\x28]+).+?\>.?\<div[^\>]+?id=\x22(?P=imgid)\x22[^>]+?on[A-Za-z]+?\s?=\s?\x22(?P<secondfunction>[^\x28]+)\x3b\s?\x22.+?function[\s\r\n]?(?P=firstfunction)[\s\r\n]?$.?$.?\x7b.?(?P=divid)\x2einnerHTML\s?\x3d\s?(?P=divid)\x2einnerHTML[\s\r\n]?\x3b.?\x7d.?function[\s\r\n]?(?P=secondfunction)[\s\r\n]?$.?$.?\x7b.?\x28\x22(?P=imgid)\x22\x29\x2esrc\s?\x3d/si"; reference:cve,CVE-2012-1875; classtype:attempted-user; sid:2014911; rev:10;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible attempt to enumerate MS SQL Server version"; flow:established,to_server; content:"@@version"; nocase; http_uri; reference:url,support.microsoft.com/kb/321185; classtype:attempted-admin; sid:2014890; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Java Exploit Requested - 5 digit jar"; flow:established,to_server; urilen:10; content:".jar"; http_uri; pcre:"/^\/[0-9]{5}\.jar$/U"; classtype:trojan-activity; sid:2014891; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Jar File Naming Algorithm"; flow:established,to_client; content:"Content-Disposition: inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; content:"\|0D 0A 0D 0A\|PK"; pcre:"/=[0-9a-f]{8}\.jar/H"; classtype:trojan-activity; sid:2014892; rev:3;) + +# +alert tcp [184.154.42.194,50.116.22.209,69.64.43.135,69.64.43.137,69.64.43.142,216.17.107.104,216.17.102.194,216.17.106.90,216.17.107.174,64.6.100.124,46.17.98.214] any -> $HOME_NET any (msg:"ET SCAN critical.io Scan"; flags:S; threshold: type limit, track by_src, seconds 3600, count 1; reference:url,critical.io/; classtype:network-scan; sid:2014893; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and 5digit jar"; flow:established,to_client; content:"<applet"; fast_pattern; content:".jar"; distance:0; pcre:"/\W[0-9]{5}\.jar/"; classtype:trojan-activity; sid:2014894; rev:7;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and code"; flow:established,to_client; content:"<applet"; content:"code="; pcre:"/code=\"[a-z]\.[a-z][\.\"][ c]/"; classtype:trojan-activity; sid:2014895; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Lotus iNotes Upload Module possible ActiveX Control Attachment_Times Method Access Buffer Overflow Attempt"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"0F2AAAE3-7E9E-4b64-AB5D-1CA24C6ACB9C"; nocase; distance:0; content:"Attachment_Times"; nocase; distance:0; reference:url,secunia.com/advisories/49443/; classtype:attempted-user; sid:2014896; rev:4;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jmsfileseller view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jmsfileseller"; nocase; http_uri; content:"cat_id="; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/101770/Joomla-JMSFileSeller-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014897; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mscomment controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mscomment"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,1337day.com/exploits/12246; classtype:web-application-attack; sid:2014898; rev:4;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Tinymce Thumbnail Gallery href parameter Remote File Disclosure Attempt"; flow:established,to_server; content:"/wp-content/plugins/tinymce-thumbnail-gallery/php/download-image.php?"; nocase; http_uri; fast_pattern:19,20; content:"href="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/113417/WordPress-Tinymce-Thumbnail-Gallery-1.0.7-File-Disclosure.html; classtype:web-application-attack; sid:2014899; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin pinterest-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/pinterest.php?"; nocase; http_uri; fast_pattern:19,20; content:"pinterest-url="; nocase; http_uri; pcre:"/pinterest-url\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014900; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress 2 Click Social Media Buttons plugin xing-url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/2-click-socialmedia-buttons/libs/xing.php?"; nocase; http_uri; fast_pattern:19,20; content:"xing-url="; nocase; http_uri; pcre:"/xing-url\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112711/WordPress-2-Click-Social-Media-Buttons-0.32.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014901; rev:4;) + +##by StillSecure +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"721700FE-7F0E-49C5-BDED-CA92B7CB1245"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014902; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Camera Stream Client Possible ActiveX Control SetDirectory Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"DcsCliCtrl.DCSStrmControl.1"; nocase; distance:0; content:"SetDirectory"; nocase; distance:0; reference:url,secunia.com/advisories/48602/; classtype:attempted-user; sid:2014903; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Sharebar plugin status parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/sharebar/sharebar-admin.php?"; nocase; http_uri; fast_pattern:19,20; content:"status="; nocase; http_uri; pcre:"/status\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112690/WordPress-Sharebar-1.2.1-SQL-Injection-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014904; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_ckforms controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_ckforms"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/95623/Joomla-CKForms-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014905; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO .exe File requested over FTP"; flow:established,to_server; content:"RETR"; depth:4; content:".exe\|0d 0a\|"; distance:0; pcre:"/^RETR\s+[^\r\n]+?\x2eexe\r?$/m"; classtype:policy-violation; sid:2014906; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - UPS Number Loading.. Jun 15 2012"; flow:established,from_server; content:"\|20\|Number\|3A 20 09\|Loading\|2E 2E 3C\|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014907; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Initial Blackhole Landing - Verizon Balance Due Jun 15 2012"; flow:established,from_server; content:"\|20\|Balance Due\|3a\| Loading\|2c 20\|please wait\|2e 2e 2e\|"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014908; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole obfuscated Java EXE Download by Vulnerable Version - Likely Driveby"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_client; content:"\|0d 0a 9c 62 d8 66 66 66 66 54\|"; classtype:trojan-activity; sid:2014909; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET CURRENT_EVENTS MySQL mysql.user Dump (Used in Metasploit Auth-Bypass Module)"; flow:established,to_server; content:"SELECT\|20\|user\|2c\|password\|20\|from\|20\|mysql\|2e\|user"; classtype:bad-unknown; sid:2014910; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request - gt 60char hex-ascii"; flow:established,to_server; urilen:>60; content:" Java/1."; http_header; pcre:"/[\/\?][a-z0-9]{60,66}[\;0-9]/Ui"; classtype:trojan-activity; sid:2014912; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition\|3a\| inline"; http_header; nocase; content:".jar"; http_header; pcre:"/=[.\"]\w{8}\.jar/Hi"; content:"\|0D 0A 0D 0A\|PK"; fast_pattern; classtype:trojan-activity; sid:2014913; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - PDF Naming Algorithm"; flow:established,to_client; content:"-Disposition\|3a\| inline"; http_header; nocase; content:".pdf"; http_header; pcre:"/=\w{8}\.pdf/Hi"; content:"\|0D 0A 0D 0A\|%PDF"; fast_pattern; content:"/Filter/FlateDecode"; classtype:trojan-activity; sid:2014914; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - applet archive=32CharHex"; flow:established,to_client; content:"<applet"; content:"archive=\|22\|"; pcre:"/^\?[a-f0-9]{32}\" /R"; classtype:trojan-activity; sid:2014915; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Landing Page Requested - 8Digit.html"; flow:established,to_server; urilen:14; content:".html"; http_uri; pcre:"/^\/[0-9]{8}\.html$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2014916; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit - Landing Page Received - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.redkit.uri; file_data; content:"<applet"; classtype:trojan-activity; sid:2014917; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Java Exploit request to Half.jar"; flow:established,to_server; content:"/Half.jar"; http_uri; nocase; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2014918; rev:2;) + +#Rob Fisher +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)"; flow:established,to_client; content:"\|16 03 01\|"; depth:3; content:".storage.msn.com"; nocase; distance:0; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014919; rev:2;) + +#Rob Fisher +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)"; flow:established,to_client; content:"\|16 03 01\|"; depth:3; content:".storage.live.com"; nocase; reference:url,skydrive.live.com; classtype:policy-violation; sid:2014920; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012"; flow:established,from_server; content:"try{prototype"; content:"\|3B\|}catch("; distance:0; within:12; classtype:trojan-activity; sid:2014921; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOM Document.3.0 Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f5078f3"; content:"-c551-11d3-89b9-0000f81fe221"; nocase; distance:1; within:28; content:"definition"; nocase; pcre:"/clsid\s\x3a\s\x7B?\sf5078f3(2\|3)-c551-11d3-89b9-0000f81fe221/si"; pcre:"/(?:\[\s[\x22\x27]definition[\x22\x27]\s\]\|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015554; rev:19;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument.4-6.0 Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"88d96"; nocase; content:"-f192-11d4-a65f-0040963251e5"; distance:3; within:28; nocase; content:"definition"; nocase; pcre:"/clsid\s\x3a\s\x7B?\s88d96(9c(0\|1)\|9e(5\|6)\|a0(5\|6))-f192-11d4-a65f-0040963251e5/si"; pcre:"/(?:\[\s[\x22\x27]definition[\x22\x27]\s\]\|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2015555; rev:17;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument ActiveXObject Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; content:"MSXML2."; content:"DOMDocument"; within:23; content:"definition"; nocase; pcre:"/MSXML2\.(FreeThreaded)?DOMDocument(\.[3-6]\.0)?/si"; pcre:"/(?:\[\s[\x22\x27]definition[\x22\x27]\s\]\|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-user; sid:2015556; rev:16;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Requested .php?showtopic=6digit"; flow:established,to_server; flowbits:noalert; flowbits:set,ET.http.driveby.incognito.uri; urilen:25<>45; content:".php?showtopic="; http_uri; pcre:"/\.php\?showtopic=[0-9]{6}$/U"; classtype:trojan-activity; sid:2014922; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Landing Page Received applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.incognito.uri; content:"<applet"; classtype:attempted-user; sid:2014923; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY Incognito Payload Requested /getfile.php by Java Client"; flow:established,to_server; content:"/getfile.php?"; http_uri; content:"Java/1"; http_header; classtype:attempted-user; sid:2014924; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF embedded in XDP file (Possibly Malicious)"; flow:established, to_client; content:"<xdp\|3a\|xdp"; nocase; fast_pattern; content:"<pdf"; nocase; distance:0; pcre:"/\<xdp\x3axdp(\s+[^\>])?\>((?!\<\/xdp[^\>]\>).)?\<pdf/si"; reference:url,blog.9bplus.com/av-bypass-for-malicious-pdfs-using-xdp; classtype:misc-attack; sid:2014926; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown Java Malicious Jar /eeltff.jar"; flow:to_server,established; content:"/eeltff.jar"; nocase; http_uri; classtype:trojan-activity; sid:2014927; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Request .jar from dl.dropbox.com"; flow:established,to_server; content:"dl.dropbox.com\|0D 0A\|"; http_header; content:" Java/1"; http_header; content:".jar"; http_uri; classtype:bad-unknown; sid:2014928; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request to .in FakeAV Campaign June 19 2012 exe or zip"; flow:established,to_server; content:"setup."; fast_pattern:only; http_uri; content:".in\|0d 0a\|"; http_header; pcre:"/\/[a-f0-9]{16}\/([a-z0-9]{1,3}\/)?setup\.(exe\|zip)$/U"; pcre:"/^Host\x3a\s.+\.in\r?$/Hmi"; metadata:stage,hostile_download; reference:url,isc.sans.edu/diary/+Vulnerabilityqueerprocessbrittleness/13501; classtype:trojan-activity; sid:2014929; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness 21 June 2012"; flow:established,from_server; file_data; content:"javascript'>var wow="; content:"Date&&"; distance:12; within:60; classtype:bad-unknown; sid:2014930; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Please wait a moment Jun 20 2012"; flow:established,to_client; file_data; content:"Please wait a moment. You will be forwarded..."; fast_pattern:26,20; distance:0; classtype:trojan-activity; sid:2014931; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY DynDNS CheckIp External IP Address Server Response"; flow:established,to_client; content:"Server\|3A 20\|DynDNS-CheckIP/"; http_header; classtype:bad-unknown; sid:2014932; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Win32/Bicololo.Dropper ne_unik CnC Server Response"; flow:established,to_client; file_data; content:"ne_unik"; within:7; classtype:trojan-activity; sid:2014933; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page - eval(function(p,a,c,"; flow:established,to_client; content:"eval(function(p,a,c,"; content:"\|7C\|zzz\|7C\|"; distance:0; classtype:trojan-activity; sid:2014934; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - foxxysoftware"; flow:established,to_client; content:"\|7C\|foxxysoftware\|7C\|"; classtype:trojan-activity; sid:2014935; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Landing Page Received - applet and 0px"; flow:established,to_client; content:"<applet"; content:"'0px'"; within:20; classtype:trojan-activity; sid:2014936; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to Trop.jar"; flow:established,to_server; content:"/Trop.jar"; http_uri; nocase; classtype:trojan-activity; sid:2014937; rev:18;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.DOMDocument Uninitialized Memory Corruption CVE-2012-1889"; flow:to_client,established; file_data; content:"f6d90f11-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s\x3a\s\x7B?\sf6d90f11-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s[\x22\x27]definition[\x22\x27]\s\]\|\.definition)\(/"; reference:cve,CVE-2012-1889; classtype:attempted-admin; sid:2014938; rev:10;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET POLICY DNS Query for TOR Hidden Domain .onion Accessible Via TOR"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|onion\|00\|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014939; rev:1;) + +##by Kevin Ross +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole RawValue Exploit PDF"; flow:established,to_client; file_data; content:"%PDF-"; within:5; content:"\|2E\|rawValue\|5D 5B\|0\|5D 2E\|split\|28 27 2D 27 29 3B 26 23\|"; distance:0; reference:cve,2010-0188; classtype:trojan-activity; sid:2014940; rev:2;) + +##by Kevin Ross +alert udp $HOME_NET any -> any 53 (msg:"ET POLICY TOR .exit Pseudo TLD DNS Query"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|exit\|00\|"; fast_pattern; distance:0; reference:url,en.wikipedia.org/wiki/.onion; classtype:policy-violation; sid:2014941; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"62789780-B744-11D0-986B-00609731A21D"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014942; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Autodesk MapGuide Viewer ActiveX LayersViewWidth Method Access Denial of Service 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"MGMapControl.MGMap"; nocase; distance:0; content:"LayersViewWidth"; nocase; distance:0; reference:url,1337day.com/exploits/13938; classtype:attempted-user; sid:2014943; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/includes/smarty/internals/core.write_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014944; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS banco Parameter Remote File inclusion Attempt"; flow:established,to_server; content:"/modules/gateways/boleto/boleto.php?"; nocase; fast_pattern:17,19; http_uri; content:"banco="; nocase; http_uri; pcre:"/banco=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014945; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WHCMS smarty Parameter Remote File inclusion Attempt 2"; flow:established,to_server; content:"/includes/smarty/internals/core.process_compiled_include.php?"; nocase; http_uri; fast_pattern:26,20; content:"smarty="; nocase; http_uri; pcre:"/smarty=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/113912/WHCMS-5.0.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014946; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Thinkun Remind Plugin dirPath Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/thinkun-remind/exportData.php?"; nocase; http_uri; fast_pattern:19,20; content:"dirPath="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,secunia.com/advisories/49461; classtype:web-application-attack; sid:2014947; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Simple Download Button Shortcode Plugin Arbitrary File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/simple-download-button-shortcode/simple-download-button_dl.php?"; nocase; http_uri; fast_pattern:52,20; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,secunia.com/advisories/49462; classtype:web-application-attack; sid:2014948; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugins Wp-ImageZoom file parameter Remote File Disclosure Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/wp-imagezoom/download.php?"; nocase; http_uri; fast_pattern:19,20; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,1337day.com/exploits/18685; classtype:web-application-attack; sid:2014949; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI div parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/includes/components/graphexplorer/visApi.php?"; nocase; http_uri; fast_pattern:20,20; content:"type="; nocase; http_uri; content:"div="; nocase; http_uri; pcre:"/div\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014950; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI view parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/perfgraphs/index.php?"; nocase; http_uri; content:"start="; nocase; http_uri; content:"end="; nocase; http_uri; content:"view="; nocase; http_uri; pcre:"/view\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,secunia.com/advisories/49544; classtype:web-application-attack; sid:2014951; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (register machine)"; flow:to_server,established; content:"GET"; http_method; nocase; content:"/registraMaquina"; http_uri; content:"User-Agent\|3a\| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014952; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Capfire4 Checkin (update machine status)"; flow:to_server,established; content:"POST"; nocase; http_method; content:"/updMaqStatus"; http_uri; content:"User-Agent\|3a\| Clickteam"; http_header; reference:url,labs.alienvault.com/labs/index.php/2012/capfire4-malware-rat-software-and-cc-service-together/; classtype:trojan-activity; sid:2014953; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Vulnerable iTunes Version 10.6.x"; flow:established,to_server; content:"User-Agent\|3a\| iTunes/"; http_header; content:!"10.7"; http_header; within:4; flowbits:set,ET.iTunes.vuln; classtype:policy-violation; sid:2014954; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Checkin"; flow:to_server,established; content:"\|00 00 00 18 01 00 00\|"; offset:1; depth:7; fast_pattern; content:"\|78 9c\|"; distance:5; within:2; classtype:trojan-activity; sid:2014955; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Checkin"; flow:to_client,established; content:"\|00 00 00 01 00 00 00\|"; offset:1; depth:7; fast_pattern; content:"\|78 9c\|"; distance:5; within:2; content:"\|00 00 01 00 01\|"; distance:2; within:5; classtype:trojan-activity; sid:2014956; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Client Idle"; flow:to_server,established; content:"\|00 00 00 02 00 00 00\|"; offset:1; depth:7; fast_pattern; content:"\|78 9c\|"; distance:5; within:2; content:"\|00 00\|"; distance:3; within:2; content:"\|00\|"; distance:1; within:1; classtype:trojan-activity; sid:2014957; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Backdoor Win32/Hupigon.CK Server Idle"; flow:to_client,established; content:"\|00 00 00 01 00 00 00\|"; offset:1; depth:7; fast_pattern; content:"\|78 9c\|"; distance:5; within:2; content:"\|00 00 1f 00 1f\|"; distance:2; within:5; classtype:trojan-activity; sid:2014958; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Base64 - Java Exploit Requested - /1Digit"; flow:established,to_server; urilen:2; content:" Java/1"; http_header; pcre:"/^\/[0-9]$/U"; classtype:trojan-activity; sid:2014959; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Base64 - Landing Page Received - base64encode(GetOs()"; flow:established,to_client; content:"base64encode(GetOs()"; classtype:trojan-activity; sid:2014960; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Scar CnC Checkin"; flow:established,to_server; content:"/yeni_urunler.php?hdd="; http_uri; reference:md5,b345634df53511c7195d661ac755b320; classtype:trojan-activity; sid:2014961; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Nutiliers.A Downloader CnC Checkin - Request Encrypted Response"; flow:established,to_server; content:"/js/data/encryptedtest.dll"; http_uri; reference:md5,7b2bfb9d270a5f446f32502d2ed34d67; classtype:trojan-activity; sid:2014962; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Armageddon CnC Checkin"; flow:established,to_server; content:"POST"; http_method; content:"User-Agent\|3A\| ArmageddoN"; nocase; http_header; content:"GetList="; http_client_body; depth:8; reference:md5,3f4c5649d66fc5befc0db47930edb9f6; classtype:trojan-activity; sid:2014963; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response '/km0ae9gr6m/' Jun 25 2012"; flow:established,from_server; file_data; content:"/km0ae9gr6m/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014964; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response '/qhk6sa6g1c/' Jun 25 2012"; flow:established,from_server; file_data; content:"/qhk6sa6g1c/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014965; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Generic - PDF with NEW PDF EXPLOIT"; flow:established,to_client; file_data; content:"%PDF"; within:4; fast_pattern; content:"NEW PDF EXPLOIT"; classtype:trojan-activity; sid:2014966; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Landing Page Requested - 15Alpha1Digit.php"; flow:established,to_server; urilen:21; content:"GET"; http_method; content:".php"; http_uri; pcre:"/^\/[a-z]{15}[0-9]\.php$/U"; classtype:trojan-activity; sid:2014967; rev:2;) + +# +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Unknown - Payload Download - 9Alpha1Digit.exe"; flow:established,to_client; content:"attachment"; http_header; content:".exe"; fast_pattern:only; http_header; pcre:"/[a-z]{9}[0-9]\.exe/H"; file_data; content:"MZ"; within:2; classtype:trojan-activity; sid:2014968; rev:7;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown - Java Exploit Requested - 13-14Alpha.jar"; flow:established,to_server; urilen:16<>19; content:".jar"; http_uri; fast_pattern; content:" Java/1"; http_header; pcre:"/^\/[a-z]{13,14}\.jar$/U"; classtype:trojan-activity; sid:2014969; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website"; flow:established,to_client; content:"setAttribute\|28 22\|src\|22\|, \|22\|http\|3A\|//\|22\| + "; nocase; content:"+ \|22\|/runforestrun?sid="; fast_pattern; nocase; distance:0; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014970; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS JS.Runfore Malware Campaign Request"; flow:established,to_server; content:"/runforestrun?"; http_uri; fast_pattern:only; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-062103-1655-99; reference:url,isc.sans.edu/diary/Run+Forest+/13540; reference:url,isc.sans.edu/diary/Run+Forest+Update+/13561; classtype:trojan-activity; sid:2014971; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS HeapLib JS Library"; flow:established,to_client; file_data; content:"heapLib.ie\|28\|"; nocase; reference:url,www.blackhat.com/presentations/bh-europe-07/Sotirov/Presentation/bh-eu-07-sotirov-apr19.pdf; classtype:bad-unknown; sid:2014972; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /.php?=16HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:23<>60; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{16}$/U"; pcre:"/[0-9]{1,16}[a-f]{1,16}[0-9]{1,16}$/U"; classtype:trojan-activity; sid:2014973; rev:17;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /.php?=8HexChar"; flow:established,to_server; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; urilen:15<>52; content:".php?"; http_uri; content:"="; within:8; http_uri; pcre:"/\?[a-z]{1,10}=[a-f0-9]{8}$/U"; pcre:"/[0-9]{1,8}[a-f]{1,8}[0-9]{1,8}$/U"; classtype:trojan-activity; sid:2014974; rev:4;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Landing Page Requested - /Home/index.php"; flow:established,to_server; content:"/Home/index.php"; http_uri; depth:15; flowbits:set,ET.http.driveby.blackhole.uri; flowbits:noalert; classtype:trojan-activity; sid:2014975; rev:3;) + +# +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Recieved - applet and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"<applet"; classtype:trojan-activity; sid:2014977; rev:7;) + +# +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole - Landing Page Received - catch and flowbit"; flow:established,to_client; flowbits:isset,ET.http.driveby.blackhole.uri; content:"}catch("; classtype:trojan-activity; sid:2014976; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/versions.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/versions.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014979; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC GET /lost.dat"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/lost.dat"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014980; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Try Renamed Prototype Catch - June 28th 2012"; flow:established,to_client; file_data; content:"try {"; distance:0; content:"=prototype\|2d\|"; within:80; content:"} catch"; within:80; reference:url,research.zscaler.com/2012/06/cleartripcom-infected-with-blackhole.html; classtype:trojan-activity; sid:2014981; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot UA POST to /uploadify.php"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern; content:"User-Agent\|3a\| Mozilla/5.0 (compatible\|3b\| Googlebot/2.1\|3b\|"; http_header; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2014982; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Scalaxy Jar file"; flow:to_client,established; file_data; content:"PK"; within:2; content:"C1.class"; fast_pattern; distance:0; content:"C2.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2014983; rev:2;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /km0ae9gr6m/ Jun 25 2012"; flow:established,from_server; file_data; content:"/km0ae9gr6m/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014984; rev:3;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS Hacked Website Response /qhk6sa6g1c/ Jun 25 2012"; flow:established,from_server; file_data; content:"/qhk6sa6g1c/"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014985; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href browser redirect"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014986; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible IBM Rational Directory Server (RDS) Help system href Cross Site Scripting Attempt"; flow:established,to_server; content:"/rds-help/advanced/deferredView.jsp?"; nocase; http_uri; content:"href="; nocase; http_uri; pcre:"/href\x3D.+(script\|alert\|onmouse[a-z]+\|onkey[a-z]+\|onload\|onunload\|ondragdrop\|onblur\|onfocus\|onclick\|ondblclick\|onsubmit\|onreset\|onselect\|onchange\|javascript)/Ui"; reference:url,secunia.com/advisories/49627/; classtype:web-application-attack; sid:2014987; rev:1;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pliggCMS src parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/modules/thumbnail_plus/thumbs/grab.php?"; nocase; http_uri; content:"src="; nocase; http_uri; pcre:"/src=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,1337day.com/exploits/18854; classtype:web-application-attack; sid:2014988; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor thumbnail parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"thumbnail="; nocase; http_uri; pcre:"/thumbnail\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014989; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Monitor tags parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/download-monitor/uploader.php?"; nocase; http_uri; fast_pattern:19,20; content:"tab="; nocase; http_uri; content:"tags="; nocase; http_uri; pcre:"/tags\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112707/WordPress-Download-Monitor-3.3.5.4-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2014990; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"Aventail.EPInterrogator.10.0.4.018"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014991; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible SonciWALL Aventail AuthCredential Format String Exploit"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"2A1BE1E7-C550-4D67-A553-7F2D3A39233D"; nocase; distance:0; content:"AuthCredential"; nocase; distance:0; reference:url,packetstormsecurity.org/files/92931/SonciWALL-Aventail-epi.dll-AuthCredential-Format-String-Exploit.html; classtype:attempted-user; sid:2014992; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS AdaptCMS sitepath parameter Remote File Inclusion Vulnerability"; flow:established,to_server; content:"/inc/smarty/libs/init.php?"; nocase; http_uri; content:"sitepath="; nocase; http_uri; pcre:"/sitepath=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/91022/AdaptCMS-2.0.0-Beta-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2014993; rev:1;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_profile controller parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_profile"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95609/Joomla-Profile-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014994; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress jRSS Widget url parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/wp-content/plugins/jrss-widget/proxy.php?"; nocase; http_uri; fast_pattern:19,12; content:"url="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95638/WordPress-jRSS-Widget-1.1.1-Local-File-Inclusion.html; classtype:web-application-attack; sid:2014995; rev:2;) + +# +#alert icmp any any -> any any (msg:"ET DOS Microsoft Windows 7 ICMPv6 Router Advertisement Flood"; itype:134; icode:0; byte_test:1,&,0x08,2; content:"\|03\|"; offset:20; depth:1; byte_test:1,&,0x40,2,relative; byte_test:1,&,0x80,2,relative; threshold:type threshold, track by_src, count 10, seconds 1; reference:url,www.samsclass.info/ipv6/proj/proj8x-124-flood-router.htm; classtype:attempted-dos; sid:2014996; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Pandora Usage"; flow:established,to_server; content:"POST"; http_method; content:"/radio/xmlrpc/"; http_uri; content:"pandora.com\|0d 0a\|"; http_header; threshold: type threshold, track by_src, count 1, seconds 3600; reference:url,www.pandora.com; classtype:policy-violation; sid:2014997; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Runforestrun Malware Campaign Infected Website Landing Page Obfuscated String JavaScript DGA"; flow:established,to_client; file_data; content:"/window.eval(String.fromCharCode("; distance:0; isdataat:80,relative; content:!")"; within:80; pcre:"/\x2A[a-z0-9]{10}\x2A\x2Fwindow\x2Eeval\x28String\x2EfromCharCode\x28[0-9]{1,3}\x2C[0-9]{1,3}\x2C/sm"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2014998; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zbot CnC POST /common/timestamps.php"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/common/timestamps.php"; http_uri; reference:md5,43d8afa89bd6bf06973af62220d6c158; classtype:trojan-activity; sid:2014999; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NuclearPack Java exploit binary get request"; content:"GET"; http_method; nocase; content:"Java/1."; fast_pattern:only; http_header; pcre:"/[a-f0-9]{32,64}\/[a-f0-9]{32,64}/\w$/U"; classtype:trojan-activity; sid:2015000; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole - Blackhole Java Exploit request to spn.jar"; flow:established,to_server; content:"/spn.jar"; http_uri; nocase; classtype:trojan-activity; sid:2015001; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pushbot User-Agent"; flow:to_server,established; content:"User-Agent\|3A 20\|cvc_v105"; fast_pattern:only; http_header; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015002; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Pushbot server response"; flow:to_client,established; file_data; content:"ZG%\|20\|!GX"; within:7; reference:url,www.cert.pl/news/5587/langswitch_lang/en; classtype:trojan-activity; sid:2015003; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Compressed Executable SZDD Compress.exe Format Over HTTP"; flow:established,to_client; file_data; content:"SZDD"; fast_pattern; within:4; content:"PE\|00 00\|"; distance:0; reference:url,blog.fireeye.com/research/2012/07/inside-customized-threat.html#more; reference:url,www.cabextract.org.uk/libmspack/doc/szdd_kwaj_format.html; classtype:bad-unknown; sid:2015004; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 3"; flow:established,from_server; content:"\|3c\|applet"; fast_pattern; content:"56\|3a\|14\|3a\|14\|3a\|19\|3a\|27\|3a\|50\|3a\|50\|3a\|"; within:100; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015005; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit jar download"; flow:established,to_server; content:"GET"; http_method; content:"files.php?"; http_uri; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&file="; http_uri; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015006; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit version check"; flow:established,to_server; content:"GET"; http_method; content:"&u="; http_uri; content:"&s="; http_uri; content:"&t="; http_uri; content:"&java"; http_uri; fast_pattern:only; content:"&pdf="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015007; rev:7;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO exploit kit payload download"; flow:established,to_server; content:"GET"; http_method; content:".php?"; http_uri; content:"x=x"; http_uri; fast_pattern:only; content:"&u="; http_uri; content:"&s="; http_uri; content:"&id="; http_uri; content:"&spl="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015009; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ Java exploit"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".jar"; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015010; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 1"; flow:established,to_client; file_data; content:"e\|22\|+\|22\|va"; distance:0; pcre:"/(\x3D\|\x5B\x22])e\x22\x2B\x22va/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015012; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 2"; flow:established,to_client; file_data; content:"e\|22\|+\|22\|v\|22\|+\|22\|a"; distance:0; pcre:"/(\x3D\|\x5B\x22])e\x22\x2B\x22v\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015013; rev:2;) + +# +#alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Split String Obfuscation of Eval 3"; flow:established,to_client; file_data; content:"ev\|22\|+\|22\|a"; distance:0; pcre:"/(\x3D\|\x5B\x22])ev\x22\x2B\x22a/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015014; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Download Request to Hotfile.com"; flow:established,to_server; content:"GET"; http_method; content:"/dl/"; http_uri; content:"hotfile.com\|0d 0a\|"; fast_pattern:only; http_header; classtype:policy-violation; sid:2015015; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"ET INFO FTP STOR to External Network"; flow:established,to_server; content:"STOR "; depth:5; classtype:misc-activity; sid:2015016; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames Checkin"; flow:established,to_server; content:"/game"; http_uri; content:"/diary/item/"; http_uri; content:"User-Agent\|3A\| getURLDown\|0D 0A\|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015017; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE W32/OnlineGames User Agent loadMM"; flow:established,to_server; content:"User-Agent\|3A\| loadMM\|0D 0A\|"; http_header; reference:md5,60763078b8860fd59a1d8bea2bf8900b; classtype:trojan-activity; sid:2015018; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Icoo CnC Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/tUrl.xml?num="; http_uri; fast_pattern:only; content:"Accept-Language\|3A\| de-at"; http_header; reference:md5,1d2ddece4cd5cff3658c59e20d40dd8b; classtype:trojan-activity; sid:2015019; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 1"; flow:established,to_server; content:"/counter/mac_proc.php?cid="; fast_pattern; http_uri; content:"&mid="; http_uri; content:"User-Agent\|3A\| internet\|0D 0A\|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015020; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Numnet.Downloader CnC Checkin 2"; flow:established,to_server; content:"/check_counter.php?pid="; http_uri; content:"&mid="; http_uri; content:"User-Agent\|3A\| internet\|0D 0A\|"; http_header; reference:md5,fbc732c7cd1bbd84956b1e76b53384da; classtype:trojan-activity; sid:2015021; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Zusy Gettime Checkin"; flow:established,to_server; content:"/gettime.html?"; fast_pattern:only; http_uri; content:"HTTP/1.0"; http_header; content:"If-None-Match\|3A 20\|"; http_header; reference:md5,a152772516cef409ddd58f90917a3b44; classtype:trojan-activity; sid:2015022; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER IIS 8.3 Filename With Wildcard (Possible File/Dir Bruteforce)"; flow:established,to_server; content:"~1"; http_uri; fast_pattern:only; pcre:"/([\\?]~1\|~1\.?[\\?]\|\/~1\/)/U"; reference:url,soroush.secproject.com/downloadable/microsoft_iis_tilde_character_vulnerability_feature.pdf; classtype:network-scan; sid:2015023; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Malicious PDF Requested - /getfile.php"; flow:established,to_server; content:"/getfile.php?i="; http_uri; content:"&key="; http_uri; content:!" Java/1"; http_header; classtype:trojan-activity; sid:2015024; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack exploit pack /mix/ payload"; flow:established,to_server; content:"/mix/"; http_uri; depth:5; content:".php"; http_uri; content:"fid="; http_uri; content:"quote="; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015011; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 1"; flow:established,to_client; file_data; content:"=\|22\|ev\|22 3B\|"; distance:0; content:"+\|22\|al\|22\|"; distance:0; pcre:"/\x2B\x22al\x22(\x3B\|\x5D)/"; classtype:trojan-activity; sid:2015025; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 2"; flow:established,to_client; file_data; content:"=\|22\|e\|22 3B\|"; distance:0; content:"+\|22\|val\|22\|"; distance:0; pcre:"/\x2B\x22val\x22(\x3B\|\x5D)/"; classtype:trojan-activity; sid:2015026; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Eval Variable Obfuscation 3"; flow:established,to_client; file_data; content:"=\|22\|eva\|22 3B\|"; distance:0; content:"+\|22\|l\|22\|"; distance:0; pcre:"/\x2B\x22l\x22(\x3B\|\x5D)/"; classtype:trojan-activity; sid:2015027; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Cridex Post to CnC"; flow:established,to_server; content:"\|0d 0a 0d 0a de ad be ef\|"; content:"POST"; http_method; reference:url,vrt-blog.snort.org/2012/07/banking-trojan-spread-via-ups-phish.html; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015028; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Java Exploit Requested - /gotit.php by Java Client"; flow:established,to_server; content:"/gotit.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015030; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Incognito - Payload Request - /load.php by Java Client"; flow:established,to_server; content:"/load.php?"; http_uri; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015031; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible IBM Rational ClearQuest Activex Control RegisterSchemaRepoFromFileByDbSet Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"RegisterSchemaRepoFromFileByDbSet"; nocase; distance:0; reference:url,11337day.com/exploits/18917; classtype:attempted-user; sid:2015032; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS approveImmediately parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php/tools/required/edit_collection_popup.php?"; nocase; http_uri; content:"ctask="; nocase; http_uri; content:"approveImmediately="; nocase; http_uri; pcre:"/approveImmediately\x3d.+?(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change\|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015033; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Concrete CMS btask parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"arHandle="; nocase; http_uri; content:"method="; nocase; http_uri; content:"btask="; nocase; http_uri; pcre:"/btask\x3d.+?(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change\|error))/Ui"; reference:url,www.securityfocus.com/bid/53268/info; classtype:web-application-attack; sid:2015034; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER possible SAP Crystal Report Server 2008 path parameter Directory Traversal vulnerability"; flow:established,to_server; content:"/PerformanceManagement/jsp/qa.jsp?"; nocase; http_uri; content:"func="; nocase; http_uri; content:"root="; nocase; http_uri; content:"path="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,1337day.com/exploits/15332; classtype:web-application-attack; sid:2015035; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access"; flow:to_client,established; content:"CLSID"; nocase; content:"88DD90B6-C770-4CFF-B7A4-3AFD16BB8824"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015036; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Crystal Reports Viewer Activex Control ServerResourceVersion Insecure Method Access 2"; flow:to_client,established; content:"ActiveXObject"; nocase; content:"CrystalPrintControlLib.CrystalPrintControl"; nocase; distance:0; content:"ServerResourceVersion"; nocase; distance:0; reference:url,1337day.com/exploits/15098; classtype:attempted-user; sid:2015037; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Count Per Day Plugin page parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/count-per-day/userperspan.php?"; nocase; http_uri; fast_pattern:19,15; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,secunia.com/advisories/49692/; classtype:web-application-attack; sid:2015038; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_wisroyq controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_wisroyq"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95508/Joomla-Wisroyq-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015039; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_rssreader controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_rssreader"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95430/Joomla-RSSReader-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015040; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Custom Contact Forms options-general.php Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/options-general.php?"; nocase; http_uri; content:"page=bb2_options"; nocase; http_uri; content:"x="; nocase; http_uri; pcre:"/x\x3d.+?(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112616/WordPress-Custom-Contact-Forms-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015041; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack - 32Char.php by Java Client"; flow:established,to_server; urilen:52<>130; content:".php?"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z]{1,10}\/[a-z0-9]{32}\.php\?/U"; classtype:trojan-activity; sid:2015042; rev:1;) + +# +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole Exploit Kit Applet Code Rafa.Rafa 6th July 2012"; flow:established,to_client; file_data; content:"<applet/code=\|22\|Rafa.Rafa\|22\|"; classtype:trojan-activity; sid:2015043; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Obfuscated Applet Value 6th July 2012"; flow:established,to_client; content:"<applet"; content:"value=\|22\|&#"; isdataat:50,relative; distance:0; content:"\|3B\|&#"; distance:4; within:3; content:"\|3B\|&#"; distance:4; within:3; content:"\|3B\|&#"; distance:4; within:3; pcre:"/value\x3D\x22\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23[0-9]{4}\x3B\x26\x23/"; classtype:trojan-activity; sid:2015044; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO Potential Common Malicious JavaScript Loop"; flow:established,to_client; file_data; content:"for("; distance:0; content:"\|3B\|"; within:20; content:">=0\|3B\|"; fast_pattern; within:10; content:"--)"; within:10; pcre:"/for\x28[^\x3D\r\n][0-9]{1,6}\x2D[0-9]{1,5}\x3B[^\x3D\r\n]\x3E\x3D0\x3B[^\29\r\n]\x2D\x2D\x29/"; classtype:bad-unknown; sid:2015045; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole Exploit Kit Java Exploit request to /Set1.jar 6th July 2012"; flow:established,to_server; content:"/Set1.jar"; http_uri; classtype:trojan-activity; sid:2015046; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Redirect.php Port 8080 Request"; flow:established,to_server; content:"/redirect.php?d="; fast_pattern:only; http_uri; content:"\|3A\|8080\|0D 0A\|"; http_header; pcre:"/\x2Fredirect\x2Ephp\x3Fd\x3D[0-9a-f]{8}$/U"; classtype:trojan-activity; sid:2015047; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Potential MSXML2.FreeThreadedDOMDocument Uninitialized Memory Corruption Attempt"; flow:to_client,established; file_data; content:"f6d90f12-9c73-11d3-b32e-00c04f990bb4"; nocase; content:"definition"; nocase; pcre:"/clsid\s\x3a\s\x7B?\sf6d90f12-9c73-11d3-b32e-00c04f990bb4/si"; pcre:"/(?:\[\s[\x22\x27]definition[\x22\x27]\s\]\|\.definition)\(/"; reference:cve,2012-1889; classtype:attempted-user; sid:2015557; rev:7;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 09 July 2012 Blackhole Landing Page - Please Wait Loading"; flow:established,from_server; file_data; content:"Please wait, the page is loading..."; distance:0; nocase; content:"x-java-applet"; distance:0; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015048; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Request For Blackhole Landing Page Go.php"; flow:established,to_server; content:"/go.php?d="; http_uri; fast_pattern:only; pcre:"/\x2Fgo\x2Ephp\x3Dd\x3D[a-f0-9]{16}$/U"; classtype:trojan-activity; sid:2015049; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition\|3a\| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:trojan-activity; sid:2015050; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 1)"; flow:established,to_client; file_data; content:"#c3284d#"; distance:0; content:"#/c3284d#"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015051; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 2)"; flow:established,to_client; file_data; content:"<!--c3284d-->"; distance:0; content:"<!--/c3284d-->"; distance:0; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015052; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 10HexChar Title and applet"; flow:established,to_client; file_data; content:"<applet"; pcre:"/<title>[a-f0-9]{10}<\/title>/"; classtype:trojan-activity; sid:2015053; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Unknown_s=1 - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; content:"value=\""; pcre:"/value=.[a-f0-9]{100}/"; classtype:trojan-activity; sid:2015054; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown_s=1 - Payload Requested - 32AlphaNum?s=1 Java Request"; flow:established,to_server; urilen:37; content:"?s=1"; http_uri; content:" Java/1"; http_header; pcre:"/^\/[a-z0-9]{32}\?s=1$/Ui"; classtype:trojan-activity; sid:2015055; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; file_data; content:"<html><body><script>"; distance:0; content:"Math.floor"; fast_pattern; distance:0; content:"try{"; distance:0; content:"prototype"; within:20; content:"}catch("; within:20; classtype:trojan-activity; sid:2015056; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d malware network iframe"; flow:established,to_client; file_data; content:"\|22\| name=\|22\|Twitter\|22\| scrolling=\|22\|auto\|22\| frameborder=\|22\|no\|22\| align=\|22\|center\|22\| height=\|22\|2\|22\| width=\|22\|2\|22\|></iframe>"; distance:0; classtype:trojan-activity; sid:2015057; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdvkpbuldslsapeb.ru"; flow:established,to_server; content:"\|3a\| bdvkpbuldslsapeb.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015061; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eilqnjkoytyjuchn.ru"; flow:established,to_server; content:"\|3a\| eilqnjkoytyjuchn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015062; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru"; flow:established,to_server; content:"\|3a\| npxsiiwpxqqiihmo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015063; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru"; flow:established,to_server; content:"\|3a\| qtmyeslmsoxkjbku.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015064; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain adbjjkquyyhyqknf.ru"; flow:established,to_server; content:"\|3a\| adbjjkquyyhyqknf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015065; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru"; flow:established,to_server; content:"\|3a\| ciqmhuwgvfsxdtrw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015066; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mocrafrewsdjztbj.ru"; flow:established,to_server; content:"\|3a\| mocrafrewsdjztbj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015067; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain otruvbidvikzhlop.ru"; flow:established,to_server; content:"\|3a\| otruvbidvikzhlop.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015068; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yafzvancybuwmnno.ru"; flow:established,to_server; content:"\|3a\| yafzvancybuwmnno.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015069; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bhujzorkulhkpwob.ru"; flow:established,to_server; content:"\|3a\| bhujzorkulhkpwob.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015070; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru"; flow:established,to_server; content:"\|3a\| lohnrnnpvvtxedfl.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015071; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru"; flow:established,to_server; content:"\|3a\| ntvrnrdpyoadopbo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015072; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wakvnkyzkyietkdr.ru"; flow:established,to_server; content:"\|3a\| wakvnkyzkyietkdr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015073; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru"; flow:established,to_server; content:"\|3a\| zfyafrjmmajqfvbh.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015074; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru"; flow:established,to_server; content:"\|3a\| jnlkttkruqsdjqlx.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015075; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lsbppxhgckolsnap.ru"; flow:established,to_server; content:"\|3a\| lsbppxhgckolsnap.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015076; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vznrahwzgntmfcqk.ru"; flow:established,to_server; content:"\|3a\| vznrahwzgntmfcqk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015077; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xeeypppxswpquvrf.ru"; flow:established,to_server; content:"\|3a\| xeeypppxswpquvrf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015078; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru"; flow:established,to_server; content:"\|3a\| inqgvoeohpcsfxmn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015079; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ksgmckchdppqeicu.ru"; flow:established,to_server; content:"\|3a\| ksgmckchdppqeicu.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015080; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uyrorwlibbjeasoq.ru"; flow:established,to_server; content:"\|3a\| uyrorwlibbjeasoq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015081; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain wejungvnykczyjam.ru"; flow:established,to_server; content:"\|3a\| wejungvnykczyjam.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015082; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru"; flow:established,to_server; content:"\|3a\| gmvdnpqbblixlgxj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015083; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jrkjelzwleadyxsd.ru"; flow:established,to_server; content:"\|3a\| jrkjelzwleadyxsd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015084; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sywleisrsstsqoic.ru"; flow:established,to_server; content:"\|3a\| sywleisrsstsqoic.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015085; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain venrfhmthwpqlqge.ru"; flow:established,to_server; content:"\|3a\| venrfhmthwpqlqge.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015086; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fmacqvmqafqwmebl.ru"; flow:established,to_server; content:"\|3a\| fmacqvmqafqwmebl.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015087; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hrpgglxvqwjesffr.ru"; flow:established,to_server; content:"\|3a\| hrpgglxvqwjesffr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015088; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru"; flow:established,to_server; content:"\|3a\| rxbkqfydlnzopqrn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015089; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain tdsorylshsxjeawf.ru"; flow:established,to_server; content:"\|3a\| tdsorylshsxjeawf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015090; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain elfxqghdubihhsgd.ru"; flow:established,to_server; content:"\|3a\| elfxqghdubihhsgd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015091; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru"; flow:established,to_server; content:"\|3a\| gqtcxunxhyujqjkf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015092; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sdxkjaophbtufumx.ru"; flow:established,to_server; content:"\|3a\| sdxkjaophbtufumx.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015094; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain clkujrjqvexvbmoi.ru"; flow:established,to_server; content:"\|3a\| clkujrjqvexvbmoi.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015095; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru"; flow:established,to_server; content:"\|3a\| fqyyxagzkrpvxtki.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015096; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain owldagkyzrkhqnjo.ru"; flow:established,to_server; content:"\|3a\| owldagkyzrkhqnjo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015097; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rccjvgsgffokiwze.ru"; flow:established,to_server; content:"\|3a\| rccjvgsgffokiwze.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015098; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain blorcdyiipxcwyxv.ru"; flow:established,to_server; content:"\|3a\| blorcdyiipxcwyxv.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015099; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dpewaddpoewiycnj.ru"; flow:established,to_server; content:"\|3a\| dpewaddpoewiycnj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015100; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nwpykqeizraqthry.ru"; flow:established,to_server; content:"\|3a\| nwpykqeizraqthry.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015101; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain pchgijctfprxhnje.ru"; flow:established,to_server; content:"\|3a\| pchgijctfprxhnje.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015102; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zisiiogqigzzqqeq.ru"; flow:established,to_server; content:"\|3a\| zisiiogqigzzqqeq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015103; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cpittmwbqtjrjpql.ru"; flow:established,to_server; content:"\|3a\| cpittmwbqtjrjpql.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015104; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mvuvchtcxxibeubd.ru"; flow:established,to_server; content:"\|3a\| mvuvchtcxxibeubd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015105; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain oblcasnhxbbocpfj.ru"; flow:established,to_server; content:"\|3a\| oblcasnhxbbocpfj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015106; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xixftoplsduqqorx.ru"; flow:established,to_server; content:"\|3a\| xixftoplsduqqorx.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015107; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru"; flow:established,to_server; content:"\|3a\| bpnqmxkpxxgbdnby.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015108; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru"; flow:established,to_server; content:"\|3a\| kvzstpqmeoxtcwko.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015109; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru"; flow:established,to_server; content:"\|3a\| nbqypqrjiqxlfvdj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015110; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain whddmvrxufbkkoew.ru"; flow:established,to_server; content:"\|3a\| whddmvrxufbkkoew.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015111; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ymrhcvphevonympo.ru"; flow:established,to_server; content:"\|3a\| ymrhcvphevonympo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015112; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jveqgnmjxkocqifr.ru"; flow:established,to_server; content:"\|3a\| jveqgnmjxkocqifr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015113; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain lavvckpordclbduy.ru"; flow:established,to_server; content:"\|3a\| lavvckpordclbduy.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015114; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru"; flow:established,to_server; content:"\|3a\| vhhzcvbegxbjsxke.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015115; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru"; flow:established,to_server; content:"\|3a\| xmwettbvtbhvrjuo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015116; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain iujniiokeyjbmerc.ru"; flow:established,to_server; content:"\|3a\| iujniiokeyjbmerc.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015117; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain kzxrowftdocgyghs.ru"; flow:established,to_server; content:"\|3a\| kzxrowftdocgyghs.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015118; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain gacdiuwnhonuulpe.ru"; flow:established,to_server; content:"\|3a\| gacdiuwnhonuulpe.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015119; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru"; flow:established,to_server; content:"\|3a\| ifrhgnqeeotnzrmz.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015120; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru"; flow:established,to_server; content:"\|3a\| rmdlgyreitjsjkfq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015121; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain uqspvdwyltgcyhft.ru"; flow:established,to_server; content:"\|3a\| uqspvdwyltgcyhft.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015122; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ezfydrexncoidbus.ru"; flow:established,to_server; content:"\|3a\| ezfydrexncoidbus.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015123; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain hfveiooumeyrpchg.ru"; flow:established,to_server; content:"\|3a\| hfveiooumeyrpchg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015124; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qlihxnncwioxkdls.ru"; flow:established,to_server; content:"\|3a\| qlihxnncwioxkdls.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015125; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain sqwlonyduvpowdgy.ru"; flow:established,to_server; content:"\|3a\| sqwlonyduvpowdgy.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015126; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain dyjvewshptsboygd.ru"; flow:established,to_server; content:"\|3a\| dyjvewshptsboygd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015127; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain febcbuyswmishvpl.ru"; flow:established,to_server; content:"\|3a\| febcbuyswmishvpl.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015128; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain plmekaayiholtevt.ru"; flow:established,to_server; content:"\|3a\| plmekaayiholtevt.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015129; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru"; flow:established,to_server; content:"\|3a\| rpckbgrziwbdrmhr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015130; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain cyosongjihugkjbg.ru"; flow:established,to_server; content:"\|3a\| cyosongjihugkjbg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015131; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain eefysywrvkgxuqdf.ru"; flow:established,to_server; content:"\|3a\| eefysywrvkgxuqdf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015132; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru"; flow:established,to_server; content:"\|3a\| nkrbvqxzfwicmhwb.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015133; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain qphhsudsmeftdaht.ru"; flow:established,to_server; content:"\|3a\| qphhsudsmeftdaht.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015134; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain axtopsbtntqnfdyk.ru"; flow:established,to_server; content:"\|3a\| axtopsbtntqnfdyk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015135; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru"; flow:established,to_server; content:"\|3a\| ddkudnuklgiwtdyw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015136; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mkwwclogcvgeekws.ru"; flow:established,to_server; content:"\|3a\| mkwwclogcvgeekws.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015137; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain opldkflyvlkywuec.ru"; flow:established,to_server; content:"\|3a\| opldkflyvlkywuec.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015138; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yvxfekhokspfuwqr.ru"; flow:established,to_server; content:"\|3a\| yvxfekhokspfuwqr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015139; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain bdprvpxdejpohqpt.ru"; flow:established,to_server; content:"\|3a\| bdprvpxdejpohqpt.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015140; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru"; flow:established,to_server; content:"\|3a\| ljbvfrsvcevyfhor.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015141; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain noqzuukouyfuyrmd.ru"; flow:established,to_server; content:"\|3a\| noqzuukouyfuyrmd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015142; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain xvcewyydwsmdgaju.ru"; flow:established,to_server; content:"\|3a\| xvcewyydwsmdgaju.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015143; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain zatiscwwtipqlycd.ru"; flow:established,to_server; content:"\|3a\| zatiscwwtipqlycd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015144; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain jjgshrjdcynohyuk.ru"; flow:established,to_server; content:"\|3a\| jjgshrjdcynohyuk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015145; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain mouwwvcwwlilnxub.ru"; flow:established,to_server; content:"\|3a\| mouwwvcwwlilnxub.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015146; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru"; flow:established,to_server; content:"\|3a\| vuhaojpwxgsxuitu.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015147; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain yayfefhrwawquwcw.ru"; flow:established,to_server; content:"\|3a\| yayfefhrwawquwcw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015148; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiloishkjwvqldlq.ru"; flow:established,to_server; content:"\|3a\| iiloishkjwvqldlq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015149; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain knauycqgsdhgbwjo.ru"; flow:established,to_server; content:"\|3a\| knauycqgsdhgbwjo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015150; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru"; flow:established,to_server; content:"\|3a\| uumwyzhctrwdsrdp.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015151; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wzbdwenwshfzglwt.ru"; flow:established,to_server; content:"\|3a\| wzbdwenwshfzglwt.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015152; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hiplksflttfkpsxn.ru"; flow:established,to_server; content:"\|3a\| hiplksflttfkpsxn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015153; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jnfrqmekhoevppvw.ru"; flow:established,to_server; content:"\|3a\| jnfrqmekhoevppvw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015154; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ttqtkmthptxvwiku.ru"; flow:established,to_server; content:"\|3a\| ttqtkmthptxvwiku.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015155; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vygzhvfiuommkqfj.ru"; flow:established,to_server; content:"\|3a\| vygzhvfiuommkqfj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015156; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru"; flow:established,to_server; content:"\|3a\| fhuidtlqttqxgjvn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015157; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain imjosxuhbcdonrco.ru"; flow:established,to_server; content:"\|3a\| imjosxuhbcdonrco.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015158; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru"; flow:established,to_server; content:"\|3a\| rtvqcdpbqxgwnrcn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015159; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru"; flow:established,to_server; content:"\|3a\| tykvyflnjhbnqpnr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015160; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehyewyqydfpidbdp.ru"; flow:established,to_server; content:"\|3a\| ehyewyqydfpidbdp.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015161; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gmokuosvnbkshdtd.ru"; flow:established,to_server; content:"\|3a\| gmokuosvnbkshdtd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015162; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qsbourrdxgxgwepy.ru"; flow:established,to_server; content:"\|3a\| qsbourrdxgxgwepy.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015163; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru"; flow:established,to_server; content:"\|3a\| sxpskxdgoczvcjgp.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015164; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dhedppigtpbwrmpc.ru"; flow:established,to_server; content:"\|3a\| dhedppigtpbwrmpc.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015165; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain flthmyjeuhdygshf.ru"; flow:established,to_server; content:"\|3a\| flthmyjeuhdygshf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015166; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain osflhkaowydftniw.ru"; flow:established,to_server; content:"\|3a\| osflhkaowydftniw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015167; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rxupwhkznihnxzqx.ru"; flow:established,to_server; content:"\|3a\| rxupwhkznihnxzqx.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015168; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru"; flow:established,to_server; content:"\|3a\| bgjzhlasdrwwnenj.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015169; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain elxegvkalqvkyoxc.ru"; flow:established,to_server; content:"\|3a\| elxegvkalqvkyoxc.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015170; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nrkhysgoltauclop.ru"; flow:established,to_server; content:"\|3a\| nrkhysgoltauclop.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015171; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pwyloytoagndnrex.ru"; flow:established,to_server; content:"\|3a\| pwyloytoagndnrex.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015172; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain zenquqdskekaudbe.ru"; flow:established,to_server; content:"\|3a\| zenquqdskekaudbe.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015173; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru"; flow:established,to_server; content:"\|3a\| cldcrgtnuwvgnbfd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015174; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mroeqjdaukskbgua.ru"; flow:established,to_server; content:"\|3a\| mroeqjdaukskbgua.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015175; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain owekhoeuhmdiehrw.ru"; flow:established,to_server; content:"\|3a\| owekhoeuhmdiehrw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015176; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru"; flow:established,to_server; content:"\|3a\| ydrngsmrdiiyvoiy.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015177; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru"; flow:established,to_server; content:"\|3a\| bkhyiqitpoxewhmt.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015178; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain krtbityuhlewigfe.ru"; flow:established,to_server; content:"\|3a\| krtbityuhlewigfe.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015179; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nvjgyermzsmynaeq.ru"; flow:established,to_server; content:"\|3a\| nvjgyermzsmynaeq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015180; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jwkpdxqbemsmclal.ru"; flow:established,to_server; content:"\|3a\| jwkpdxqbemsmclal.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015181; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lccwpflcdjrdfjib.ru"; flow:established,to_server; content:"\|3a\| lccwpflcdjrdfjib.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015182; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain uinyjmxfqinkxbda.ru"; flow:established,to_server; content:"\|3a\| uinyjmxfqinkxbda.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015183; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xndfbivuonkxfxrq.ru"; flow:established,to_server; content:"\|3a\| xndfbivuonkxfxrq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015184; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru"; flow:established,to_server; content:"\|3a\| hvpmffxpfnlquqxo.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015185; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru"; flow:established,to_server; content:"\|3a\| kbgsbqjugdqrgtdw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015186; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tisubmfvqrgnloxr.ru"; flow:established,to_server; content:"\|3a\| tisubmfvqrgnloxr.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015187; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vmibswhnpqhqwyih.ru"; flow:established,to_server; content:"\|3a\| vmibswhnpqhqwyih.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015188; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru"; flow:established,to_server; content:"\|3a\| gvujhzvjxwptrtdg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015189; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru"; flow:established,to_server; content:"\|3a\| iblpdiqdmmsbnuxb.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015190; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain shxrsvasoncjnxpn.ru"; flow:established,to_server; content:"\|3a\| shxrsvasoncjnxpn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015191; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ummxjwieppswcnrg.ru"; flow:established,to_server; content:"\|3a\| ummxjwieppswcnrg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015192; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fuyfrockpfclxccd.ru"; flow:established,to_server; content:"\|3a\| fuyfrockpfclxccd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015193; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain haqmuqqukywrcxfa.ru"; flow:established,to_server; content:"\|3a\| haqmuqqukywrcxfa.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015194; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qhcplcuugevvyham.ru"; flow:established,to_server; content:"\|3a\| qhcplcuugevvyham.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015195; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru"; flow:established,to_server; content:"\|3a\| tmrtbcienxrbnsjc.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015196; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dueebwwdllfburag.ru"; flow:established,to_server; content:"\|3a\| dueebwwdllfburag.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015197; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fzsirujgdbvabrjm.ru"; flow:established,to_server; content:"\|3a\| fzsirujgdbvabrjm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015198; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru"; flow:established,to_server; content:"\|3a\| pghnrmkoeoetfwsm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015199; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru"; flow:established,to_server; content:"\|3a\| rlvqmipovrqbmvqd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015200; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ctjbmgjudwisgshv.ru"; flow:established,to_server; content:"\|3a\| ctjbmgjudwisgshv.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015201; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain eyxejlabqaytqmjx.ru"; flow:established,to_server; content:"\|3a\| eyxejlabqaytqmjx.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015202; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru"; flow:established,to_server; content:"\|3a\| ogmjjmqdhlbyabzg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015203; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru"; flow:established,to_server; content:"\|3a\| qlbpfyrupyadvjsl.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015204; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain atnwerhvttvbivra.ru"; flow:established,to_server; content:"\|3a\| atnwerhvttvbivra.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015205; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dydderasilekaegh.ru"; flow:established,to_server; content:"\|3a\| dydderasilekaegh.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015206; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru"; flow:established,to_server; content:"\|3a\| mfqfrnqllqcrayiw.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015207; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru"; flow:established,to_server; content:"\|3a\| pkglwwwmjxokzzfq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015208; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yrrnrgliojezjctg.ru"; flow:established,to_server; content:"\|3a\| yrrnrgliojezjctg.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015209; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bxhzugppnulxghvm.ru"; flow:established,to_server; content:"\|3a\| bxhzugppnulxghvm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015210; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru"; flow:established,to_server; content:"\|3a\| lfvcngdbzjrzgyby.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015211; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain nkkijjyioljbfysn.ru"; flow:established,to_server; content:"\|3a\| nkkijjyioljbfysn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015212; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xqwkdyjydkggsppd.ru"; flow:established,to_server; content:"\|3a\| xqwkdyjydkggsppd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015213; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru"; flow:established,to_server; content:"\|3a\| axmvnmubgwlmqfrp.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015214; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain keabgwmpzqhpmlng.ru"; flow:established,to_server; content:"\|3a\| keabgwmpzqhpmlng.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015215; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru"; flow:established,to_server; content:"\|3a\| mjpflkwqskuqbjnk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015216; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru"; flow:established,to_server; content:"\|3a\| vqcicnuhtwhxmtjd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015217; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yvqnltydqtpresfu.ru"; flow:established,to_server; content:"\|3a\| yvqnltydqtpresfu.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015218; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iefwvulgninlkoxe.ru"; flow:established,to_server; content:"\|3a\| iefwvulgninlkoxe.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015219; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ljubdldgqwbarplc.ru"; flow:established,to_server; content:"\|3a\| ljubdldgqwbarplc.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015220; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain upgghggmbusopaxv.ru"; flow:established,to_server; content:"\|3a\| upgghggmbusopaxv.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015221; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru"; flow:established,to_server; content:"\|3a\| wuvjdexaqtmqkvgk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015222; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hektxucstnbuncix.ru"; flow:established,to_server; content:"\|3a\| hektxucstnbuncix.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015223; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jiyxdlvawkranmin.ru"; flow:established,to_server; content:"\|3a\| jiyxdlvawkranmin.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015224; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tplczomvebjmhsgk.ru"; flow:established,to_server; content:"\|3a\| tplczomvebjmhsgk.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015225; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain vuaivypissryzhij.ru"; flow:established,to_server; content:"\|3a\| vuaivypissryzhij.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015226; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gdoqznfilmtulxxv.ru"; flow:established,to_server; content:"\|3a\| gdoqznfilmtulxxv.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015227; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain iiewprjomieydnix.ru"; flow:established,to_server; content:"\|3a\| iiewprjomieydnix.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015228; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ropypfmcqjjfdiel.ru"; flow:established,to_server; content:"\|3a\| ropypfmcqjjfdiel.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015229; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain utfenjxpvwtroioi.ru"; flow:established,to_server; content:"\|3a\| utfenjxpvwtroioi.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015230; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain edtmjcvfnfcbweed.ru"; flow:established,to_server; content:"\|3a\| edtmjcvfnfcbweed.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015231; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hhishrpjdixwtctz.ru"; flow:established,to_server; content:"\|3a\| hhishrpjdixwtctz.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015232; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru"; flow:established,to_server; content:"\|3a\| qouubrmdxtgnnjvm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015233; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain stkbtccbckhdkbii.ru"; flow:established,to_server; content:"\|3a\| stkbtccbckhdkbii.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015234; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru"; flow:established,to_server; content:"\|3a\| dcyjurmfwhgvyoio.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015235; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru"; flow:established,to_server; content:"\|3a\| fhnpjsnknkuvhazm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015236; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru"; flow:established,to_server; content:"\|3a\| pozrtgdmhvhvdscn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015237; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain rsoxjlibxohdcyov.ru"; flow:established,to_server; content:"\|3a\| rsoxjlibxohdcyov.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015238; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ccdifvomwhtynpay.ru"; flow:established,to_server; content:"\|3a\| ccdifvomwhtynpay.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015239; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ehsmldxnregnruez.ru"; flow:established,to_server; content:"\|3a\| ehsmldxnregnruez.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015240; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru"; flow:established,to_server; content:"\|3a\| lsvdxjpwykxxvryd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015241; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru"; flow:established,to_server; content:"\|3a\| oxkjnvhjnvnegtyb.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015242; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xfymtpavzblzbknq.ru"; flow:established,to_server; content:"\|3a\| xfymtpavzblzbknq.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015243; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain bloxgsfzinxmdspt.ru"; flow:established,to_server; content:"\|3a\| bloxgsfzinxmdspt.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015244; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ksacasnubklrikdl.ru"; flow:established,to_server; content:"\|3a\| ksacasnubklrikdl.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015245; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain mxpgggggukxqteoy.ru"; flow:established,to_server; content:"\|3a\| mxpgggggukxqteoy.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015246; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru"; flow:established,to_server; content:"\|3a\| wedkgpdcxlrunbmu.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015247; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru"; flow:established,to_server; content:"\|3a\| yjsovtnpgbwqcbbd.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015248; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain jrfyaswntteouafv.ru"; flow:established,to_server; content:"\|3a\| jrfyaswntteouafv.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015249; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru"; flow:established,to_server; content:"\|3a\| lwtcxuzbdrsnpqfb.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015250; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain veihxoqukuetxqbn.ru"; flow:established,to_server; content:"\|3a\| veihxoqukuetxqbn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015251; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru"; flow:established,to_server; content:"\|3a\| xiwlnutkxsqxwjge.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015252; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain hrkusbnevtmyisab.ru"; flow:established,to_server; content:"\|3a\| hrkusbnevtmyisab.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015253; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru"; flow:established,to_server; content:"\|3a\| kwyyhhqtwxupnhyu.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015254; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain tdndpphrtyniynvz.ru"; flow:established,to_server; content:"\|3a\| tdndpphrtyniynvz.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015255; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain wicjgufeimlbmcus.ru"; flow:established,to_server; content:"\|3a\| wicjgufeimlbmcus.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015256; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain gqortbbbsnksxpmm.ru"; flow:established,to_server; content:"\|3a\| gqortbbbsnksxpmm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015257; rev:1;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fjgtmicxtlxynlpf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015258; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ppsvcvrcgkllplyn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015259; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ruhctasjmpqbyvhm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015260; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdvkpbuldslsapeb.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bdvkpbuldslsapeb\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015261; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eilqnjkoytyjuchn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|eilqnjkoytyjuchn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015262; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain npxsiiwpxqqiihmo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|npxsiiwpxqqiihmo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015263; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qtmyeslmsoxkjbku.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qtmyeslmsoxkjbku\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015264; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain adbjjkquyyhyqknf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|adbjjkquyyhyqknf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015265; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ciqmhuwgvfsxdtrw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ciqmhuwgvfsxdtrw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015266; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mocrafrewsdjztbj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mocrafrewsdjztbj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015267; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain otruvbidvikzhlop.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|otruvbidvikzhlop\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015268; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yafzvancybuwmnno.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yafzvancybuwmnno\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015269; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bhujzorkulhkpwob.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bhujzorkulhkpwob\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015270; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lohnrnnpvvtxedfl.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lohnrnnpvvtxedfl\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015271; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ntvrnrdpyoadopbo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ntvrnrdpyoadopbo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015272; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wakvnkyzkyietkdr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wakvnkyzkyietkdr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015273; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zfyafrjmmajqfvbh.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|zfyafrjmmajqfvbh\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015274; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jnlkttkruqsdjqlx.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jnlkttkruqsdjqlx\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015275; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lsbppxhgckolsnap.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lsbppxhgckolsnap\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015276; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vznrahwzgntmfcqk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vznrahwzgntmfcqk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015277; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xeeypppxswpquvrf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xeeypppxswpquvrf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015278; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain inqgvoeohpcsfxmn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|inqgvoeohpcsfxmn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015279; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ksgmckchdppqeicu.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ksgmckchdppqeicu\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015280; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uyrorwlibbjeasoq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|uyrorwlibbjeasoq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015281; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain wejungvnykczyjam.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wejungvnykczyjam\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015282; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gmvdnpqbblixlgxj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gmvdnpqbblixlgxj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015283; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jrkjelzwleadyxsd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jrkjelzwleadyxsd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015284; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sywleisrsstsqoic.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|sywleisrsstsqoic\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015285; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain venrfhmthwpqlqge.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|venrfhmthwpqlqge\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015286; rev:4;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fmacqvmqafqwmebl.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fmacqvmqafqwmebl\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015287; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hrpgglxvqwjesffr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hrpgglxvqwjesffr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015288; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rxbkqfydlnzopqrn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rxbkqfydlnzopqrn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015289; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain tdsorylshsxjeawf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tdsorylshsxjeawf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015290; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain elfxqghdubihhsgd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|elfxqghdubihhsgd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015291; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gqtcxunxhyujqjkf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gqtcxunxhyujqjkf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015292; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qxggipnnfmnihkic.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qxggipnnfmnihkic\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015293; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sdxkjaophbtufumx.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|sdxkjaophbtufumx\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015294; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain clkujrjqvexvbmoi.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|clkujrjqvexvbmoi\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015295; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain fqyyxagzkrpvxtki.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fqyyxagzkrpvxtki\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015296; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain owldagkyzrkhqnjo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|owldagkyzrkhqnjo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015297; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rccjvgsgffokiwze.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rccjvgsgffokiwze\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015298; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain blorcdyiipxcwyxv.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|blorcdyiipxcwyxv\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015299; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dpewaddpoewiycnj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dpewaddpoewiycnj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015300; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nwpykqeizraqthry.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nwpykqeizraqthry\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015301; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain pchgijctfprxhnje.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|pchgijctfprxhnje\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015302; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zisiiogqigzzqqeq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|zisiiogqigzzqqeq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015303; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cpittmwbqtjrjpql.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|cpittmwbqtjrjpql\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015304; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mvuvchtcxxibeubd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mvuvchtcxxibeubd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015305; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain oblcasnhxbbocpfj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|oblcasnhxbbocpfj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015306; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xixftoplsduqqorx.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xixftoplsduqqorx\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015307; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bpnqmxkpxxgbdnby.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bpnqmxkpxxgbdnby\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015308; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kvzstpqmeoxtcwko.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|kvzstpqmeoxtcwko\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015309; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nbqypqrjiqxlfvdj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nbqypqrjiqxlfvdj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015310; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain whddmvrxufbkkoew.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|whddmvrxufbkkoew\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015311; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ymrhcvphevonympo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ymrhcvphevonympo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015312; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jveqgnmjxkocqifr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jveqgnmjxkocqifr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015313; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain lavvckpordclbduy.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lavvckpordclbduy\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015314; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vhhzcvbegxbjsxke.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vhhzcvbegxbjsxke\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015315; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xmwettbvtbhvrjuo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xmwettbvtbhvrjuo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015316; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain iujniiokeyjbmerc.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|iujniiokeyjbmerc\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015317; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain kzxrowftdocgyghs.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|kzxrowftdocgyghs\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015318; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain gacdiuwnhonuulpe.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gacdiuwnhonuulpe\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015319; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ifrhgnqeeotnzrmz.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ifrhgnqeeotnzrmz\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015320; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rmdlgyreitjsjkfq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rmdlgyreitjsjkfq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015321; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain uqspvdwyltgcyhft.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|uqspvdwyltgcyhft\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015322; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ezfydrexncoidbus.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ezfydrexncoidbus\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015323; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain hfveiooumeyrpchg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hfveiooumeyrpchg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015324; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qlihxnncwioxkdls.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qlihxnncwioxkdls\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015325; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain sqwlonyduvpowdgy.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|sqwlonyduvpowdgy\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015326; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain dyjvewshptsboygd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dyjvewshptsboygd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015327; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain febcbuyswmishvpl.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|febcbuyswmishvpl\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015328; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain plmekaayiholtevt.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|plmekaayiholtevt\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015329; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain rpckbgrziwbdrmhr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rpckbgrziwbdrmhr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015330; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain cyosongjihugkjbg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|cyosongjihugkjbg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015331; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain eefysywrvkgxuqdf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|eefysywrvkgxuqdf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015332; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain nkrbvqxzfwicmhwb.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nkrbvqxzfwicmhwb\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015333; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain qphhsudsmeftdaht.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qphhsudsmeftdaht\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015334; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain axtopsbtntqnfdyk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|axtopsbtntqnfdyk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015335; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ddkudnuklgiwtdyw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ddkudnuklgiwtdyw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015336; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mkwwclogcvgeekws.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mkwwclogcvgeekws\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015337; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain opldkflyvlkywuec.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|opldkflyvlkywuec\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015338; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yvxfekhokspfuwqr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yvxfekhokspfuwqr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015339; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain bdprvpxdejpohqpt.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bdprvpxdejpohqpt\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015340; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain ljbvfrsvcevyfhor.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ljbvfrsvcevyfhor\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015341; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain noqzuukouyfuyrmd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|noqzuukouyfuyrmd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015342; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain xvcewyydwsmdgaju.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xvcewyydwsmdgaju\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015343; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain zatiscwwtipqlycd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|zatiscwwtipqlycd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015344; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain jjgshrjdcynohyuk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jjgshrjdcynohyuk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015345; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain mouwwvcwwlilnxub.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mouwwvcwwlilnxub\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015346; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain vuhaojpwxgsxuitu.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vuhaojpwxgsxuitu\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015347; rev:3;) + +# +#alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET DELETED DNS Query to Zeus CnC DGA Domain yayfefhrwawquwcw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yayfefhrwawquwcw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015348; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiloishkjwvqldlq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|iiloishkjwvqldlq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015349; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain knauycqgsdhgbwjo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|knauycqgsdhgbwjo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015350; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uumwyzhctrwdsrdp.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|uumwyzhctrwdsrdp\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015351; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wzbdwenwshfzglwt.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wzbdwenwshfzglwt\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015352; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hiplksflttfkpsxn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hiplksflttfkpsxn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015353; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jnfrqmekhoevppvw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jnfrqmekhoevppvw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015354; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ttqtkmthptxvwiku.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ttqtkmthptxvwiku\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015355; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vygzhvfiuommkqfj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vygzhvfiuommkqfj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015356; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhuidtlqttqxgjvn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fhuidtlqttqxgjvn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015357; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain imjosxuhbcdonrco.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|imjosxuhbcdonrco\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015358; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rtvqcdpbqxgwnrcn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rtvqcdpbqxgwnrcn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015359; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tykvyflnjhbnqpnr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tykvyflnjhbnqpnr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015360; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehyewyqydfpidbdp.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ehyewyqydfpidbdp\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015361; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gmokuosvnbkshdtd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gmokuosvnbkshdtd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015362; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qsbourrdxgxgwepy.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qsbourrdxgxgwepy\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015363; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain sxpskxdgoczvcjgp.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|sxpskxdgoczvcjgp\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015364; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dhedppigtpbwrmpc.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dhedppigtpbwrmpc\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015365; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain flthmyjeuhdygshf.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|flthmyjeuhdygshf\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015366; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain osflhkaowydftniw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|osflhkaowydftniw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015367; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rxupwhkznihnxzqx.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rxupwhkznihnxzqx\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015368; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bgjzhlasdrwwnenj.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bgjzhlasdrwwnenj\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015369; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain elxegvkalqvkyoxc.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|elxegvkalqvkyoxc\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015370; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nrkhysgoltauclop.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nrkhysgoltauclop\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015371; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pwyloytoagndnrex.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|pwyloytoagndnrex\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015372; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain zenquqdskekaudbe.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|zenquqdskekaudbe\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015373; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain cldcrgtnuwvgnbfd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|cldcrgtnuwvgnbfd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015374; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mroeqjdaukskbgua.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mroeqjdaukskbgua\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015375; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain owekhoeuhmdiehrw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|owekhoeuhmdiehrw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015376; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ydrngsmrdiiyvoiy.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ydrngsmrdiiyvoiy\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015377; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bkhyiqitpoxewhmt.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bkhyiqitpoxewhmt\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015378; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain krtbityuhlewigfe.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|krtbityuhlewigfe\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015379; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nvjgyermzsmynaeq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nvjgyermzsmynaeq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015380; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jwkpdxqbemsmclal.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jwkpdxqbemsmclal\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015381; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lccwpflcdjrdfjib.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lccwpflcdjrdfjib\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015382; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain uinyjmxfqinkxbda.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|uinyjmxfqinkxbda\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015383; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xndfbivuonkxfxrq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xndfbivuonkxfxrq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015384; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hvpmffxpfnlquqxo.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hvpmffxpfnlquqxo\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015385; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kbgsbqjugdqrgtdw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|kbgsbqjugdqrgtdw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015386; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tisubmfvqrgnloxr.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tisubmfvqrgnloxr\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015387; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vmibswhnpqhqwyih.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vmibswhnpqhqwyih\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015388; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gvujhzvjxwptrtdg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gvujhzvjxwptrtdg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015389; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iblpdiqdmmsbnuxb.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|iblpdiqdmmsbnuxb\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015390; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain shxrsvasoncjnxpn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|shxrsvasoncjnxpn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015391; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ummxjwieppswcnrg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ummxjwieppswcnrg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015392; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fuyfrockpfclxccd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fuyfrockpfclxccd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015393; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain haqmuqqukywrcxfa.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|haqmuqqukywrcxfa\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015394; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qhcplcuugevvyham.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qhcplcuugevvyham\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015395; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tmrtbcienxrbnsjc.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tmrtbcienxrbnsjc\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015396; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dueebwwdllfburag.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dueebwwdllfburag\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015397; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fzsirujgdbvabrjm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fzsirujgdbvabrjm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015398; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pghnrmkoeoetfwsm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|pghnrmkoeoetfwsm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015399; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rlvqmipovrqbmvqd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rlvqmipovrqbmvqd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015400; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ctjbmgjudwisgshv.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ctjbmgjudwisgshv\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015401; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain eyxejlabqaytqmjx.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|eyxejlabqaytqmjx\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015402; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ogmjjmqdhlbyabzg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ogmjjmqdhlbyabzg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015403; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qlbpfyrupyadvjsl.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qlbpfyrupyadvjsl\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015404; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain atnwerhvttvbivra.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|atnwerhvttvbivra\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015405; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dydderasilekaegh.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dydderasilekaegh\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015406; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mfqfrnqllqcrayiw.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mfqfrnqllqcrayiw\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015407; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pkglwwwmjxokzzfq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|pkglwwwmjxokzzfq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015408; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yrrnrgliojezjctg.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yrrnrgliojezjctg\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015409; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bxhzugppnulxghvm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bxhzugppnulxghvm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015410; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lfvcngdbzjrzgyby.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lfvcngdbzjrzgyby\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015411; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain nkkijjyioljbfysn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|nkkijjyioljbfysn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015412; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xqwkdyjydkggsppd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xqwkdyjydkggsppd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015413; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain axmvnmubgwlmqfrp.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|axmvnmubgwlmqfrp\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015414; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain keabgwmpzqhpmlng.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|keabgwmpzqhpmlng\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015415; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mjpflkwqskuqbjnk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mjpflkwqskuqbjnk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015416; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vqcicnuhtwhxmtjd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vqcicnuhtwhxmtjd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015417; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yvqnltydqtpresfu.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yvqnltydqtpresfu\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015418; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iefwvulgninlkoxe.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|iefwvulgninlkoxe\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015419; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ljubdldgqwbarplc.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ljubdldgqwbarplc\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015420; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain upgghggmbusopaxv.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|upgghggmbusopaxv\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015421; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wuvjdexaqtmqkvgk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wuvjdexaqtmqkvgk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015422; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hektxucstnbuncix.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hektxucstnbuncix\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015423; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jiyxdlvawkranmin.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jiyxdlvawkranmin\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015424; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tplczomvebjmhsgk.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tplczomvebjmhsgk\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015425; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain vuaivypissryzhij.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|vuaivypissryzhij\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015426; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gdoqznfilmtulxxv.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gdoqznfilmtulxxv\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015427; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain iiewprjomieydnix.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|iiewprjomieydnix\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015428; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ropypfmcqjjfdiel.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ropypfmcqjjfdiel\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015429; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain utfenjxpvwtroioi.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|utfenjxpvwtroioi\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015430; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain edtmjcvfnfcbweed.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|edtmjcvfnfcbweed\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015431; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hhishrpjdixwtctz.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hhishrpjdixwtctz\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015432; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain qouubrmdxtgnnjvm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|qouubrmdxtgnnjvm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015433; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain stkbtccbckhdkbii.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|stkbtccbckhdkbii\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015434; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain dcyjurmfwhgvyoio.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|dcyjurmfwhgvyoio\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015435; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain fhnpjsnknkuvhazm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|fhnpjsnknkuvhazm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015436; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain pozrtgdmhvhvdscn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|pozrtgdmhvhvdscn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015437; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain rsoxjlibxohdcyov.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|rsoxjlibxohdcyov\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015438; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ccdifvomwhtynpay.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ccdifvomwhtynpay\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015439; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ehsmldxnregnruez.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ehsmldxnregnruez\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015440; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lsvdxjpwykxxvryd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lsvdxjpwykxxvryd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015441; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain oxkjnvhjnvnegtyb.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|oxkjnvhjnvnegtyb\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015442; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xfymtpavzblzbknq.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xfymtpavzblzbknq\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015443; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain bloxgsfzinxmdspt.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|bloxgsfzinxmdspt\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015444; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain ksacasnubklrikdl.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|ksacasnubklrikdl\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015445; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain mxpgggggukxqteoy.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|mxpgggggukxqteoy\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015446; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wedkgpdcxlrunbmu.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wedkgpdcxlrunbmu\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015447; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain yjsovtnpgbwqcbbd.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|yjsovtnpgbwqcbbd\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015448; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain jrfyaswntteouafv.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|jrfyaswntteouafv\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015449; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain lwtcxuzbdrsnpqfb.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|lwtcxuzbdrsnpqfb\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015450; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain veihxoqukuetxqbn.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|veihxoqukuetxqbn\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015451; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain xiwlnutkxsqxwjge.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|xiwlnutkxsqxwjge\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015452; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain hrkusbnevtmyisab.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|hrkusbnevtmyisab\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015453; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain kwyyhhqtwxupnhyu.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|kwyyhhqtwxupnhyu\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015454; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain tdndpphrtyniynvz.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|tdndpphrtyniynvz\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015455; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain wicjgufeimlbmcus.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|wicjgufeimlbmcus\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015456; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Zeus CnC DGA Domain gqortbbbsnksxpmm.ru Pseudo Random Domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|gqortbbbsnksxpmm\|02\|ru\|00\|"; nocase; distance:0; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015457; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 1"; flow:established,to_server; content:"/plg3.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015458; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Pift Checkin 2"; flow:established,to_server; content:"/ext1.z"; fast_pattern; http_uri; urilen:7; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|"; http_header; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015459; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET TROJAN Win32/Pift DNS TXT CnC Lookup ppift.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|05\|ppift\|03\|net\|00 00 10\|"; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23873/en_US/McAfee%20Labs%20Threat%20Advisory-W32-Pift.pdf; reference:md5,d3c6af8284276b11c2f693c1195b4735; classtype:trojan-activity; sid:2015460; rev:3;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED HTTP Request to a Zeus CnC DGA Domain fjgtmicxtlxynlpf.ru"; flow:established,to_server; content:"\|3a\| fjgtmicxtlxynlpf.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015461; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ppsvcvrcgkllplyn.ru"; flow:established,to_server; content:"\|3a\| ppsvcvrcgkllplyn.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015462; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a Zeus CnC DGA Domain ruhctasjmpqbyvhm.ru"; flow:established,to_server; content:"\|3a\| ruhctasjmpqbyvhm.ru\|0D 0A\|"; fast_pattern:only; http_header; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015463; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AdminStudio Activex Control LaunchProcess Method Access Arbitrary Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"LaunchHelp.HelpLauncher.1"; nocase; distance:0; content:"LaunchProcess"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114564/AdminStudio-LaunchHelp.dll-ActiveX-Arbitrary-Code-Execution.html; classtype:attempted-user; sid:2015464; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Oracle AutoVue ActiveX SetMarkupMode Method Access Remote Code Execution"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"AutoVueX.ocx"; fast_pattern; nocase; distance:0; content:"SetMarkupMode"; nocase; distance:0; reference:url,packetstormsecurity.org/files/114364/Oracle-AutoVue-ActiveX-SetMarkupMode-Remote-Code-Execution.html; classtype:attempted-user; sid:2015465; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_marker) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_marker"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015466; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Leaflet plugin(leaflet_layer) id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=leaflet_layer"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112699/WordPress-Leaflet-0.0.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015467; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_jstore controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jstore"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94689/Joomla-JStore-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015468; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Help Center Live file parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/module.php?"; nocase; http_uri; content:"module=helpcenter"; nocase; http_uri; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/88998/Help-Center-Live-2.0.6-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015469; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpPollScript include_class Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/php/init.poll.php?"; nocase; http_uri; content:"include_class="; nocase; http_uri; pcre:"/include_class=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/81376/phpPollScript-1.3-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015470; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_edir controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_edir"; nocase; http_uri; content:"view="; nocase; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95604/Joomla-eDir-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015471; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS joomla com_connect controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_connect"; nocase; http_uri; content:"view="; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/95590/Joomla-Connect-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015472; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress CataBlog plugin category parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=catablog-gallery"; nocase; http_uri; content:"category="; nocase; http_uri; pcre:"/category\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112710/WordPress-CataBlog-1.6-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015473; rev:1;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET TROJAN ZeroAccess udp traffic detected"; content:"\|9e 98\|"; offset:6; depth:2; dsize:20; classtype:trojan-activity; sid:2015474; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /intpmt.html"; flow:established,to_server; content:"/intpmt.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015475; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BlackHole Landing Page /upinv.html"; flow:established,to_server; content:"/upinv.html"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015476; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Eval Split String Obfuscation In Brackets"; flow:established,to_client; content:"[\|22\|e"; fast_pattern; content:"\|22\|+\|22\|"; within:11; content:"l\|22\|]"; within:11; pcre:"/\x7B\x22e(v\|x22\x2B\x22)(v\|x22\x2B\x22\|a)(a\|v\|x22\x2B\x22)[^\x5D]?l\x22\x5D/"; classtype:trojan-activity; sid:2015477; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /top2.html"; flow:established,to_server; urilen:9; content:"/top2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015478; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Unknown TDS /rem2.html"; flow:established,to_server; urilen:10; content:"/rem2.html"; http_uri; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015479; rev:2;) + +# +alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Compromised WordPress Server pulling Malicious JS"; flow:established,to_server; content:"/net/?u="; http_uri; fast_pattern:only; content:"Host\|3a\| net"; http_header; content:"net.net"; http_header; distance:2; within:7; content:"User-Agent\|3a\| Mozilla/4.0 (compatible\|3b\| MSIE 8.0\|3b\| Windows NT 6.0)"; http_header; pcre:"/^Host\x3a\snet[0-4]{2}net\.net\r?\n$/Hmi"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015480; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Compromised Wordpress Install Serving Malicious JS"; flow:established,to_client; file_data; content:"var wow"; fast_pattern; content:"Date"; distance:0; within:200; pcre:"/var wow\s=\s\x22[^\x22\n]+?\x22\x3b[^\x3b\n]?Date[^\x3b\n]?\x3b/"; reference:url,blog.unmaskparasites.com/2012/07/11/whats-in-your-wp-head/; classtype:trojan-activity; sid:2015481; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ZeroAccess Outbound udp traffic detected"; content:"\|28 94 8d ab c9 c0 d1 99\|"; offset:4; depth:8; dsize:16; threshold: type both, track by_src, count 10, seconds 600; classtype:trojan-activity; sid:2015482; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Java .jar request to dotted-quad domain"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^Host: \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\r?$/Hmi"; classtype:bad-unknown; sid:2015483; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN w3af User-Agent 2"; flow:established,to_server; content:"w3af.sf.net"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+?w3af\.sf\.net/Hmi"; classtype:attempted-recon; sid:2015484; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY TuneIn Internet Radio Usage Detected"; flow:established,to_server; content:"/tuner/?StationId="; http_uri; fast_pattern:only; content:"tunein.com\|0d 0a\|"; http_header; reference:url,tunein.com/support/get-started; classtype:policy-violation; sid:2015485; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"chcyih.class"; classtype:trojan-activity; sid:2015486; rev:7;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (2)"; flow:established,to_server; content:"/java.jar"; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; classtype:trojan-activity; sid:2015487; rev:7;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"NewClass1.class"; classtype:trojan-activity; sid:2015488; rev:8;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/OnlineGame.DaGame Variant CnC Checkin"; flow:established,to_server; content:"/logexp.php?aid="; http_uri; content:"&pid="; http_uri; content:"&kind="; http_uri; pcre:"/User\x2DAgent\x3A\x20[a-f0-9]{5,14}\x0D\x0A/H"; classtype:trojan-activity; sid:2015489; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible beSTORM ActiveX (WinGraphviz.dll) Remote Heap Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"684811FB-0523-420F-9E8F-A5452C65A19C"; nocase; distance:0; content:"ToSvg"; nocase; distance:0; reference:url,exploit-db.com/exploits/19861/; classtype:attempted-user; sid:2015490; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3"; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015491; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA BrightStor ARCserve Backup ActiveX AddColumn Method Access Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"ListCtrl.ocx"; fast_pattern; nocase; distance:0; content:"AddColumn"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82950/CA-BrightStor-ARCserve-Backup-AddColumn-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015492; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CommuniCrypt Mail SMTP ActiveX AddAttachments Method Access Stack Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"F8D07B72-B4B4-46A0-ACC0-C771D4614B82"; nocase; distance:0; content:"AddAttachments"; nocase; distance:0; reference:url,packetstormsecurity.org/files/89856/CommuniCrypt-Mail-1.16-SMTP-ActiveX-Stack-Buffer-Overflow.html; classtype:attempted-user; sid:2015493; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin PICA Photo Gallery imgname parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/pica-photo-gallery/picadownload.php?"; nocase; http_uri; fast_pattern:19,20; content:"imgname="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113404/WordPress-PICA-Photo-Gallery-1.0-File-Disclosure.html; classtype:web-application-attack; sid:2015494; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Web Edition mod parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/include/we_modules/show.php?"; nocase; http_uri; content:"mod="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/99789/Web-Edition-6.1.0.2-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015495; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress church_admin Plugin id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/church-admin/includes/validate.php?"; nocase; http_uri; fast_pattern:19,14; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,securityfocus.com/bid/54329; classtype:web-application-attack; sid:2015496; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Download Manager cid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-admin/admin.php?"; nocase; http_uri; content:"page=file-manager/categories"; nocase; http_uri; content:"cid="; nocase; http_uri; pcre:"/cid\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/112708/WordPress-Download-Manager-2.2.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015497; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_hello controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_hello"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/114893/Joomla-Hello-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015498; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress Plugin Newsletter data parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/wp-content/plugins/plugin-newsletter/preview.php?"; nocase; http_uri; fast_pattern:19,19; content:"data="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/113413/WordPress-Newsletter-1.5-File-Disclosure.html; classtype:web-application-attack; sid:2015499; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Geo Location IP info online service (geoiptool.com)"; flow:established,to_server; content:"GET"; http_method; urilen:1; content:"/"; http_uri; content:"Host\|3A\| "; http_header; content:"geoiptool.com\|0d 0a\|"; within:20; http_header; reference:md5,04f02d7fea812ef78d2340015c5d768e; classtype:policy-violation; sid:2015500; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN ProxyBox - HTTP CnC - Checkin Response"; flow:established,to_client; file_data; content:"1234567890\|0a\|"; within:11; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015501; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox -ProxyBotCommand - CHECK_ME"; flow:established,to_server; content:"CHECK_ME\|0D 0A\|Port\|3a\| "; depth:16; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015502; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - .com.tw/check_version.php"; flow:established,to_server; content:"/check_version.php"; http_uri; content:"&version="; http_uri; content:".com.tw\|0D 0A\|"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015503; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - POST 1-letter.php"; flow:established,to_server; content:"POST"; http_method; urilen:6; content:"Indy Library"; http_header; pcre:"/^\/[a-z]\.php/U"; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015504; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - getiplist.php"; flow:established,to_server; content:"/getiplist.php"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015505; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - get_servers.php"; flow:established,to_server; content:"/get_servers.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015506; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ProxyBox - HTTP CnC - botinfo.php"; flow:established,to_server; content:"/botinfo.php?"; http_uri; content:!"User-Agent"; http_header; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015508; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED ProxyBox - HTTP CnC - proxy_info.php"; flow:established,to_server; content:"/proxy_info.php"; http_uri; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015509; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - I_AM"; flow:established,to_server; content:"I_AM\|0D 0A\|"; depth:6; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015510; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN ProxyBox - ProxyBotCommand - FORCE_AUTHENTICATION"; flow:established,to_client; content:"FORCE_AUTHENTICATION_"; depth:21; reference:url,www.symantec.com/security_response/writeup.jsp?docid=2012-071005-4515-99&tabid=2; classtype:trojan-activity; sid:2015511; rev:2;) + +#Darren Spruell +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Urlzone/Bebloh/Bublik Checkin /was/vas.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/vas.php"; http_uri; fast_pattern:only; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015512; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific config files upload"; flow:established,to_server; content:"STOR "; content:".conf\|0d 0a\|"; distance:0; fast_pattern; pcre:"/^\s?STOR\s+[^\r\n]?\x2f(tgt\|trace\|rbp(c\|p))\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015513; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit nsswitch.conf Upload"; flow:established,to_server; content:"STOR "; content:"nsswitch.conf\|0d 0a\|"; distance:0; pcre:"/^\s?STOR\s+[^\r\n]?nsswitch\.conf\r$/mi"; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015514; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"ET EXPLOIT Potential RoaringBeast ProFTPd Exploit Specific (CHMOD 777)"; flow:established,to_server; content:"SITE CHMOD 777 NONEXISTANT"; depth:26; reference:url,www.exploit-db.com/exploits/18181/; reference:url,stopmalvertising.com/malware-reports/the-c3284d-malware-network-stats.php.html; classtype:trojan-activity; sid:2015515; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS RedKit PluginDetect Rename Saigon"; flow:established,from_server; content:"var Saigon={version\|3a 22\|"; fast_pattern:only; classtype:trojan-activity; sid:2015516; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .HTM being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".htm"; nocase; distance:0; http_uri; classtype:bad-unknown; sid:2015517; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS .PHP being served from WP 1-flash-gallery Upload DIR (likely malicious)"; flow:established,to_server; content:"/wp-content/uploads/fgallery/"; fast_pattern:11,18; nocase; http_uri; content:".php"; distance:0; http_uri; classtype:bad-unknown; sid:2015518; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Split String Obfuscated Math Floor - July 19th 2012"; flow:established,to_client; file_data; content:"=Math\|3B\|"; distance:0; content:"[\|22\|f"; distance:0; content:"\|22\|+\|22\|"; within:15; content:"r\|22\|]"; within:12; classtype:trojan-activity; sid:2015519; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Applet Structure"; flow:established,to_client; content:"<\|2F\|script><applet/archive="; fast_pattern; content:".jar"; within:20; content:"code=\|22\|"; distance:0; content:"\|22\|><param/name=\|22\|"; distance:9; within:15; content:"<\|2F\|applet><\|2F\|body><\|2F\|html>"; distance:0; pcre:"/code\x3D\x22[a-z]{4}\x2E[a-z]{4}\x22/i"; classtype:trojan-activity; sid:2015520; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET TROJAN Pakes2 - Server Hello"; flow:established,to_client; dsize:11; content:"\|01 00 01 ae 84 e3 aa 1f 90\|"; offset:2; depth:9; classtype:trojan-activity; sid:2015521; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Pakes2 - Client Alive"; flow:established,to_server; dsize:6; content:"\|01 00 21 01\|"; offset:2; depth:4; classtype:trojan-activity; sid:2015522; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - Checkin - /test.php"; flow:established,to_server; urilen:9; content:"/test.php"; http_uri; fast_pattern:only; content:!"User-Agent"; http_header; classtype:trojan-activity; sid:2015523; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS c3284d Malware Network Compromised Redirect (comments 3)"; flow:established,from_server; file_data; content:"/c3284d/"; fast_pattern:only; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; classtype:trojan-activity; sid:2015524; rev:2;) + +# +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED Blackhole try eval prototype string splitting evasion Jul 24 2012"; flow:established,from_server; file_data; content:"try{eval(\|22\|p"; fast_pattern; content:"\|3b\|}catch("; within:30; classtype:trojan-activity; sid:2015525; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 1 Inbound"; flow:established,to_server; content:"User-Agent\|3a\|"; http_header; content:!" Mozilla/5.0 (compatible\|3b\| Googlebot/2.1\|3b\| +http\|3a\|//www.google.com/bot.html)\|0d 0a\|"; http_header; within:75; content:!" Googlebot/2.1 (+http\|3a\|//www.google.com/bot.html)\|0d 0a\|"; http_header; within:50; content:"Googlebot"; fast_pattern; http_header; nocase; distance:0; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot[^\-].+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:bad-unknown; sid:2015526; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Fake Googlebot UA 2 Inbound"; flow:established,to_server; content:"User-Agent\|3a\|"; http_header; content:!"Googlebot-News\|0d 0a\|"; within:16; http_header; content:!" Googlebot-Image/1.0\|0d 0a\|"; within:22; http_header; content:!" Googlebot-Video/1.0\|0d 0a\|"; within:22; http_header; content:"Googlebot-"; fast_pattern; http_header; nocase; distance:0; content:!"Mobile/2.1\|3b\| +http\|3a\|//www.google.com/bot.html)\|0d 0a\|"; within:46; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?Googlebot-.+?\r$/Hmi"; reference:url,www.incapsula.com/the-incapsula-blog/item/369-was-that-really-a-google-bot-crawling-my-site; reference:url,support.google.com/webmasters/bin/answer.py?hl=en&answer=1061943; classtype:network-scan; sid:2015527; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET [5080,$HTTP_PORTS] (msg:"ET TROJAN Win32.Agent2.fher Related User-Agent (Microsoft Internet Updater)"; flow:established,to_server; content:"User-Agent\|3a\| Microsoft\|20\|Internet\|20\|Updater\|0d 0a\|"; fast_pattern:12,20; reference:md5,2c832d51e4e72dc3939c224cc282152c; classtype:trojan-activity; sid:2015528; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Googlebot User-Agent Outbound (likely malicious)"; flow:to_server,established; content:"Googlebot"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]?Googlebot/Hmi"; classtype:bad-unknown; sid:2015529; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to RunForestRun DGA Domain 16-alpha.waw.pl"; flow:established,to_server; content:".waw.pl\|0D 0A\|"; nocase; fast_pattern:only; http_header; pcre:"/^Host\x3a\s[^\r\n]+?\.[abedgfihkmlonqpsruwvyxz]{16}\.waw\.pl\r$/Hmi"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015530; rev:3;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to RunForestRun DGA Domain 16-alpha.waw.pl"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|10\|"; distance:0; content:"\|03\|waw\|02\|pl\|00\|"; fast_pattern; within:24; nocase; pcre:"/\x10[abedgfihkmlonqpsruwvyxz]{16}\x03waw\x02pl\x00/i"; reference:url,blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/; reference:url,blog.opendns.com/2012/07/10/opendns-security-team-blackhole-exploit/; classtype:bad-unknown; sid:2015531; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess HTTP GET request"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?w="; fast_pattern:only; http_uri; content:"&i="; http_uri; content:"&v="; http_uri; content:"Host\|3a 20\|"; depth:6; http_header; content:"Connection\|3a 20\|close\|0d 0a\|Cookie\|3a 20\|"; http_header; content:!"Accept"; http_header; pcre:"/\/\d{10}\?w=\d{3}&i=\d{6,10}&v=\d\.\d$/U"; classtype:trojan-activity; sid:2015535; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Generic - ProxyJudge Reverse Proxy Scoring Activity"; flow:established,to_client; file_data; content:"ProxyJudge V"; fast_pattern:only; nocase; classtype:trojan-activity; sid:2015532; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Karagany checkin (sid5 1)"; flow:to_server,established; content:"?f="; http_uri; content:"&t="; http_uri; content:"&sid5="; http_uri; content:!"Accept\|3a\| "; http_header; classtype:trojan-activity; sid:2015533; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Karagany checkin (sid5 2)"; flow:to_server,established; content:"?mode="; http_uri; content:"&f="; http_uri; content:"&sid5="; http_uri; content:!"Accept\|3a\| "; http_header; classtype:trojan-activity; sid:2015534; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress featurific-for-wordpress plugin snum parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/featurific-for-wordpress/cached_image.php?"; nocase; http_uri; fast_pattern:19,20; content:"snum="; nocase; http_uri; pcre:"/snum\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/107256/WordPress-Featurific-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015536; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"3356DB7C-58A7-11D4-AA5C-006097314BF8"; nocase; distance:0; content:"installAppMgr"; nocase; distance:0; reference:url,packetstormsecurity.org/files/82969/Symantec-AppStream-LaunchObj-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015537; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView ActiveX CreateNewFolderFromName Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"A09AE68F-B14D-43ED-B713-BA413F034904"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015538; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"WZFILEVIEW.FileViewCtrl.61"; nocase; distance:0; content:"CreateNewFolderFromName"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83024/WinZip-FileView-WZFILEVIEW.FileViewCtrl.61-ActiveX-Buffer-Overflow.html; classtype:attempted-user; sid:2015539; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_picasa2gallery controller parameter Local File Inclusion vulnerability"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_picasa2gallery"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/90915/Joomla-Picasa2Gallery-1.2.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015540; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Commentics id parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/comments/admin/index.php?"; nocase; http_uri; content:"page=edit_page"; nocase; http_uri; content:"id="; nocase; http_uri; pcre:"/id\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/113996/Commentics-2.0-Cross-Site-Request-Forgery-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015541; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Wordpress clickdesk-live-support-chat plugin cdwidgetid parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/wp-content/plugins/clickdesk-live-support-chat/clickdesk.php?"; nocase; http_uri; fast_pattern:19,20; content:"cdwidgetid="; nocase; http_uri; pcre:"/cdwidgetid\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/107255/WordPress-Clickdesk-Live-Support-Chat-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015542; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles menu Parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/Full_Release/include/body_admin.inc.php?"; nocase; http_uri; content:"menu="; nocase; http_uri; pcre:"/menu=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015543; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS phpProfiles topic_title parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/full_release/community.php?"; nocase; http_uri; content:"action="; nocase; http_uri; content:"comm_id="; nocase; http_uri; content:"topic_title="; nocase; http_uri; pcre:"/topic\_title\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/114971/phpProfiles-4.5.4-Beta-XSS-RFI-SQL-Injection.html; classtype:web-application-attack; sid:2015544; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla PollXT component Itemid parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_pollxt"; nocase; http_uri; content:"Itemid="; nocase; http_uri; content:"\|2e 2e 2f\|"; nocase; depth:200; reference:url,packetstormsecurity.org/files/94681/Joomla-PollXT-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015545; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan Cridex checkin"; flow:established,to_server; content:"POST"; http_method; content:"/mx5/B/in/"; fast_pattern:only; http_uri; reference:url,blog.webroot.com/2012/07/13/spamvertised-american-airlines-themed-emails-lead-to-black-hole-exploit-kit/; reference:url,stopmalvertising.com/rootkits/analysis-of-cridex.html; classtype:trojan-activity; sid:2015546; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pakes2 - EXE Download Request"; flow:established,to_server; urilen:<12; content:".exe"; http_uri; fast_pattern; content:"1.1\|0D 0A\|User-Agent\|3a\| Mozilla/4.0\|0D 0A\|Host\|3a\| "; content:"\|0D 0A 0D 0A\|"; within:19; classtype:trojan-activity; sid:2015547; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015548; rev:10;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 2"; flow:established,to_server; urilen:5; content:"/mix/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015549; rev:4;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET DNS Query for a Suspicious .upas.su domain"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|upas\|02\|su\|00\|"; fast_pattern; nocase; distance:0; classtype:bad-unknown; sid:2015550; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS HTTP Request to a .upas.su domain"; flow:to_server,established; content:".upas.su\|0d 0a\|"; fast_pattern:only; http_header; classtype:bad-unknown; sid:2015551; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN HTExploit Method"; flow:established,to_server; content:"POTATO "; depth:7; reference:url,www.mkit.com.ar/labs/htexploit/download.php; classtype:trojan-activity; sid:2015552; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake-AV Conditional Redirect (Blackmuscats)"; flow:established,to_server; content:"/blackmuscats?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/07/blackmuscats-conditional-redirections-to-faveav.html/; classtype:trojan-activity; sid:2015553; rev:2;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 3"; flow:established,to_server; urilen:7; content:"/login/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015558; rev:3;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Cridex Self Signed SSL Certificate (TR, Some-State, Internet Widgits)"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; within:7; content:"\|55 04 06 13 02\|TR"; content:"\|55 04 08 13 0a\|Some-State"; distance:0; content:"\|13 18\|Internet Widgits Pty"; within:35; classtype:trojan-activity; sid:2015559; rev:4;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Suspicious Self Signed SSL Certificate to (MyCompany Ltd) could be SSL CnC"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; within:7; content:"MyCompany Ltd"; classtype:bad-unknown; sid:2015560; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF Using CCITTFax Filter"; flow:established,to_client; content:"obj"; content:"<<"; within:4; content:"/CCITTFaxDecode"; distance:0; reference:url,nakedsecurity.sophos.com/2012/04/05/ccittfax-pdf-malware/; reference:url,blog.fireeye.com/research/2012/07/analysis-of-a-different-pdf-malware.html#more; classtype:bad-unknown; sid:2015561; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.Win32.Jorik.Totem.vg HTTP request"; flow:established,to_server; content:"/?xclzve_"; depth:9; http_uri; reference:md5,cf5df13f8498326f1c6407749b3fe160; classtype:trojan-activity; sid:2015562; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz BarcodeWiz.dll ActiveX Control Barcode Method Remote Buffer Overflow Attempt"; flow:to_client,established; content:"CLSID"; nocase; content:"CD3B09F1-26FB-41CD-B3F2-E178DFD3BCC6"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015563; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible BarCodeWiz (BARCODEWIZLib.BarCodeWiz) ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"BARCODEWIZLib.BarCodeWiz"; nocase; distance:0; content:"Barcode"; nocase; distance:0; reference:url,securityfocus.com/bid/54701; classtype:attempted-user; sid:2015564; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ManageEngine Applications Manager attributeToSelect parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/jsp/ThresholdActionConfiguration.jsp?"; nocase; http_uri; content:"resourceid="; nocase; http_uri; content:"attributeIDs="; nocase; http_uri; content:"attributeToSelect="; nocase; http_uri; pcre:"/attributeToSelect\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,securityfocus.com/bid/54759/; classtype:web-application-attack; sid:2015565; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"54BDE6EC-F42F-4500-AC46-905177444300"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015566; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible AOL ICQ ActiveX Control DownloadAgent Method Access Arbitrary File Download and Execute 2"; flow:to_client,established; file_data; content:"ActiveXObject"; distance:0; nocase; content:"ICQPhone.SipxPhoneManager.1"; nocase; distance:0; content:"DownloadAgent"; nocase; distance:0; reference:url,packetstormsecurity.org/files/83020/America-Online-ICQ-ActiveX-Control-Arbitrary-File-Download-and-Execute..html; classtype:attempted-user; sid:2015567; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_jeformcr view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_jeformcr"; fast_pattern:only; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/94549/Joomla-Jeformcr-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015568; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla Bsadv controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_bsadv"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/94540/Joomla-Basdv-Local-File-Inclusion-Directory-Traversal.html; classtype:web-application-attack; sid:2015569; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_mailchimpccnewsletter controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_mailchimpccnewsletter"; fast_pattern:only; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/95332/Joomla-MailChimpCCNewsletter-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015570; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS pragmaMx img_url parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/plugins/imgpopup/img_popup.php?"; nocase; http_uri; content:"img_url="; nocase; http_uri; pcre:"/img\_url\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/113035/pragmaMx-1.12.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015571; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS TEMENOS T24 skin parameter Cross-Site Scripting Attempt"; flow:established,to_server; content:"/genrequest.jsp?"; nocase; http_uri; content:"routineName="; nocase; http_uri; content:"routineArgs="; nocase; http_uri; content:"compId="; nocase; http_uri; content:"skin="; nocase; http_uri; pcre:"/skin\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/115126/Temenos-T24-R07.03-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015572; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Yszz JS/Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"\|2f 2a\|Yszz 0.7 vip\|2a 2f\|"; fast_pattern:only; nocase; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015573; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption (Used in KaiXin Exploit Kit)"; flow:to_client,established; file_data; content:"CWS"; within:3; content:"<doswf version="; fast_pattern:only; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015574; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Java Class"; flow:to_client,established; file_data; content:"PK"; within:2; content:"Gond"; pcre:"/^(?:a(?:ttack\|dExp)\|([a-z])\1)\.class/Ri"; reference:url,kahusecurity.com/2012/new-chinese-exploit-pack/; classtype:attempted-user; sid:2015575; rev:4;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to tor2web.org Domain (.onion proxy)"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|07\|tor2web\|03\|org\|00\|"; nocase; distance:0; reference:url,tor2web.org; classtype:bad-unknown; sid:2015576; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Lile.A DoS Outbound"; flow:established,to_server; content:"GET"; http_method; content:"UserAgent\|3a\|"; http_header; content:"Windows 98"; fast_pattern:only; http_header; content:"Host\|3a\| www.fbi.gov"; http_header; threshold:type limit, track by_src, count 1, seconds 30; reference:url,symantec.com/security_response/writeup.jsp?docid=2005-101311-0945-99&tabid=2; reference:md5,d6d0cd7eca2cef5aad66efbd312a7987; classtype:trojan-activity; sid:2015577; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Obfuscated Javascript redirecting to badness August 6 2012"; flow:established,from_server; content:"text/javascript'>var wow="; content:"document.cookie.indexOf"; distance:0; within:70; classtype:bad-unknown; sid:2015578; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing Page Structure"; flow:established,to_client; content:"\|3c\|script>try{"; fast_pattern; content:"Math."; within:15; content:"}catch("; within:20; content:"eval"; within:17; classtype:trojan-activity; sid:2015579; rev:6;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Replace JavaScript Large Obfuscated Blob - August 3rd 2012"; flow:established,to_client; content:"=\|22\|"; isdataat:300,relative; content:"\|22\|"; within:300; content:"\|22\|.replace(/"; distance:0; content:"/g.\|22 22 29 3B\|"; fast_pattern; within:30; classtype:trojan-activity; sid:2015580; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Atadommoc.C - HTTP CnC"; flow:established,to_server; content:"POST"; http_method; content:"rxT"; http_client_body; depth:3; classtype:trojan-activity; sid:2015581; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments"; flow:established,to_client; file_data; content:"FoxxySF Website Copier"; distance:0; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015583; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FoxxySoftware - Comments(2)"; flow:established,to_client; content:"Added By FoxxySF"; fast_pattern:only; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015584; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS FoxxySoftware - Hit Counter Access"; flow:to_server,established; content:"/wtf/callback=getip"; fast_pattern:only; http_uri; nocase; content:".php?username="; nocase; http_uri; content:"&website="; nocase; http_uri; content:"foxxysoftware.org"; http_header; nocase; reference:url,blog.eset.com/2012/08/07/foxxy-software-outfoxed; classtype:trojan-activity; sid:2015585; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page You Will Be Forwarded - 7th August 2012"; flow:established,to_client; file_data; content:"<h1><b>Please wait a moment. You will be forwarded...<\|2F\|h1><\|2F\|b>"; distance:0; classtype:trojan-activity; sid:2015582; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Redirection Page Try Math.Round Catch - 7th August 2012"; flow:established,to_client; file_data; content:"try{"; distance:0; content:"=Math.round\|3B\|}catch("; distance:0; classtype:trojan-activity; sid:2015586; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN MP-FormGrabber Checkin"; flow:established,to_server; content:"/panel/gate.php?host="; nocase; http_uri; content:"&data="; nocase; distance:0; http_uri; reference:url,www.xylibox.com/2012/08/mp-formgrabber.html?spref=tw; classtype:trojan-activity; sid:2015587; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable WriteProcessMemory"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; within:4; content:"WriteProcessMemory"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss/_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015588; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET POLICY Suspicious Windows Executable CreateRemoteThread"; flow:established,to_client; file_data; content:"MZ"; within:2; byte_jump:4,58,relative,little; content:"PE\|00 00\|"; distance:-64; content:"CreateRemoteThread"; nocase; fast_pattern:only; reference:url,sans.org/reading_room/whitepapers/malicious/rss_33649; reference:url,jessekornblum.livejournal.com/284641.html; reference:url,msdn.microsoft.com/en-us/library/windows/desktop/ms682437%28v=vs.85%29.aspx; classtype:misc-activity; sid:2015589; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Intial Structure - 8th August 2012"; flow:established,to_client; file_data; content:"\|3C\|html\|3E 3C\|body\|3E 3C\|script\|3E\|"; within:20; content:"=function\|28 29 7B\|"; fast_pattern; distance:1; within:12; classtype:trojan-activity; sid:2015590; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Potential Blackhole Zeus Drop - 8th August 2012"; flow:established,to_client; file_data; content:"P\|00\|r\|00\|o\|00\|d\|00\|u\|00\|c\|00\|t\|00\|N\|00\|a\|00\|m\|00\|e"; content:"n\|00\|o\|00\|n\|00\|a\|00\|m\|00\|e"; fast_pattern; within:15; classtype:trojan-activity; sid:2015591; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Specific JavaScript Replace hwehes - 8th August 2012"; flow:established,to_client; file_data; content:".replace(/hwehes/g"; fast_pattern:only; classtype:trojan-activity; sid:2015592; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sutra TDS /simmetry"; flow:to_server,established; content:"/simmetry?"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/08/very-good-malware-redirection.html; classtype:trojan-activity; sid:2015593; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Initialization"; flow:to_server,established; content:"\|0c 00 00 00 40 01 73 00\|"; depth:8; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015594; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN FinFisher Malware Connection Handshake"; flow:to_server,established; content:"\|5c 00 00 00 a0 02 72 00 0c 00 00 00 40 04 fe 00\|"; depth:16; reference:url,community.rapid7.com/community/infosec/blog/2012/08/08/finfisher; classtype:trojan-activity; sid:2015595; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown .rr.nu Malware landing page"; flow:established,to_server; content:"/sl.php"; http_uri; content:".rr.nu\|0D 0A\|"; fast_pattern:only; http_header; reference:url,isc.sans.edu/diary.html?storyid=13864; classtype:bad-unknown; sid:2015596; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .gowin7.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|06\|gowin7\|03\|com\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015597; rev:2;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .secuurity.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|09\|secuurity\|03\|net\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015598; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .bestcomputeradvisor.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|13\|bestcomputeradvisor\|03\|com\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015599; rev:3;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .dotnetadvisor.info"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0d\|dotnetadvisor\|04\|info\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015600; rev:3;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .dataspotlight.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0d\|dataspotlight\|03\|net\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015601; rev:3;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .guest-access.net"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0c\|guest-access\|03\|net\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015602; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested - /spl_data/"; flow:established,to_server; content:"/spl_data/"; http_uri; fast_pattern:only; content:" Java/"; http_header; classtype:trojan-activity; sid:2015603; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Java Exploit Requested .jar Naming Pattern"; flow:established,to_server; content:"-a."; http_uri; content:".jar"; http_uri; fast_pattern:only; content:" Java/"; http_header; pcre:"/\/[a-z]{4,20}-a\.[a-z]{4,20}\.jar$/U"; classtype:trojan-activity; sid:2015604; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY SPL - Landing Page Received"; flow:established,to_client; file_data; content:"application/x-java-applet"; content:"width=\|22\|0\|22\| height=\|22\|0\|22\|>"; fast_pattern; within:100; classtype:trojan-activity; sid:2015605; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"6F255F99-6961-48DC-B17E-6E1BCCBC0EE3"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015606; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"HPESPRIT.XMLCacheMgr.1"; nocase; distance:0; content:"CacheDocumentXMLWithId"; nocase; distance:0; reference:url,1337day.com/exploits/17395; classtype:attempted-user; sid:2015607; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Kazaa Altnet Download Manager ActiveX Control Install Method Access Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"DEF37997-D9C9-4A4B-BF3C-88F99EACEEC2"; nocase; distance:0; content:".Install("; nocase; distance:0; reference:url,packetstormsecurity.org/files/83086/Kazaa-Altnet-Download-Manager-ActiveX-Control-Buffer-Overflow.html; classtype:attempted-user; sid:2015608; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Advanced Text Widget plugin page parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/advanced-text-widget/advancedtext.php?"; nocase; http_uri; fast_pattern:19,22; content:"page="; nocase; http_uri; pcre:"/page\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/107192/WordPress-Advanced-Text-Widget-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015609; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress Lanoba Social plugin action parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/lanoba-social-plugin/index.php?"; nocase; http_uri; fast_pattern:19,22; content:"action="; nocase; http_uri; pcre:"/action\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,packetstormsecurity.org/files/107191/WordPress-Lanoba-Social-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2015610; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla je-media-player view parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/components/je-media-player.html?"; nocase; http_uri; content:"view="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/91171/Joomla-JE-Media-Player-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015611; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST show_scaled_image.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/gallery_files/show_scaled_image.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015612; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS dirLIST thumb_gen.php Local File Inclusion Attempt"; flow:established,to_server; content:"/dirLIST_files/thumb_gen.php?"; nocase; http_uri; content:"image_path="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/115381/dirLIST-0.3.0-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015613; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS BaglerCMS articleID parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/baglercms.php?"; nocase; http_uri; content:"articleID="; nocase; http_uri; pcre:"/articleID\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,1337day.com/exploits/18221; classtype:web-application-attack; sid:2015614; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress LiveGrounds plugin uid parameter Cross-Site Script Attempt"; flow:established,to_server; content:"/wp-content/plugins/livegrounds/lg_crop.php?"; nocase; http_uri; fast_pattern:19,13; content:"uid="; nocase; http_uri; pcre:"/uid\x3d.+(s(cript\|tyle\x3D)\|on(mouse[a-z]\|key[a-z]\|load\|unload\|dragdrop\|blur\|focus\|click\|dblclick\|submit\|reset\|select\|change))/Ui"; reference:url,1337day.com/exploits/18932; classtype:web-application-attack; sid:2015615; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN DOCHTML C&C http directive in HTML comments"; flow:established,from_server; content:"\|3c\|!-- DOCHTMLhttp\|3a\|//"; reference:url,blog.accuvantlabs.com/blog/dgrif/anatomy-targeted-attack; classtype:trojan-activity; sid:2015616; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Smardf/Boaxxe GET to cc.php3"; flow:established,to_server; content:"/cc.php3"; http_uri; fast_pattern:only; content:"GET"; http_method; content:!"\|0d 0a\|Accept"; http_header; reference:md5,f856b4c526c3e5cee9d47df59295d2e1; reference:md5,232b4dbed0453e2a952630fb1076248f; classtype:trojan-activity; sid:2015617; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Gauss Domain .datajunction.org"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0c\|datajunction\|03\|org\|00\|"; fast_pattern; nocase; distance:0; reference:url,www.securelist.com/en/analysis/204792238/Gauss_Abnormal_Distribution; classtype:bad-unknown; sid:2015618; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS gr8domain.biz hostile redirector seen with Blackhole and Fake AV - Aug 08 2012"; flow:established,to_server; content:".gr8domain.biz\|0d 0a\|"; http_header; fast_pattern:only; pcre:"/Host\x3a[^\r\n]+\.gr8domain\.biz/i"; classtype:trojan-activity; sid:2015619; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page JavaScript Replace - 13th August 2012"; flow:established,to_client; file_data; content:"=document.body.childNodes["; content:"].innerHTML.replace(/"; distance:1; within:21; content:"/g,\|22 22\|)\|3B\|"; within:30; classtype:trojan-activity; sid:2015620; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page ChildNodes.Length - August 13th 2012"; flow:established,to_client; file_data; content:"=0\|3B\|i<document.body.childNodes.length\|3B\|i++{"; classtype:trojan-activity; sid:2015621; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing Page Hwehes String - August 13th 2012"; flow:established,to_client; file_data; content:"hwehes"; content:"hwehes"; distance:0; content:"hwehes"; distance:0; content:"hwehes"; distance:0; classtype:trojan-activity; sid:2015622; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Urlzone/Bebloh/Bublik Checkin /was/uid.php"; flow:established,to_server; content:"POST"; http_method; content:"/was/uid.php"; fast_pattern:only; http_uri; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3aWin32%2fBublik.B; reference:url,www.threatexpert.com/report.aspx?md5=3ccc73f049a1de731baf7ea8915c92a8; reference:url,www.threatexpert.com/report.aspx?md5=91ce41376a5b33059744cb58758213bb; reference:url,www.threatexpert.com/report.aspx?md5=21880326089f2eab466128974fc70d24; classtype:trojan-activity; sid:2015623; rev:1;) + +# +alert tcp $HOME_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Magento XMLRPC-Exploit Attempt"; flow:established,to_server; content:"POST"; nocase; http_method; content:"/api/xmlrpc"; http_uri; content:"file\|3a 2f 2f 2f\|"; reference:url,www.magentocommerce.com/blog/comments/important-security-update-zend-platform-vulnerability/; reference:url,www.magentocommerce.com/blog/update-zend-framework-vulnerability-security-update; reference:url,www.exploit-db.com/exploits/19793/; classtype:web-application-attack; sid:2015625; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (6 Byte keyword)"; flow:to_server,established; content:"\|00 00\|"; offset:8; depth:2; content:"\|00 00 78 9C\|"; distance:2; within:4; byte_test:2,>,15,6,little; pcre:"/^[a-z0-9]{6}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015627; rev:4;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET DELETED Backdoor.Win32.Gh0st Checkin (7 Byte keyword)"; flow:to_server,established; content:"\|00 00\|"; offset:9; depth:2; content:"\|00 00 78 9C\|"; distance:2; within:4; byte_test:2,>,15,7,little; pcre:"/^[a-z0-9]{7}..\x00\x00/i"; reference:url,www.securelist.com/en/descriptions/10155706/Trojan-GameThief.Win32.Magania.eogz; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Backdoor%3AWin32%2FPcClient.ZR&ThreatID=-2147325231; reference:url,labs.alienvault.com/labs/index.php/2012/new-macontrol-variant-targeting-uyghur-users-the-windows-version-using-gh0st-rat/; reference:url,www.infowar-monitor.net/2009/09/tracking-ghostnet-investigating-a-cyber-espionage-network/; reference:url,blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/; classtype:trojan-activity; sid:2015628; rev:4;) + +#Nathan +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Shamoon/Wiper/DistTrack Checkin"; flow:to_server,established; content:"/data.asp?mydata="; http_uri; content:"&uid="; http_uri; content:"&state="; http_uri; content:"User-Agent\|3a\| you"; http_header; reference:url,www.symantec.com/connect/blogs/shamoon-attacks; reference:url,www.securelist.com/en/blog/208193786/Shamoon_the_Wiper_Copycats_at_Work; reference:url,kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/23000/PD23936/en_US/McAfee_Labs_Threat_Advisory_W32_DistTrack.pdf; classtype:trojan-activity; sid:2015632; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Cridex Response from exfiltrated data upload"; flow:to_client,established; file_data; content:"\|de ad be ef\|"; distance:0; content:"\|00 01 00 00 00\|"; distance:3; within:5; reference:url,www.virustotal.com/file/00bf5b6f32b6a8223b8e55055800ef7870f8acaed334cb12484e44489b2ace24/analysis/; reference:url,www.packetninjas.net; classtype:trojan-activity; sid:2015629; rev:3;) + +# +##alert ip $HOME_NET any -> [184.82.162.163/32,184.22.103.202/32,158.255.211.28/32] any (msg:"ET DELETED Possible XDocCrypt/Dorifel CnC IP"; threshold:type limit, track by_src, count 1, seconds 600; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015630; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Possible XDocCrypt/Dorifel Checkin"; flow:established,to_server; content:"GET"; http_method; content:"&pin="; http_uri; content:"&crc="; http_uri; content:"&uniq="; http_uri; reference:url,www.fox-it.com/en/blog/xdoccryptdorifel-document-encrypting-and-network-spreading-virus; classtype:trojan-activity; sid:2015631; rev:4;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET INFO DYNAMIC_DNS Query to Abused Domain .mooo.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|mooo\|03\|com\|00\|"; fast_pattern; distance:0; threshold: type limit, count 1, track by_src, seconds 300; classtype:misc-activity; sid:2015633; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO DYNAMIC_DNS HTTP Request to Abused Domain .mooo.com"; flow:established,to_server; content:".mooo.com\|0D 0A\|"; http_header; classtype:bad-unknown; sid:2015634; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Briba Checkin"; flow:to_server,established; content:"POST"; nocase; http_method; content:"loginmid="; http_client_body; content:"nickid="; http_client_body; reference:url,labs.alienvault.com/labs/index.php/2012/cve-2012-1535-adobe-flash-being-exploited-in-the-wild/; classtype:trojan-activity; sid:2015635; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible CA eTrust PestPatrol ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6"; nocase; distance:0; content:".Initialize("; nocase; distance:0; reference:url,exploit-db.com/exploits/16630/; classtype:attempted-user; sid:2015636; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015637; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; pcre:"/IP=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015638; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Remote File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; pcre:"/wgDekiPluginPath=\s(ftps?\|https?\|php)\:\//Ui"; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015639; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki link.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/gui/link.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015640; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki deki_plugin.php Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"IP="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015641; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS MindTouch Deki Wiki wgDekiPluginPath parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/web/deki/plugins/deki_plugin.php?"; nocase; http_uri; content:"wgDekiPluginPath="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/115479/MindTouch-Deki-Wiki-10.1.3-Local-File-Inclusion-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2015642; rev:2;) + +##by StillSecure +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; distance:0; content:"525A15D0-4938-11D4-94C7-0050DA20189B"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; reference:url,kb.cert.org/vuls/id/179281; classtype:attempted-user; sid:2015643; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow 2"; flow:to_client,established; file_data; content:"ActiveXObject"; nocase; distance:0; content:"SnoopyX.SnoopyCtrl.1"; nocase; distance:0; content:"CheckRequirements("; nocase; distance:0; reference:url,exploit-db.com/exploits/16609/; classtype:attempted-user; sid:2015644; rev:3;) + +##by StillSecure +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Joomla com_g2bridge controller parameter Local File Inclusion Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"option=com_g2bridge"; nocase; http_uri; content:"controller="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/90150/Joomla-G2Bridge-Local-File-Inclusion.html; classtype:web-application-attack; sid:2015645; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /form"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/search\|0d 0a\|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015646; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit seen with O1/O2.class /search"; flow:established,to_server; content:"/L"; http_uri; depth:2; content:"/form\|0d 0a\|"; http_header; fast_pattern:only; pcre:"/^\/L[a-zA-Z0-9]+\/[a-zA-Z0-9\x5f]+\?[a-z]+=[A-Za-z0-9\x2e]{10,}$/Um"; classtype:trojan-activity; sid:2015647; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Exploit Kit Landing - Aug 21 2012"; flow:established,from_server; content:"\|3c\|html>\|3c\|body>\|3c\|applet "; fast_pattern; content:"code="; within:100; content:">\|3c\|param"; distance:0; content:">\|3c\|script>"; distance:0; content:".split("; within:100; content:").join("; within:100; classtype:trojan-activity; sid:2015648; rev:4;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Fake AV base64 affid initial Landing or owned Check-In, asset owned if /callback/ in URI"; flow:established,to_server; content:"/?"; http_uri; content:"=YWZmaWQ9"; http_uri; classtype:trojan-activity; sid:2015649; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Malicious Redirect n.php h=&s="; flow:to_server,established; content:"/n.php?h="; fast_pattern:only; http_uri; content:"&s="; http_uri; content:".rr.nu\|0d 0a\|"; http_header; pcre:"/\/n\.php\?h=\w?&s=\w{1,5}$/Ui"; reference:url,0xicf.wordpress.com/category/security-updates/; reference:url,support.clean-mx.de/clean-mx viruses.php?domain=rr.nu&sort=first%20desc; reference:url,urlquery.net/report.php?id=111302; classtype:attempted-user; sid:2015669; rev:9;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Javascript 23 Aug 2012 split join split applet"; flow:established,from_server; file_data; content:"\|3c\|script"; distance:0; content:"split(\|22\|"; within:40; content:".join(\|22 22\|).split(\|22 22 29 3b\|"; within:50; classtype:trojan-activity; sid:2015651; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL 23 Aug 2012"; flow:established,from_server; file_data; content:"applet"; distance:0; content:"0xb\|3a\|0x9\|3a\|0x9\|3a\|0x4\|3a\|0x1f\|3a\|0x31\|3a\|0x31\|3a\|"; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015652; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Landing try catch try catch math eval Aug 27 2012"; flow:established,from_server; content:"try{"; content:"\|3b\|}catch("; within:25; content:"){try{"; fast_pattern; within:15; content:"}catch("; within:35; content:"eval("; distance:0; classtype:bad-unknown; sid:2015654; rev:2;) + +# +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 1"; flow:established,to_client; file_data; content:"PK"; within:2; content:"\|2f\|Gondvv.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015655; rev:3;) + +# +##alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET DELETED 0day JRE 17 exploit Class 2"; flow:established,to_client; file_data; content:"PK"; within:2; content:"\|2f\|Gondzz.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; classtype:trojan-activity; sid:2015656; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Exploit Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"\|2f\|Payload.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015657; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS 0day JRE 17 metasploit Payload Class"; flow:established,to_client; file_data; content:"PK"; within:2; content:"Exploit.class"; distance:0; reference:url,blog.sucuri.net/2012/08/java-zero-day-in-the-wild.html; reference:url,metasploit.com/modules/exploit/multi/browser/java_jre17_exec; classtype:trojan-activity; sid:2015658; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Outbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015659; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Outbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015660; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Admin bhadmin.php access Inbound"; flow:established,to_server; content:"/bhadmin.php"; http_uri; fast_pattern:only; classtype:attempted-user; sid:2015661; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - Blackhole Admin Login Inbound"; flow:established,to_server; content:"AuthPass="; http_client_body; content:"AuthLanguage="; http_client_body; content:"AuthTemplate="; http_client_body; classtype:attempted-user; sid:2015662; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015663; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.\.pdf$/U"; classtype:attempted-user; sid:2015664; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015665; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; offset:75; depth:3; http_uri; content:"\|2e\|"; distance:1; within:1; http_uri; content:"\|2e\|"; distance:1; within:1; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015666; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015667; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Landing Page - 100HexChar value and applet"; flow:established,to_client; file_data; content:"<applet"; distance:0; content:"value=\|22\|"; pcre:"/^[a-f0-9]{100}/R"; classtype:attempted-user; sid:2015668; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit suspected Blackhole"; flow:established,to_server; content:".js?"; http_uri; fast_pattern:only; urilen:33<>34; pcre:"/\/\d+\.js\?\d+&[a-f0-9]{16}$/U"; classtype:bad-unknown; sid:2015670; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 1342 (msg:"ET CURRENT_EVENTS Unknown Exploit Kit redirect"; flow:established,to_server; content:"GET /t/"; depth:7; fast_pattern; pcre:"/^[a-f0-9]{32}\sHTTP\x2f1\./Ri"; content:"\|0d 0a\|Host\|3a\| "; distance:0; pcre:"/^[^\r\n]+\x3a1342\r\n/R"; classtype:bad-unknown; sid:2015672; rev:9;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Trojan.JS.QLP Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/read.php?nm="; http_uri; depth:16; content:!"User-Agent\|3a\|"; http_header; classtype:trojan-activity; sid:2015673; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO 3XX redirect to data URL"; flow:from_server,established; content:"3"; depth:1; http_stat_code; content:"Location\|3a\| data\|3a\|"; http_header; fast_pattern:only; classtype:misc-activity; sid:2015674; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO SimpleTDS go.php (sid)"; flow:established,to_server; content:"/go.php?sid="; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015675; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit Payload Download Request - Sep 04 2012"; flow:established,to_server; content:" Java/"; http_header; fast_pattern:only; urilen:>24; content:!".jar"; nocase; http_uri; content:"!.class"; nocase; http_uri; pcre:"/\/[A-Z]{20,}\?[A-Z]=\d$/Ui"; classtype:trojan-activity; sid:2015676; rev:2;) + +#Chris Wakelin +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit binary download request /out.php"; flow:established,to_server; content:"/out.php?id="; fast_pattern:only; http_uri; pcre:"/\/out.php\?id=\d$/U"; classtype:trojan-activity; sid:2015677; rev:3;) + +#Chris Wakelin +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /view.php"; flow:established,to_server; content:"/view.php?i="; http_uri; fast_pattern:only; pcre:"/\/view.php\?i=\d&key=[0-9a-f]{32}$/U"; classtype:trojan-activity; sid:2015678; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Probable Sakura exploit kit landing page with obfuscated URLs"; flow:established,from_server; content:"applet"; content:"myyu?44"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015679; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Nov 09 2012"; flow:established,from_server; file_data; content:"applet"; content:"0b0909041f"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015680; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile FQDN - Sep 05 2012"; flow:established,to_server; content:".justdied.com\|0d 0a\|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015681; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior static initial landing - Sep 05 2012"; flow:established,to_server; content:"/PJeHubmUD"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015682; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit with fast-flux like behavior hostile java archive - Sep 05 2012"; flow:established,to_server; content:"pqvjdujfllkwl.jar"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015683; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole alt URL request Sep 05 2012 bv6rcs3v1ithi.php?w="; flow:established,to_server; content:"/bv6rcs3v1ithi.php?w="; http_uri; fast_pattern:only; reference:url,urlquery.net/report.php?id=158608; classtype:attempted-user; sid:2015684; rev:2;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY Signed TLS Certificate with md5WithRSAEncryption"; flow:established,from_server; content:"\|16 03 01\|"; depth:3; content:"\|02\|"; distance:2; within:1; byte_jump:3,0,relative,big; content:"\|16 03 01\|"; within:3; content:"\|0b\|"; distance:2; within:2; content:"\|30 82\|"; distance:9; within:2; content:"\|30 82\|"; distance:2; within:2; content:"\|a0 03 02 01 02 02\|"; distance:2; within:6; byte_jump:1,0,relative,big; content:"\|30 0d 06 09 2a 86 48 86 f7 0d 01 01 04 05 00\|"; within:15; reference:url,www.win.tue.nl/hashclash/rogue-ca/; reference:url,ietf.org/rfc/rfc3280.txt; reference:url,jensign.com/JavaScience/GetTBSCert/index.html; reference:url,luca.ntop.org/Teaching/Appunti/asn1.html; reference:url,news.netcraft.com/archives/2012/08/31/governments-and-banks-still-using-weak-md5-signed-ssl-certificates.html; classtype:misc-activity; sid:2015686; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET POLICY Inbound /uploadify.php Access"; flow:established,to_server; content:"POST"; http_method; content:"/uploadify.php"; http_uri; nocase; fast_pattern:only; reference:url,blog.sucuri.net/2012/06/uploadify-uploadify-and-uploadify-the-new-timthumb.html; classtype:attempted-recon; sid:2015687; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Remote PHP Code Execution (php.pjpg)"; flow:established,to_server; content:"POST"; http_method; content:".php.pjpg"; fast_pattern:only; http_uri; nocase; reference:url,exploitsdownload.com/search/Arbitrary%20File%20Upload/27; classtype:web-application-attack; sid:2015688; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS DRIVEBY NeoSploit - Java Exploit Requested"; flow:established,to_server; urilen:>89; content:".jar"; http_uri; fast_pattern:only; content:" Java/1"; http_header; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.\.jar$/U"; classtype:attempted-user; sid:2015689; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Obfuscated Payload Requested"; flow:established,to_server; urilen:>89; content:" Java/1"; http_header; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/[0-9]{7}$/U"; classtype:attempted-user; sid:2015690; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - PDF Exploit Requested"; flow:established,to_server; urilen:>89; content:".pdf"; fast_pattern:only; http_uri; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/[0-9]{7,8}\/.\.pdf$/U"; classtype:attempted-user; sid:2015691; rev:1;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED NeoSploit - TDS"; flow:established,to_server; urilen:34; content:"/?"; http_uri; depth:2; pcre:"/^\/\?[a-f0-9]{32}$/U"; classtype:attempted-user; sid:2015692; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - Java"; flow:established,to_server; urilen:>85; content:"/1."; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/1\.[4-7]\.[0-2]\.[0-9]{1,2}\//U"; classtype:attempted-user; sid:2015693; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS NeoSploit - Version Enumerated - null"; flow:established,to_server; urilen:85; content:"/null/null"; http_uri; fast_pattern:only; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/[a-f0-9]{24}\/null\/null$/U"; classtype:attempted-user; sid:2015694; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Generic - 8Char.JAR Naming Algorithm"; flow:established,to_client; content:"-Disposition\|3a\| inline"; http_header; nocase; content:".jar"; http_header; fast_pattern:only; pcre:"/[=\"]\w{8}\.jar/Hi"; file_data; content:"PK"; within:2; classtype:attempted-user; sid:2015695; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 4"; flow:established,to_server; urilen:10; content:"/comments/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015696; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole repetitive applet/code tag"; flow:established,from_server; file_data; content:"applet/code="; content:"/archive="; distance:0; content:".jar"; distance:0; pcre:"/applet\/code=[\x22\x27](?P<val1>[a-zA-Z0-9]+)[a-z]\.(?P=val1)[a-z][\x22\x27][^\x3e]+\.jar[\x22\x27]/"; classtype:trojan-activity; sid:2015697; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SPL Landing Page Requested"; flow:established,to_server; content:"/?"; http_uri; content:"YWZmaWQ9"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015698; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Unknown base64-style Java-based Exploit Kit using github as initial director"; flow:established,to_server; content:"%3D HTTP/1."; fast_pattern:only; content:"/?"; http_uri; isdataat:45,relative; pcre:"/\/\?[a-z0-9]{5,}=[a-zA-Z0-9\x25]{40,}\x253D$/I"; classtype:trojan-activity; sid:2015699; rev:2;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 - URI Structure"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; fast_pattern:only; pcre:"/\.php\?[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/U"; classtype:attempted-user; sid:2015700; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:".php?"; distance:0; pcre:"/^[a-z]{2,12}=[a-f0-9]{64}&[a-z]{2,12}=/R"; classtype:attempted-user; sid:2015701; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SCAN Brutus Scan Outbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015702; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Brutus Scan Inbound"; flow:established,to_server; content:"Brutus/AET"; http_header; classtype:attempted-recon; sid:2015703; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DoSWF Flash Encryption Banner"; flow:to_client,established; file_data; content:"FWS"; within:3; content:"DoSWF"; distance:0; classtype:attempted-user; sid:2015704; rev:5;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 6"; flow:established,to_server; urilen:6; content:"/news/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015705; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 5"; flow:established,to_server; urilen:6; content:"/view/"; http_uri; content:".dyndns"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015706; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO JAVA - document.createElement applet"; flow:established,to_client; file_data; content:"document.createElement"; nocase; content:"applet"; nocase; fast_pattern; within:10; classtype:misc-activity; sid:2015707; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS - Applet Tag In Edwards Packed JavaScript"; flow:established,to_client; file_data; content:"eval(function(p,a,c"; content:"\|7C\|applet\|7C\|"; nocase; fast_pattern:only; classtype:bad-unknown; sid:2015708; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Blackhole Landing to 7-8 chr folder plus index.htm or index.html"; flow:established,to_server; content:"/index.htm"; fast_pattern:only; http_uri; urilen:18<>21; content:!"search"; nocase; http_uri; pcre:"/^\/[A-Za-z0-9]+[A-Z]+[A-Za-z0-9]\/index\.html?$/U"; pcre:"/^\/[A-Za-z0-9]{7,8}\/index\.html?$/U"; classtype:bad-unknown; sid:2015709; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS DRIVEBY Blackhole2 - Landing Page Received"; flow:established,to_client; file_data; content:"<applet"; content:"<param"; distance:0; content:"value="; distance:0; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015710; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day"; flow:established,to_client; file_data; content:".execCommand\|28\|"; nocase; fast_pattern; pcre:"/^[\r\n\s][\x22\x27](s\|\\(x\|u00)[57]3)(e\|\\(x\|u00)[46]5)(l\|\\(x\|u00)[46]c)(e\|\\(x\|u00)[46]5)(c\|\\(x\|u00)[46]3)(t\|\\(x\|u00)[57]4)(A\|\\(x\|u00)[46]1)(l\|\\(x\|u00)[46]c){2}/Ri"; content:".write("; nocase; content:"parent\|2e\|"; nocase; distance:0; pcre:"/^\w+?\[[^\]]+?\]\.src[\r\n\s]=/Ri"; content:"onselect"; nocase; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015711; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Internet Explorer execCommand function Use after free Vulnerability 0day Metasploit"; flow:established,to_client; file_data; content:".execCommand\|28\|"; nocase; pcre:"/^[\r\n\s][\x22\x27]selectAll/Ri"; content:"YMjf\\u0c08\\u0c0cKDog"; fast_pattern:only; reference:url,eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/; reference:cve,CVE-2012-4969; classtype:attempted-user; sid:2015712; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dapato Checkin 8"; flow:established,to_server; content:"GET"; http_method; nocase; content:"?uid={"; http_uri; content:"}&user="; fast_pattern:only; http_uri; content:"&os="; distance:0; http_uri; content:"User-Agent\|3a 20\|Mozilla/4.1"; http_header; reference:md5,de7c781205d31f58a04d5acd13ff977d; classtype:trojan-activity; sid:2015713; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mirage Campaign checkin"; flow:established,to_server; content:"POST"; http_method; content:"/result?hl="; depth:11; http_uri; content:"&meta="; distance:0; http_uri; content:"Mjtdkj"; depth:6; http_client_body; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015714; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Mirage Campaign checkin (port 443)"; flow:established,to_server; content:"POST "; depth:5; content:"/result?hl="; offset:5; depth:11; content:"&meta="; distance:0; content:"\|0d 0a 0d 0a\|Mjtdkj"; distance:0; reference:md5,ce1cdc9c95a6808945f54164b2e4d9d2; reference:url,secureworks.com/research/threats/the-mirage-campaign/; classtype:trojan-activity; sid:2015715; rev:3;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED Blackhole2 - Client reporting targeted software versions"; flow:established,to_server; urilen:>122; content:".php?"; http_uri; content:"="; distance:0; http_uri; content:"&"; http_uri; distance:64; within:1; content:"="; http_uri; distance:0; content:"&"; http_uri; distance:20; within:1; pcre:"/\.php\?[a-z]+=[a-f0-9]{64}&[^\?]+=[a-f0-9]{20}&/U"; classtype:attempted-user; sid:2015716; rev:3;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit (ashburn)"; flow:established,from_server; content:"ashburn@gmail.com"; fast_pattern:only; classtype:trojan-activity; sid:2015717; rev:2;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"\|55 04 0a 0c 0C\|The Internet"; distance:3; within:Certs.len; content:"\|55 04 03 0c 03\|web"; distance:0; classtype:trojan-activity; sid:2015718; rev:2;) + +# +alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC"; flow:from_server,established; content:"\|0d 0a 0d 0a\|c=run&u=/get/"; content:".exe"; distance:0; classtype:trojan-activity; sid:2015902; rev:3;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain palauone.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|08\|palauone\|03\|com\|00\|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015719; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain traindiscover.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|0d\|traindiscover\|03\|com\|00\|"; nocase; distance:4; within:19; fast_pattern; classtype:bad-unknown; sid:2015720; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain manymanyd.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|09\|manymanyd\|03\|com\|00\|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015721; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain whatandwhyeh.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|0c\|whatandwhyeh\|03\|com\|00\|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015722; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN ZeroAccess Checkin"; flow:established,to_server; content:"GET"; http_method; content:"/counter.img?theme="; fast_pattern:only; http_uri; content:"&digits="; http_uri; content:"&siteId="; http_uri; content:"User-Agent\|3a\| Opera/9 (Windows NT"; http_header; reference:url,sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf; classtype:trojan-activity; sid:2015723; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending Jar"; flow:established,from_server; content:"/x-java-archive\|0d 0a\|"; fast_pattern:only; content:"\|0d 0a\|Set-Cookie\|3a 20\|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"\|0d 0a 0d 0a\|PK"; distance:0; classtype:trojan-activity; sid:2015724; rev:10;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql Exploit Kit 09/25/12 Sending PDF"; flow:established,from_server; content:"application/pdf\|0d 0a\|"; fast_pattern:only; content:"\|0d 0a\|Set-Cookie\|3a 20\|"; pcre:"/^[a-zA-Z]{5}=[a-z0-9]{8}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{4}\-[a-f0-9]{12}\r\n/R"; content:"\|0d 0a 0d 0a\|%PDF-"; distance:0; classtype:trojan-activity; sid:2015725; rev:7;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Outbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015726; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Access To mm-forms-community upload dir (Inbound)"; flow:established,to_server; content:"GET"; http_method; content:"/wp-content/plugins/mm-forms-community/upload/temp/"; http_uri; fast_pattern:20,20; reference:url,www.exploit-db.com/exploits/18997/; reference:cve,2012-3574; classtype:trojan-activity; sid:2015727; rev:1;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain bktwenty.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|08\|bktwenty\|03\|com\|00\|"; nocase; distance:4; within:14; fast_pattern; classtype:bad-unknown; sid:2015728; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|09\|adbullion\|03\|com\|00\|"; nocase; distance:4; within:15; fast_pattern; classtype:bad-unknown; sid:2015729; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain sleeveblouse.com 09/20/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|04\|"; distance:0; content:"\|0c\|sleeveblouse\|03\|com\|00\|"; nocase; distance:4; within:18; fast_pattern; classtype:bad-unknown; sid:2015730; rev:2;) + +# +##alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET DELETED g01pack Exploit Kit Landing Page 7"; flow:established,to_server; urilen:7; content:"/feeds/"; http_uri; content:".dyndns"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015731; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole2 - Landing Page Received - classid"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:"<param"; distance:0; content:"value="; pcre:"/^.{1,5}[a-f0-9]{100}/R"; classtype:trojan-activity; sid:2015732; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /sarah.php"; flow:established,to_server; content:"/sarah.php?s="; http_uri; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015733; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sakura exploit kit exploit download request /nano.php"; flow:established,to_server; content:"/nano.php?x="; fast_pattern:only; http_uri; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015734; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Probable Sakura Java applet with obfuscated URL Sep 21 2012"; flow:established,from_server; file_data; content:"applet"; content:"nzzv@55"; fast_pattern; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015735; rev:2;) + +# +alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 2"; flow:from_server,established; content:"\|0d 0a 0d 0a\|c=idl"; fast_pattern; distance:0; isdataat:!1,relative; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015903; rev:6;) + +# +alert tcp $EXTERNAL_NET [$HTTP_PORTS,84] -> $HOME_NET any (msg:"ET TROJAN Win32/Kuluoz.B CnC 3"; flow:from_server,established; content:"200 OK\|0d 0a\|Server\|3a\| "; content:"\|0d 0a 0d 0a\|c=rdl&u="; distance:0; fast_pattern; content:"&a="; distance:0; content:"&k="; distance:0; content:"&n="; distance:0; reference:md5,a88ba0c2b30afba357ebb38df9898f9e; classtype:trojan-activity; sid:2015904; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain defmaybe.com 09/25/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|08\|defmaybe\|03\|com\|00\|"; nocase; distance:0; classtype:bad-unknown; sid:2015736; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHPMyAdmin BackDoor Access"; flow:established,to_server; content:"POST"; http_method; content:"/server_sync.php?"; fast_pattern:only; http_uri; content:"c="; http_uri; pcre:"/\/server_sync.php\?(?:.+?&)?c=/Ui"; reference:url,www.phpmyadmin.net/home_page/security/PMASA-2012-5.php; classtype:attempted-admin; sid:2015737; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript --- padding"; flow:established,from_server; content:"\|0d 0a 0d 0a\|"; content:"d---o---c---u---m---"; within:500; classtype:bad-unknown; sid:2015738; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql applet with obfuscated URL"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"103hj115hj115hj111hj57hj46hj46hj"; within:200; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015739; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING - Redirect To Blackhole - Push JavaScript"; flow:established,to_client; file_data; content:".push( 'h' )\;"; content:".push( 't' )\;"; within:20; classtype:trojan-activity; sid:2015740; rev:1;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query to Unknown CnC DGA Domain adbullion.com 09/26/12"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|09\|adbullion\|03\|com\|00\|"; nocase; distance:0; classtype:bad-unknown; sid:2015741; rev:3;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"\|16 03\|"; content:"\|0b\|"; distance:3; within:1; byte_extract:3,0,Certs.len,relative; content:"\|55 04 06 13 02\|SE"; distance:3; within:Certs.len; content:"\|55 04 08 13 01 20\|"; distance:0; content:"\|55 04 07 13 01 20\|"; distance:0; content:"\|55 04 0a 13 01 20\|"; distance:0; content:"\|55 04 0b 13 01 20\|"; distance:0; content:"\|55 04 03 13 01 20\|"; distance:0; fast_pattern; classtype:trojan-activity; sid:2015742; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; flowbits:isset,ET.http.binary; content:"IsDebuggerPresent"; classtype:misc-activity; sid:2015744; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE CheckRemoteDebuggerPresent (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"CheckRemoteDebuggerPresent"; classtype:misc-activity; sid:2015745; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Possible JBoss/JMX InvokerServlet Auth Bypass Attempt"; flow:established,to_server; content:"POST"; http_method; content:"/invoker/JMXInvokerServlet/"; http_uri; nocase; reference:cve,CVE-2007-1036; reference:url,exploit-db.com/exploits/21080/; classtype:web-application-attack; sid:2015747; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Anti-Hacking Tool"; flow:established,to_server; content:"/update/WinUpdater.exe"; http_uri; content:!"User-Agent\|3a\|"; http_header; reference:md5,93443e59c473b89b5afad940a843982a; reference:url,eff.org/deeplinks/2012/08/syrian-malware-post; classtype:trojan-activity; sid:2015748; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER Possible Oracle SQL Injection utl_inaddr call in URI"; flow:established,to_server; content:"utl_inaddr.get_host"; nocase; http_uri; fast_pattern:only; classtype:attempted-admin; sid:2015749; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12"; flow:established,to_server; urilen:51; content:"/4ff"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015750; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible landing page 10/01/12 (2)"; flow:established,to_server; urilen:51; content:"/504"; http_uri; depth:4; pcre:"/^\/[a-f0-9]{24}\/[a-f0-9]{24}\/$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015751; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Windows EXE with alternate byte XOR 51 - possible SofosFO/NeoSploit download"; flow:established,to_client; content:"\|0d 0a\|Mi"; isdataat:76,relative; content:"\|54 5b 69 40 20 43 72 5c 67 41 61 5e 20 50 61 5d 6e 5c 74 13 62 56 20 41 75 5d 20 5a 6e 13 44 7c 53 13 6d 5c 64 56\|"; distance:0; classtype:trojan-activity; sid:2015752; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Pincav.cjvb Checkin"; flow:established,to_server; content:"POST"; http_method; nocase; content:"User-Agent\|3A 20\|Asynchronous WinHTTP"; http_header; content:"CyoK"; http_client_body; depth:4; content:"CyoK"; http_client_body; distance:0; reference:md5,1e5499640ca31e4b1f113b97a0cae08b; classtype:trojan-activity; sid:2015753; rev:2;) + +# +alert udp $EXTERNAL_NET any -> $HOME_NET [137,138,139,445] (msg:"ET SCAN Nessus Netbios Scanning"; content:"n\|00\|e\|00\|s\|00\|s\|00\|u\|00\|s"; fast_pattern:only; reference:url,www.tenable.com/products/nessus/nessus-product-overview; classtype:attempted-recon; sid:2015754; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HTTP_SERVERS any (msg:"ET WEB_SERVER Image Content-Type with Obfuscated PHP (Seen with C99 Shell)"; flow:from_server,established; content:"Content-Type\|3a\| image/"; http_header; file_data; content:"eval(gzinflate(base64_decode("; distance:0; fast_pattern; reference:url,malwaremustdie.blogspot.jp/2012/10/how-far-phpc99shell-malware-can-go-from.html; classtype:attempted-user; sid:2015755; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Trojan Downloader GetBooks UA"; flow:established,to_server; content:"User-Agent\|3a\| GetBooks"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015756; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY AskSearch Toolbar Spyware User-Agent (AskTBar) 2"; flow:to_server,established; content:"User-Agent\|3a\| AskTb"; http_header; classtype:policy-violation; sid:2015757; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit Landing Page (2)"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".mine.nu\|0d 0a\|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015758; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java Exploit Recent Jar (4)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"hw.class"; content:"test.class"; classtype:trojan-activity; sid:2015759; rev:7;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zbot UA"; flow:established,to_server; content:"Windows NT 7.1"; http_header; content:"Firefox/9.1.2"; http_header; classtype:trojan-activity; sid:2015780; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Backdoor.Win32.Pushdo.s Checkin"; flow:to_server,established; content:"POST"; http_method; urilen:39; content:"/?ptrxcz_"; fast_pattern:only; http_uri; pcre:"/^\/\?ptrxcz_[a-z0-9A-Z]{30}$/U"; reference:md5,58ffe2b79be4e789be80f92b7f96e20c; classtype:trojan-activity; sid:2015807; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex initial landing"; flow:established,to_server; content:"/?"; http_uri; fast_pattern; isdataat:64,relative; content:"="; http_uri; distance:32; within:1; pcre:"/\/\?[a-f0-9]{32}=[^&]+&[a-f0-9]{32}=[^&]+$/U"; classtype:trojan-activity; sid:2015781; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Java Exploit Kit 32-32 byte hex hostile jar"; flow:established,to_server; content:".jar"; http_uri; fast_pattern:only; urilen:70; pcre:"/\/[a-f0-9]{32}\/[a-f0-9]{32}\.jar$/U"; classtype:trojan-activity; sid:2015782; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN PWS-Zbot.gen.als Checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:"/gateway.php"; http_uri; content:"page="; depth:5; http_client_body; content:"&unm="; fast_pattern:only; http_client_body; content:"&cnm="; http_client_body; content:"&query="; http_client_body; reference:md5,ccc99c9f07e7be0f408ef3a68a9da298; classtype:trojan-activity; sid:2016019; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOp Exploit Kit Payload"; flow:established,from_server; content:"Content-Type\|3a\| image/"; http_header; fast_pattern:only; file_data; content:"M"; within:1; content:!"Z"; within:1; content:"Z"; distance:1; within:1; classtype:trojan-activity; sid:2015783; rev:6;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript _222_ padding"; flow:established,from_server; file_data; content:"d_222_o_222_c_222_u_222_"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015785; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Microsoft Rich Text File download - SET"; flow:from_server,established; file_data; content:"\|7B 5C 72 74 66 31\|"; within:6; flowbits:set,ET.http.rtf.download; flowbits:noalert; reference:cve,2012-0183; classtype:attempted-user; sid:2015790; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BegOpEK - TDS - icon.php"; flow:established,to_server; content:"/icon.php"; urilen:9; classtype:trojan-activity; sid:2015789; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BegOpEK - Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"Ini.class"; distance:0; within:50; classtype:trojan-activity; sid:2015788; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page"; flow:to_server,established; content:"/links/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/links\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015787; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Ransom.Win32.Birele.gsg Checkin"; flow:established,to_server; content:".html"; http_uri; content:"From\|3a\| "; depth:6; fast_pattern; http_header; content:!"@"; http_header; within:18; content:"\|0d 0a\|Via\|3a\| "; http_header; distance:18; within:7; content:"^"; http_header; within:40; pcre:"/From\x3a\d{18}\x0d\x0aVia\x3a[^\x0d\x0a]+?[\x5d\x5e\x60\x5c]/H"; reference:md5,116aaaa5765228d61501322b02a6a3b1; reference:md5,2e66f39a263cb2e95425847b60ee2a93; reference:md5,0ea9b34e9d77b5a4ef5170406ed1aaed; classtype:trojan-activity; sid:2015786; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY archive.org heritix Crawler User-Agent (Outbound)"; flow:established,to_server; content:"heritrix"; fast_pattern:only; http_header; pcre:"/^User-Agent\x3a[^\r\n]+?heritrix/Hmi"; reference:md5,9fcbd8ebbbafdb0f64805f2c9a53fb7b; reference:url,crawler.archive.org/index.html; classtype:trojan-activity; sid:2015791; rev:3;) + +# +alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Secondary Landing Page 10/11/12"; flow:to_server,established; content:"/q"; http_uri; depth:2; pcre:"/^\/q[a-zA-Z0-9+-]{3,14}\/[a-zA-Z0-9+-]{3,16}\?[a-z]{1,6}=[a-zA-Z0-9+-\._]{7,18}$/U"; classtype:trojan-activity; sid:2015792; rev:1;) + +# +alert tcp $HOME_NET any -> 209.139.208.0/23 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Scalaxy Java Exploit 10/11/12"; flow:to_server,established; content:"/m"; http_uri; depth:2; pcre:"/^\/m[a-zA-Z0-9-_]{3,14}\/[a-zA-Z0-9-_]{3,17}$/U"; classtype:trojan-activity; sid:2015793; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PhpTax Possible Remote Code Exec"; flow:established,to_server; content:"/phptax/"; http_uri; fast_pattern:only; content:"&pfilez="; http_uri; nocase; classtype:web-application-attack; sid:2015794; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (2)"; flow:to_server,established; content:"/detects/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/detects\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015796; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (3)"; flow:to_server,established; content:"/watches/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/watches\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015797; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (4)"; flow:to_server,established; content:"/boards/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/boards\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015798; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32.Fareit.A/Pony Downloader Checkin (2)"; flow:to_server,established; content:"ch=1"; http_uri; fast_pattern:only; content:"ch=1"; http_client_body; depth:4; pcre:"/ch=1$/U"; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit.A; reference:url,www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=PWS%3aWin32%2fFareit; reference:url,www.threatexpert.com/report.aspx?md5=99fab94fd824737393f5184685e8edf2; reference:url,www.threatexpert.com/report.aspx?md5=9544c681ae5c4fe3fdbd4d5c6c90e38e; reference:url,www.threatexpert.com/report.aspx?md5=d50c39753ba88daa00bc40848f174168; reference:url,www.threatexpert.com/report.aspx?md5=bf422f3aa215d896f55bbe2ebcd25d17; classtype:trojan-activity; sid:2015799; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Dorkbot GeoIP Lookup (Skype LOL Worm)"; flow:to_server,established; content:"User-Agent\|3a\| Mozilla/4.0\|0d 0a\|Host\|3a\| api.wipmania.com\|0d 0a\|"; http_header; depth:49; fast_pattern:31,18; classtype:trojan-activity; sid:2015800; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (INTEL)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"\|3b\|c\|3a\|INT-"; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aINT-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015860; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN System Progressive Detection FakeAV (AMD)"; flow:to_server,established; content:"/api/"; http_uri; nocase; content:"ts="; http_uri; nocase; content:"affid="; http_uri; nocase; content:"\|3b\|c\|3a\|AMD-"; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+\(b\x3a\d+?\x3bc\x3aAMD-/Hm"; reference:md5,76bea2200601172ebc2374e4b418c63a; classtype:trojan-activity; sid:2015861; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript -_-- padding"; flow:established,from_server; file_data; content:"d-_--o-_--c-_--u-_--"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015801; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 8080 (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (5)"; flow:to_server,established; content:"/forum/links/column.php"; http_uri; nocase; content:".ru:8080\|0d 0a\|"; http_header; nocase; fast_pattern:only; classtype:trojan-activity; sid:2015802; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (6)"; flow:established,from_server; file_data; content:"<html><head><title></title></head><body>"; within:40; content:"applet archive="; distance:0; pcre:"/\.php\?\w{2,10}\=[0-9a-f]{10}\&\w{2,10}\=[a-z0-9]{2,6}\&[a-z]{2,8}\=[a-z]{2,10}\&[a-z]{2,8}\=[a-z]{2,8}/Rsmi"; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015803; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS BlackHole 2 PDF Exploit"; flow:established,from_server; file_data; content:"/Index[5 1 7 1 9 4 23 4 50 3]"; flowbits:isset,ET.pdf.in.http; reference:url,fortknoxnetworks.blogspot.com/2012/10/blackhhole-exploit-kit-v-20-url-pattern.html; classtype:trojan-activity; sid:2015804; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 4.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/feed.cgi"; http_uri; fast_pattern:only; pcre:"/(?:web(?:\.(?:velocitycache\.com\|autoflash\.info)\|update\.(?:dyndns\.info\|hopto\.org)\|app\.serveftp\.com)\|flash(?:center\.info\|rider\.org)\|cache\.dyndns\.info)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015805; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Mini-Flame v 5.x C2 HTTP request"; flow:established,to_server; content:"/cgi-bin/counter.cgi"; http_uri; fast_pattern:only; pcre:"/(?:(?:nvidia(?:s(?:tream\|oft)\|drivers)\|(?:rendercode\|videosyn)c\|flashupdates\|syncstream)\.info\|194\.192\.14\.125\|202\.75\.58\.179)\r?$/Hmi"; reference:url,www.securelist.com/en/analysis/204792247/miniFlame_aka_SPE_Elvis_and_his_friends; classtype:trojan-activity; sid:2015806; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET [$HTTP_PORTS,443] (msg:"ET TROJAN Taidoor C2"; flow:established,to_server; content:"GET "; depth:4; content:".php?id="; fast_pattern; distance:6; within:8; pcre:"/^GET\s\/[a-z]{5}\.php\?id=[A-Z0-9]{18}\sHTTP\/1\.[0-1]\r\n/"; content:"MSIE 6.0\|3b\|"; distance:0; classtype:trojan-activity; sid:2015808; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,OLE.CompoundFile; file_data; content:"FWS"; content:"kern"; distance:0; flowbits:set,Ole.Flash.kernpresent; flowbits:noalert; classtype:trojan-activity; sid:2015809; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET WEB_CLIENT Adobe Flash Vuln (CVE-2012-1535 Uncompressed) Exploit Specific"; flow:from_server,established; flowbits:isset,Ole.Flash.kernpresent; file_data; content:"heapSpray"; classtype:trojan-activity; sid:2015810; rev:1;) + +# +alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER FaTaLisTiCz_Fx Webshell Detected"; flow:established,from_server; content:"visitz="; http_cookie; file_data; content:"FaTaLisTiCz_Fx"; classtype:web-application-activity; sid:2015811; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 10/17/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern; distance:0; content:"Mac.class"; distance:0; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015812; rev:2;) + +# +alert udp $HOME_NET any -> any 53 (msg:"ET CURRENT_EVENTS DNS Query Torpig Sinkhole Domain (Possible Infected Host)"; content:"\|00 01 00 00 00 00 00 00\|"; depth:8; offset:4; content:"\|0f\|torpig-sinkhole\|03\|org\|00\|"; nocase; distance:0; fast_pattern; reference:url,www.sysenter-honeynet.org/?p=269; classtype:bad-unknown; sid:2015813; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Win32/Fujacks Activity"; flow:to_server,established; content:"User-Agent\|3a\| QQ\|0d 0a\|"; http_header; content:".whboy.net\|0d 0a\|"; nocase; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015814; rev:11;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Font File Download (32-bit Host) Dec 11 2012"; flow:to_server,established; content:"/32s_font.eot"; http_uri; classtype:trojan-activity; sid:2015815; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Font File Download (64-bit Host) Dec 11 2012"; flow:to_server,established; content:"/64s_font.eot"; http_uri; classtype:trojan-activity; sid:2015816; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Oct 19 2012"; flow:established,from_server; file_data; content:"applet"; fast_pattern; content:"&\|23\|48\|3b\|&\|23\|98\|3b\|&\|23\|48\|3b\|&\|23\|57\|3b\|&\|23\|48\|3b\|&\|23\|57\|3b\|&\|23\|48\|3b\|&\|23\|52\|3b\|&\|23\|49\|3b\|&\|23\|102\|3b\|"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015823; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN GeckaSeka User-Agent"; flow: established,to_server; content:"GeckaSeka"; http_header; fast_pattern:only; pcre:"/User-Agent\:[^\n]+GeckaSeka/Hi"; classtype:trojan-activity; sid:2015824; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole2 Non-Vulnerable Client Fed Fake Flash Executable"; flow: established,to_server; content:"/adobe/update_flash_player.exe"; http_uri; reference:url,research.zscaler.com/2012/10/blackhole-exploit-kit-v2-on-rise.html; classtype:trojan-activity; sid:2015817; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homeip. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homeip."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015818; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .homelinux. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".homelinux."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015819; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 7 User-Agent"; flow: established,to_server; content:"Windows NT 7"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 7/Hmi"; classtype:trojan-activity; sid:2015820; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 8 User-Agent"; flow: established,to_server; content:"Windows NT 8"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 8/Hmi"; classtype:trojan-activity; sid:2015821; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 9 User-Agent"; flow:established,to_server; content:"Windows NT 9"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 9/Hmi"; classtype:trojan-activity; sid:2015822; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Outbound)"; flow:established,to_server; content:".php?m=login"; fast_pattern:only; http_uri; nocase; content:"user="; http_client_body; depth:5; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015825; rev:7;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Zeus/Citadel Control Panel Access (Inbound)"; flow:established,to_server; content:".php?m=login"; http_uri; fast_pattern:only; nocase; content:"user="; depth:5; http_client_body; nocase; content:"pass="; http_client_body; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015826; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Iframer Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015827; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access IFramer Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/iframer/"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015828; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015829; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access VNC Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/vnc/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015830; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015831; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Bot Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/bots/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015832; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Video Controller (Outbound)"; flow:established,to_server; content:"/api.php/"; http_uri; fast_pattern:only; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015833; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET TROJAN Citadel API Access Video Controller (Inbound)"; flow:established,to_server; content:"/api.php/"; fast_pattern:only; http_uri; content:"/video/"; http_uri; nocase; content:"botI"; http_uri; nocase; reference:url,xylithreats.free.fr/public/; reference:url,www.xylibox.com/2012/10/citadel-1351-rain-edition.html; classtype:trojan-activity; sid:2015834; rev:6;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Smoke Loader C2 Response"; flow:established,from_server; content:"Content-Length\|3a\| 4\|0d 0a\|"; http_header; file_data; content:"Smk0"; depth:4; fast_pattern; classtype:trojan-activity; sid:2015835; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 Binary Get Request"; content:"GET"; http_method; content:" Java/1."; http_header; fast_pattern:only; content:".php?"; http_uri; pcre:"/\.php\?\w{2,8}\=(0[0-9a-b]\|3[0-9]){5,32}\&\w{2,9}\=(0[0-9a-b]\|3[0-9]){10}\&\w{1,8}\=\d{2}\&\w{1,8}\=\w{1,8}\&\w{1,8}\=\w{1,8}$/U"; reference:url,fortknoxnetworks.blogspot.be/2012/10/blackhole-20-binary-get-request.html; classtype:successful-user; sid:2015836; rev:6;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET TROJAN SSL Cert Used In Unknown Exploit Kit"; flow:established,from_server; content:"\|00 c8 b9 67 4e 25 75 e9 92\|"; content:"\|55 04 06 13 02 4e 4c\|"; distance:0; content:"\|55 04 07 0c 01 20\|"; distance:0; content:"\|55 04 03 0c 01 20\|"; distance:0; classtype:trojan-activity; sid:2015837; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/beacon/"; http_uri; fast_pattern:only; pcre:"/\/beacon\/[a-f0-9]{8}\.htm$/U"; classtype:successful-user; sid:2015840; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Exploit Kit Landing Page"; flow:established,to_server; content:"/Applet.jar"; http_uri; fast_pattern:only; pcre:"/^\/Applet\.jar$/U"; classtype:successful-user; sid:2015841; rev:2;) + +# +alert udp $HOME_NET 5355 -> any any (msg:"ET INFO LLNMR query response to wpad"; content:"\|80 00 00 01 00 01\|"; offset:2; depth:6; content:"\|04\|wpad\|00 00 01 00 01 04\|wpad\|00 00 01 00 01\|"; distance:0; isdataat:7,relative; classtype:misc-activity; sid:2015842; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (1)"; flow:established,to_server; content:".php?asd=12gqw"; http_uri; content:"\|29 20\|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015843; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole file containing obfuscated Java payload URIs"; flow:established,from_server; file_data; content:"0b0909041f3131"; depth:14; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015844; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS pamdql obfuscated javascript __-_ padding"; flow:established,from_server; file_data; content:"d__-_o__-_c__-_u__-_m__-_e__-_n__-_t"; within:500; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015845; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NeoSploit Jar with three-letter class names"; flow:established,from_server; file_data; content:"PK"; depth:2; content:".classPK"; pcre:"/(\0[a-z]{3}.classPK.{43}){4}/"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015846; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50a"; http_uri; depth:4; pcre:"/^\/50a[a-f0-9]{21}\/(((\d+,)+\d+)\|null)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015847; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Imposter USPS Domain"; flow:established,to_server; content:".usps.com."; http_header; nocase; fast_pattern:only; pcre:"/^Host\x3a[^\r\n]\.usps\.com\./Hi"; classtype:trojan-activity; sid:2015848; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Path (Seen in Unknown EK) 10/29/12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"cve1723/"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015849; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Trojan Checkin"; flow:established,to_server; content:"/index312.php?ver="; http_uri; content:"&cam="; http_uri; content:"&p=spy"; http_uri; content:"&id="; http_uri; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015850; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Client Request"; flow:established,to_server; urilen:9; content:"/calc.php"; http_uri; flowbits:set,ET.cyberEspionageGeorgia; flowbits:noalert; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015851; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Georgian Targeted Attack - Server Response"; flow:established,from_server; flowbits:isset,ET.cyberEspionageGeorgia; file_data; content:"<html><head><META HTTP-EQUIV=\|22\|Pragma\|22\| CONTENT=\|22\|no-cache\|22\|></head><body>"; base64_decode:bytes 365, offset 0, relative; base64_data; content:"MZ"; within:2; content:"This program cannot be run in DOS mode."; within:360; reference:md5,d4af87ba30c59d816673df165511e466; reference:url,dea.gov.ge/uploads/CERT%20DOCS/Cyber%20Espionage.pdf; classtype:trojan-activity; sid:2015852; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot requesting update"; flow:to_server,established; content:"/modules/docs/upload/calc.exe"; http_uri; classtype:trojan-activity; sid:2015853; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot initial checkin"; flow:to_server,established; content:"POST"; http_method; nocase; content:".php?ver="; http_uri; content:"&p=cert123"; fast_pattern:only; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015854; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Georbot checkin"; flow:to_server,established; content:".php?ver="; http_uri; content:"&p=bot123"; http_uri; content:"&id="; http_uri; classtype:trojan-activity; sid:2015855; rev:2;) + +# +alert udp any any -> any 161 (msg:"ET SNMP Attempt to retrieve Cisco Config via TFTP (CISCO-CONFIG-COPY)"; content:"\|2b 06 01 04 01 09 09 60 01 01 01 01\|"; fast_pattern:only; classtype:policy-violation; sid:2015856; rev:5;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 69 (msg:"ET TFTP Outbound TFTP Data Transfer with Cisco config"; content:"\|00 03\|"; depth:2; content:"\|0a 21 0a\|version\|20\|"; distance:2; within:12; classtype:policy-violation; sid:2015857; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sakura/RedKit obfuscated URL"; flow:established,from_server; file_data; content:"<applet"; pcre:"/^.{1,500}\/.{1,12}\/.{1,12}\x3a.{1,12}p.{1,12}t.{1,12}t.{1,12}h/Rs"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015858; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Metasploit CVE-2012-1723 Attacker.class (Seen in Unknown EK) 11/01/12"; flow:to_client,established; file_data; content:"<applet"; content:"Attacker.class"; distance:0; classtype:trojan-activity; sid:2015859; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Potentially Unwanted Program RebateInformerSetup.exe Download Reporting"; flow:established,to_server; content:"/RebateInformerSetup.exe"; fast_pattern; nocase; http_uri; content:"User-Agent\|3a\| Inno Setup Downloader"; http_header; reference:url,www.ripoffreport.com/directory/rebategiant-com.aspx; classtype:trojan-activity; sid:2015862; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (2)"; flow:established,to_server; content:"php?fbebf=nt34t4"; http_uri; content:"\|29 20\|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015863; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2.0 PDF GET request"; flow:established,to_server; content:".php?"; http_uri; content:"00020002"; http_uri; fast_pattern:only; pcre:"/\.php\?\w{2,9}\=(0[0-9a-b]\|3[0-9]){5}\&\w{3,9}\=(3[0-9a-f]\|4[0-9a-f])\&\w{3,9}\=(0[0-9a-b]\|3[0-9]){10}\&\w{3,9}\=(0[0-9a-b]{1,8})00020002$/U"; reference:url,fortknoxnetworks.blogspot.com/2012/11/deeper-into-blackhole-urls-and-dialects.html; classtype:attempted-user; sid:2015864; rev:1;) + +# +alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET CURRENT_EVENTS Self-Singed SSL Cert Used in Conjunction with Neosploit"; flow:from_server,established; content:"\|16 03 01\|"; content:"\|00 be d3 cf b1 fe a1 55 bf\|"; distance:0; content:"webmaster@localhost"; distance:0; content:"\|30 81 89 02 81 81 00 ac 12 38 fc 5c bf 7c 8c 18 e7 db 09 dc\|"; distance:0; classtype:trojan-activity; sid:2015865; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/Length"; within:200; pcre:"/^[\r\n\s]+(\d{4}\|(?!(\d{1,2}[\r\n\s]\|1[0-2][0-8][\r\n\s])))((?!>>).)+\/R\s+3[\r\n\s>]/Rs"; classtype:trojan-activity; sid:2015866; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 1"; flow:to_server,established; dsize:<100; content:"ADDNEW\|7C\|ddoser\|7C\|"; depth:14; pcre:"/\x7C(NEW\|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015868; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 2"; flow:to_server,established; dsize:<100; content:"ADDNEW\|7C\|Zombie\|7C\|"; depth:14; pcre:"/\x7C(NEW\|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015869; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 1024: (msg:"ET TROJAN Backdoor.ADDNEW (DarKDdoser) CnC 3"; flow:to_server,established; dsize:<100; content:"ADDNEW\|7C\|Stable\|7C\|"; depth:14; pcre:"/\x7C(NEW\|Awaiting commands)/R"; reference:url,blog.fireeye.com/research/2012/11/backdooraddnew-darkddoser-and-gh0st-a-match-made-in-heaven.html; reference:md5,691305b05ae75389526aa7c15b319c3b; classtype:trojan-activity; sid:2015870; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Sophos PDF Standard Encryption Key Length Buffer Overflow"; flow:from_server,established; file_data; flowbits:isset,ET.pdf.in.http; content:"/Standard"; content:"/R 3"; within:200; pcre:"/^[\r\n\s]+((?!>>).)+?\/Length[\r\n\s]+(\d{4}\|(?!(\d{1,2}[\r\n\s]\|1[0-2][0-8][\r\n\s])))/Rs"; classtype:trojan-activity; sid:2015867; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for file containing Java payload URIs (3)"; flow:established,to_server; content:".php?asvvab=125qwafdsg"; http_uri; content:"\|29 20\|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015871; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole request for Payload"; flow:established,to_server; content:".php?"; http_uri; content:"\|3a\|"; http_uri; fast_pattern; content:"\|3a\|"; distance:2; within:1; http_uri; content:"\|3a\|"; distance:2; within:1; http_uri; pcre:"/\.php\?[a-z]+=(([1-2][a-z]\|3[0-9])\x3a){3,}([1-2][a-z]\|3[0-9])&/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015872; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Cool Exploit Kit Requesting Payload"; flow:established,to_server; content:"/f.php?k="; http_uri; fast_pattern:only; pcre:"/^\/[a-z]\/f\.php\?k=\d(&e=\d&f=\d)?$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015873; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Known Reveton Domain HTTP whatwillber.com"; flow:established,to_server; content:"whatwillber.com\|0d 0a\|"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015874; rev:3;) + +# +alert udp $HOME_NET any -> $EXTERNAL_NET 53 (msg:"ET CURRENT_EVENTS DNS Query Known Reveton Domain whatwillber.com"; content:"\|01 00 00 01 00 00 00 00 00 00\|"; depth:10; offset:2; content:"\|0b\|whatwillber\|03\|com\|00\|"; nocase; distance:0; classtype:bad-unknown; sid:2015875; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS SofosFO Jar file 09 Nov 12"; flow:to_client,established; file_data; content:"PK"; within:2; content:"SecretKey.class"; fast_pattern:only; content:"Anony"; pcre:"/^(mous)?\.class/R"; flowbits:isset,ET.http.javaclient.vulnerable; classtype:trojan-activity; sid:2015876; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 32-hex/q.php Landing Page/Java exploit URI"; flow:established,to_server; urilen:39; content:"/q.php"; http_uri; offset:33; pcre:"/^\/[0-9a-f]{32}/q\.php$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015877; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET POLICY Maxmind geoip check to /app/geoip.js"; flow:established,to_server; content:"/app/geoip.js"; http_uri; fast_pattern:only; content:"maxmind.com\|0d 0a\|"; http_header; classtype:policy-violation; sid:2015878; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page NOP String"; flow:established,to_client; file_data; content:" == -1 {\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0\|5c\|x5C0"; distance:0; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015881; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS KaiXin Exploit Kit Landing Page parseInt Javascript Replace"; flow:established,to_client; file_data; content:" = parseInt("; distance:0; content:".replace(\|2F 5C 2E 7C 5C 5F 2F\|g, ''))\|3B\|"; within:30; reference:url,ondailybasis.com/blog/?p=1610; classtype:trojan-activity; sid:2015882; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Java Exploit Campaign SetAttribute Java Applet"; flow:established,to_client; file_data; content:"document.createElement(\|22\|applet\|22\|)\|3B\|"; fast_pattern:13,20; distance:0; nocase; content:".setAttribute(\|22\|code"; distance:0; nocase; content:".class\|22 29 3B\|"; nocase; within:50; content:".setAttribute(\|22\|archive"; nocase; distance:0; content:"document.createElement\|22\|param"; nocase; distance:0; reference:url,ondailybasis.com/blog/?p=1593; classtype:trojan-activity; sid:2015883; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack Landing Page"; flow:established,to_client; file_data; content:"<applet"; content:"a.Test"; fast_pattern; classtype:trojan-activity; sid:2015884; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack - No Java URI - Dot.class"; flow:established,to_server; urilen:10; content:"/Dot.class"; http_uri; classtype:trojan-activity; sid:2015885; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CirtXPack - No Java URI - /a.Test"; flow:established,to_server; urilen:7; content:"/a.Test"; classtype:trojan-activity; sid:2015886; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Possible exploitation of CVE-2012-5076 by an exploit kit Nov 13 2012"; flow:from_server,established; file_data; content:"<object"; content:"0b0909041f"; distance:0; fast_pattern; content:"3131"; distance:0; classtype:trojan-activity; sid:2015887; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Popads/Unknown Java Exploit Kit 32-32 byte hex java payload request"; flow:established,to_server; content:"/0"; http_uri; offset:33; depth:2; urilen:35; pcre:"/\/[a-f0-9]{32}\/0/U"; flowbits:isset,ET.http.javaclient.vulnerable; content:" Java/1"; http_header; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015888; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SofosFO/NeoSploit possible second stage landing page"; flow:established,to_server; urilen:>25; content:"/50"; http_uri; depth:3; pcre:"/^\/50[a-f][a-f0-9]{21}\/(([CBrhVykGTU]+Y){3}[CBrhVykGTU]{1,2}\|NHee)S(([CBrhVykGTU]+Y){3}[CBrhVykGTU]\|NHee)\//U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015889; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - FlashExploit"; flow:established,to_client; file_data; content:"FlashExploit()"; classtype:trojan-activity; sid:2015890; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CoolEK - Landing Page - Title"; flow:established,to_client; file_data; content:"<title>Hello my friend...</title>"; classtype:trojan-activity; sid:2015891; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_new.php"; flow:established,to_server; content:"/pdf_new.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015892; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK - PDF Exploit - pdf_old.php"; flow:established,to_server; content:"/pdf_old.php"; fast_pattern:only; http_uri; classtype:trojan-activity; sid:2015893; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown FakeAV - /get/.crp"; flow:established,to_server; content:"/get/"; http_uri; content:".crp"; http_uri; fast_pattern; classtype:trojan-activity; sid:2015894; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Unknown_comee.pl - POST with stpfu in http_client_body"; flow:established,to_server; content:"POST"; http_method; content:"stpfu"; http_client_body; depth:5; classtype:trojan-activity; sid:2015895; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET TROJAN Unknown_comee.pl - Response from stpfu in http_client_body"; flow:established,to_client; file_data; content:"\|6C 95 32 CB\|"; within:4; classtype:trojan-activity; sid:2015896; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible TDS Exploit Kit /flow redirect at .ru domain"; flow:established,to_server; urilen:<12; content:"/flow"; fast_pattern; depth:5; http_uri; content:".php"; distance:1; within:5; http_uri; content:"GET"; http_method; content:".ru\|0d 0a\|"; http_header; pcre:"/^\/flow\d{1,2}\.php$/U"; classtype:bad-unknown; sid:2015897; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 1 User-Agent"; flow: established,to_server; content:"Windows NT 1"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 1/Hmi"; classtype:trojan-activity; sid:2015898; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 2 User-Agent"; flow: established,to_server; content:"Windows NT 2"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 2/Hmi"; classtype:trojan-activity; sid:2015899; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO Suspicious Windows NT version 3 User-Agent"; flow: established,to_server; content:"Windows NT 3"; nocase; http_header; fast_pattern:only; pcre:"/^User-Agent\x3a[^\r\n]+Windows NT 3/Hmi"; classtype:trojan-activity; sid:2015900; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page - Java ClassID and 32HexChar.jar"; flow:established,to_client; file_data; content:"8AD9C840-044E-11D1-B3E9-00805F499D93"; content:".jar"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:trojan-activity; sid:2015901; rev:1;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - WSO Title"; flow:established,to_client; file_data; content:"<title>"; content:" - WSO "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:attempted-user; sid:2015905; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS WSO - WebShell Activity - POST structure"; flow:established,to_server; content:"POST"; http_method; content:"&c="; http_client_body; content:"&p1="; http_client_body; content:"&p2="; http_client_body; content:"&p3="; http_client_body; fast_pattern; pcre:"/a=(?:S(?:e(?:lfRemove\|cInfo)\|tringTools\|afeMode\|ql)\|(?:Bruteforc\|Consol)e\|FilesMan\|Network\|Logout\|Php)/P"; classtype:attempted-user; sid:2015906; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS BoA -Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"creditcard="; http_client_body; content:"expyear="; http_client_body; content:"ccv="; http_client_body; content:"pin="; http_client_body; classtype:bad-unknown; sid:2015907; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS BoA - PII Phished"; flow:established,to_server; content:"POST"; http_method; content:"&phone3="; http_client_body; content:"&ssn3="; http_client_body; content:"&dob3="; http_client_body; classtype:bad-unknown; sid:2015908; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS - BoA - Creds Phished"; flow:established,to_server; content:"reason="; http_client_body; content:"Access_ID="; http_client_body; content:"Access_ID_1="; http_client_body; content:"Current_Passcode="; http_client_body; classtype:bad-unknown; sid:2015909; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - AOL Creds"; flow:established,to_server; content:"POST"; http_method; content:"aoluser="; http_client_body; content:"aolpassword="; http_client_body; classtype:bad-unknown; sid:2015910; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Yahoo Creds"; flow:established,to_server; content:"POST"; http_method; content:"yahoouser="; http_client_body; content:"yahoopassword="; http_client_body; classtype:bad-unknown; sid:2015911; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Gmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"gmailuser="; http_client_body; content:"gmailpassword="; http_client_body; classtype:bad-unknown; sid:2015912; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Hotmail Creds"; flow:established,to_server; content:"POST"; http_method; content:"hotmailuser="; http_client_body; content:"hotmailpassword="; http_client_body; classtype:bad-unknown; sid:2015913; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Remax - Other Creds"; flow:established,to_server; content:"POST"; http_method; content:"otheruser="; http_client_body; content:"otherpassword="; http_client_body; classtype:bad-unknown; sid:2015914; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Landing Pattern (1)"; flow:to_server,established; content:"/r/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/r\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015915; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CoolEK Landing Pattern (2)"; flow:to_server,established; content:"/t/l/"; depth:5; http_uri; content:".php"; http_uri; pcre:"/^\/t\/l\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015916; rev:2;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - D.K - Title"; flow:established,to_client; file_data; content:"<title>"; content:" - D.K "; fast_pattern; distance:0; content:"</title>"; distance:0; classtype:bad-unknown; sid:2015917; rev:1;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header"; flow:established,to_client; file_data; content:"<span>Uname<br>User<br>Php<br>Hdd<br>Cwd</span>"; classtype:attempted-user; sid:2015918; rev:1;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Generic - c99shell based header w/colons"; flow:established,to_client; file_data; content:"<span>Uname\|3a\|<br>User\|3a\|<br>Php\|3a\|<br>Hdd\|3a\|<br>Cwd\|3a\|</span>"; classtype:attempted-user; sid:2015919; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Generic - c99shell based POST structure w/multipart"; flow:established,to_server; content:"POST"; http_method; content:"form-data\; name=\|22\|a\|22\|"; http_client_body; content:"form-data\; name=\|22\|c\|22\|"; http_client_body; content:"form-data\; name=\|22\|p1\|22\|"; http_client_body; classtype:attempted-user; sid:2015920; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Spam Campaign JPG CnC Link"; flow:established,to_client; file_data; content:"he1l0\|3A\|hxxp\|3A\|//"; distance:0; content:".jpg"; distance:0; reference:url,blog.fireeye.com/research/2012/11/more-phish.html; classtype:trojan-activity; sid:2015921; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java exploit request /9-10-/4-5-digit"; flow:established,to_server; content:"\|29 20\|Java/"; http_header; urilen:14<>18; pcre:"/^\/\d{9,10}\/\d{4,5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015922; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Glazunov Java payload request /5-digit"; flow:established,to_server; content:"\|29 20\|Java/"; http_header; urilen:6; pcre:"/^\/\d{5}$/U"; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015923; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PHP eMailer"; flow:established,to_server; content:"POST"; http_method; content:"form-data\|3b\| name=\|22\|from\|22\|"; http_client_body; content:"form-data\|3b\| name=\|22\|realname\|22\|"; http_client_body; content:"form-data\|3b\| name=\|22\|amount\|22\|"; http_client_body; classtype:web-application-activity; sid:2015924; rev:1;) + +# +alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER WebShell - Unknown - self-kill"; flow:established,to_client; file_data; content:"<a href=\|22\|?x=selfremove\|22\|>[Self-Kill]</a>"; classtype:web-application-activity; sid:2015925; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - Unknown - .php?x=img&img="; flow:established,to_server; content:".php?x=img&img="; http_uri; fast_pattern:only; classtype:web-application-activity; sid:2015926; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit /h**.htm(l) Landing Page - Set"; flow:established,to_server; urilen:8<>11; content:"/h"; depth:2; http_uri; pcre:"/^\/h[a-z]{3}\.html?$/U"; flowbits:set,ET.http.driveby.redkit.uri; flowbits:noalert; classtype:trojan-activity; sid:2015927; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (1)"; flow:established,to_server; content:"/332.jar"; fast_pattern:only; http_uri; content:"\|29 20\|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015928; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Java Request to Recent jar (2)"; flow:established,to_server; content:"/887.jar"; fast_pattern:only; http_uri; content:"\|29 20\|Java/"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015929; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit Vulnerable Java Payload Request URI (1)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/33.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015930; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit Exploit Kit vulnerable Java Payload Request to URI (2)"; flowbits:isset,ET.http.javaclient.vulnerable; flow:established,to_server; content:"/41.html"; depth:8; http_uri; urilen:8; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015931; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (7)"; flow:to_server,established; content:"/news/enter/2012-1"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/news\/enter\/2012-1[0-2]-([0-2][0-9]\|3[0-1])\.php/U"; classtype:trojan-activity; sid:2015932; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole 2 Landing Page (8)"; flow:to_server,established; content:"/less/"; fast_pattern:only; http_uri; content:".php"; http_uri; pcre:"/\/less\/([a-z]{1,16}[-_]){1,4}[a-z]{1,16}\.php/U"; classtype:trojan-activity; sid:2015933; rev:4;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET !$HTTP_PORTS (msg:"ET CURRENT_EVENTS Nuclear Exploit Kit HTTP Off-port Landing Page Request"; flow:established,to_server; content:"GET /t/"; depth:7; pcre:"/^[a-f0-9]{32}\sHTTP\/1\.[0-1]\r\n/R"; classtype:trojan-activity; sid:2015936; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER WebShell - PostMan"; flow:established,to_server; content:"POST"; http_method; content:"form-data\|3b\| name=\|22\|formSubmited\|22\|"; http_client_body; content:"form-data\|3b\| name=\|22\|scriptPassword\|22\|"; http_client_body; classtype:misc-activity; sid:2015937; rev:6;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown Banking PHISH - Login.php?LOB=RBG"; flow:established,to_server; content:"/Logon.php?LOB=RBG"; http_uri; content:"&_pageLabel=page_"; http_uri; classtype:trojan-activity; sid:2015938; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET CURRENT_EVENTS g01pack Exploit Kit .blogsite. Landing Page"; flow:established,to_server; urilen:>2; content:"/ HTTP/1."; pcre:"/^\/[a-z]+\/$/U"; content:".blogsite."; http_header; nocase; fast_pattern:only; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2015939; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET SCAN SFTP/FTP Password Exposure via sftp-config.json"; flow:to_server,established; content:"/sftp-config.json"; fast_pattern:only; http_uri; reference:url,blog.sucuri.net/2012/11/psa-sftpftp-password-exposure-via-sftp-config-json.html; classtype:attempted-recon; sid:2015940; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (1)"; flow:established,to_server; content:"/amor"; http_uri; content:".jar"; http_uri; within:6; content:" Java/"; http_header; fast_pattern:only; pcre:"/amor\d{0,2}\.jar/U"; classtype:trojan-activity; sid:2015941; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Java Exploit - Recent Jar (2)"; flow:established,to_server; content:"/java7.jar?r="; http_uri; content:" Java/"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015942; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Crimeboss - Java Exploit - Recent Jar (3)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"amor.class"; distance:0; classtype:trojan-activity; sid:2015943; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Access"; flow:established,to_server; content:".php?action=stats_access"; http_uri; classtype:trojan-activity; sid:2015944; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Java On"; flow:established,to_server; content:".php?action=stats_javaon"; http_uri; classtype:trojan-activity; sid:2015945; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Setup"; flow:established,to_server; content:".php?setup=d&s="; http_uri; content:"&r="; pcre:"/\.php?setup=d&s=\d+&r=\d+$/U"; classtype:trojan-activity; sid:2015946; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access"; flow:established,to_server; content:"/core/Loader.php?"; fast_pattern:only; http_uri; nocase; content:"g="; http_uri; content:"s="; http_uri; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015947; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Piwik Backdoor Access 2"; flow:established,to_server; content:"/core/DataTable/Filter/Megre.php"; http_uri; nocase; reference:url,blog.sucuri.net/2012/11/piwik-org-webserver-hacked-and-backdoor-added-to-piwik.html; classtype:web-application-attack; sid:2015948; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Propack Recent Jar (1)"; flow:established,from_server; file_data; content:"PK"; within:2; content:"propack/"; distance:0; classtype:trojan-activity; sid:2015949; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Propack Payload Request"; flow:established,to_server; content:".php?j=1&k="; http_uri; nocase; fast_pattern:only; content:" Java/1"; http_header; pcre:"/\.php\?j=1&k=[0-9](i=[0-9])?$/U"; classtype:trojan-activity; sid:2015950; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS SibHost Jar Request"; flow:established,to_server; content:".jar?m="; http_uri; content:"\|29 20\|Java/1"; http_header; fast_pattern:only; pcre:"/\.jar\?m\=[1-2]$/U"; classtype:trojan-activity; sid:2015951; rev:14;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Generic -SSN - ssn1 ssn2 ssn3"; flow:established,to_server; content:"POST"; http_method; content:"ssn1="; http_client_body; content:"ssn2="; http_client_body; content:"ssn3="; http_client_body; classtype:trojan-activity; sid:2015952; rev:1;) + +# +alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET WEB_SERVER PIWIK Backdored Version calls home"; flow:established,to_server; content:"POST"; http_method; content:"prostoivse.com\|0d 0a\|"; http_header; nocase; content:"/x.php"; http_uri; content:"reff="; http_client_body; nocase; reference:url,piwik.org/blog/2012/11/security-report-piwik-org-webserver-hacked-for-a-few-hours-on-2012-nov-26th/; reference:url,forum.piwik.org/read.php?2,97666; classtype:web-application-attack; sid:2015953; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO PDF /FlateDecode and PDF version 1.0"; flow:established,from_server; file_data; content:"%PDF-1.0"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015954; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /FlateDecode and PDF version 1.1 (seen in pamdql EK)"; flow:established,from_server; file_data; content:"%PDF-1.1"; fast_pattern; within:8; content:"/FlateDecode"; distance:0; classtype:trojan-activity; sid:2015955; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Serenity Exploit Kit Landing Page HTML Header"; flow:established,to_client; file_data; content:"<head><title>Loading... Please wait<\|2F\|title><meta name=\|22\|robots\|22\| content=\|22\|noindex\|22\|><\|2F\|head>"; distance:0; classtype:trojan-activity; sid:2015956; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 1"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:"User-Agent\|3a\| Microsoft BITS/"; http_header; classtype:trojan-activity; sid:2015957; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Lyposit Ransomware Checkin 2"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/ad/?"; depth:5; http_uri; fast_pattern; pcre:"/^\/ad\/\?[a-z]{1,4}\x3d[a-z0-9]+?$/Ui"; content:!"User-Agent\|3a\| "; http_header; classtype:trojan-activity; sid:2015958; rev:1;) + +# +#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET INFO PHISH Generic - Bank and Routing"; flow:established,to_server; content:"POST"; http_method; content:"bank"; http_client_body; nocase; content:"routing"; http_client_body; nocase; classtype:bad-unknown; sid:2015963; rev:2;) + +# +alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"ET SNMP Samsung Printer SNMP Hardcode RW Community String"; content:"s!a@m#n$p%c"; fast_pattern:only; reference:url,www.l8security.com/post/36715280176/vu-281284-samsung-printer-snmp-backdoor; classtype:attempted-admin; sid:2015959; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request"; flow:established,to_server; content:"/j.php?t=u00"; http_uri; content:"\|29 20\|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2015960; rev:9;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request"; flow:established,to_server; content:"/p5.php?t=u00"; http_uri; fast_pattern:only; content:"&oh="; http_uri; classtype:trojan-activity; sid:2015961; rev:11;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Payload Request"; flow:established,to_server; content:"/load.php?e=u00"; http_uri; fast_pattern:only; content:"&token=u00"; http_uri; classtype:trojan-activity; sid:2015962; rev:9;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin 1"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; content:" HTTP"; distance:1; within:5; content:"MSIE 7.0\|3b\|"; content:".ddns"; fast_pattern; content:".eu\|0d 0a\|"; distance:1; within:5; pcre:"/\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\x2eeu\r\n\r\n$/"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015968; rev:5;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Requesting exe"; flow:established,to_server; content:"GET "; depth:4; content:"MSIE 7.0\|3b\|"; content:".ddns"; fast_pattern; distance:0; content:".eu\|0d 0a\|"; distance:1; within:5; pcre:"/GET \/[a-z0-9]+?\/?\?[a-z]\d? HTTP\/1\.1\r\nUser-Agent\x3a .+?\r\nHost\x3a \d{5}\x2eddns[a-z0-9]\.eu\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; classtype:trojan-activity; sid:2015969; rev:5;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Zuponcic EK Java Exploit Jar"; flow:established,from_server; file_data; content:"PK"; within:2; content:"FlashPlayer.class"; distance:0; content:".SF"; content:".RSA"; classtype:trojan-activity; sid:2015971; rev:8;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic EK Payload Request"; flow:established,to_server; content:"POST"; http_method; urilen:1; content:"\|29 20\|Java/1"; http_header; content:"/"; http_uri; content:"i=2ZI"; fast_pattern; http_client_body; depth:5; classtype:trojan-activity; sid:2015970; rev:10;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Unknown EK Landing URL"; flow:established,to_server; content:".php?dentesus=208779"; http_uri; fast_pattern:only; classtype:trojan-activity; sid:2015964; rev:10;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET INFO EXE SCardForgetReaderGroupA (Used in Malware Anti-Debugging)"; flow:established,to_client; file_data; flowbits:isset,ET.http.binary; content:"SCardForgetReaderGroupA"; fast_pattern:only; reference:url,www.trusteer.com/blog/evading-malware-researchers-shylock%E2%80%99s-new-trick; classtype:misc-activity; sid:2015965; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH PayPal - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"login_email="; http_client_body; content:"login_password="; http_client_body; content:"target_page="; http_client_body; classtype:bad-unknown; sid:2015972; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Gateway POST to gateway-p"; flow:established,to_server; content:"POST"; http_method; content:"/gateway-p"; http_uri; classtype:bad-unknown; sid:2015973; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Sibhost Status Check"; flow:established,to_server; content:"POST"; http_method; content:"?s=1"; http_uri; content:"\|29 20\|Java/1"; http_header; content:"text="; http_client_body; depth:5; pcre:"/\?s=1$/U"; classtype:trojan-activity; sid:2015974; rev:9;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"ET EXPLOIT MySQL Stack based buffer overrun Exploit Specific"; flow:to_server,established; content:"grant"; nocase; content:"file"; nocase; distance:0; content:"on"; distance:0; nocase; pcre:"/grant\s+(file\|all)\s+on\s+A{500,}/"; reference:url,seclists.org/fulldisclosure/2012/Dec/4; classtype:attempted-user; sid:2015975; rev:3;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET [443,80,8080,9000:9009] (msg:"ET TROJAN WORM_VOBFUS Checkin Generic"; flow:established,to_server; content:"GET "; depth:4; content:"/1/?"; within:4; fast_pattern; content:" HTTP"; distance:1; within:5; content:"Mozilla/4.0 (compatible\|3b\| MSIE 7.0\|3b\| Windows NT 5.1\|3b\| SV1)\|0d 0a\|"; pcre:"/GET \/1\/\?\w HTTP\/1\.1\r\nUser-Agent\x3a Mozilla\/4\.0 \x28compatible\x3b MSIE 7\.0\x3b Windows NT 5\.1\x3b SV1\x29\r\nHost\x3a .+?(\x3a(443\|8080\|900[0-9]))?\x0d\x0a\x0d\x0a$/i"; reference:md5,f127ed76dc5e48f69a1070f314488ce2; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/watch-out-for-worm_vobfus/; reference:url,blog.dynamoo.com/2012/11/vobfus-sites-to-block.html; classtype:trojan-activity; sid:2015976; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS probable malicious Glazunov Javascript injection"; flow:established,from_server; file_data; content:"(\|22\|"; distance:0; content:"\|22\|))\|3b\|"; distance:52; within:76; content:")\|3b\|</script></body>"; within:200; fast_pattern; pcre:"/$\x22[0-9\x3a\x3b\x3c\x3d\x3e\x3fa-k]{50,70}\x22$.{0,200}\)\x3b<\/script><\/body>/s"; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015977; rev:6;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole Java applet with obfuscated URL Dec 03 2012"; flow:established,from_server; file_data; content:"applet"; content:"Dyy3Ojj"; within:300; flowbits:set,et.exploitkitlanding; classtype:bad-unknown; sid:2015978; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS CritXPack - Landing Page"; flow:established,from_server; file_data; content:"\|7C\|pdfver\|7C\|"; content:"\|7C\|applet\|7C\|"; classtype:bad-unknown; sid:2015979; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Google - Account Phished"; flow:established,to_server; content:"POST"; http_method; content:"continue="; http_client_body; content:"followup="; http_client_body; content:"checkedDomains="; http_client_body; classtype:bad-unknown; sid:2015980; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile Jar"; flow:established,to_server; content:"Host\|3a 20\|"; http_header; content:"."; http_header; distance:2; within:1; content:"Java/"; http_header; content:".jar"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; pcre:"/^\/[a-zA-Z]{7}\.jar$/U"; classtype:trojan-activity; sid:2015981; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Zuponcic Hostile JavaScript"; flow:established,to_server; urilen:11; content:"Host\|3a 20\|"; http_header; content:"."; http_header; distance:2; within:1; content:"/js/java.js"; http_uri; fast_pattern:only; pcre:"/^Host\x3a\x20[a-z]{2}\./Hm"; classtype:trojan-activity; sid:2015982; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Nagios XI Network Monitor - OS Command Injection"; flow:to_server,established; content:"/nagiosxi/includes/components/graphexplorer/visApi.php?"; http_uri; pcre:"/(\?\|&)(host\|service\|opt\|end\|start)=[^&]+?\x60.+?\x60/Ui"; reference:url,exchange.nagios.org/directory/Addons/Components/Graph-Explorer-Component/details; classtype:attempted-user; sid:2016015; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS PHISH Bank - York - Creds Phished"; flow:established,to_server; content:"POST"; http_method; content:"/secured/private/login.php"; http_uri; classtype:bad-unknown; sid:2015983; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Joomla Component SQLi Attempt"; flow:established,to_server; content:"option=com_"; http_uri; nocase; content:"union"; http_uri; nocase; distance:0; content:"select"; nocase; http_uri; distance:0; content:"from"; nocase; http_uri; distance:0; content:"jos_users"; distance:0; http_uri; nocase; fast_pattern; classtype:web-application-attack; sid:2015984; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Kuluoz.B Request"; flow:established,to_server; content:"GET"; http_method; pcre:"/^\/[a-f0-9]+$/Ui"; content:"Windows NT 9.0\|3b\|"; http_header; pcre:"/^Host\x3a\s(\d{1,3}\.){3}\d{1,3}(\x3a\d{1,5})?\r?$/Hmi"; reference:md5,0282bc929bae27ef95733cfa390b10e0; classtype:trojan-activity; sid:2015985; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET SCAN MYSQL MySQL Remote FAST Account Password Cracking"; flow:to_server,established; content:"\|11\|"; offset:3; depth:4; threshold:type both,track by_src,count 100,seconds 1; reference:url,www.securityfocus.com/archive/1/524927/30/0/threaded; classtype:protocol-command-decode; sid:2015986; rev:5;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Heap based buffer overrun Exploit Specific"; flow:to_server,established; byte_test:3,>,10000,0,little; content:"\|00 03\|"; offset:3; depth:2; pcre:"/^(USE\|PASS\|SELECT\|UPDATE\|INSERT\|ASCII\|SHOW\|CREATE\|DESCRIBE\|DROP\|ALTER)\s+?(.{1})\2{300}/Ri"; reference:url,archives.neohapsis.com/archives/fulldisclosure/2012-12/0006.html; classtype:attempted-user; sid:2015987; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CrimeBoss - Stats Load Fail"; flow:established,to_server; content:"?action=stats_loadfail"; http_uri; classtype:bad-unknown; sid:2015988; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Java Exploit Requested - 3 digit jar"; flow:established,to_server; urilen:6<>9; content:".jar"; http_uri; pcre:"/^\/[0-9]{3}\.jar$/U"; classtype:bad-unknown; sid:2015989; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS RedKit - Potential Payload Requested - /2Digit.html"; flow:established,to_server; urilen:8; content:".html"; http_uri; content:" Java/1"; http_header; pcre:"/\/[0-9]{2}\.html$/U"; classtype:bad-unknown; sid:2015990; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Robopak - Landing Page Received"; flow:established,to_client; file_data; content:"\|22\|ors.class\|22\|"; fast_pattern:only; content:"\|22\|bhjwfffiorjwe\|22\|"; classtype:bad-unknown; sid:2015991; rev:3;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL (Linux) Database Privilege Elevation (Exploit Specific)"; flow:to_server,established; content:"\|03\|"; offset:3; depth:4; content:"select \|27\|TYPE=TRIGGERS\|27\| into outfile\|27\|"; nocase; pcre:"/\s?\/.+?\.TRG\x27\s?LINES TERMINATED BY \|27 5f\|ntriggers=/Ri"; content:"CREATE DEFINER=\|60\|root\|60\|@\|60\|localhost\|60\|"; nocase; distance:0; pcre:"/\s+?trigger\s+?[^\x20]+?\s+?after\s+?insert\s+?on\s+?/Ri"; content:"UPDATE mysql.user"; nocase; fast_pattern:only; reference:cve,2012-5613; reference:url,seclists.org/fulldisclosure/2012/Dec/6; classtype:attempted-user; sid:2015992; rev:6;) + +# +alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE MySQL User Account Enumeration"; flow:from_server,established; content:"\|02\|"; offset:3; depth:4; content:"\|15 04\|Access denied for user"; fast_pattern:only; threshold:type both,track by_dst,count 10,seconds 1; reference:url,seclists.org/fulldisclosure/2012/Dec/att-9/; classtype:protocol-command-decode; sid:2015993; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET INFO MySQL Database Query Version OS compile"; flow:to_server,established; content:"\|03\|"; offset:3; depth:4; content:"select \|40 40\|version_compile_os"; nocase; pcre:"/SELECT @@version_compile_os\s?\x3b/i"; classtype:misc-activity; sid:2015994; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique DUMP INTO executable)"; flow:to_server,established; content:"\|03\|"; offset:3; depth:4; content:"SELECT data FROM"; nocase; distance:0; content:"INTO DUMPFILE"; nocase; distance:0; content:"c\|3a\|/windows/system32/"; nocase; fast_pattern; content:".exe"; nocase; distance:0; pcre:"/SELECT data FROM [^\x20]+?\x20INTO DUMPFILE [\x27\x22]c\x3a\/windows\/system32\/[a-z0-9_-]+?\.exe[\x27\x22]/i"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015995; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"ET EXPLOIT MySQL Server for Windows Remote SYSTEM Level Exploit (Stuxnet Techique)"; flow:to_server,established; content:"\|03\|"; offset:3; depth:4; content:"INSERT INTO"; nocase; distance:0; content:"#pragma namespace("; nocase; distance:0; content:"\|5c 5c 5c\|.\|5c 5c 5c 5c\|root\|5c 5c 5c 5c\|"; nocase; distance:0; content:"__EventFilter"; nocase; distance:0; content:" __InstanceModificationEvent"; nocase; distance:0; content:"TargetInstance"; nocase; distance:0; content:"Win32_LocalTime"; nocase; distance:0; content:"ActiveScriptEventConsumer"; nocase; distance:0; content:"JScript"; nocase; distance:0; content:"WScript.Shell"; nocase; distance:0; content:"WSH.run"; nocase; distance:0; content:".exe"; distance:0; content:"__FilterToConsumerBinding"; pcre:"/WSH\.run\x28\x5c+?[\x22\x27][a-z0-9_-]+?\.exe/"; reference:url,seclists.org/fulldisclosure/2012/Dec/att-13/; classtype:attempted-user; sid:2015996; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Fake Google Chrome Update/Install"; flow:established,to_server; content:"/chrome/google_chrome_"; http_uri; content:".exe"; http_uri; distance:0; pcre:"/\/chrome\/google_chrome_(update\|installer)\.exe$/U"; reference:url,www.barracudanetworks.com/blogs/labsblog?bid=3108; reference:url,www.bluecoat.com/security-blog/2012-12-05/blackhole-kit-doesnt-chrome; classtype:trojan-activity; sid:2015997; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Jar Request (2)"; flow:established,to_server; content:"/j16.php?i="; http_uri; content:"\|29 20\|Java/1"; http_header; fast_pattern:only; classtype:trojan-activity; sid:2016013; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack PDF Request (2)"; flow:established,to_server; content:"/lpdf.php?i="; http_uri; fast_pattern:only; pcre:"/lpdf.php?i=[a-zA-Z0-9]+&?$/U"; classtype:trojan-activity; sid:2016012; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS CritXPack Landing Pattern"; flow:established,to_server; content:"/i.php?token="; http_uri; fast_pattern:only; pcre:"/\/i.php?token=[a-z0-9]+$/U"; classtype:trojan-activity; sid:2015998; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN W32/Quarian HTTP Proxy Header"; flow:established,to_server; content:"Content_length\|3A 20\|"; http_header; content:"Proxy-Connetion\|3A 20\|"; http_header; reference:url,vrt-blog.snort.org/2012/12/quarian.html; classtype:trojan-activity; sid:2015999; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Win32/Necurs"; flow:to_server,established; content:"POST"; http_method; content:"/iis/host.aspx"; http_uri; fast_pattern; content:!"User-Agent\|3a\|"; http_header; content:"application/octet-stream"; http_header; reference:md5,871ecf11ddd7ffe294cab82bcaf9c310; reference:url,blogs.technet.com/b/mmpc/archive/2012/12/06/unexpected-reboot-necurs.aspx; classtype:trojan-activity; sid:2016000; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"ET TROJAN Win32/Trojan.Agent.AXMO CnC Beacon"; flow:established,to_server; content:"POST"; content:"/log HTTP/1."; distance:0; fast_pattern; content:"User-Agent\|3A 20\|Mozilla/4.0\|0D 0A\|"; distance:0; reference:url,contagiodump.blogspot.co.uk/2012/12/osxdockstera-and-win32trojanagentaxmo.html; classtype:trojan-activity; sid:2016014; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS PDF /XFA and PDF-1.[0-4] Spec Violation (seen in pamdql and other EKs)"; flow:established,to_client; file_data; content:"%PDF-1."; within:7; pcre:"/^[0-4][^0-9]/R"; content:"/XFA"; distance:0; fast_pattern; pcre:"/^[\r\n\s][\d\x5b]/R"; classtype:trojan-activity; sid:2016001; rev:4;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation admin_header.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/admin/admin_header.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s(?:(?:ht\|f)tps?\|data\|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016002; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation ajax_list_tree.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/ajax_list_tree.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s(?:(?:ht\|f)tps?\|data\|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016003; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS ViArt Shop Evaluation previews_functions.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/includes/previews_functions.php?"; nocase; http_uri; content:"root_folder_path="; fast_pattern:only; nocase; http_uri; pcre:"/root\_folder\_path=\s(?:(?:ht\|f)tps?\|data\|php)\x3a\//Ui"; reference:url,packetstormsecurity.org/files/116871/ViArt-Shop-Evaluation-4.1-Remote-File-Inclusion.html; classtype:web-application-attack; sid:2016004; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Achievo atknodetype parameter Local File Inclusion Vulnerability"; flow:established,to_server; content:"/dispatch.php?"; nocase; http_uri; content:"atkaction=search"; fast_pattern:only; nocase; http_uri; content:"atknodetype="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/117822/Achievo-1.4.5-XSS-LFI-SQL-Injection.html; classtype:web-application-attack; sid:2016005; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional_tests.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/tests/test_tools/functional_tests.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016006; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS PRADO PHP Framework functional.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/demos/time-tracker/tests/functional.php?"; nocase; http_uri; content:"sr="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/118348/PRADO-PHP-Framework-3.2.0-File-Read.html; classtype:web-application-attack; sid:2016007; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory consulta_fact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/consulta_fact.php?"; nocase; http_uri; fast_pattern:only; content:"fact_num="; nocase; http_uri; pcre:"/fact_num\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016008; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newinventario.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newinventario.php?"; nocase; http_uri; fast_pattern:only; content:"sn="; nocase; http_uri; pcre:"/sn\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016009; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Inventory newtransact.php Cross Site Scripting Attempt"; flow:established,to_server; content:"/newtransact.php?"; nocase; http_uri; fast_pattern:only; content:"ref="; nocase; http_uri; pcre:"/ref\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117683/Inventory-1.0-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016010; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN SmokeBot grab data plaintext"; flow:established,to_server; content:"cmd=grab&data="; fast_pattern:only; http_client_body; content:"&login="; http_client_body; classtype:trojan-activity; sid:2016011; rev:3;) + +# +alert udp any any -> $HOME_NET 53 (msg:"ET CURRENT_EVENTS DNS Amplification Attack Inbound"; content:"\|01 00 00 01 00 00 00 00 00 01\|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"\|00 ff 00 01 00 00 29 10\|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016016; rev:4;) + +# +alert udp $HOME_NET 53 -> any any (msg:"ET CURRENT_EVENTS DNS Amplification Attack Outbound"; content:"\|01 00 00 01 00 00 00 00 00 01\|"; depth:10; offset:2; pcre:"/^[^\x00]+?\x00/R"; content:"\|00 ff 00 01 00 00 29 10\|"; within:8; fast_pattern; threshold: type limit, track by_src, seconds 60, count 1; classtype:bad-unknown; sid:2016017; rev:4;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Embedded Open Type Font file .eot seeing at Cool Exploit Kit"; flow:established,to_client; file_data; content:"\|02 00 02 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00\|"; offset:8; depth:18; content:"\|4c 50\|"; distance:8; within:2; content:"\|10 00 40 00\|D\|00\|e\|00\|x\|00\|t\|00\|e\|00\|r\|00 00\|"; distance:0; content:"\|00\|R\|00\|e\|00\|g\|00\|u\|00\|l\|00\|a\|00\|r\|00\|"; distance:0; content:"V\|00\|e\|00\|r\|00\|s\|00\|i\|00\|o\|00\|n\|00 20 00\|1\|00 2e 00\|0"; reference:cve,2011-3402; classtype:attempted-user; sid:2016018; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeScan - Landing Page - Title - Microsoft Antivirus 2013"; flow:established,to_client; file_data; content:"<title>Microsoft Antivirus 2013</title>"; classtype:bad-unknown; sid:2016020; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS FakeScan - Payload Download Received"; flow:established,to_client; content:"attachment"; http_header; content:"freescan"; http_header; fast_pattern; file_data; content:"MZ"; within:2; classtype:bad-unknown; sid:2016021; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - Redirection IFRAME"; flow:established,to_client; file_data; content:"{\|22\|iframe\|22 3a\|true,\|22\|url\|22\|"; within:20; classtype:bad-unknown; sid:2016022; rev:2;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS MALVERTISING FlashPost - POST to .stats"; flow:established,to_server; content:"POST"; http_method; content:".stats"; http_uri; content:"pageURL="; http_client_body; classtype:bad-unknown; sid:2016023; rev:2;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - Loading"; flow:established,to_client; file_data; content:"<title>Loading...!</title>"; classtype:bad-unknown; sid:2016024; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Blackhole - TDS Redirection To Exploit Kit - /head/head1.html"; flow:established,to_server; content:"/head/head1.html"; http_uri; classtype:bad-unknown; sid:2016025; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS NuclearPack - Landing Page Received - <applet and 32HexChar.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; content:"param"; pcre:"/[a-f0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016026; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET CURRENT_EVENTS g01pack - Landing Page Received - <applet and 32AlphaNum.jar"; flow:established,to_client; file_data; content:"<applet"; fast_pattern:only; content:".jar"; pcre:"/[a-z0-9]{32}\.jar/"; classtype:bad-unknown; sid:2016027; rev:3;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET EXPLOIT Metasploit -Java Atomic Exploit Downloaded"; flow:established,to_client; file_data; content:"PK"; within:2; content:"msf\|2f\|x\|2f\|"; distance:0; classtype:bad-unknown; sid:2016028; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Kelihos.K Executable Download DGA"; flow:established,to_server; content:".exe"; http_uri; fast_pattern:only; content:"Host\|3a 20\|"; http_header; content:".ru\|0d 0a\|"; http_header; distance:7; within:6; pcre:"/^Host\x3a\x20(?:u(?:wf(?:ekfyj\|ubpeb)\|d(?:xowub\|zycaf)\|h(?:duxic\|zubvo)\|x(?:fokur\|osgik)\|celgos\|ggifym\|mpefan\|qlahaf)\|s(?:u(?:t(?:fasof\|imjy)\|kbewli)\|i(?:ttanyg\|webheb\|hemuj)\|e(?:suhror\|xjereh)\|o(?:haxim\|qvaqo)\|axyjuw)\|r(?:i(?:zsebym\|firac\|sytfa\|trios)\|e(?:bfelqi\|kvyfo)\|u(?:xymqic\|jfeag)\|y(?:buhoq\|kafeh)\|acadpuh)\|j(?:y(?:meegom\|vvozoz\|kyvca\|torqu)\|a(?:mwazer\|ibzup)\|e(?:btelyx\|dytlu)\|o(?:dkymy\|kenqi))\|o(?:t(?:geguuz\|xolpow\|pipug)\|q(?:lapjim\|jogxi)\|cgaextu\|gdowkys\|jpaxlam\|vquqaip\|smuryf)\|i(?:r(?:ojvuqu\|hegre)\|v(?:kikcop\|nuvuk)\|hmytog\|kevzaq\|mgohut\|pdehas\|wvahin\|zxirfy)\|b(?:y(?:(?:cmolh\|vbym)y\|gotbys\|jlegta)\|i(?:pulte\|wuvba)\|o(?:pwyeb\|wbaiv))\|p(?:e(?:dugtap\|gyrgun\|vhyvys)\|y(?:nxomoj\|ykxug)\|a(?:gube\|waha)v\|ogwytfy)\|d(?:e(?:afesqy\|hjujuq)\|o(?:hwapih\|xilik)\|a(?:lwoza\|rabub)\|inymak)\|t(?:a(?:hfifak\|ixcih)\|i(?:wciwu\|koqo)x\|ecviqir\|ozfyma\|uriwil)\|g(?:i(?:jevsog\|nnyjyb)\|olhysux\|ywilhof\|azuzoz\|edopan\|ubahvi)\|y(?:(?:n(?:japru\|kicy)\|kocna)r\|bsahov\|dabxag\|xyqwiz\|zsabuq)\|h(?:a(?:hsekju\|poneg)\|e(?:ztymut\|dybih)\|uquqxov\|itakat)\|w(?:a(?:pifnu\|rkafo)c\|e(?:tifjam\|fecfo)\|ibveces\|yjenqo)\|a(?:d(?:nedat\|tesok)\|qzepylu\|baxhad\|smukuf\|wewsip)\|l(?:u(?:(?:fseki\|pylzu)m\|ditla)\|eqgugom\|opoqyv)\|z(?:u(?:pivzed\|qijcel)\|aefofin\|idamuk\|ylhomu)\|v(?:u(?:njuet\|ohsub)\|ijsixem\|otqygiq\|euwhyz)\|m(?:u(?:zupdyg\|hipew\|wosiv)\|osjinme\|abuhos)\|x(?:o(?:fsimi\|gitaj\|moqol)\|ikmonej\|enacoz)\|f(?:e(?:vnotow\|tucxo)\|i(?:dedhah\|xavpu))\|k(?:u(?:btyhuz\|irfufo)\|ejejib\|ycufvy)\|n(?:(?:iliqri\|obzeky)x\|eluzjiv)\|c(?:ylqiduh\|aqxaro\|itsibe)\|q(?:aijroke\|iquzcy\|uohdit)\|e(?:gnisje\|stesgo\|vdyvaz))\.ru\r$/Hm"; classtype:trojan-activity; sid:2016029; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS LOIC POST"; flow:established,to_server; content:"POST"; http_method; content:"13"; depth:2; http_client_body; content:"=MSG"; fast_pattern; http_client_body; distance:11; within:4; pcre:"/^13\d{11}/P"; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016030; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS LOIC GET"; flow:established,to_server; content:"GET"; http_method; content:"/?msg=MSG"; http_uri; threshold:type limit, track by_src, count 1, seconds 300; classtype:web-application-attack; sid:2016031; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS JCE Joomla Scanner"; flow:established,to_server; content:"User-Agent\|3a\| BOT/0.1 (BOT for JCE)"; http_header; classtype:web-application-attack; sid:2016032; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET CURRENT_EVENTS Simple Slowloris Flooder"; flow:established,to_server; content:"POST"; http_method; content:"Content-length\|3A\| 5235\|0D 0A\|"; depth:22; http_header; content:!"User-Agent\|3a\|"; http_header; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.imperva.com/docs/HII_Denial_of_Service_Attacks-Trends_Techniques_and_Technologies.pdf; classtype:web-application-attack; sid:2016033; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN Faked Russian Opera UA without Accept - probable downloader"; flow:established,to_server; content:"User-Agent\|3a 20\|Opera/9.80"; http_header; content:"Edition Yx\|3b\| ru"; fast_pattern; http_header; distance:0; content:!"Accept\|3a\|"; http_header; flowbits:set,et.exploitkitlanding; classtype:trojan-activity; sid:2016034; rev:1;) + +# +alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible SibHost PDF Request"; flow:established,to_server; content:".pdf?p=1&s="; http_uri; fast_pattern:only; pcre:"/\.pdf\?p=1&s=[1-2]$/U"; classtype:trojan-activity; sid:2016035; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-admin.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-admin.js.php?"; nocase; http_uri; fast_pattern:47,18; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s(?:(?:ht\|f)tps?\|data\|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016037; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS WordPress FSML Plugin fsml-hideshow.js.php Remote File Inclusion Attempt"; flow:established,to_server; content:"/wp-content/plugins/floating-social-media-links/fsml-hideshow.js.php?"; nocase; http_uri; fast_pattern:47,21; content:"wpp="; nocase; http_uri; pcre:"/wpp=\s*(?:(?:ht\|f)tps?\|data\|php)\x3a\//Ui"; reference:url,secunia.com/advisories/51346; classtype:web-application-attack; sid:2016038; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Havalite userId parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/hava_user.php?"; nocase; http_uri; fast_pattern:only; content:"userId="; nocase; http_uri; pcre:"/userId\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118714/Havalite-1.1.7-Cross-Site-Scripting-Shell-Upload.html; classtype:web-application-attack; sid:2016039; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS SimpleInvoices having parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/index.php?"; nocase; http_uri; content:"module="; nocase; http_uri; content:"view="; nocase; http_uri; content:"having="; nocase; http_uri; fast_pattern:only; pcre:"/having\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/118737/SimpleInvoices-2011.1-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016040; rev:1;) + +# +alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"ET ACTIVEX Possible NVIDIA Install Application ActiveX Control AddPackages Unicode Buffer Overflow"; flow:to_client,established; file_data; content:"CLSID"; nocase; content:"A9C8F210-55EB-4849-8807-EC49C5389A79"; nocase; distance:0; content:".AddPackages"; nocase; distance:0; reference:url,packetstormsecurity.org/files/118648/NVIDIA-Install-Application-2.1002.85.551-Buffer-Overflow.html; classtype:attempted-user; sid:2016041; rev:2;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Manhali download.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/includes/download.php?"; nocase; http_uri; content:"f="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/116724/Manhali-1.8-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016042; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS code.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/code.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016043; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS RIPS function.php Local File Inclusion Vulnerability"; flow:established,to_server; content:"GET"; nocase; http_method; content:"/windows/function.php?"; nocase; http_uri; content:"file="; nocase; http_uri; content:"\|2e 2e 2f\|"; depth:200; reference:url,packetstormsecurity.org/files/111164/RIPS-0.53-Local-File-Inclusion.html; classtype:web-application-attack; sid:2016044; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Admidio headline parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/adm_program/modules/guestbook/guestbook_new.php?"; nocase; http_uri; fast_pattern:30,18; content:"headline="; nocase; http_uri; pcre:"/headline\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/116155/Admidio-2.3.5-Cross-Site-Scripting-SQL-Injection.html; classtype:web-application-attack; sid:2016045; rev:1;) + +# +alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SPECIFIC_APPS Simplemachines view parameter Cross Site Scripting Attempt"; flow:established,to_server; content:"/ssi_examples.php?"; nocase; http_uri; fast_pattern:only; content:"view="; nocase; http_uri; pcre:"/view\x3d.+?(?:on(?:(?:s(?:elec\|ubmi)\|rese)t\|d(?:blclick\|ragdrop)\|(?:mouse\|key)[a-z]\|c(?:hange\|lick)\|(?:un)?load\|focus\|blur)\|s(?:cript\|tyle=))/Ui"; reference:url,packetstormsecurity.org/files/117618/SMF-2.0.2-Cross-Site-Scripting.html; classtype:web-application-attack; sid:2016036; rev:1;) +
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/fwsnort ^
@@ -14,7 +14,7 @@ # # Credits: (see the CREDITS file) # -# Version: 1.6.2 +# Version: 1.6.3 # # Copyright (C) 2003-2012 Michael Rash (mbr@cipherdyne.org) # @@ -27,7 +27,7 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 # USA # # TODO: @@ -102,7 +102,7 @@ my $fwsnort_conf = $CONFIG_DEFAULT; ### version number -my $version = '1.6.2'; +my $version = '1.6.3'; my %ipt_hdr_opts = ( 'src' => '-s', @@ -122,34 +122,34 @@ ### application layer 'uricontent' => { ### use --strict to not translate this 'iptopt' => '-m string', - 'regex' => '[\s;]uricontent:\s\"(.?)\"\s;' + 'regex' => qr/[\s;]uricontent:\s\"(.?)\"\s;/ }, 'content' => { 'iptopt' => '-m string', - 'regex' => '[\s;]content:\s\"(.?)\"\s;' + 'regex' => qr/[\s;]content:\s\"(.?)\"\s;/ }, 'fast_pattern' => { 'iptopt' => '', ### fast_pattern just governs ordering of ### content matches - 'regex' => '[\s;]fast_pattern(?::\s.?\s)?;', + 'regex' => qr/[\s;]fast_pattern(?::\s.?\s)?;/, }, 'pcre' => { ### only basic PCRE's that just have strings separated ### by "." or ".+" are supported. 'iptopt' => '-m string', - 'regex' => '[\s;]pcre:\s\"(.?)\"\s;' + 'regex' => qr/[\s;]pcre:\s\"(.?)\"\s;/ }, 'nocase' => { 'iptopt' => '--icase', - 'regex' => '[\s;]nocase\s;', + 'regex' => qr/[\s;]nocase\s;/, }, 'offset' => { 'iptopt' => '--from', - 'regex' => '[\s;]offset:\s(\d+)\s;' + 'regex' => qr/[\s;]offset:\s(\d+)\s;/ }, 'depth' => { 'iptopt' => '--to', - 'regex' => '[\s;]depth:\s(\d+)\s;' + 'regex' => qr/[\s;]depth:\s(\d+)\s;/ }, ### technically, the "distance" and "within" criteria @@ -161,115 +161,143 @@ ### use the --strict option. 'distance' => { 'iptopt' => '--from', - 'regex' => '[\s;]distance:\s(\d+)\s;' + 'regex' => qr/[\s;]distance:\s(\d+)\s;/ }, 'within' => { 'iptopt' => '--to', - 'regex' => '[\s;]within:\s(\d+)\s;' + 'regex' => qr/[\s;]within:\s(\d+)\s;/ }, 'replace' => { ### for Snort running in inline mode 'iptopt' => '--replace-string', - 'regex' => '[\s;]replace:\s\"(.?)\"\s;' + 'regex' => qr/[\s;]replace:\s\"(.?)\"\s;/ }, 'resp' => { 'iptopt' => '-j REJECT', - 'regex' => '[\s;]resp:\s(.?)\s;' + 'regex' => qr/[\s;]resp:\s(.?)\s;/ }, ### transport layer 'flags' => { 'iptopt' => '--tcp-flags', - 'regex' => '[\s;]flags:\s(.?)\s;' + 'regex' => qr/[\s;]flags:\s(.?)\s;/ }, 'flow' => { 'iptopt' => '--tcp-flags', - 'regex' => '[\s;]flow:\s(.?)\s;' + 'regex' => qr/[\s;]flow:\s(.?)\s;/ }, ### network layer 'itype' => { 'iptopt' => '--icmp-type', ### --icmp-type type/code - 'regex' => '[\s;]itype:\s(.?)\s;' + 'regex' => qr/[\s;]itype:\s(.?)\s;/ }, 'icode' => { 'iptopt' => 'NONE', - 'regex' => '[\s;]icode:\s(.?)\s;' + 'regex' => qr/[\s;]icode:\s(.?)\s;/ }, 'ttl' => { 'iptopt' => '-m ttl', ### requires CONFIG_IP_NF_MATCH_TTL - 'regex' => '[\s;]ttl:\s(.?)\s;' + 'regex' => qr/[\s;]ttl:\s(.?)\s;/ }, 'tos' => { 'iptopt' => '-m tos --tos', ### requires CONFIG_IP_NF_MATCH_TOS - 'regex' => '[\s;]tos:\s(\d+)\s;' + 'regex' => qr/[\s;]tos:\s(\d+)\s;/ }, 'ipopts' => { 'iptopt' => '-m ipv4options', ### requires ipv4options extension - 'regex' => '[\s;]ipopts:\s(\w+)\s;' + 'regex' => qr/[\s;]ipopts:\s(\w+)\s;/ }, 'ip_proto' => { 'iptopt' => '-p', - 'regex' => '[\s;]ip_proto:\s(.?)\s;' + 'regex' => qr/[\s;]ip_proto:\s(.?)\s;/ }, 'dsize' => { ### requires CONFIG_IP_NF_MATCH_LENGTH 'iptopt' => '-m length --length', - 'regex' => '[\s;]dsize:\s(.?)\s;' + 'regex' => qr/[\s;]dsize:\s(.?)\s;/ }, }, ### snort options that can be put into iptables ### ruleset, but only in log messages with --log-prefix 'logprefix' => { - 'sid' => '[\s;]sid:\s(\d+)\s;', - 'msg' => '[\s;]msg:\s\"(.?)\"\s;', ### we create a space - 'classtype' => '[\s;]classtype:\s(.?)\s;', - 'reference' => '[\s;]reference:\s(.?)\s;', - 'priority' => '[\s;]priority:\s(\d+)\s;', - 'rev' => '[\s;]rev:\s(\d+)\s;', + 'sid' => qr/[\s;]sid:\s(\d+)\s;/, + 'msg' => qr/[\s;]msg:\s\"(.?)\"\s;/, ### we create a space + 'classtype' => qr/[\s;]classtype:\s(.?)\s;/, + 'reference' => qr/[\s;]reference:\s(.?)\s;/, + 'priority' => qr/[\s;]priority:\s(\d+)\s;/, + 'rev' => qr/[\s;]rev:\s(\d+)\s;/, }, ### snort options that cannot be included directly ### within iptables filter statements (yet :) 'unsupported' => { - 'asn1' => '[\s;]asn1:\s.?\s;', - 'fragbits' => '[\s;]fragbits:\s.?\s;', - 'content-list' => '[\s;]content\-list:\s\".?\"\s;', - 'rpc' => '[\s;]rpc:\s.?\s;', - 'byte_test' => '[\s;]byte_test\s.?\s;', - 'byte_jump' => '[\s;]byte_jump\s.?\s;', - 'window' => '[\s;]window:\s.?\s;', - 'flowbits' => '[\s;]flowbits:\s.?\s;', -# 'offset' => '[\s;]offset:\s\d+\s;', -# 'depth' => '[\s;]depth:\s\d+\s;', + 'asn1' => qr/[\s;]asn1:\s.?\s;/, + 'fragbits' => qr/[\s;]fragbits:\s.?\s;/, + 'content-list' => qr/[\s;]content\-list:\s\".?\"\s;/, + 'rpc' => qr/[\s;]rpc:\s.?\s;/, + 'byte_test' => qr/[\s;]byte_test\s.?\s;/, + 'byte_jump' => qr/[\s;]byte_jump\s.?\s;/, + 'byte_extract' => qr/[\s;]byte_extract\s.?\s;/, + 'file_data' => qr/[\s;]file_data\s;/, + 'window' => qr/[\s;]window:\s.?\s;/, + 'flowbits' => qr/[\s;]flowbits:\s.?\s;/, + 'tag' => qr/[\s;]tag:\s.?\s;/, + 'ftpbounce' => qr/[\s;]ftpbounce\s;/, + 'base64_data' => qr/[\s;]base64_data\s;/, + 'base64_decode' => qr/[\s;]base64_decode:\s.?\s;/, +# 'offset' => qr/[\s;]offset:\s\d+\s;/, +# 'depth' => qr/[\s;]depth:\s\d+\s;/, ### the following fields get logged by iptables but ### we cannot filter them directly except with the ### iptables u32 module. Functionality has been built ### into psad to generate alerts for most of these Snort ### options. - 'id' => '[\s;]id:\s(\d+)\s;', - 'seq' => '[\s;]seq:\s(\d+)\s;', ### --log-tcp-sequence - 'ack' => '[\s;]ack:\s.?\s;', ### --log-tcp-sequence - 'icmp_seq' => '[\s;]icmp_seq:\s(\d+)\s;', - 'icmp_id' => '[\s;]icmp_id:\s(\d+)\s;', - 'sameip' => '[\s;]sameip\s;', - 'regex' => '[\s;]regex:\s(.?)\s;', - 'isdataat' => '[\s;]isdataat:\s(.?)\s;', - 'threshold' => '[\s;]threshold:\s.?\s;', ### FIXME --limit - 'detection_filter' => '[\s;]detection_filter:\s.?\s;' ### FIXME --limit + 'id' => qr/[\s;]id:\s(\d+)\s;/, + 'seq' => qr/[\s;]seq:\s(\d+)\s;/, ### --log-tcp-sequence + 'ack' => qr/[\s;]ack:\s.?\s;/, ### --log-tcp-sequence + 'icmp_seq' => qr/[\s;]icmp_seq:\s(\d+)\s;/, + 'icmp_id' => qr/[\s;]icmp_id:\s(\d+)\s;/, + 'sameip' => qr/[\s;]sameip\s;/, + 'regex' => qr/[\s;]regex:\s(.?)\s;/, + 'isdataat' => qr/[\s;]isdataat:\s(.?)\s;/, + 'threshold' => qr/[\s;]threshold:\s.?\s;/, ### FIXME --limit + 'detection_filter' => qr/[\s;]detection_filter:\s.?\s;/ ### FIXME --limit }, ### snort options that fwsnort will ignore 'ignore' => { - 'rawbytes' => '[\s;]rawbytes\s;', ### iptables does a raw match anyway - 'logto' => '[\s;]logto:\s\S+\s;', - 'session' => '[\s;]session\s;', - 'tag' => '[\s;]tag:\s.?\s;', - 'react' => '[\s;]react:\s.?\s;', ### FIXME -j REJECT - 'http_uri' => '[\s;]http_uri\s;', - 'http_method' => '[\s;]http_method\s;', - 'urilen' => '[\s;]urilen:\s.?\s;', - } + 'rawbytes' => qr/[\s;]rawbytes\s;/, ### iptables does a raw match anyway + 'logto' => qr/[\s;]logto:\s\S+\s;/, + 'session' => qr/[\s;]session\s;/, + 'tag' => qr/[\s;]tag:\s.?\s;/, + 'react' => qr/[\s;]react:\s.?\s;/, ### FIXME -j REJECT + 'http_uri' => qr/[\s;]http_uri\s;/, + 'http_raw_uri' => qr/[\s;]http_raw_uri\s;/, + 'http_method' => qr/[\s;]http_method\s;/, + 'http_stat_code' => qr/[\s;]http_stat_code\s;/, + 'http_stat_msg' => qr/[\s;]http_stat_msg\s;/, + 'http_client_body' => qr/[\s;]http_client_body\s;/, + 'http_cookie' => qr/[\s;]http_cookie\s;/, + 'urilen' => qr/[\s;]urilen:\s.?\s;/, + }, + + ### in --strict mode, signatures that include any of these + ### options are not translated to iptables rules + 'strict_list' => [ + 'uricontent', + 'pcre', + 'distance', + 'within', + 'http_uri', + 'http_raw_uri', + 'http_method', + 'http_stat_code', + 'http_stat_msg', + 'http_client_body', + 'http_cookie', + 'urilen' + ] ); ### rules update link @@ -356,8 +384,11 @@ my $home_net = ''; ### normally comes from fwsnort.conf my $ext_net = ''; ### normally comes from fwsnort.conf my $ipt_exec = 0; +my $ipt_revert = 0; my $ipt_drop = 0; my $ipt_reject = 0; +my $ipt_max_buf_len = 1025; +my $ipt_cap_search_factor = 128; my $help = 0; my $stdout = 0; my $lib_dir = ''; @@ -475,7 +506,11 @@ ### check to make sure iptables has various functionality available ### such as the LOG target, --hex-strings, the comment match, etc. -&ipt_capabilities() unless $no_ipt_test; +if ($no_ipt_test) { + &set_defaults_without_ipt_test(); +} else { + &ipt_capabilities(); +} ### cache the running iptables policy in iptables-save format &cache_ipt_save_policy(); @@ -605,7 +640,7 @@ if ($exclude_types) { next FILE if defined $exclude_types{$type}; } - if ($rfile eq 'deleted.rules') { + if ($rfile =~ m\|deleted\.rules\|) { next FILE unless $add_deleted; } ($snort_type) = ($rfile =~ m\|./(\S+)\.rules\|); @@ -643,7 +678,7 @@ ### regex filters if ($exclude_re) { - next RULE unless $rule =~ $exclude_re; + next RULE if $rule =~ $exclude_re; } if ($include_re) { @@ -682,10 +717,8 @@ } ### parse options portion of Snort rule - my ($parse_rv, $opts_hr, $patterns_ar) - = &parse_rule_options($rule_options, - &get_avg_hdr_len($hdr_hr), - $line_num); + my ($parse_rv, $opts_hr, $patterns_ar) = &parse_rule_options( + $rule_options, &get_avg_hdr_len($hdr_hr), $line_num); unless ($parse_rv) { $unsup_ctr++; @@ -822,7 +855,7 @@ my @patterns = (); ### get the sid here for logging purposes - if ($rule_options =~ /$snort_opts{'logprefix'}{'sid'}/) { + if ($rule_options =~ $snort_opts{'logprefix'}{'sid'}) { $sid = $1; } else { return 0, \%opts, \@patterns; @@ -847,7 +880,7 @@ my $found_unsupported = ''; for my $opt (keys %{$snort_opts{'unsupported'}}) { ### see if we match a regex belonging to an unsupported option - if ($rule_options =~ /$snort_opts{'unsupported'}{$opt}/) { + if ($rule_options =~ $snort_opts{'unsupported'}{$opt}) { $found_unsupported .= "'$opt', "; } } @@ -871,7 +904,7 @@ for my $opt (keys %{$snort_opts{'filter'}}) { ### see if we match the option regex - if ($rule_options =~ /$snort_opts{'filter'}{$opt}{'regex'}/) { + if ($rule_options =~ $snort_opts{'filter'}{$opt}{'regex'}) { $opts{$opt} = 1; $opts{$opt} = $1 if defined $1; ### some keywords may not have an option } @@ -971,7 +1004,7 @@ } for my $opt (keys %{$snort_opts{'logprefix'}}) { - if ($rule_options =~ /$snort_opts{'logprefix'}{$opt}/) { + if ($rule_options =~ $snort_opts{'logprefix'}{$opt}) { $opts{$opt} = $1; } } @@ -1520,7 +1553,11 @@ ### define iptables source and destination if ($snort_hdr_hr->{'dst'} =~ /any/i) { if ($snort_hdr_hr->{'src'} =~ /any/i) { - push @{$process_rules{'INPUT'}}, '' if $process_chains{'INPUT'}; + if ($orig_snort_rule =~ m\|\$HOME_NET.\-\>\s+\$EXTERNAL_NET\|) { + push @{$process_rules{'OUTPUT'}}, '' if $process_chains{'OUTPUT'}; + } else { + push @{$process_rules{'INPUT'}}, '' if $process_chains{'INPUT'}; + } push @{$process_rules{'FORWARD'}}, '' if $process_chains{'FORWARD'}; } else { @@ -2217,34 +2254,42 @@ 'nocase' => 0, ); - if ($ipt_str =~ /\s\!\s"/) { - $ipt_str =~ s/\s\!\s"//; + if ($ipt_str =~ /^\s\!\s"/) { + $ipt_str =~ s/^\s\!\s"//; $pattern{'negative_match'} = 1; } - $ipt_str =~ s/`/\|60\|/g; ### ` -> \|60\| - $ipt_str =~ s/'/\|27\|/g; ### ' -> \|27\| - $ipt_str =~ s/\x2d/\|2d\|/g; ### - -> \|2d\| - $ipt_str =~ s/\x24/\|24\|/g; ### $ -> \|24\| - ### convert all escaped chars to their hex equivalents $ipt_str =~ s/\x5c(.)/sprintf "\|%02x\|", (ord($1))/eg; - my $ctr = 0; - while ($ipt_str =~ m/\\|\\|/) { - ### consolidate consecutive hex blocks - if ($ipt_str =~ /\\|.+?\\|\\|.+?\\|/) { - $ipt_str =~ s/\\|(.+?)\\|\\|(.+?)\\|/\|$1 $2\|/; - } - $ctr++; - last if $ctr > 10; - } + ### consolidate any consecutive "\|aa\|\|bb\|" sequences + $ipt_str =~ s/\\|\\|//g; ### remove all spaces between hex codes (they simply waste space ### on the command line, and they aren't part of the string to ### search in network traffic anyway). $ipt_str = &consolidate_hex_spaces($ipt_str); + ### if there are any existing hex blocks or if there are any chars + ### that require a new hex block, then just convert the whole string + ### to hex syntax for simplicity + if ($ipt_str =~ /\\|/ or &have_hex_char($ipt_str)) { + $ipt_str = &convert_str_to_hex($ipt_str); + } + + ### if we ever have more than one hex block then there was some + ### pattern translation error + my $hex_ctr = 0; + while ($ipt_str =~ /\\|/g) { + $hex_ctr++; + last if $hex_ctr >= 10; + } + + if ($hex_ctr > 2) { + return 0, "too many hex blocks, could not translate: $snort_str", + \%pattern; + } + ### handles length of hex blocks my $content_len = &get_content_len($ipt_str); if ($content_len >= $ipt_max_str_len @@ -2393,6 +2438,7 @@ sub consolidate_hex_spaces() { my $str = shift; + my $new_str = ''; my $hex_mode = 0; my @chars = split //, $str; @@ -2408,6 +2454,42 @@ return $new_str; } +sub have_hex_char() { + my $str = shift; + return 1 if $str =~ /[^A-Za-z0-9]/; + return 0; +} + +sub convert_str_to_hex() { + my $str = shift; + + my $new_str = ''; + my $hex_mode = 0; + my @chars = split //, $str; + CHAR: for my $char (@chars) { + if ($char eq '\|') { + if ($hex_mode) { + $new_str .= $char; + $hex_mode = 0; + } else { + $new_str .= $char; + $hex_mode = 1; + } + next CHAR; + } + if ($hex_mode) { + $new_str .= $char; + } else { + $new_str .= sprintf "\|%02x\|", ord($char); + } + } + + ### consolidate any consecutive "\|aa\|\|bb\|" sequences + $new_str =~ s/\\|\\|//g; + + return $new_str; +} + sub translate_perl_trigger() { my $str = shift; my $trigger_str = ''; @@ -2967,6 +3049,7 @@ qq\|--state $conntrack_state -j \| . qq\|$config{"FWSNORT_${chain}_ESTAB"}\|; } + next unless $rule_str; push @ipt_script_lines, qq\|\$${ipt_var_str} $rule_str\|; push @{$save_format_conntrack_jumps{$config{"FWSNORT_$chain"}}}, @@ -3310,6 +3393,15 @@ } else { die "[] $config{'FWSNORT_SAVE_EXEC_FILE'} does not exist."; } + } elsif ($ipt_revert) { + die "[] You need to be root for --ipt-revert" unless $is_root; + if (-e $config{'FWSNORT_SAVE_EXEC_FILE'}) { + print "[+] Executing $config{'FWSNORT_SAVE_EXEC_FILE'}\n"; + system "$config{'FWSNORT_SAVE_EXEC_FILE'} -r"; + exit 0; + } else { + die "[] $config{'FWSNORT_SAVE_EXEC_FILE'} does not exist."; + } } if ($enable_ip6tables) { @@ -3401,11 +3493,16 @@ if ($strict) { ### make the snort options parser very strict - for my $opt (qw(uricontent pcre - distance within http_uri http_method urilen)) { - $snort_opts{'unsupported'}{$opt} - = $snort_opts{'filter'}{$opt}; - delete $snort_opts{'filter'}{$opt}; + for my $opt (@{$snort_opts{'strict_list'}}) { + if (defined $snort_opts{'filter'}{$opt}) { + $snort_opts{'unsupported'}{$opt} + = $snort_opts{'filter'}{$opt}; + delete $snort_opts{'filter'}{$opt}; + } elsif (defined $snort_opts{'ignore'}{$opt}) { + $snort_opts{'unsupported'}{$opt} + = $snort_opts{'ignore'}{$opt}; + delete $snort_opts{'ignore'}{$opt}; + } } my @ignore = (qw(nocase)); @@ -3456,6 +3553,8 @@ die "[] Use --help for usage information.\n" unless (GetOptions( 'ipt-apply' => \$ipt_exec, # Apply the generated ruleset. + 'ipt-exec' => \$ipt_exec, # Apply the generated ruleset. + 'ipt-revert' => \$ipt_revert, # Apply the generated ruleset. 'ipt-drop' => \$ipt_drop, # Add iptables DROP rules. 'ipt-reject' => \$ipt_reject, # Add iptables REJECT rules. 'ipt-script=s' => \$ipt_script, # Manually specify the path to the @@ -3648,11 +3747,16 @@ die "[] sub-ver $sub_var not allowed within same ", "variable $var" if $sub_var eq $var; if (defined $config{$sub_var}) { - $val =~ s\|\$$sub_var\|$config{$sub_var}\|; + if ($sub_var eq 'INSTALL_ROOT' + and $config{$sub_var} eq '/') { + $val =~ s\|\$$sub_var\|\|; + } else { + $val =~ s\|\$$sub_var\|$config{$sub_var}\|; + } $hr->{$var} = $val; } else { die "[] sub-var \"$sub_var\" not defined in ", - "config for var: $var."; + "config for var: $var." } $has_sub_var = 1; } @@ -3673,7 +3777,7 @@ FWSNORT_FORWARD_JUMP MAX_STRING_LEN CONF_DIR RULES_DIR ARCHIVE_DIR QUEUE_RULES_DIR LOG_DIR LIBS_DIR CONF_FILE FWSNORT_SCRIPT LOG_FILE FWSNORT_SAVE_FILE FWSNORT_SAVE_EXEC_FILE IPT_BACKUP_SAVE_FILE - UPDATE_RULES_URL STATE_DIR + UPDATE_RULES_URL STATE_DIR INSTALL_ROOT )); for my $var (@required_vars) { die "[] Variable $var not defined in $fwsnort_conf. Exiting.\n" @@ -3698,7 +3802,13 @@ if $verbose or $ipt_check_capabilities; ### check for the max --log-prefix string length - &ipt_find_max_log_prefix_len(); + $ipt_max_log_prefix_len = &ipt_find_max_len( + $ipt_max_log_prefix_len, qq\|-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s \| . + qq\|$non_host -p tcp --dport 1234 -j LOG --log-prefix "\|, qq\|"\| + ); + + print " Max supported LOG prefix length: $ipt_max_log_prefix_len\n" + if $verbose or $ipt_check_capabilities; } else { &delete_test_chain(); @@ -3716,8 +3826,14 @@ print "[+] $ipt_str has 'comment' match support...\n" if $verbose or $ipt_check_capabilities; - ### now find the maximum comment length that is supported by iptables - &ipt_find_max_comment_len(); + $ipt_max_comment_len = &ipt_find_max_len( + $ipt_max_comment_len, qq\|-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s \| . + qq\|$non_host -p tcp --dport 1234 -m comment --comment \| . + qq\|"\|, qq\|" -j LOG\| + ); + + print " Max supported comment length: $ipt_max_comment_len\n" + if $verbose or $ipt_check_capabilities; } else { unless ($no_ipt_comments) { @@ -3742,7 +3858,7 @@ $snort_opts{'filter'}{'ipopts'}{'regex'}; delete $snort_opts{'filter'}{'ipopts'}; } else { - $snort_opts{'unsupported'}{'ipopts'} = '[\s;]ipopts:\s(\w+)\s;'; + $snort_opts{'unsupported'}{'ipopts'} = qr/[\s;]ipopts:\s(\w+)\s;/; } print "[-] $ipt_str does not have the 'ipv4options' extension, " . "disabling...\n" if $verbose or $ipt_check_capabilities; @@ -3762,7 +3878,7 @@ $snort_opts{'filter'}{'ttl'}{'regex'}; delete $snort_opts{'filter'}{'ttl'}; } else { - $snort_opts{'unsupported'}{'ttl'} = '[\s;]ttl:\s(.?)\s;'; + $snort_opts{'unsupported'}{'ttl'} = qr/[\s;]ttl:\s(.?)\s;/; } print "[+] $ipt_str does not have the 'ttl' match, " . "disabling...\n" if $verbose or $ipt_check_capabilities; @@ -3782,7 +3898,7 @@ $snort_opts{'filter'}{'tos'}{'regex'}; delete $snort_opts{'filter'}{'tos'}; } else { - $snort_opts{'unsupported'}{'tos'} = '[\s;]tos:\s(.?)\s;'; + $snort_opts{'unsupported'}{'tos'} = qr/[\s;]tos:\s(.?)\s;/; } print "[+] $ipt_str does not have the 'tos' match, " . "disabling...\n" if $verbose or $ipt_check_capabilities; @@ -3802,7 +3918,7 @@ $snort_opts{'filter'}{'dsize'}{'regex'}; delete $snort_opts{'filter'}{'dsize'}; } else { - $snort_opts{'unsupported'}{'dsize'} = '[\s;]dsize:\s(.?)\s;'; + $snort_opts{'unsupported'}{'dsize'} = qr/[\s;]dsize:\s(.?)\s;/; } print "[+] $ipt_str does not have the 'length' match, " . "disabling...\n" if $verbose or $ipt_check_capabilities; @@ -3844,7 +3960,19 @@ if $verbose or $ipt_check_capabilities; ### now find the maximum string length that is supported by iptables - &ipt_find_max_string_len(); + if ($kernel_ver eq '2.4') { + $ipt_max_str_len = &ipt_find_max_len( + $ipt_max_str_len, qq\|-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s \| . + qq\|$non_host -m string --string "\|, qq\|" -j LOG\|); + } else { + $ipt_max_str_len = &ipt_find_max_len( + $ipt_max_str_len, qq\|-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s \| . + qq\|$non_host -m string --string "\|, qq\|" \| . + qq\|--algo $string_match_alg -j LOG\|); + } + + print " Max supported string length: $ipt_max_str_len\n" + if $verbose or $ipt_check_capabilities; ### test for case insensitive string matching $ipt_str_test = $ipt_str_test_base; @@ -3874,12 +4002,12 @@ delete $snort_opts{'filter'}{'replace'}; } else { $snort_opts{'unsupported'}{'replace'} - = '[\s;]replace:\s(.?)\s;'; + = qr/[\s;]replace:\s(.?)\s;/; } } } else { $snort_opts{'unsupported'}{'replace'} - = '[\s;]replace:\s(.?)\s;'; + = qr/[\s;]replace:\s(.?)\s;/; } ### test to see whether '--icmp-type any' is supported @@ -4048,89 +4176,36 @@ return; } -sub ipt_find_max_string_len() { +sub ipt_find_max_len() { + my ($len, $ipt_pre_pattern, $ipt_post_pattern) = @_; my $test_pattern = ''; for (;;) { - $test_pattern = 'A'x$ipt_max_str_len; - my $test_rule_rv = 0; + $test_pattern = 'A'x$len; - if ($kernel_ver ne '2.4') { - $test_rule_rv = &ipt_rule_test("-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s " . - qq\|$non_host -m string --string "$test_pattern" \| . - qq\|--algo $string_match_alg -j LOG\|); - } else { - $test_rule_rv = &ipt_rule_test("-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s " . - qq\|$non_host -m string --string "$test_pattern" -j LOG\|); - } + last if &ipt_rule_test($ipt_pre_pattern + . $test_pattern . $ipt_post_pattern) != $IPT_SUCCESS; - last if $test_rule_rv != $IPT_SUCCESS; + $len += $ipt_cap_search_factor; - $ipt_max_str_len++; - - last if $ipt_max_str_len == 1025; ### unlikely we'll ever get here + last if $len >= $ipt_max_buf_len; } - $ipt_max_str_len--; - - print " Max supported string length: $ipt_max_str_len\n" - if $verbose or $ipt_check_capabilities; - - return; -} - -sub ipt_find_max_log_prefix_len() { - - my $test_pattern = ''; for (;;) { - $test_pattern = 'A'x$ipt_max_log_prefix_len; - my $test_rule_rv = 0; - - $test_rule_rv = &ipt_rule_test("-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s " . - qq\|$non_host -p tcp --dport 1234 -j LOG --log-prefix "$test_pattern"\|); + $test_pattern = 'A'x$len; - last if $test_rule_rv != $IPT_SUCCESS; + last if &ipt_rule_test($ipt_pre_pattern + . $test_pattern . $ipt_post_pattern) == $IPT_SUCCESS; - $ipt_max_log_prefix_len++; + $len--; - last if $ipt_max_log_prefix_len == 1025; ### unlikely we'll ever get here + last if $len == 1; ### minimum } - $ipt_max_log_prefix_len--; - - print " Max supported LOG prefix length: $ipt_max_log_prefix_len\n" - if $verbose or $ipt_check_capabilities; - return; -} - -sub ipt_find_max_comment_len() { - - my $test_comment = ''; - - for (;;) { - - $test_comment = 'A'x$ipt_max_comment_len; - my $test_rule_rv = 0; - - $test_rule_rv = &ipt_rule_test("-I $TEST_CHAIN $IPT_TEST_RULE_NUM -s " . - qq\|$non_host -p tcp --dport 1234 -m comment --comment \| . - qq\|"$test_comment" -j LOG\|); - - last if $test_rule_rv != $IPT_SUCCESS; - - $ipt_max_comment_len++; - - last if $ipt_max_comment_len == 1025; ### unlikely we'll ever get here - } - $ipt_max_comment_len--; - - print " Max supported comment length: $ipt_max_comment_len\n" - if $verbose or $ipt_check_capabilities; - - return; + return --$len; } sub ipt_find_max_multiport_supported_ports() { @@ -4150,7 +4225,7 @@ $ipt_multiport_max++; - last if $ipt_multiport_max == 1025; ### unlikely we'll ever get here + last if $ipt_multiport_max == $ipt_max_buf_len; ### unlikely we'll ever get here } $ipt_multiport_max--; @@ -4231,11 +4306,6 @@ $config{'QUEUE_RULES_DIR'} = $queue_rules_dir if $queue_rules_dir; $config{'LOG_FILE'} = $logfile if $logfile; - if ($is_root) { - chdir $config{'RULES_DIR'} or - die "[] Could not chdir $config{'RULES_DIR'}: $!"; - } - if ($rules_file) { for my $file (split /\,/, $rules_file) { die "[] Snort rules file $file does not exist." unless -e $file; @@ -4406,7 +4476,8 @@ ### make sure the script is writable first if (-e $config{'FWSNORT_SCRIPT'}) { - chmod 0755, $config{'FWSNORT_SCRIPT'} or die $!; + chmod 0755, $config{'FWSNORT_SCRIPT'} or + die "[] Could not chmod $config{'FWSNORT_SCRIPT'}: $!"; } open F, "> $config{'FWSNORT_SCRIPT'}" or @@ -4414,7 +4485,8 @@ print F "$_\n" for @ipt_script_lines; close F; - chmod 0500, $config{'FWSNORT_SCRIPT'} or die $!; + chmod 0500, $config{'FWSNORT_SCRIPT'} or + die "[] Could not chmod $config{'FWSNORT_SCRIPT'}: $!"; return; } @@ -4538,12 +4610,30 @@ my @fws_exec_lines = (); push @fws_exec_lines, &hdr_lines(); - push @fws_exec_lines, qq\|echo " "\|, qq\|echo "[+] Splicing fwsnort $abs_num rules \| . - qq\|into the $ipt_str policy..."\|, - "$restore_bin < $config{'FWSNORT_SAVE_FILE'}", - qq\|echo " Done."\n\|, - qq\|echo " "\|, - "exit\n"; + push @fws_exec_lines, <<_FWSNORT_SH_; +DO_REVERT=0 + +while getopts r f +do + case \$f in + r) DO_REVERT=1 + esac +done + +if [ "\$DO_REVERT" = 1 ]; +then + echo " " + echo "[+] Reverting to original iptables policy..." + grep -v FWSNORT $config{'FWSNORT_SAVE_FILE'} \| exec $restore_bin +else + echo " " + echo "[+] Splicing fwsnort $abs_num rules into the iptables policy..." + exec $restore_bin < $config{'FWSNORT_SAVE_FILE'} +fi + +exit + +_FWSNORT_SH_ ### make sure the file is writable first if (-e $config{'FWSNORT_SAVE_EXEC_FILE'}) { @@ -4572,11 +4662,29 @@ if ($fwsnort_conf eq $CONFIG_DEFAULT) { $fwsnort_conf = './fwsnort.conf'; } + + &set_defaults_without_ipt_test(); + return; +} + +sub set_defaults_without_ipt_test() { + + $have_conntrack = 1; $ipt_max_str_len = 128; $ipt_max_comment_len = 255; $ipt_max_log_prefix_len = 29; $ipt_have_multiport_match = 1; $ipt_multiport_max = 15; + + ### put ipopts in the unsupported list + if (defined $snort_opts{'filter'}{'ipopts'}) { + $snort_opts{'unsupported'}{'ipopts'} = + $snort_opts{'filter'}{'ipopts'}{'regex'}; + delete $snort_opts{'filter'}{'ipopts'}; + } else { + $snort_opts{'unsupported'}{'ipopts'} = qr/[\s;]ipopts:\s(\w+)\s*;/; + } + return; } @@ -4642,8 +4750,11 @@ iptables rules. --ipt-script=<script> - Print iptables script to <script> instead of the default location at - /etc/fwsnort/fwsnort.sh + /var/lib/fwsnort/fwsnort.sh --ipt-apply - Execute the fwsnort.sh script. + --ipt-exec - Synonym for --ipt-apply. + --ipt-revert - Revert to a version of the iptables + policy without any fwsnort rules. --ipt-reject - Add a protocol dependent REJECT rule (tcp resets for tcp or icmp port unreachable for udp messages) for @@ -4747,7 +4858,7 @@ --queue-rules-dir=<dir> - Specify the path to the generated set of Snort rules that are to be queued to userspace in --NFQUEUE or --QUEUE mode. The - default is /etc/fwsnort/snort_rules_queue/. + default is /var/lib/fwsnort/snort_rules_queue/. -Q --QUEUE - Same as the --NFQUEUE option, except use the older iptables QUEUE target. --string-match-alg=<alg> - Specify the string match algorithm to use
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/fwsnort.8 ^
@@ -32,17 +32,17 @@ As of .B fwsnort-1.5 all iptables rules built by fwsnort are written out to the -.I /etc/fwsnort/fwsnort.save +.I /var/lib/fwsnort/fwsnort.save file in iptables-save format. This allows a long fwsnort policy (which may contain thousands of iptables rules translated from a large Snort signature set) to be quickly instantiated via the "iptables-restore" command. A wrapper script -.I /etc/fwsnort/fwsnort.sh +.I /var/lib/fwsnort/fwsnort.sh is also written out to make this easy. Hence, the typical work flow for fwsnort is to: 1) run fwsnort, 2) note the Snort rules that fwsnort was able to successfully translate (the number of such rules is printed to stdout), and then 3) execute the -.I /etc/fwsnort/fwsnort.sh +.I /var/lib/fwsnort/fwsnort.sh wrapper script to instantiate the policy in the running kernel. .B fwsnort @@ -167,7 +167,7 @@ .TP .BR \-\^\-ipt-script\ \<script\ file> Specify the path to the iptables script generated by fwsnort. The -default location is /etc/fwsnort/fwsnort.sh. +default location is /var/lib/fwsnort/fwsnort.sh. .TP .BR \-\^\-ipt-check-capabilities Check iptables capabilities and exit. @@ -177,7 +177,7 @@ .B fwsnort with the same command line arguments as the previous execution. This is a convenient way of rebuilding the -.I /etc/fwsnort/fwsnort.sh +.I /var/lib/fwsnort/fwsnort.sh script without having to remember what the last command line args were. .TP .BR \-\^\-NFQUEUE @@ -220,6 +220,19 @@ .BR \-\^\-ipt-apply Execute the iptables script generated by fwsnort. .TP +.BR \-\^\-ipt-exec +Synonym for \-\-ipt-apply. +.TP +.BR \-\^\-ipt-revert +Revert to a version of the iptables policy without any +.B fwsnort +rules. Note that this reverts to the iptables policy as it was when +.B fwsnort +was originally executed. So, it is not recommended to use this option if there +is a large amount of time between when fwsnort is run to translate Snort rules +vs. running it with this option. For most purposes it is better to use +the \-\-ipt-flush option below. +.TP .BR \-\^\-ipt-flush Flush all .B fwsnort @@ -389,7 +402,7 @@ changed on the command line with \-\-config. .RE -.B /etc/fwnort/fwsnort.sh +.B /var/lib/fwnort/fwsnort.sh .RS The iptables script generated by fwsnort. The path can be manually specified on the command line with the \-\-ipt-script option.
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/fwsnort.conf ^
@@ -84,13 +84,14 @@ FWSNORT_FORWARD FWSNORT_FORWARD; FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB; -### fwsnort library path -CONF_DIR /etc/fwsnort; +### fwsnort filesystem paths +INSTALL_ROOT /; +CONF_DIR $INSTALL_ROOT/etc/fwsnort; RULES_DIR $CONF_DIR/snort_rules; -QUEUE_RULES_DIR $CONF_DIR/snort_rules_queue; -LOG_DIR /var/log/fwsnort; -LIBS_DIR /usr/lib/fwsnort; ### for perl modules -STATE_DIR /var/lib/fwsnort; +LOG_DIR $INSTALL_ROOT/var/log/fwsnort; +LIBS_DIR $INSTALL_ROOT/usr/lib/fwsnort; ### for perl modules +STATE_DIR $INSTALL_ROOT/var/lib/fwsnort; +QUEUE_RULES_DIR $STATE_DIR/snort_rules_queue; ARCHIVE_DIR $STATE_DIR/archive; CONF_FILE $CONF_DIR/fwsnort.conf;
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/install.pl ^
@@ -17,11 +17,11 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 # USA # # TODO: -# - Write the uninstall() routine. :) +# - Write the uninstall() routine. # ####################################################################### # @@ -36,7 +36,8 @@ #========================= config ======================== my $fwsnort_conf_file = 'fwsnort.conf'; -my $sbin_dir = '/usr/sbin'; +my $sbin_dir = '/usr/sbin'; +my $install_root = '/'; my $update_website = 'www.emergingthreats.net'; @@ -69,6 +70,7 @@ my $uninstall = 0; my $skip_module_install = 0; my $cmdline_force_install = 0; +my $install_test_dir = 0; my $force_mod_re = ''; my $exclude_mod_re = ''; my $deps_dir = 'deps'; @@ -96,6 +98,7 @@ 'Skip-mod-install' => \$skip_module_install, 'rules-url=s' => \$rules_url, 'uninstall' => \$uninstall, ### uninstall fwsnort + 'install-test-dir' => \$install_test_dir, 'LC_ALL=s' => \$locale, 'no-LC_ALL' => \$no_locale, 'help' => \$help @@ -106,6 +109,14 @@ ### set LC_ALL env variable $ENV{'LC_ALL'} = $locale unless $no_locale; +### make a copy of the original fwsnort.conf file and restore at the end +copy $fwsnort_conf_file, "${fwsnort_conf_file}.orig" or die "[] Could not ", + "copy $fwsnort_conf_file -> $fwsnort_conf_file.orig"; + +if ($install_test_dir) { + $install_root = getcwd() . '/test/fwsnort-install'; +} + &import_config(); $force_mod_re = qr\|$force_mod_re\| if $force_mod_re; @@ -127,6 +138,14 @@ } else { &install() } + +### restore the original fwsnort.conf file (this is just the local one in the +### sources directory). +if (-e "${fwsnort_conf_file}.orig") { + unlink $fwsnort_conf_file if -e $fwsnort_conf_file; + move "${fwsnort_conf_file}.orig", $fwsnort_conf_file; +} + exit 0; #===================== end main =================== @@ -135,12 +154,10 @@ "sources directory." unless -e 'fwsnort' and -e 'fwsnort.conf'; unless (-d $config{'CONF_DIR'}) { - print "[+] mkdir $config{'CONF_DIR'}\n"; - mkdir $config{'CONF_DIR'}, 0500; + &full_mkdir($config{'CONF_DIR'}, 0500); } unless (-d $config{'RULES_DIR'}) { - print "[+] mkdir $config{'RULES_DIR'}\n"; - mkdir $config{'RULES_DIR'}, 0500; + &full_mkdir($config{'RULES_DIR'}, 0500); } ### install perl modules @@ -275,8 +292,7 @@ if ($install_module) { unless (-d $config{'LIBS_DIR'}) { print "[+] Creating $config{'LIBS_DIR'}\n"; - mkdir $config{'LIBS_DIR'}, 0755 - or die "[] Could not mkdir $config{'LIBS_DIR'}: $!"; + &full_mkdir($config{'LIBS_DIR'}, 0755); } print "[+] Installing the $mod_name $version perl " . "module in $config{'LIBS_DIR'}/\n"; @@ -366,7 +382,7 @@ } } } - mkdir $mpath, 0755 unless -d $mpath; + &full_mkdir($mpath, 0755); my $mfile = "${mpath}/${manpage}"; print "[+] Installing $manpage man page as $mfile\n"; copy $manpage, $mfile or die "[] Could not copy $manpage to " . @@ -380,6 +396,7 @@ } sub query_get_emerging_threats_sigs() { + return 0 if $install_test_dir; my $ans = ''; print "[+] Would you like to download the latest Snort rules from \n", " http://$update_website/?\n"; @@ -413,9 +430,31 @@ } close C; + ### see if the install root is the same as the default in fwsnort.conf and + ### update if not + if ($install_root ne '/') { + $install_root = getcwd() . "/$install_root" + unless $install_root =~ m\|^/\|; + $config{'INSTALL_ROOT'} = $install_root; + $sbin_dir = $config{'INSTALL_ROOT'} . $sbin_dir; + + &put_var('INSTALL_ROOT', $install_root, $fwsnort_conf_file); + } + ### resolve internal vars within variable values &expand_vars(); + for my $dir ($install_root, + $sbin_dir, + $config{'LOG_DIR'}, + $config{'LIB_DIR'}, + $config{'STATE_DIR'}, + $config{'QUEUE_RULES_DIR'}, + $config{'ARCHIVE_DIR'}, + ) { + &full_mkdir($dir, 0755) unless -d $dir; + } + &required_vars(); return; @@ -440,7 +479,11 @@ die "[] sub-ver $sub_var not allowed within same ", "variable $var" if $sub_var eq $var; if (defined $config{$sub_var}) { - $val =~ s\|\$$sub_var\|$config{$sub_var}\|; + if ($sub_var eq 'INSTALL_ROOT' and $config{$sub_var} eq '/') { + $val =~ s\|\$$sub_var\|\|; + } else { + $val =~ s\|\$$sub_var\|$config{$sub_var}\|; + } $hr->{$var} = $val; } else { die "[] sub-var \"$sub_var\" not defined in ", @@ -454,6 +497,24 @@ return; } +sub put_var() { + my ($var, $value, $file) = @_; + + open RF, "< $file" or die "[] Could not open $file: $!"; + my @lines = <RF>; + close RF; + open F, "> $file" or die "[] Could not open $file: $!"; + for my $line (@lines) { + if ($line =~ /^\s$var\s+.;/) { + printf F "%-24s%s;\n", $var, $value; + } else { + print F $line; + } + } + close F; + return; +} + sub required_vars() { my @required_vars = qw( CONF_DIR RULES_DIR ARCHIVE_DIR QUEUE_RULES_DIR LOG_DIR LIBS_DIR @@ -493,6 +554,7 @@ } sub query_preserve_config() { + return 0 if $install_test_dir; my $ans = ''; while ($ans ne 'y' && $ans ne 'n') { print "[+] Would you like to preserve the config from the\n", @@ -557,6 +619,23 @@ return; } +sub full_mkdir() { + my ($dir, $perms) = @_; + + my @dirs = split /\//, $dir; + my $path = $dirs[0]; + shift @dirs; + for my $d (@dirs) { + next unless $d and $d =~ /\S/; + $path .= "/$d"; + unless (-d $path) { + printf "[+] mkdir $path, %o\n", $perms; + mkdir $path, $perms or die "[] Could not mkdir($path): $!"; + } + } + return; +} + sub usage() { my $exit = shift; print <<_HELP_; @@ -572,6 +651,8 @@ -r, --rules-url <url> - Specify the URL to use for updating the Emerging Threats rule set - the default is: $rules_url + --install-test-dir - Install fwsnort in test/fwsnort-install + for test suite. -u, --uninstall - uninstall fwsnort -h, --help - print help and exit _HELP_
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/packaging/cd_rpmbuilder ^
@@ -20,7 +20,7 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 # USA # #############################################################################
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/packaging/fwsnort-nodeps.spec ^
@@ -1,5 +1,5 @@ %define name fwsnort -%define version 1.6.2 +%define version 1.6.3 %define release 1 %define fwsnortlogdir /var/log/fwsnort @@ -30,13 +30,15 @@ generates iptables rules that log Snort sid's with --log-prefix to klogd where the messages can be analyzed with a log watcher such as logwatch or psad (see http://www.cipherdyne.org/psad). fwsnort relies on the iptables -string match module to match Snort content fields in the application portion +string match extension to match Snort content fields in the application portion of ip traffic. Since Snort rules can contain hex data in content fields, fwsnort implements a patch against iptables-1.2.7a which adds a "--hex-string" option which will accept content fields such as -"\|0d0a5b52504c5d3030320d0a\|". fwsnort is able to translate approximately 60% -of all rules from the Snort-2.3.3 IDS into equivalent iptables rules. For -more information about the translation strategy as well as +"\|0d0a5b52504c5d3030320d0a\|". fwsnort bundles the latest rule set from +Emerging Threats (http://www.emergingthreats.net) and also includes all rules +from the Snort-2.3.3 IDS - the final Snort rule set that was released under +the GPL. fwsnort is able to translate well over 60% of all bundled rules. +For more information about the translation strategy as well as advantages/disadvantages of the method used by fwsnort to obtain intrusion detection data, see the README included with the fwsnort sources or browse to: http://www.cipherdyne.org/fwsnort/ @@ -85,6 +87,9 @@ %config(noreplace) %_sysconfdir/%name/fwsnort.conf %changelog +* Fri Dec 21 2012 Michael Rash <mbr@cipherydne.org> +- fwsnort-1.6.3 release + * Sat Apr 28 2012 Michael Rash <mbr@cipherydne.org> - Updated to use the NetAddr::IP module for all IP/subnet calculations - fwsnort-1.6.2 release
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/packaging/fwsnort-require-makemaker.spec ^
@@ -1,5 +1,5 @@ %define name fwsnort -%define version 1.6.2 +%define version 1.6.3 %define release 1 %define fwsnortlibdir %_libdir/%name %define fwsnortlogdir /var/log/fwsnort @@ -35,13 +35,15 @@ generates iptables rules that log Snort sid's with --log-prefix to klogd where the messages can be analyzed with a log watcher such as logwatch or psad (see http://www.cipherdyne.org/psad). fwsnort relies on the iptables -string match module to match Snort content fields in the application portion +string match extension to match Snort content fields in the application portion of ip traffic. Since Snort rules can contain hex data in content fields, fwsnort implements a patch against iptables-1.2.7a which adds a "--hex-string" option which will accept content fields such as -"\|0d0a5b52504c5d3030320d0a\|". fwsnort is able to translate approximately 60% -of all rules from the Snort-2.3.3 IDS into equivalent iptables rules. For -more information about the translation strategy as well as +"\|0d0a5b52504c5d3030320d0a\|". fwsnort bundles the latest rule set from +Emerging Threats (http://www.emergingthreats.net) and also includes all rules +from the Snort-2.3.3 IDS - the final Snort rule set that was released under +the GPL. fwsnort is able to translate well over 60% of all bundled rules. +For more information about the translation strategy as well as advantages/disadvantages of the method used by fwsnort to obtain intrusion detection data, see the README included with the fwsnort sources or browse to: http://www.cipherdyne.org/fwsnort/ @@ -185,6 +187,9 @@ %_libdir/%name %changelog +* Fri Dec 21 2012 Michael Rash <mbr@cipherydne.org> +- fwsnort-1.6.3 release + * Sat Apr 28 2012 Michael Rash <mbr@cipherydne.org> - Updated to use the NetAddr::IP module for all IP/subnet calculations - fwsnort-1.6.2 release
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/packaging/fwsnort.spec ^
@@ -1,5 +1,5 @@ %define name fwsnort -%define version 1.6.2 +%define version 1.6.3 %define release 1 %define fwsnortlibdir %_libdir/%name %define fwsnortlogdir /var/log/fwsnort @@ -34,13 +34,15 @@ generates iptables rules that log Snort sid's with --log-prefix to klogd where the messages can be analyzed with a log watcher such as logwatch or psad (see http://www.cipherdyne.org/psad). fwsnort relies on the iptables -string match module to match Snort content fields in the application portion +string match extension to match Snort content fields in the application portion of ip traffic. Since Snort rules can contain hex data in content fields, fwsnort implements a patch against iptables-1.2.7a which adds a "--hex-string" option which will accept content fields such as -"\|0d0a5b52504c5d3030320d0a\|". fwsnort is able to translate approximately 60% -of all rules from the Snort-2.3.3 IDS into equivalent iptables rules. For -more information about the translation strategy as well as +"\|0d0a5b52504c5d3030320d0a\|". fwsnort bundles the latest rule set from +Emerging Threats (http://www.emergingthreats.net) and also includes all rules +from the Snort-2.3.3 IDS - the final Snort rule set that was released under +the GPL. fwsnort is able to translate well over 60% of all bundled rules. +For more information about the translation strategy as well as advantages/disadvantages of the method used by fwsnort to obtain intrusion detection data, see the README included with the fwsnort sources or browse to: http://www.cipherdyne.org/fwsnort/ @@ -184,6 +186,9 @@ %_libdir/%name %changelog +* Fri Dec 21 2012 Michael Rash <mbr@cipherydne.org> +- fwsnort-1.6.3 release + * Sat Apr 28 2012 Michael Rash <mbr@cipherydne.org> - Updated to use the NetAddr::IP module for all IP/subnet calculations - fwsnort-1.6.2 release
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/snort_opts.pl ^
@@ -35,6 +35,8 @@ 'offset' => 0, 'depth' => 0, 'nocase' => 0, + 'file_data' => 0, + 'rawbytes' => 0, 'session' => 0, 'rpc' => 0, 'resp' => 0, @@ -47,23 +49,37 @@ 'tag' => 0, 'ip_proto' => 0, 'sameip' => 0, + 'asn1' => 0, 'stateless' => 0, 'regex' => 0, + 'window' => 0, + 'isdataat' => 0, 'distance' => 0, 'within' => 0, 'byte_jump' => 0, 'byte_test' => 0, + 'byte_extract' => 0, 'pcre' => 0, + 'ftpbounce' => 0, + 'base64_data' => 0, + 'base64_decode' => 0, 'http_header' => 0, + 'http_cookie' => 0, 'http_uri' => 0, + 'http_raw_uri' => 0, 'urilen' => 0, 'http_method' => 0, + 'http_stat_code' => 0, + 'http_stat_msg' => 0, + 'http_client_body' => 0, 'fast_pattern' => 0, 'metadata' => 0, 'threshold' => 0, 'detection_filter' => 0, ); +my %unrecognized = (); + my $dir = 'deps/snort_rules'; my $total_rules = 0; @@ -93,6 +109,12 @@ $options{$opt}++; } } + while ($line =~ m/[\s;](\w+)[:;]/g) { + next if $1 =~ /^\d+$/; + unless (defined $options{$1}) { + $unrecognized{$1}++; + } + } } } } @@ -107,4 +129,9 @@ print sprintf("%.1f", $options{$opt} / $total_rules * 100) . "%\n"; } +print "\n[-] Potentially unrecognized options:\n"; +for my $opt (keys %unrecognized) { + print " $opt\n"; +} + exit 0;
[-] [+]	Changed	fwsnort-1.6.3.tar.gz/snortspoof.pl ^
@@ -23,7 +23,7 @@ # # You should have received a copy of the GNU General Public License # along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 +# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 # USA # ###############################################################################
[-] [+]	Added	fwsnort-1.6.3.tar.gz/test ^
+(directory)
[-] [+]	Added	fwsnort-1.6.3.tar.gz/test/conf ^
+(directory)
[-] [+]	Added	fwsnort-1.6.3.tar.gz/test/conf/default_fwsnort.conf ^
@@ -0,0 +1,116 @@ +# +########################################################################### +# +# This is the configuration file for fwsnort. There are some similarities +# between this file and the configuration file for Snort. +# +########################################################################### +# + +### Fwsnort treats all traffic directed to / originating from the local +### machine as going to / coming from the HOME_NET in Snort rule parlance. +### If there is only one interface on the local system, then there will be +### no rules processed via the FWSNORT_FORWARD chain because no traffic +### would make it into the iptables FORWARD chain. +HOME_NET any; +EXTERNAL_NET any; + +### List of servers. Fwsnort supports the same variable resolution as +### Snort. +HTTP_SERVERS $HOME_NET; +SMTP_SERVERS $HOME_NET; +DNS_SERVERS $HOME_NET; +SQL_SERVERS $HOME_NET; +TELNET_SERVERS $HOME_NET; + +### AOL AIM server nets +AIM_SERVERS [64.12.24.0/24, 64.12.25.0/24, 64.12.26.14/24, 64.12.28.0/24, 64.12.29.0/24, 64.12.161.0/24, 64.12.163.0/24, 205.188.5.0/24, 205.188.9.0/24]; + +### Configurable port numbers +SSH_PORTS 22; +HTTP_PORTS 80; +SHELLCODE_PORTS !80; +ORACLE_PORTS 1521; + +### Default update URL for new rules. This variable can be given multiple +### times on separate lines in order to specify multiple update URL's: +#UPDATE_RULES_URL <url1> +#UPDATE_RULES_URL <url2> +UPDATE_RULES_URL http://rules.emergingthreats.net/open/snort-2.9.0/emerging-all.rules; + +### define average packet lengths and maximum frame length. This is +### used for iptables length match emulation of the Snort dsize option. +AVG_IP_HEADER_LEN 20; ### IP options are not usually used. +AVG_TCP_HEADER_LEN 30; ### Include 10 bytes for options +MAX_FRAME_LEN 1500; + +### define the max length of the content (null terminated string) that +### can be passed to either the --hex-string or --string iptables matches. +### Note that as of fwsnort-1.5, the max string length supported by the +### local iptables instance is automatically determined, so this variable +### is not really needed, and just allows a max value to be set +### independently of what iptables supports. +MAX_STRING_LEN 1024; + +### Use the WHITELIST variable to define a list of hosts/networks +### that should be completely ignored by fwsnort. For example, if you +### want to whitelist the IP 192.168.10.1 and the network 10.1.1.0/24, +### you would use (note that you can also specify multiple WHITELIST +### variables, one per line): +#WHITELIST 192.168.10.1, 10.1.1.0/24; +WHITELIST NONE; + +### Use the BLACKLIST variable to define a list of hosts/networks +### that for which fwsnort should DROP or REJECT all traffic. For +### example, to DROP all traffic from the 192.168.10.0/24 network, you +### can use: +### BLACKLIST 192.168.10.0/24 DROP; +### To have fwsnort REJECT all traffic from 192.168.10.0/24, you would +### use: +### BLACKLIST 192.168.10.0/24 REJECT; +BLACKLIST NONE; + +### define the jump position in the built-in chains to jump to the +### fwsnort chains +FWSNORT_INPUT_JUMP 1; +FWSNORT_OUTPUT_JUMP 1; +FWSNORT_FORWARD_JUMP 1; + +### iptables chains (these do not normally need to be changed). +FWSNORT_INPUT FWSNORT_INPUT; +FWSNORT_INPUT_ESTAB FWSNORT_INPUT_ESTAB; +FWSNORT_OUTPUT FWSNORT_OUTPUT; +FWSNORT_OUTPUT_ESTAB FWSNORT_OUTPUT_ESTAB; +FWSNORT_FORWARD FWSNORT_FORWARD; +FWSNORT_FORWARD_ESTAB FWSNORT_FORWARD_ESTAB; + +### fwsnort filesystem paths +INSTALL_ROOT fwsnort-install; +CONF_DIR $INSTALL_ROOT/etc/fwsnort; +RULES_DIR $CONF_DIR/snort_rules; +LOG_DIR $INSTALL_ROOT/var/log/fwsnort; +LIBS_DIR $INSTALL_ROOT/usr/lib/fwsnort; ### for perl modules +STATE_DIR $INSTALL_ROOT/var/lib/fwsnort; +QUEUE_RULES_DIR $STATE_DIR/snort_rules_queue; +ARCHIVE_DIR $STATE_DIR/archive; + +CONF_FILE $CONF_DIR/fwsnort.conf; +LOG_FILE $LOG_DIR/fwsnort.log; +FWSNORT_SCRIPT $STATE_DIR/fwsnort_iptcmds.sh; ### slow version +FWSNORT_SAVE_EXEC_FILE $STATE_DIR/fwsnort.sh; ### main fwsnort.sh script +FWSNORT_SAVE_FILE $STATE_DIR/fwsnort.save; ### main fwsnort.save file +IPT_BACKUP_SAVE_FILE $STATE_DIR/iptables.save; ### iptables policy backup + +### system binaries +shCmd /bin/sh; +echoCmd /bin/echo; +tarCmd /bin/tar; +wgetCmd /usr/bin/wget; +unameCmd /usr/bin/uname; +ifconfigCmd /sbin/ifconfig; +iptablesCmd /sbin/iptables; +iptables-saveCmd /sbin/iptables-save; +iptables-restoreCmd /sbin/iptables-restore; +ip6tablesCmd /sbin/ip6tables; +ip6tables-saveCmd /sbin/ip6tables-save; +ip6tables-restoreCmd /sbin/ip6tables-restore;
[-] [+]	Added	fwsnort-1.6.3.tar.gz/test/test-fwsnort.pl ^
@@ -0,0 +1,945 @@ +#!/usr/bin/perl -w + +use Cwd; +use File::Copy; +use File::Path; +use Getopt::Long 'GetOptions'; +use strict; + +#==================== config ===================== +my $logfile = 'test.log'; +my $output_dir = 'output'; +my $conf_dir = 'conf'; +my $run_dir = 'run'; +my $test_install_dir = 'fwsnort-install'; + +my $fwsnortCmd = "$test_install_dir/usr/sbin/fwsnort"; +my $fwsnort_sh = "$test_install_dir/var/lib/fwsnort/fwsnort.sh"; + +my $cmd_out_tmp = 'cmd.out'; +my $default_conf = "$conf_dir/default_fwsnort.conf"; + +### alert tcp $EXTERNAL_NET any -> $HOME_NET 7597 (msg:"BACKDOOR QAZ Worm Client Login access"; \ +### flow:to_server,established; content:"qazwsx.hsq"; reference:MCAFEE,98775; \ +### classtype:misc-activity; sid:108; rev:6;) +my $simple_sig_id = 108; +#================== end config =================== + +my $current_test_file = "$output_dir/init"; +my $YES = 1; +my $NO = 0; +my $IGNORE = 2; +my $passed = 0; +my $failed = 0; +my $executed = 0; +my $test_include = ''; +my @tests_to_include = (); +my $test_exclude = ''; +my @tests_to_exclude = (); +my $list_mode = 0; +my $diff_mode = 0; +my $fw_exec = 0; +my $saved_last_results = 0; +my $test_system_install = 0; +my $PRINT_LEN = 68; +my $REQUIRED = 1; +my $OPTIONAL = 0; +my $MATCH_ALL_RE = 1; +my $MATCH_SINGLE_RE = 2; +my $help = 0; + +my %test_keys = ( + 'category' => $REQUIRED, + 'subcategory' => $OPTIONAL, + 'detail' => $REQUIRED, + 'function' => $REQUIRED, + 'cmdline' => $OPTIONAL, + 'fatal' => $OPTIONAL, + 'exec_err' => $OPTIONAL, + 'match_all' => $OPTIONAL, + 'fw_exec' => $OPTIONAL, + 'postive_output_matches' => $OPTIONAL, + 'negative_output_matches' => $OPTIONAL, +); + +my @args_cp = @ARGV; + +exit 1 unless GetOptions( + 'fwsnort-path=s' => \$fwsnortCmd, + 'test-include=s' => \$test_include, + 'include=s' => \$test_include, ### synonym + 'test-exclude=s' => \$test_exclude, + 'exclude=s' => \$test_exclude, ### synonym + 'test-system-install' => \$test_system_install, + 'List-mode' => \$list_mode, + 'diff' => \$diff_mode, + 'enable-fw-exec' => \$fw_exec, + 'help' => \$help +); + +&usage() if $help; + +### define all tests +my @tests = ( + { + 'category' => 'install', + 'detail' => "test directory: $test_install_dir", + 'err_msg' => 'could not install', + 'function' => \&install_test_dir, + 'cmdline' => "./install.pl --install-test-dir", + 'exec_err' => $NO, + 'fatal' => $YES + }, + { + 'category' => 'compilation', + 'detail' => 'fwsnort compiles', + 'err_msg' => 'could not compile', + 'function' => \&generic_exec, + 'cmdline' => "perl -c $fwsnortCmd", + 'exec_err' => $NO, + 'fatal' => $YES + }, + { + 'category' => 'operations', + 'detail' => '--help', + 'err_msg' => 'could not get --help output', + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd -h -c $default_conf", + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => '--dump-conf', + 'err_msg' => 'could not get --Dump-conf output', + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --Dump-conf -c $default_conf --no-ipt-test", + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => '--ipt-list', + 'err_msg' => 'could not get --ipt-list output', + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ipt-list -c $default_conf --no-ipt-test", + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--ipt-check-capabilities", + 'err_msg' => "could not check iptables capabilities", + 'positive_output_matches' => [ + qr/iptables\shas/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ipt-check-capabilities --verbose -c $default_conf", + 'exec_err' => $NO, + 'fatal' => $NO + }, + + { + 'category' => 'operations', + 'detail' => "--snort-sid $simple_sig_id EXTERNAL->HOME", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid\:\s$simple_sig_id/, + qr/Successful\stranslation/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid $simple_sig_id", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--snort-sid 1292 HOME->EXTERNAL", + 'err_msg' => "did not translate sid: 1292", + 'positive_output_matches' => [qr/Found\ssid\:\s1292/, + qr/Successful\stranslation/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid 1292", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + + { + 'category' => 'operations', + 'detail' => "multiple rules --snort-sid $simple_sig_id,109,321", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s109/, + qr/Found\ssid\:\s321/, + qr/Successful\stranslation/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--snort-sid badsid", + 'err_msg' => 'translated badsid signature', + 'positive_output_matches' => [ + qr/No\sSnort\srules\scould\sbe\stranslated/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid badsid", + 'exec_err' => $YES, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--include-type backdoor", + 'err_msg' => "did not translate backdoor signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --include-type backdoor", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--strict --include-type backdoor", + 'err_msg' => "did not translate backdoor signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --strict --include-type backdoor", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--include-type emerging-all", + 'err_msg' => "did not translate emerging-all signatures", + 'positive_output_matches' => [ + qr/emerging-all\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --include-type emerging-all", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + + { + 'category' => 'operations', + 'detail' => "multiple files --include-type backdoor,dns,ftp", + 'err_msg' => "did not translate backdoor,dns,ftp signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/dns\.rules/, + qr/ftp\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --include-type backdoor,dns,ftp", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--exclude-type emerging-all", + 'err_msg' => "did not translate signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/dns\.rules/, + qr/ftp\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --exclude-type emerging-all", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "multiple --exclude-type emerging-all,backdoor,dns,ftp", + 'err_msg' => "did not translate signatures", + 'positive_output_matches' => [ + qr/chat\.rules/, + qr/ddos\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --exclude-type emerging-all,backdoor,dns,ftp", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--include-type backdoor,dns,ftp --exclude-type dns", + 'err_msg' => "did not translate backdoor,ftp signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/ftp\.rules/, + qr/Generated\siptables\srules\sfor/ + ], + 'negative_output_matches' => [ + qr/dns\.rules/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --include-type backdoor,dns,ftp --exclude-type dns", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--snort-sid $simple_sig_id,109,321 --exclude-regex sid\:109", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s321/, + qr/Successful\stranslation/, + ], + 'negative_output_matches' => [ + qr/Found\ssid\:\s109/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321 --exclude-regex sid\:109", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "--snort-sid $simple_sig_id,109,321 --include-regex sid\:109", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s109/, + qr/Successful\stranslation/, + ], + 'negative_output_matches' => [ + qr/Found\ssid\:\s321/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321 --include-regex sid\:109", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + + ### ip6tables testing + { + 'category' => 'operations', + 'detail' => "ip6tables --snort-sid $simple_sig_id", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid\:\s$simple_sig_id/, + qr/Successful\stranslation/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --snort-sid $simple_sig_id", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --snort-sid $simple_sig_id,109,321", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s109/, + qr/Found\ssid\:\s321/, + qr/Successful\stranslation/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --snort-sid badsid", + 'err_msg' => 'translated badsid signature', + 'positive_output_matches' => [ + qr/No\sSnort\srules\scould\sbe\stranslated/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --snort-sid badsid", + 'exec_err' => $YES, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --include-type backdoor", + 'err_msg' => "did not translate backdoor signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --include-type backdoor", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --strict --include-type backdoor", + 'err_msg' => "did not translate backdoor signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --strict --include-type backdoor", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --include-type emerging-all", + 'err_msg' => "did not translate emerging-all signatures", + 'positive_output_matches' => [ + qr/emerging-all\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --include-type emerging-all", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + + { + 'category' => 'operations', + 'detail' => "ip6tables --include-type backdoor,dns,ftp", + 'err_msg' => "did not translate backdoor,dns,ftp signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/dns\.rules/, + qr/ftp\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --include-type backdoor,dns,ftp", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --exclude-type emerging-all", + 'err_msg' => "did not translate signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/dns\.rules/, + qr/ftp\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --exclude-type emerging-all", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --ex... emerging-all,backdoor,dns,ftp", + 'err_msg' => "did not translate signatures", + 'positive_output_matches' => [ + qr/chat\.rules/, + qr/ddos\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --exclude-type emerging-all,backdoor,dns,ftp", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --in.. backdoor,dns,ftp --ex.. dns", + 'err_msg' => "did not translate backdoor,ftp signatures", + 'positive_output_matches' => [ + qr/backdoor\.rules/, + qr/ftp\.rules/, + qr/Generated\sip6tables\srules\sfor/ + ], + 'negative_output_matches' => [ + qr/dns\.rules/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --include-type backdoor,dns,ftp --exclude-type dns", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --sn.. $simple_sig_id,109,321 --ex.. sid\:109", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s321/, + qr/Successful\stranslation/, + ], + 'negative_output_matches' => [ + qr/Found\ssid\:\s109/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321 --exclude-regex sid\:109", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + { + 'category' => 'operations', + 'detail' => "ip6tables --sn.. $simple_sig_id,109,321 --in.. sid\:109", + 'err_msg' => "did not translate sid: $simple_sig_id", + 'positive_output_matches' => [qr/Found\ssid/, + qr/Found\ssid\:\s109/, + qr/Successful\stranslation/, + ], + 'negative_output_matches' => [ + qr/Found\ssid\:\s321/, + ], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&generic_exec, + 'cmdline' => "$fwsnortCmd --ip6tables --no-ipt-test -c $default_conf --snort-sid $simple_sig_id,109,321 --include-regex sid\:109", + 'fw_exec' => $fw_exec, + 'exec_err' => $NO, + 'fatal' => $NO + }, + + { + 'category' => 'errors', + 'detail' => 'look for perl warnings', + 'err_msg' => 'found perl warnings', + 'negative_output_matches' => [qr/Use\sof\suninitialized\svalue/i, + qr/Missing\sargument/, + qr/Argument.isn\'t\snumeric/], + 'match_all' => $MATCH_ALL_RE, + 'function' => \&look_for_warnings, + 'cmdline' => "grep -i uninit $output_dir/.test", + 'exec_err' => $IGNORE, + 'fatal' => $NO + }, +); + +### make sure everything looks as expected before continuing +&init(); + +&logr("\n[+] Starting the fwsnort test suite...\n\n" . + " args: @args_cp\n\n" +); + +### save the results from any previous test suite run +### so that we can potentially compare them with --diff +if ($saved_last_results) { + &logr(" Saved results from previous run " . + "to: ${output_dir}.last/\n\n"); +} + +### main loop through all of the tests +for my $test_hr (@tests) { + &run_test($test_hr); +} + +&logr("\n[+] passed/failed/executed: $passed/$failed/$executed tests\n\n"); + +copy $logfile, "$output_dir/$logfile" or die $!; + +exit 0; + +#===================== end main ======================= + +sub run_test() { + my $test_hr = shift; + + my $msg = "[$test_hr->{'category'}]"; + $msg .= " [$test_hr->{'subcategory'}]" if $test_hr->{'subcategory'}; + $msg .= " $test_hr->{'detail'}"; + + return unless &process_include_exclude($msg); + + if ($list_mode) { + print $msg, "\n"; + return; + } + + &dots_print($msg); + + $executed++; + $current_test_file = "$output_dir/$executed.test"; + + &write_test_file("[+] TEST: $msg\n"); + if (&{$test_hr->{'function'}}($test_hr)) { + &logr("pass ($executed)\n"); + $passed++; + } else { + &logr("fail ($executed)\n"); + $failed++; + + if ($test_hr->{'fatal'} eq $YES) { + die "[] required test failed, exiting."; + } + } + + return; +} + +sub look_for_warnings() { + my $test_hr = shift; + + my $orig_test_file = $current_test_file; + + $current_test_file = "$output_dir/grep.output"; + + my $rv = &generic_exec($test_hr); + + copy $current_test_file, $orig_test_file; + unlink $current_test_file; + + return $rv; +} + +sub install_test_dir() { + my $test_hr = shift; + + my $rv = 1; + my $curr_pwd = cwd() or die $!; + + if (-d $test_install_dir) { + rmtree $test_install_dir or die $!; + } + mkdir $test_install_dir or die $!; + + chdir '..' or die $!; + + my $exec_rv = &run_cmd($test_hr->{'cmdline'}, + "test/$cmd_out_tmp", "test/$current_test_file"); + + if ($test_hr->{'exec_err'} eq $YES) { + $rv = 0 if $exec_rv; + } elsif ($test_hr->{'exec_err'} eq $NO) { + $rv = 0 unless $exec_rv; + } else { + $rv = 1; + } + + if ($test_hr->{'positive_output_matches'}) { + $rv = 0 unless &file_find_regex( + $test_hr->{'positive_output_matches'}, + $test_hr->{'match_all'}, + $current_test_file); + } + + if ($test_hr->{'negative_output_matches'}) { + $rv = 0 if &file_find_regex( + $test_hr->{'negative_output_matches'}, + $test_hr->{'match_all'}, + $current_test_file); + } + + chdir $curr_pwd or die $!; + + return $rv; +} + +sub generic_exec() { + my $test_hr = shift; + + my $rv = 1; + + my $exec_rv = &run_cmd($test_hr->{'cmdline'}, + $cmd_out_tmp, $current_test_file); + + if ($test_hr->{'exec_err'} eq $YES) { + $rv = 0 if $exec_rv; + } elsif ($test_hr->{'exec_err'} eq $NO) { + $rv = 0 unless $exec_rv; + } else { + $rv = 1; + } + + if ($test_hr->{'positive_output_matches'}) { + $rv = 0 unless &file_find_regex( + $test_hr->{'positive_output_matches'}, + $test_hr->{'match_all'}, + $current_test_file); + } + + if ($test_hr->{'negative_output_matches'}) { + $rv = 0 if &file_find_regex( + $test_hr->{'negative_output_matches'}, + $test_hr->{'match_all'}, + $current_test_file); + } + + if ($test_hr->{'fw_exec'} eq $YES) { + if (-e $fwsnort_sh) { + $rv = 0 unless &run_cmd($fwsnort_sh, $cmd_out_tmp, $current_test_file); + if ($test_hr->{'detail'} =~ /ip6tables/) { + $rv = 0 unless &run_cmd("$fwsnortCmd --ipt-list --ip6tables", + $cmd_out_tmp, $current_test_file); + } else { + $rv = 0 unless &run_cmd("$fwsnortCmd --ipt-list", $cmd_out_tmp, $current_test_file); + } + $rv = 0 unless &run_cmd("$fwsnort_sh -r", $cmd_out_tmp, $current_test_file); + } else { + &write_test_file("[-] $fwsnort_sh script does not exist.\n"); + } + } + + return $rv; +} + +sub run_cmd() { + my ($cmd, $cmd_out, $file) = @_; + + if (-e $file) { + open F, ">> $file" + or die "[] Could not open $file: $!"; + print F localtime() . " CMD: $cmd\n"; + close F; + } else { + open F, "> $file" + or die "[] Could not open $file: $!"; + print F localtime() . " CMD: $cmd\n"; + close F; + } + + my $rv = ((system "$cmd > $cmd_out 2>&1") >> 8); + + open C, "< $cmd_out" or die "[] Could not open $cmd_out: $!"; + my @cmd_lines = <C>; + close C; + + open F, ">> $file" or die "[] Could not open $file: $!"; + print F $_ for @cmd_lines; + close F; + + if ($rv == 0) { + return 1; + } + return 0; +} + +sub file_find_regex() { + my ($re_ar, $match_all_flag, $file) = @_; + + my @write_lines = (); + my @file_lines = (); + + open F, "< $file" or die "[] Could not open $file: $!"; + while (<F>) { + push @file_lines, $_; + } + close F; + + my $found = 0; + RE: for my $re (@$re_ar) { + $found = 0; + LINE: for my $line (@file_lines) { + next LINE if $line =~ /file_file_regex/; + if ($line =~ $re) { + push @write_lines, "[.] file_find_regex() " . + "Matched '$re' with line: $line (file: $file)\n"; + $found = 1; + last LINE; + } + } + if ($found) { + if ($match_all_flag == $MATCH_SINGLE_RE) { + last RE; + } + } else { + push @write_lines, "[.] file_find_regex() " . + "did not match '$re' (file: $file)\n"; + if ($match_all_flag == $MATCH_ALL_RE) { + last RE; + } + } + } + + for my $line (@write_lines) { + &write_test_file($line); + } + + return $found; +} + +sub dots_print() { + my $msg = shift; + &logr($msg); + my $dots = ''; + for (my $i=length($msg); $i < $PRINT_LEN; $i++) { + $dots .= '.'; + } + &logr($dots); + return; +} + +sub init() { + + $\|++; ### turn off buffering + + $< == 0 and $> == 0 or + die "[] $0: You must be root (or equivalent ", + "UID 0 account) to effectively test fwsnort"; + + ### validate test hashes + my $hash_num = 0; + for my $test_hr (@tests) { + for my $key (keys %test_keys) { + if ($test_keys{$key} == $REQUIRED) { + die "[] Missing '$key' element in hash: $hash_num" + unless defined $test_hr->{$key}; + } else { + $test_hr->{$key} = '' unless defined $test_hr->{$key}; + } + } + $hash_num++; + } + + die "[] $conf_dir directory does not exist." unless -d $conf_dir; + die "[] default config $default_conf does not exist" unless -e $default_conf; + + if (-d $output_dir) { + if (-d "${output_dir}.last") { + rmtree "${output_dir}.last" + or die "[] rmtree ${output_dir}.last $!"; + } + mkdir "${output_dir}.last" + or die "[] ${output_dir}.last: $!"; + for my $file (glob("$output_dir/.test")) { + if ($file =~ m\|./(.)\|) { + copy $file, "${output_dir}.last/$1" or die $!; + } + } + if (-e "$output_dir/init") { + copy "$output_dir/init", "${output_dir}.last/init"; + } + if (-e $logfile) { + copy $logfile, "${output_dir}.last/$logfile" or die $!; + } + $saved_last_results = 1; + } else { + mkdir $output_dir or die "[] Could not mkdir $output_dir: $!"; + } + unless (-d $run_dir) { + mkdir $run_dir or die "[] Could not mkdir $run_dir: $!"; + } + + for my $file (glob("$output_dir/.test")) { + unlink $file or die "[] Could not unlink($file)"; + } + if (-e "$output_dir/init") { + unlink "$output_dir/init" or die $!; + } + + if (-e $logfile) { + unlink $logfile or die $!; + } + + if ($test_include) { + @tests_to_include = split /\s,\s/, $test_include; + } + if ($test_exclude) { + @tests_to_exclude = split /\s,\s/, $test_exclude; + } + + return; +} + +sub process_include_exclude() { + my $msg = shift; + + ### inclusions/exclusions + if (@tests_to_include) { + my $found = 0; + for my $test (@tests_to_include) { + if ($msg =~ /$test/) { + $found = 1; + last; + } + } + return 0 unless $found; + } + if (@tests_to_exclude) { + my $found = 0; + for my $test (@tests_to_exclude) { + if ($msg =~ /$test/) { + $found = 1; + last; + } + } + return 0 if $found; + } + return 1; +} + +sub write_test_file() { + my $msg = shift; + + if (-e $current_test_file) { + open F, ">> $current_test_file" + or die "[] Could not open $current_test_file: $!"; + print F $msg; + close F; + } else { + open F, "> $current_test_file" + or die "[*] Could not open $current_test_file: $!"; + print F $msg; + close F; + } + return; +} + +sub logr() { + my $msg = shift; + print STDOUT $msg; + open F, ">> $logfile" or die $!; + print F $msg; + close F; + return; +} + +sub usage() { + ### FIXME +}