info.rules

入侵检测系统.linux下与MySql连用的例子

# $Id: info.rules,v 1.8 2001/07/16 14:19:50 cazz Exp $
#-----------
# INFO RULES
#-----------

alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase; flags:A+; classtype:unknown; sid:488; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "pass |0d|"; nocase; flags: A+; reference:arachnids,322; flags:A+; classtype:unknown; sid:489; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"INFO battle-mail traffic"; content:"BattleMail"; flags:A+; flags:A+; classtype:unknown; sid:490; rev:1;)
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"530 Login "; nocase; flags:A+; classtype:bad-unknown; sid:491; rev:2;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; flags: A+; content: "Login failed";  nocase; flags:A+; classtype:bad-unknown; sid:492; rev:2;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; flags: A+; content: "Login incorrect"; nocase; flags:A+; classtype:bad-unknown; sid:1251; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO psyBNC access"; flags: A+; content:"Welcome!psyBNC@lam3rz.de"; flags:A+; classtype:bad-unknown; sid:493; rev:1;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO Web Cmd completed"; content:"Command completed"; nocase; flags:A+; classtype:bad-unknown; sid:494; rev:1;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO Web Command Error"; content:"Bad command or filename"; nocase; flags:A+; classtype:bad-unknown; sid:495; rev:1;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO Web Dir listing"; content:"Directory Listing of"; nocase; flags:A+; classtype:unknown; sid:496; rev:1;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO Web File Copied ok"; content:"1 file(s) copied"; nocase; flags:A+; classtype:bad-unknown; sid:497; rev:1;)
alert tcp any any -> any any (msg:"INFO id check returned root"; flags:A+; content: "uid=0(root)"; classtype:bad-unknown; sid:498; rev:1;)