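# $Id: sql.rules,v 1.4 2001/06/11 15:29:30 cazz Exp $
#----------
# SQL RULES
#----------
# Snort signatures for Microsoft SQL Server traffic.  Two transports are covered:
#   * TCP/1433  - direct TDS sessions; the TDS packet header is 8 bytes, hence "offset: 8".
#   * TCP/139   - SQL Server reached over SMB named pipes (the "PIPES" rules); the larger
#                 offset presumably skips the SMB framing ahead of the pipe payload -- verify
#                 against captures before tightening these further.
# Stored-procedure names are matched as wide characters (each ASCII byte followed by |00|)
# because that is how SQL Server receives them on the wire; "nocase" applies to the
# ASCII bytes.  $EXTERNAL_NET and $SQL_SERVERS are expected to be defined in the main
# Snort configuration.
# NOTE(review): "flags: AP" keys purely on the ACK+PSH bits; newer Snort releases express
# the same intent with "flow:to_server,established;" -- update when the ruleset is migrated.
#
# Changes from rev 1.4 of this file:
#   * sid:681 carried "offset: 32; offset: 32;" (a duplicated option); it now reads
#     "offset: 32; depth: 32;" like the other 139/named-pipe rules (676-679, 689).
#   * sid:680 ("sa logon failed" over 139) was classified "attempted-user" while the
#     identical 1433 rule (sid:688) is "unsuccessful-user"; both now use unsuccessful-user.
#   Both modified rules have rev bumped to 2.

# --- Program execution / privileged stored procedures, direct TDS (1433) ---
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:673; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:674; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:675; rev:1;)

# --- Same procedures over SMB named pipes (139); "depth: 32" bounds the search window ---
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL sp_start_job - program execution"; content: "s|00|p|00|_|00|s|00|t|00|a|00|r|00|t|00|_|00|j|00|o|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:676; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL PIPES sp_password - password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:677; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL PIPES sp_delete_alert - log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:678; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL PIPES sp_adduser - database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:679; rev:1;)

# --- Failed "sa" logon, server -> client direction (139 variant; 1433 variant is sid:688) ---
# classtype changed from attempted-user to unsuccessful-user to match sid:688 (rev 2).
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"MS-SQL sa logon failed"; content: "Login failed for user |27|sa|27|"; flags: AP; offset:83; classtype:unsuccessful-user; sid:680; rev:2;)

# Duplicated "offset: 32" replaced by "depth: 32" to match sids 676-679/689 (rev 2).
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL PIPES xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:681; rev:1;)

# --- More privileged procedures, direct TDS (1433) ---
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:682; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_password - password change"; content: "s|00|p|00|_|00|p|00|a|00|s|00|s|00|w|00|o|00|r|00|d|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:683; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_delete_alert - log file deletion"; content: "s|00|p|00|_|00|d|00|e|00|l|00|e|00|t|00|e|00|_|00|a|00|l|00|e|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:684; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL sp_adduser - database user creation"; content: "s|00|p|00|_|00|a|00|d|00|d|00|u|00|s|00|e|00|r|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:685; rev:1;)
# "xp_reg" is a prefix match and covers the whole xp_reg* family (xp_regread, xp_regwrite, ...).
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_reg* - registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:686; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content: "x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:687; rev:1;)

# --- Failed "sa" logon, server -> client direction (1433 variant) ---
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"MS-SQL sa logon failed"; content: "Login failed for user |27|sa|27|"; flags: AP; offset:16; classtype:unsuccessful-user; sid:688; rev:1;)

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL PIPES xp_reg* - registry access"; content: "x|00|p|00|_|00|r|00|e|00|g|00|"; nocase; flags: AP; offset: 32; depth: 32; classtype:attempted-user; sid:689; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:690; rev:1;)

# --- Known shellcode byte sequences, no offset (searched across the whole payload) ---
# Each sequence is listed once per transport (1433 and 139); keep the byte strings identical.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL Buffer overflow shellcode ACTIVE ATTACK"; content: "|3920d0009201c200520055003920ec00|"; flags: AP; classtype:attempted-user; sid:691; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL Buffer overflow shellcode ACTIVE ATTACK"; content: "|3920d0009201c200520055003920ec00|"; flags: AP; classtype:attempted-user; sid:692; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL Buffer overflow shellcode ACTIVE ATTACK"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flags: AP; classtype:attempted-user; sid:693; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL Buffer overflow shellcode ACTIVE ATTACK"; content: "|4800250078007700900090009000900090003300c000500068002e00|"; flags: AP; classtype:attempted-user; sid:694; rev:1;)

# --- Extended procedures with known overflow history, named pipes (139) ---
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:695; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:696; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:697; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:698; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_printstatements possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:699; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:700; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_updatecolvbm possible buffer overflow"; content: "x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:701; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_displayparamstmt possible buffer overflow"; content: "x|00|p|00|_|00|d|00|i|00|s|00|p|00|l|00|a|00|y|00|p|00|a|00|r|00|a|00|m|00|s|00|t|00|m|00|t"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:702; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_setsqlsecurity possible buffer overflow"; content: "x|00|p|00|_|00|s|00|e|00|t|00|s|00|q|00|l|00|s|00|e|00|c|00|u|00|r|00|i|00|t|00|y"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:703; rev:1;)

# --- Same extended procedures, direct TDS (1433) ---
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_sprintf possible buffer overflow"; content: "x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:704; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_showcolv possible buffer overflow"; content: "x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:705; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_peekqueue possible buffer overflow"; content: "x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:706; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL - xp_proxiedmetadata possible buffer overflow"; content: "x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a"; nocase; flags: AP; offset: 8; classtype:attempted-user; sid:707; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"MS-SQL - xp_enumresultset possible buffer overflow"; content: "x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t"; nocase; flags: AP; offset: 32; classtype:attempted-user; sid:708; rev:1;)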