dos.rules

入侵检测系统.linux下与MySql连用的例子

# $Id: dos.rules,v 1.10 2001/08/09 00:16:16 roesch Exp $
#----------
# DOS RULES
#----------

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Jolt attack"; fragbits: M; dsize:408; classtype:attempted-dos; sid:268; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; id:3868; seq: 3868; flags:S; classtype:attempted-dos; sid:269; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Teardrop attack"; id:242; fragbits:M; reference:bugtraq,124; classtype:attempted-dos; sid:270; rev:1;)
alert udp any 19 <> $HOME_NET 7 (msg:"DOS UDP Bomb"; classtype:attempted-dos; sid:271; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; content:"|02 00|"; depth: 2; ip_proto: 2; fragbits: M+; classtype:attempted-dos; sid:272; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; content:"|00 00|"; depth: 2; ip_proto: 2; fragbits: M+; classtype:attempted-dos; sid:273; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; content:"+++ath"; nocase; itype: 8; reference:arachnids,264; classtype:attempted-dos; sid:274; rev:1;)
alert tcp $EXTERNAL_NET any <> any any (msg:"DOS NAPTHA"; flags:S; seq: 6060842; id: 413; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; classtype:attempted-dos; sid:275; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flags: A+; content: "|fff4 fffd 06|"; reference:bugtraq,1288; reference:cve,CVE-2000-0474; reference:arachnids,411; classtype:attempted-dos; sid:276; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flags: A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; reference:bugtraq,1288; classtype:attempted-dos; sid:277; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flags: A+; content:"/viewsource/template.html?"; nocase; reference:cve,CVE-2000-0474; reference:bugtraq,1288; classtype:attempted-dos; sid:278; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; dsize:0; reference:bugtraq,1009; reference:cve,CVE-2000-0221; classtype:attempted-dos; sid:279; rev:2;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath0"; content: "+++ath0"; nocase; itype: 8; reference:arachnids,264; classtype:attempted-dos; sid:280; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; content: "|4e 41 4d 45 4e 41 4d 45|"; offset: 25; depth: 50; reference:bugtraq,714; reference:cve,CVE-1999-0060; reference:arachnids,262; classtype:attempted-dos; sid:281; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flags: A+; dsize: >1445; reference:bugtraq,662; reference:cve,CVE-1999-0788; reference:arachnids,261; classtype:attempted-dos; sid:282; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg: "DOS Winnuke attck; flags: U+; reference: bugtraq,2010; reference:cve,CVE-1999-0153; classtype: attempted-dos; sid: 1257; rev:1;)