
📄 telnet.rules

📁 Intrusion detection system: example of use with MySQL on Linux
💻 RULES
# $Id: telnet.rules,v 1.11 2001/07/25 03:28:07 roesch Exp $
#-------------
# TELNET RULES
#-------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET 4Dgifts SGI account attempt";flags: A+; content:"4Dgifts"; classtype:attempted-user; sid:709; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET EZsetup account attempt";flags: A+; content:"OutOfBox"; classtype:attempted-user; sid:710; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET SGI telnetd format bug"; flags: A+; content: "_RLD"; content: "/bin/sh";reference:arachnids,304; classtype:attempted-admin; sid:711; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET ld_library_path";flags: A+; content:"ld_library_path"; reference:arachnids,367; classtype:attempted-admin; sid:712; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET livingston DOS";flags: A+; content:"|fff3 fff3 fff3 fff3 fff3|"; reference:arachnids,370; classtype:attempted-dos; sid:713; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"TELNET resolv_host_conf";flags: A+; content:"resolv_host_conf"; reference:arachnids,369; classtype:attempted-admin; sid:714; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Attempted SU from wrong group"; content: "to su root"; nocase; flags: A+; classtype:attempted-admin; sid:715; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET access";flags: A+; content:"|FF FD 18 FF FD 1F FF FD 23 FF FD 27 FF FD 24|"; reference:arachnids,08; reference:cve,CAN-1999-0619; classtype:not-suspicious; sid:716; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET not on console"; flags: A+; content:"not on system console"; nocase; reference:arachnids,365; classtype:bad-unknown; sid:717; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET login incorrect"; content:"Login incorrect"; flags: A+; reference:arachnids,127; classtype:bad-unknown; sid:718; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET root login"; content:"login\: root"; flags: A+; classtype:bad-unknown; sid:719; rev:1;)
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (flags: A+; content: "|0D0A|[Yes]|0D0A FFFE 08FF FD26|"; msg: "TESO *BSD Telnet exploit query response"; classtype: attempted-admin; sid: 1252; rev: 2; reference: bugtraq,3064; reference:cve,CAN-2001-0554;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (flags: A+; dsize: >200; content: "|FF F6 FF F6 FF FB 08 FF F6|"; offset: 200; depth: 50; msg: "TESO *BSD Telnet client exploit finishing"; classtype: successful-admin; sid: 1253; rev: 2; reference: bugtraq,3064; reference:cve,CAN-2001-0554;)
