shellcode.rules

入侵检测系统.linux下与MySql连用的例子

# $Id: shellcode.rules,v 1.4 2001/06/28 16:43:26 roesch Exp $
# ---------------
# SHELLCODE RULES
# ---------------

# turn these rules on if you want them, but be aware there's a 
# performance hit associated with running these rules since they 
# apply to almost all traffic
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|03e0 f825 03e0 f825 03e0 f825 03e0 f825|"; reference:arachnids,356; classtype:bad-unknown; sid:638; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE SGI NOOP"; content:"|240f 1234 240f 1234 240f 1234 240f 1234|"; reference:arachnids,357; classtype:bad-unknown; sid:639; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE aix NOOP"; content:"|4fff fb82 4fff fb82 4fff fb82 4fff fb82|"; classtype:bad-unknown; sid:640; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE digital unix NOOP"; content:"|47 ff 04 1f 47 ff 04 1f 47 ff 04 1f 47 ff 04 1f|"; reference:arachnids,352; classtype:bad-unknown; sid:641; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE hpux NOOP"; content:"|0821 0280 0821 0280 0821 0280 0821 0280|"; reference:arachnids,358; classtype:bad-unknown; sid:642; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE hpux NOOP"; content:"|0b39 0280 0b39 0280 0b39 0280 0b39 0280|";reference:arachnids,359; classtype:bad-unknown; sid:643; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|13c0 1ca6 13c0 1ca6 13c0 1ca6 13c0 1ca6|"; reference:arachnids,345; classtype:bad-unknown; sid:644; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|801c 4011 801c 4011 801c 4011 801c 4011|"; reference:arachnids,353; classtype:attempted-user; sid:645; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sparc NOOP"; content:"|a61c c013 a61c c013 a61c c013 a61c c013|"; reference:arachnids,355; classtype:bad-unknown; sid:646; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"SHELLCODE sparc setuid 0"; content: "|82102017 91d02008|"; reference:arachnids,282; classtype:attempted-admin; sid:647; rev:1;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE x86 NOOP"; content: "|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; depth: 128; reference:arachnids,181; classtype:bad-unknown; sid:648; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE x86 setgid 0"; content: "|b0b5 cd80|"; reference:arachnids,284; classtype:attempted-admin; sid:649; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE x86 setuid 0"; content: "|b017 cd80|"; reference:arachnids,436; classtype:attempted-admin; sid:650; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE x86 stealth NOOP";   content: "|eb 02 eb 02 eb 02|"; reference:arachnids,291; classtype:bad-unknown; sid:651; rev:2;)
alert ip $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE linux shellcode"; content:"|90 90 90 e8 c0 ff ff ff|/bin/sh";  reference:arachnids,343; classtype:attempted-admin; sid:652; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET :1023 (msg:"SHELLCODE x86 unicode NOOP"; content: "|90009000900090009000|"; classtype:attempted-user; sid:653; rev:2;)