# FTP (port 21) rules: inbound command-channel traffic only, every rule gated
# on flags: A+ (ACK set, i.e. an established session). Snort content strings
# are exact, case-sensitive substrings unless the rule adds nocase, so the
# lower-case "pass -..." scanner strings do not match an upper-case PASS.
# The |..| rules match one specific shellcode byte sequence; they are
# high-confidence when they fire but give no coverage of other encodings of
# the same exploit, so treat them as confirmation, not as the only signal.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow";flags: A+; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368;)
# "passwd" is a bare substring: any command line containing it (RETR of a
# file named passwd, a user name containing it) alerts. The same rule is
# repeated further down with an arachnids,213 reference; keep one.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd attempt";flags: A+; content:"passwd";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow";flags: A+; content:"|5858 5858 582F|";)
# dsize:>1300 plus "CEL ": an oversized command line starting a CEL argument.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT aix overflow";flags: A+;dsize:>1300; content:"CEL "; reference:arachnids,257;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow";flags: A+; content:"|5057 440A 2F69|";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow";flags: A+; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow";flags: A+; content:"MKD AAAAAA";reference:bugtraq,113; reference:cve,CVE-1999-0368;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow";flags: A+; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts";flags: A+; content:".rhosts"; reference:arachnids,328;)
# Scanner fingerprints keyed on the canned anonymous-FTP password each tool
# sends; low false-positive rate, but trivially absent from customised tools.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flags: A+; content:"PASS ddd@|0a|"; reference:arachnids,332;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan";flags: A+; content:"pass -iss@iss"; reference:arachnids,331;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan";flags: A+; content:"pass -cklaus";)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan";flags: A+; content:"pass -saint"; reference:arachnids,330;)
# NOTE(review): the content has no space between RETR and the option
# ("RETR--use-compress-program"); confirm this is the wire format intended
# for CVE-1999-0202 rather than a dropped space.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters";flags: A+; content:"RETR--use-compress-program"; reference:arachnids,134; reference:cve,CVE-1999-0202;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd attempt"; content:"passwd"; flags: A+; reference:arachnids,213;)
# wu-ftpd 2.6.0 SITE EXEC: depth:16/32 restricts the search to the start of
# the payload, which keeps the cost low and ties the match to a command line
# rather than file data.
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow"; content: "SITE EXEC %p"; nocase; flags: A+; depth: 16; reference:arachnids,285;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec overflow"; content: "|66 25 2E 66 25 2E 66 25 2E 66 25 2E 66 25 2E|"; flags: A+; depth: 32; reference:arachnids,286;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 bsd"; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; flags: A+; depth: 32; reference:arachnids,228;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan";flags: A+; content:"pass -satan"; reference:arachnids,329;)
# ICMP RULES
# Updated: 03/15/2001
# -------------------
# Scanner/tool fingerprints keyed on echo-request payload, size or ICMP
# id/seq, plus a few protocol-level checks. Overlaps worth knowing about:
# - the two "ICMP Nemesis v1.1 Echo" rules are the same match written twice;
# - "Nmap2.36BETA or HPING2 Echo" and "PING NMAP" are the same match
#   (itype 8, dsize 0) and both fire on any zero-byte echo request;
# - "superscan echo from windows" (8 zero bytes) is a subset of
#   "sing echo from Sun Solaris" (any 8-byte echo), which is itself repeated
#   in the INFO section as "SING Echo from Sun Solaris".
# Source Quench is any/any, so it also fires on outbound packets.
alert icmp any any -> any any (msg:"ICMP Source Quench"; itype: 4; icode: 0;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; dsize: 20; itype: 8; icmp_id: 0; icmp_seq: 0; content: "|0000000000000000000000000000000000000000|"; reference:arachnids,449;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nmap2.36BETA or HPING2 Echo ";itype:8;dsize:0; reference:arachnids,162;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Nemesis v1.1 Echo"; content:"|0000000000000000000000000000000000000000|"; itype: 8; icmp_id: 0; icmp_seq: 0; dsize: 20;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP superscan echo from windows"; content:"|0000000000000000|"; itype: 8; dsize:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP sing echo from Sun Solaris"; itype: 8; dsize: 8;)
# Bidirectional (<>) and any/any: alerts on 4-byte echo requests in either
# direction, including ones originating inside $HOME_NET.
alert icmp any any <> any any (msg:"ICMP Broadscan Smurf Scanner"; itype: 8; icmp_id: 0; icmp_seq: 0; dsize:4; )
# id: 666 is the IP header id; icmp_id: 666 the ICMP echo id.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; id: 666; dsize: 0; itype: 8; icmp_id: 666 ; icmp_seq: 0; reference:arachnids,450;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize: 0; itype: 8; reference:arachnids,162;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP L3retriever Ping"; content: "ABCDEFGHIJKLMNOPQRSTUVWABCDEFGHI"; itype: 8; icode: 0; depth: 32; reference:arachnids,311;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP webtrends scanner ping"; content: "|00 00 00 00 45 45 45 45 45 45 45 45 45 45 45 45|"; itype: 8; icode: 0; reference:arachnids,307;)
# NOTE(review): this rule is $EXTERNAL_NET -> $EXTERNAL_NET, unlike every
# neighbour ($EXTERNAL_NET -> $HOME_NET); with the usual complementary
# HOME/EXTERNAL definitions it only sees transit traffic. Confirm intended.
alert icmp $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ICMP traceroute ipopts"; ipopts: rr; itype: 0; reference:arachnids,238;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Sniffer Pro/NetXRay network scan"; content:"|43696e636f204e6574776f726b2c20496e632e|"; itype: 8; depth: 32;)
# ttl:1 echo request arriving from outside: the probe hop of a traceroute.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ";ttl:1;itype:8; reference:arachnids,118;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP ISS Pinger"; content:"|495353504e475251|";itype:8;depth:32; reference:arachnids,158;)
# Type 5 redirects from outside the network change host routing tables
# (CVE-1999-0265); unlike the fingerprint rules these are worth keeping on.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net";itype:5;icode:0; reference:arachnids,199; reference:cve,CVE-1999-0265;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host";itype:5;icode:1; reference:arachnids,135; reference:cve,CVE-1999-0265;)
# INFO RULES
# Updated: 03/15/2001
# -------------------
# The $HTTP_SERVERS 80 -> $EXTERNAL_NET rules match response text leaving a
# web server ("Command completed", "1 file(s) copied", "Directory Listing
# of", "Bad command or filename" - these look like Windows command-shell
# output). On a server that should only serve content they indicate a
# command was executed and its output returned, so despite the INFO label
# they deserve a higher priority than the ICMP inventory below. None of the
# four carries a flags: check, so they are not limited to established
# sessions; all are nocase.
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO - Web Cmd completed"; content:"Command completed"; nocase;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO - Web File Copied ok"; content:"1 file(s) copied"; nocase;)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO - Web Dir listing"; content:"Directory Listing of"; nocase;)
# Outbound from $HOME_NET: an internal host receiving a psyBNC (IRC bouncer)
# welcome banner, i.e. policy/compromise signal rather than an attack.
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"INFO - psyBNC access"; flags: A+; content:"Welcome!psyBNC@lam3rz.de";)
alert tcp $HTTP_SERVERS 80 -> $EXTERNAL_NET any (msg:"INFO - Web Command Error"; content:"Bad command or filename"; nocase;)
# NOTE(review): "reference:arachnids, 152" has a space after the comma; every
# sibling writes "arachnids,NNN". Confirm the reference parser strips it,
# otherwise the generated link carries the space.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BSDtype"; itype: 8; content:"|08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17|"; depth: 32; reference:arachnids, 152;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Windows"; content: "|61 62 63 64 65 66 67 68 69 6A 6B 6C 6D 6E 6F 70|"; itype: 8; depth: 16; reference:arachnids,169;)
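# ICMP type/code inventory. Every rule here is any/any in both directions
# and matches on type (and usually code) alone, so it is informational and
# very noisy on a busy link; tune or disable before use on a production
# sensor. Rules tagged "(Undefined Code!)" carry only itype and therefore
# overlap the per-code rule for the same type; whether one packet raises
# both alerts depends on the Snort version's event-queue settings.
# "ICMP Unknown Type" has no options at all and matches every ICMP packet.
# Review: msg text corrected in place - the "(Type 2) (Undefined Code!)"
# rule was missing the closing quote of its msg, which is a parse error;
# four msgs were missing a closing ")"; "Tupe", "Requiered" and
# "Advertisment" were typos. Anything keyed on the old msg strings must be
# updated to match.
alert icmp any any -> any any (msg:"ICMP Router Advertisement"; itype: 9; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Precedence Violation)"; itype: 3; icode: 14;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Precedence Cutoff in effect)"; itype: 3; icode: 15;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Undefined Code!)"; itype: 3;)
alert icmp any any -> any any (msg:"ICMP Source Quench (Undefined Code!)"; itype: 4;)
alert icmp any any -> any any (msg:"ICMP Redirect (for TOS and Network)"; itype: 5; icode: 2;)
alert icmp any any -> any any (msg:"ICMP Redirect (Undefined Code!)"; itype: 5;)
alert icmp any any -> any any (msg:"ICMP Alternate Host Address (Undefined Code!)"; itype: 6;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 7)"; itype: 7; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 7) (Undefined Code!)"; itype: 7;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication Administratively Prohibited)"; itype: 3; icode: 13;)
alert icmp any any -> any any (msg:"ICMP Echo Request (Undefined Code!)"; itype: 8;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Host Isolated)"; itype: 3; icode: 8;)
alert icmp any any -> any any (msg:"ICMP Router Selection"; itype: 10; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Router Selection (Undefined Code!)"; itype: 10;)
alert icmp any any -> any any (msg:"ICMP Time-To-Live Exceeded in Transit"; itype: 11; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Fragment Reassembly Time Exceeded"; itype: 11; icode: 1;)
alert icmp any any -> any any (msg:"ICMP Echo Request"; itype: 8; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Port Unreachable)"; itype: 3; icode: 3;)
alert icmp any any -> any any (msg:"ICMP Echo Reply"; itype: 0; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Echo Reply (Undefined Code!)"; itype: 0;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 1)"; itype: 1; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 1) (Undefined Code!)"; itype: 1;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 2)"; itype: 2; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Unassigned! (Type 2) (Undefined Code!)"; itype: 2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable)"; itype: 3; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Host is Administratively Prohibited)"; itype: 3; icode: 10;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Protocol Unreachable)"; itype: 3; icode: 2;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable for Type of Service)"; itype: 3; icode: 12;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Fragmentation Needed and DF bit was set)"; itype: 3; icode:4;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Source Route Failed)"; itype: 3; icode: 5;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Network Unknown)"; itype: 3; icode: 6;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Destination Host Unknown)"; itype: 3; icode: 7;)
alert icmp any any -> any any (msg:"ICMP Alternate Host Address"; itype: 6; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Communication with Destination Network is Administratively Prohibited)"; itype: 3; icode: 9;)
alert icmp any any -> any any (msg:"ICMP Time Exceeded (Undefined Code!)"; itype: 11;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Network Unreachable for Type of Service)"; itype: 3; icode:11;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable (Host Unreachable)"; itype: 3; icode: 1;)
alert icmp any any -> any any (msg:"ICMP Mobile Registration Reply (Undefined Code!)"; itype: 36;)
alert icmp any any -> any any (msg:"ICMP Datagram Conversion Error (Undefined Code!)"; itype: 31;)
alert icmp any any -> any any (msg:"ICMP Mobile Host Redirect"; itype: 32; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Mobile Host Redirect (Undefined Code!)"; itype: 32;)
alert icmp any any -> any any (msg:"ICMP IPV6 Where-Are-You"; itype: 33; icode: 0;)
alert icmp any any -> any any (msg:"ICMP IPV6 Where-Are-You (Undefined Code!)"; itype: 33;)
alert icmp any any -> any any (msg:"ICMP IPV6 I-Am-Here"; itype: 34; icode: 0;)
alert icmp any any -> any any (msg:"ICMP IPV6 I-Am-Here (Undefined Code!)"; itype: 34;)
alert icmp any any -> any any (msg:"ICMP Mobile Registration Request"; itype: 35; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Datagram Conversion Error"; itype: 31; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Mobile Registration Reply"; itype: 36; icode: 0;)
alert icmp any any -> any any (msg:"ICMP SKIP"; itype: 39; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 0 (unspecified Error)"; itype: 12; icode: 0;)
alert icmp any any -> any any (msg:"ICMP SKIP (Undefined Code!)"; itype: 39;)
alert icmp any any -> any any (msg:"ICMP Redirect (for TOS and Host)"; itype: 5; icode: 3;)
alert icmp any any -> any any (msg:"ICMP Photuris Code 1 (Unknown Security Parameters Index)"; itype: 40; icode: 1;)
alert icmp any any -> any any (msg:"ICMP Photuris Code 2 (Valid Security Parameters, But Authentication Failed)"; itype: 40; icode: 2;)
alert icmp any any -> any any (msg:"ICMP Photuris Code 3 (Valid Security Parameters, But Decryption Failed)"; itype: 40; icode: 3;)
alert icmp any any -> any any (msg:"ICMP Photuris (Undefined Code!)"; itype: 40;)
alert icmp any any -> any any (msg:"ICMP Unknown Type";)
alert icmp any any -> any any (msg:"ICMP Mobile Registration Request (Undefined Code!)"; itype: 35;)
alert icmp any any -> any any (msg:"ICMP Information Request"; itype: 15; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Photuris Code 0 (Reserved)"; itype: 40; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 1 (Missing a Required Option)"; itype: 12; icode: 1;)
alert icmp any any -> any any (msg:"ICMP Traceroute (Undefined Code!)"; itype: 30;)
alert icmp any any -> any any (msg:"ICMP Parameter Problem (Undefined Code!)"; itype: 12;)
alert icmp any any -> any any (msg:"ICMP Timestamp Request"; itype: 13; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Timestamp Request (Undefined Code!)"; itype: 13;)
alert icmp any any -> any any (msg:"ICMP Parameter Problem Code 2 (Bad Length)"; itype: 12; icode: 2;)
alert icmp any any -> any any (msg:"ICMP Timestamp Reply (Undefined Code!)"; itype: 14;)
alert icmp any any -> any any (msg:"ICMP Information Request (Undefined Code!)"; itype: 15;)
alert icmp any any -> any any (msg:"ICMP Address Mask Reply (Undefined Code!)"; itype: 18;)
alert icmp any any -> any any (msg:"ICMP Information Reply (Undefined Code!)"; itype: 16;)
alert icmp any any -> any any (msg:"ICMP Traceroute"; itype: 30; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Address Mask Request"; itype: 17; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Reserved for Security (Type 19) (Undefined Code!)"; itype: 19;)
alert icmp any any -> any any (msg:"ICMP Address Mask Request (Undefined Code!)"; itype: 17;)
alert icmp any any -> any any (msg:"ICMP Address Mask Reply"; itype: 18; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Information Reply"; itype: 16; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Reserved for Security (Type 19)"; itype: 19; icode: 0;)
alert icmp any any -> any any (msg:"ICMP Timestamp Reply"; itype: 14; icode: 0;)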
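# Ping fingerprints, login-result strings and shell indicators.
# Overlaps: the two "SING Echo from LINUX/*BSD" rules are the same match
# (id 13170, itype 8, dsize 8); "SING Echo from Sun Solaris" repeats the
# "sing echo from Sun Solaris" rule in the ICMP section; the IRDP rule at
# the end overlaps the any/any "Router Advertisement" (itype 9) rule.
# Keep one of each to avoid double alerts.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SING Echo from LINUX/*BSD"; id: 13170; dsize: 8; itype: 8; reference:arachnids,447;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SING Echo from Sun Solaris"; dsize: 8; itype: 8; reference:arachnids,448;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"INFO Connection Closed MSG from Port 80"; content:"Connection closed by foreign host"; nocase;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SING Echo from LINUX/*BSD"; id:13170; itype: 8; dsize: 8;)
# NOTE(review): "530 Login " is an FTP reply code, yet this rule watches
# port 23 and is labelled TELNET; confirm whether the port or the msg is
# the intended one (compare the "FTP Bad login" rule below).
alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; flags: A+; content: "530 Login ";)
# Review: content was "0102030405060708090a0b0c0d0e0f" without |..|
# delimiters, so it matched that 30-character ASCII text rather than the 15
# payload bytes the sibling rules (arachnids 438 and 156) match; the hex
# delimiters are restored. It now fires on the same payload as the
# arachnids,438 rule two lines down; the two could be merged into one rule
# carrying both references.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING - BayRS Router"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f|"; depth: 32; reference:arachnids,444;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"INFO PING speedera"; content: "|3839 3a3b 3c3d 3e3f|"; depth: 100; itype: 8; )
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING BayRS Router"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f|"; depth: 32; reference:arachnids,438;)
# The 16-byte Flowpoint pattern starts with the 15-byte BayRS pattern, so a
# packet matching this rule also matches the BayRS rules above.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING from Flowpoint2200 or Network Management Software"; itype: 8; content: "|0102030405060708090a0b0c0d0e0f10|"; depth: 32;reference:arachnids,156;)
# Output of `id` for uid 0 seen in cleartext on any port, any direction:
# a useful post-compromise indicator, but with no flags: check and any/any
# addresses it also fires on legitimate admin sessions over cleartext
# protocols.
alert tcp any any -> any any (msg:"INFO id check returned root"; content: "uid=0(root)";)
# "pass |0d|": a PASS command with an empty argument (CR immediately after).
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"INFO FTP No Password"; content: "pass |0d|"; nocase; flags: A+; reference:arachnids,322;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"INFO battle-mail traffic"; content:"BattleMail"; flags:A+;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Network Toolbox 3 Windows"; content:"|3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d3d|";itype:8;depth:32; reference:arachnids,161;)
# Server -> client failed-login reply; pair with the inbound FTP scan rules
# to tell a guessing attempt from a single typo.
alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"FTP Bad login"; content:"Login failed."; nocase; flags:A+;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement";itype:9; reference:arachnids,173;)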
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"I