
📄 ftp.rules

📁 Firestorm NIDS is a very high-performance network intrusion detection system (NIDS). Currently
# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: ftp.rules,v 1.1 2002/08/12 11:42:07 scara Exp $
#----------
# FTP RULES
#----------
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"*"; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT ? dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"?"; reference:bugtraq,4482; classtype:attempted-dos; sid:1778; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .forward"; content: ".forward"; flow:to_server,established; reference:arachnids,319; classtype:suspicious-filename-detect; sid:334;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP .rhosts"; flow:to_server,established; content:".rhosts"; reference:arachnids,328; classtype:suspicious-filename-detect; sid:335;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~root attempt"; content:"CWD "; content:" ~root"; nocase; flow:to_server,established; reference:cve,CVE-1999-0082; reference:arachnids,318; classtype:bad-unknown; sid:336;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT aix overflow";flow:to_server,established; dsize:>1300; content:"CEL "; reference:bugtraq,679; reference:cve,CVE-1999-0789; reference:arachnids,257; classtype:attempted-admin; sid:337;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content: " |90 31 C0 99 52 52 B017 CD80 68 CC 73 68|"; reference:cve,CVE-2001-0053; reference:bugtraq,2124; reference:arachnids,446; classtype:attempted-user; sid:339;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5057 440A 2F69|"; classtype:attempted-admin; sid:340;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"|5858 5858 582F|"; classtype:attempted-admin; sid:341;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content: "|901BC00F 82102017 91D02008|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,451; classtype:attempted-user; sid:342;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content: "|31c0 50 50 50 b07e cd80 31db 31c0|"; depth: 32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-admin; sid:343;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content: "|31c031db 31c9b046 cd80 31c031db|"; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,287; classtype:attempted-admin; sid:344;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE EXEC %p"; nocase; depth:16; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; classtype:attempted-admin; sid:345;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,CAN-2000-0573; classtype:attempted-recon; sid:346;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"|2e2e3131|venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:349;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31c0 31db b017 cd80 31c0 b017 cd80|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:350;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|31db 89d8 b017 cd80 eb2c|"; reference:bugtraq,113; reference:cve,CVE-1999-0368; classtype:attempted-admin; sid:351;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 ec 04 5e 83 c6 70 83 c6 28 d5 e0 c0|";reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP adm scan"; flow:to_server,established; content:"PASS ddd@|0a|"; reference:arachnids,332; classtype:suspicious-login; sid:353;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP iss scan"; flow:to_server,established; content:"pass -iss@iss"; reference:arachnids,331; classtype:suspicious-login; sid:354;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP pass wh00t"; flow:to_server,established; content:"pass wh00t"; nocase; reference:arachnids,324; classtype:suspicious-login; sid:355;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP passwd retreval attempt"; flow:to_server,established; content:"RETR"; nocase; content:"passwd"; reference:arachnids,213; classtype:suspicious-filename-detect; sid:356;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP piss scan"; flow:to_server,established; content:"pass -cklaus"; classtype:suspicious-login; sid:357;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP saint scan"; flow:to_server,established; content:"pass -saint"; reference:arachnids,330; classtype:suspicious-login; sid:358;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP satan scan"; flow:to_server,established; content:"pass -satan"; reference:arachnids,329; classtype:suspicious-login; sid:359;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP serv-u directory transversal"; flow:to_server,established; content: ".%20."; nocase; reference:bugtraq,2025; reference:cve,CVE-2001-0054; classtype:bad-unknown; sid:360;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"site "; nocase; content:" exec "; offset:4; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP tar parameters"; flow:to_server,established; content:"RETR "; nocase; content:" --use-compress-program"; nocase; reference:bugtraq,2240; reference:arachnids,134; reference:cve,CVE-1999-0202; classtype:bad-unknown; sid:362;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ..."; flow:to_server,established; content:"CWD "; content:" ..."; classtype:bad-unknown; sid:1229;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt ["; flow:to_server,established; content:"~"; content:"["; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1377;  rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP wu-ftp file completion attempt {"; flow:to_server,established; content:"~"; content:"{"; reference:cve,CAN-2001-0886; reference:bugtraq,3581; classtype:misc-attack; sid:1378;  rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP ADMw0rm ftp login attempt"; flow:to_server,established; content:"USER w0rm|0D0A|"; reference:arachnids,01; sid:144; classtype:suspicious-login;  rev:6;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"FTP file_id.diz access"; flow:to_server,established; content:"RETR "; nocase; content:"file_id.diz"; nocase; classtype:misc-activity; sid:1445;  rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"STOR 1MB\" possible warez site"; flow:to_server,established; content:"STOR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:543;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"RETR 1MB\" possible warez site"; flow:to_server,established; content:"RETR 1MB"; nocase; depth: 8; classtype:misc-activity; sid:544;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible warez site"; flow:to_server,established; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD  \" possible warez site"; flow:to_server,established; content:"CWD  "; nocase; depth: 5; classtype:misc-activity; sid:546;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD  \" possible warez site"; flow:to_server,established; content:"MKD  "; nocase; depth: 5; classtype:misc-activity; sid:547;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD . \" possible warez site"; flow:to_server,established; content:"MKD ."; nocase; depth: 5; classtype:misc-activity; sid:548;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"MKD / \" possible warez site"; flow:to_server,established; content:"MKD / "; nocase; depth: 6; classtype:misc-activity; sid:554;  rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<NEWLINE> attempt"; content:"CWD "; content:" ~|0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1672;  rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD ~<CR><NEWLINE> attempt"; content:"CWD "; content:" ~|0D0A|"; flow:to_server,established; reference:cve,CAN-2001-0421; reference:bugtraq,2601; classtype:denial-of-service; sid:1728;  rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CWD .... attempt"; content:"CWD "; content:" ...."; flow:to_server,established; reference:bugtraq,4884; classtype:denial-of-service; sid:1779; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP RNFR ././ attempt"; flow:to_server,established; content:"RNFR "; nocase; content:" ././"; nocase; classtype:misc-attack; sid:1622;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE "; nocase; content:!" B"; nocase; content:!" A"; nocase; content:!" S"; nocase; content:!" C"; nocase; classtype:protocol-command-decode; sid:1623; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; content:"PWD"; nocase; dsize:10; classtype:protocol-command-decode; sid:1624; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large SYST command"; flow:to_server,established; content:"SYST"; nocase; dsize:10; classtype:protocol-command-decode; sid:1625; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP STAT overflow"; flow:to_server,established,no_stream; dsize:>100; content:"STAT "; nocase; reference:url,labs.defcom.com/adv/2001/def-2001-31.txt; classtype:attempted-admin; sid:1379; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP CMD overflow"; flow:to_server,established,no_stream; dsize:>100; content:"CMD "; nocase; classtype:attempted-admin; sid:1621; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow"; flow:to_server,established,no_stream; dsize:>100; content:"SITE CHOWN "; nocase; reference:cve,CAN-2001-0065; classtype:attempted-admin; sid:1529;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT CWD overflow"; flow:to_server,established,no_stream; dsize:>100; content:"CWD "; nocase; classtype:attempted-admin; sid:1630; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE CHOWN overflow attempt"; flow:to_server,established,no_stream; dsize:>100; content:"SITE "; nocase; content:" CHOWN "; nocase; reference:cve,CAN-2000-0479; classtype:attempted-admin; sid:1562; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; dsize:>100; content:"USER "; nocase; reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:4;)
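The payload options these rules depend on (content with |hex| bytes, nocase, depth, offset, negated content and dsize) can be exercised offline with the evaluator below. It is an added example, not code from Firestorm or Snort: it parses ten of the rules listed above (copied verbatim), ignores the rule header and the flow: option (it assumes every payload handed to it is a client-to-server command on an established FTP control session), and runs constructed FTP command lines through them. The depth semantics (the pattern must fit entirely inside payload[offset:offset+depth]) and the exact-match reading of a bare dsize:N are this example's assumptions about the Snort option syntax these rules use.

```python
import re

# Ten rules copied from the ftp.rules listing above (a subset, one per line).
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT STAT * dos attempt"; flow:to_server,established; content:"STAT "; nocase; content:"*"; reference:bugtraq,4482; classtype:attempted-dos; sid:1777; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content: "SITE EXEC |25 30 32 30 64 7C 25 2E 66 25 2E 66 7C 0A|"; depth: 32; nocase; reference:cve,CVE-2000-0573; reference:bugtraq,1387; reference:arachnids,453; classtype:attempted-user; sid:338;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE EXEC %p"; nocase; depth:16; reference:bugtraq,1387; reference:cve,CAN-2000-0573; reference:arachnids,285; classtype:attempted-admin; sid:345;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP site exec"; flow:to_server,established; content:"site "; nocase; content:" exec "; offset:4; nocase; reference:bugtraq,2241; reference:arachnids,317; classtype:bad-unknown; sid:361;  rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP \"CWD /\" possible warez site"; flow:to_server,established; content:"CWD / "; nocase; depth: 6; classtype:misc-activity; sid:545;  rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP invalid MODE"; flow:to_server,established; content:"MODE "; nocase; content:!" B"; nocase; content:!" A"; nocase; content:!" S"; nocase; content:!" C"; nocase; classtype:protocol-command-decode; sid:1623; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP large PWD command"; flow:to_server,established; content:"PWD"; nocase; dsize:10; classtype:protocol-command-decode; sid:1624; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP format string attempt"; flow:to_server,established; content:"%p"; nocase; classtype:attempted-admin; sid:1530; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; flow:to_server,established,no_stream; dsize:>100; content:"USER "; nocase; reference:bugtraq,4638; classtype:attempted-admin; sid:1734; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; classtype:protocol-command-decode; sid:1748; rev:4;)
'''

# One option is `name;`, `name:value;` or `name:"quoted";` (the quoted form may
# hold escaped quotes, and a content value may carry a leading ! for negation).
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*(!?\s*"(?:[^"\\]|\\.)*"|[^;]*?))?\s*;')


def decode_content(raw):
    """Turn a content value such as "abc|0D 0A|def" into (negated, bytes).
    Outside |...| the text is literal and a backslash escapes the next
    character; inside it is hex, whitespace-separated, pairs may run together."""
    negated = raw.startswith('!')
    body = raw.lstrip('! ')[1:-1]          # drop the ! and the double quotes
    out, hexbuf, in_hex, i = bytearray(), '', False, 0
    while i < len(body):
        ch = body[i]
        if in_hex:
            if ch == '|':
                out += bytes.fromhex(''.join(hexbuf.split()))
                hexbuf, in_hex = '', False
            else:
                hexbuf += ch
        elif ch == '|':
            in_hex = True
        elif ch == '\\' and i + 1 < len(body):
            i += 1
            out += body[i].encode('latin-1')  # escaped ", \ or |
        else:
            out += ch.encode('latin-1')
        i += 1
    return negated, bytes(out)


def parse_rule(line):
    """Split one rule into the fields this evaluator cares about."""
    header, _, opts = line.partition('(')
    opts = opts.rsplit(')', 1)[0]
    rule = {'header': header.strip(), 'sid': None, 'msg': None,
            'dsize': None, 'contents': []}
    for key, value in OPTION_RE.findall(opts):
        value = value.strip()
        if key == 'sid':
            rule['sid'] = int(value)
        elif key == 'msg':
            rule['msg'] = value[1:-1].replace('\\"', '"')
        elif key == 'dsize':
            rule['dsize'] = value
        elif key == 'content':
            negated, pattern = decode_content(value)
            rule['contents'].append({'pattern': pattern, 'negated': negated,
                                     'nocase': False, 'offset': 0, 'depth': None})
        elif key in ('nocase', 'offset', 'depth') and rule['contents']:
            # these modifiers bind to the most recent content, as in Snort
            rule['contents'][-1][key] = True if key == 'nocase' else int(value)
    return rule


def dsize_ok(spec, size):
    """Snort dsize: '>N', '<N', 'N' (exactly N) or 'N<>M' (exclusive range)."""
    if spec is None:
        return True
    if '<>' in spec:
        lo, hi = spec.split('<>')
        return int(lo) < size < int(hi)
    if spec[0] in '<>':
        return size > int(spec[1:]) if spec[0] == '>' else size < int(spec[1:])
    return size == int(spec)


def content_ok(c, payload):
    """Absolute content match: the pattern must fit inside
    payload[offset : offset+depth] (the whole payload when depth is unset).
    A negated content holds when the pattern is absent from that window."""
    hay, needle = payload, c['pattern']
    if c['nocase']:
        hay, needle = hay.lower(), needle.lower()
    end = len(hay) if c['depth'] is None else c['offset'] + c['depth']
    return (needle in hay[c['offset']:end]) != c['negated']


def evaluate(rules, payload):
    """Return the sids of every rule whose dsize and content options all hold.
    The header and flow: are not modelled; the payload is assumed to be
    client-to-server FTP control-channel data on an established session."""
    return [r['sid'] for r in rules
            if dsize_ok(r['dsize'], len(payload))
            and all(content_ok(c, payload) for c in r['contents'])]


RULES = [parse_rule(l) for l in SAMPLE_RULES.strip().splitlines()]

if __name__ == "__main__":
    # constructed FTP command lines, not captured traffic
    for sample in (b"STAT *\r\n", b"MODE Z\r\n", b"MODE S\r\n", b"PWD AAAAA\n",
                   b"SITE EXEC %p%p%p\r\n", b"USER " + b"A" * 120 + b"\r\n"):
        print(sample[:20], "->", evaluate(RULES, sample))
```

Two details worth noticing when reading the rules with this in hand: sid 1624 uses a bare dsize:10, so a plain "PWD\r\n" (5 bytes) never fires it, only a command line of exactly 10 bytes does; and sid 1623 is built entirely from one positive and four negated contents, so "MODE Z" alerts while "MODE S" does not. A real engine additionally reassembles the TCP stream before matching (the no_stream flag on several rules above opts out of that), which this evaluator does not model.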
