smtp.rules

Firestorm NIDS是一个性能非常高的网络入侵检测系统 (NIDS)。目前

# (C) Copyright 2001, Martin Roesch, Brian Caswell, et al.  All rights reserved.
# $Id: smtp.rules,v 1.1 2002/08/12 11:42:07 scara Exp $
#-----------
# SMTP RULES
#-----------

# alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established,no_stream; content:"rcpt to|3a|"; nocase; dsize:>800; reference:cve,CAN-2001-0260; reference:bugtraq,2283; classtype:attempted-admin; sid:654; rev:5;)
alert tcp $EXTERNAL_NET 113 -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established;  content:"|0a|D/"; reference:arachnids,140; reference:cve,CVE-1999-0204; classtype:attempted-admin; sid:655; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|eb53 eb20 5bfc 33c9 b182 8bf3 802b|"; reference:bugtraq,895; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:656; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP chameleon overflow"; content: "HELP "; nocase; flow:to_server,established,no_stream; dsize: >500; depth: 5; reference:bugtraq,2387; reference:arachnids,266; reference:cve,CAN-1999-0261; classtype:attempted-admin; sid:657; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"|63 68 61 72 73 65 74 20 3D 20 22 22|"; classtype:attempted-dos; sid:658; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn decode"; nocase; reference:arachnids,32; classtype:attempted-recon; sid:659; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn root"; nocase; reference:arachnids,31; classtype:attempted-recon; sid:660; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn *@"; nocase; reference:cve,CAN-1999-1200; classtype:misc-attack; sid:1450; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3a| a~.`/bin/"; reference:cve,CVE-1999-0208; reference:arachnids,143; classtype:attempted-admin; sid:661; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3a20227c|"; nocase; reference:arachnids,119; classtype:attempted-admin; sid:662; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.5.8 overflow"; flow:to_server,established; content: "|7c 73 65 64 20 2d 65 20 27 31 2c 2f 5e 24 2f 27|";  reference:arachnids,172; reference:cve,CVE-1999-0095; classtype:attempted-admin; sid:663; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.4 exploit"; flow:to_server,established; content:"rcpt to|3a| decode"; nocase; reference:arachnids,121; classtype:attempted-admin; sid:664; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3a207c|/usr/ucb/tail"; nocase; reference:arachnids,122; classtype:attempted-user; sid:665; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3a207c| sed '1,/^$/d'|7c|"; nocase;reference:arachnids,120; classtype:attempted-user; sid:666; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0d0a|Mprog, P=/bin/"; reference:arachnids,123; classtype:attempted-user; sid:667; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established;  content:"Croot|09090909090909|Mprog,P=/bin"; reference:arachnids,124; classtype:attempted-user; sid:668; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0a|Croot|0a|Mprog";reference:arachnids,142; reference:cve,CVE-1999-0204; classtype:attempted-user; sid:669; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0a|C|3a|daemon|0a|R"; reference:cve,CVE-1999-0204; reference:arachnids,139; classtype:attempted-user; sid:670; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0a|Croot|0d0a|Mprog"; reference:arachnids,141; reference:cve,CVE-1999-0204; classtype:attempted-user; sid:671; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy decode"; nocase; reference:arachnids,373; classtype:attempted-recon; sid:672; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy root"; nocase; classtype:attempted-recon; sid:1446; rev:2;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0a|quit|0a|"; reference:arachnids,372; classtype:protocol-command-decode; sid:631; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; reference:arachnids,371; classtype:protocol-command-decode; sid:632; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established,no_stream; dsize:>500; content:"HELO "; offset:0; depth:5; reference:cve,CVE-2000-0042; classtype:attempted-admin; sid:1549; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP 25 (msg:"SMTP ETRN overflow attempt"; flow:to_server,established,no_stream; dsize:>500; content:"ETRN "; offset:0; depth:5; reference:cve,CAN-2000-0490; classtype:attempted-admin; sid:1550; rev:4;)