
📄 misc.rules

📁 This is a snapshot of the latest Snort rules
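# misc.rules -- Snort "MISC" signature set (snapshot).
#
# Layout: exactly one rule per line. Snort terminates a rule at end of line,
# so rules must never be run together on a single line; only a trailing
# backslash continues a rule onto the next line. Lines starting with '#' are
# comments, which is how individual rules below are disabled.
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are expected to be defined by the
# Snort configuration that includes this file.

# --- CVS pserver (tcp/2401) ---------------------------------------------------
# Disabled as shipped: commented out with '#!' and carrying no sid/rev.
#! alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 ( \
#!   msg:"MISC CVS username overflow attempt"; flow:to_server,established; \
#!   content:"BEGIN AUTH REQUEST|0A|"; content:!"|0A|END AUTH REQUEST|0A|"; \
#!   within:255; classtype:misc-attack;)
# normally I don't like using 3a for :, but in this case... I'd like to remove the false positives stemming from someone using anoncvs to checkout snort rules :)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid user authentication response"; flow:from_server,established; content:"E Fatal error, aborting."; content:"|3A| no such user"; classtype:misc-attack; sid:2008; rev:4;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid repository response"; flow:from_server,established; content:"error "; content:"|3A| no such repository"; content:"I HATE YOU"; classtype:misc-attack; sid:2009; rev:2;)
# The two rules below match server-side error text; they fire on the
# response, not on the request that triggered it.
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS double free exploit attempt response"; flow:from_server,established; content:"free|28 29 3A| warning|3A| chunk is already free"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2010; rev:7;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid directory response"; flow:from_server,established; content:"E protocol error|3A| invalid directory syntax in"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,6650; reference:cve,2003-0015; reference:nessus,11385; classtype:misc-attack; sid:2011; rev:7;)
# sid:2012 is disabled as shipped.
# alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS missing cvsroot response"; flow:from_server,established; content:"E protocol error|3A| Root request missing"; classtype:misc-attack; sid:2012; rev:3;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS invalid module response"; flow:from_server,established; content:"cvs server|3A| cannot find module"; content:"error"; distance:1; classtype:misc-attack; sid:2013; rev:2;)
alert tcp $HOME_NET 2401 -> $EXTERNAL_NET any (msg:"MISC CVS non-relative path error response"; flow:from_server,established; content:"E cvs server|3A| warning|3A| cannot make directory CVS in /"; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2317; rev:5;)
# sid:2318: the first pcre uses '?' as its delimiter (m?...?) so that the '/'
# being matched does not need escaping; the second is relative (R) to it.
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS non-relative path access attempt"; flow:to_server,established; content:"Argument"; pcre:"m?^Argument\s+/?smi"; pcre:"/^Directory/smiR"; reference:bugtraq,9178; reference:cve,2003-0977; reference:nessus,11947; classtype:misc-attack; sid:2318; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2401 (msg:"MISC CVS Max-dotdot integer overflow attempt"; flow:to_server,established; content:"Max-dotdot"; nocase; pcre:"/^Max-dotdot[\s\r\n]*\d{3,}/msi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,10499; reference:cve,2004-0417; classtype:misc-attack; sid:2583; rev:4;)

# --- PPTP (tcp/1723) ----------------------------------------------------------
# sid:2126 uses no_stream and inspects the raw packet (isdataat/offset) rather
# than the reassembled stream.
alert tcp $EXTERNAL_NET any -> $HOME_NET 1723 (msg:"MISC Microsoft PPTP Start Control Request buffer overflow attempt"; flow:to_server,established,no_stream; isdataat:156; content:"|00 01|"; depth:2; offset:2; content:"|00 01|"; depth:2; offset:8; reference:bugtraq,5807; reference:cve,2002-1214; reference:nessus,11178; reference:url,www.microsoft.com/technet/security/bulletin/MS02-063.mspx; classtype:attempted-admin; sid:2126; rev:10;)

# --- BGP (tcp/179) ------------------------------------------------------------
# this rule is specifically not looking for flow, since tcpdump handles lengths wrong
# sid:2158 is bidirectional and unrestricted by $HOME_NET/$EXTERNAL_NET.
alert tcp any any <> any 179 (msg:"MISC BGP invalid length"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; byte_test:2,<,19,0,relative; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; reference:url,sf.net/tracker/index.php?func=detail&aid=744523&group_id=53066&atid=469575; classtype:bad-unknown; sid:2158; rev:9;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"MISC BGP invalid type 0"; flow:stateless; content:"|FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF|"; depth:16; content:"|00|"; within:1; distance:2; reference:bugtraq,6213; reference:cve,2002-1350; reference:nessus,14011; reference:nessus,15043; classtype:bad-unknown; sid:2159; rev:12;)

# --- HP Web JetAdmin (tcp/8000) -----------------------------------------------
# sid:2547 and sid:2548 are disabled as shipped.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin remote file upload attempt"; flow:to_server,established; content:"/plugins/hpjwja/script/devices_update_printer_fw_upload.hts"; nocase; content:"Content-Type|3A|"; nocase; content:"Multipart"; distance:0; nocase; reference:bugtraq,9971; reference:cve,2004-1856; classtype:web-application-activity; sid:2547; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin setinfo access"; flow:to_server,established; content:"/plugins/hpjdwm/script/test/setinfo.hts"; nocase; reference:bugtraq,9972; reference:cve,2004-1857; reference:nessus,12120; classtype:web-application-activity; sid:2548; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin file write attempt"; flow:to_server,established; content:"/plugins/framework/script/tree.xms"; nocase; content:"WriteToFile"; nocase; reference:bugtraq,9973; classtype:web-application-activity; sid:2549; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 8000 (msg:"MISC HP Web JetAdmin ExecuteFile admin access"; flow:to_server,established; content:"/plugins/framework/script/content.hts"; nocase; content:"ExecuteFile"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,10224; classtype:attempted-admin; sid:2655; rev:3;)

# --- rsync (tcp/873) / distcc (tcp/3632) -------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"MISC rsync backup-dir directory traversal attempt"; flow:to_server,established; content:"--backup-dir"; pcre:"/--backup-dir\s+\x2e\x2e\x2f/"; reference:bugtraq,10247; reference:cve,2004-0426; reference:nessus,12230; classtype:string-detect; sid:2561; rev:4;)
# sid:3061 matches the distcc protocol magic at the start of the request only
# (depth:12), i.e. any distcc job from $EXTERNAL_NET, not a specific exploit.
alert tcp $EXTERNAL_NET any -> $HOME_NET 3632 (msg:"MISC distccd command execution attempt"; flow:to_server,established; content:"DIST00000001"; depth:12; nocase; reference:url,distcc.samba.org/security.html; classtype:misc-activity; sid:3061; rev:2;)

# --- Unreal Tournament (udp/7787) -- disabled as shipped ----------------------
# alert udp $EXTERNAL_NET any -> $HOME_NET 7787 (msg:"MISC Unreal Tournament secure overflow attempt"; flow:to_server; content:"|5C|secure|5C|"; nocase; pcre:"/\x5csecure\x5c[^\x00]{50}/smi"; reference:bugtraq,10570; reference:cve,2004-0608; classtype:misc-attack; sid:3080; rev:4;)

# --- Arkeia backup client (tcp/617) -------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup system info probe"; flow:established,to_server; content:"ARKADMIN_GET_"; nocase; pcre:"/^(CLIENT|MACHINE)_INFO/Ri"; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3453; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"MISC Arkeia client backup generic info probe"; flow:established,to_server; content:"ARKFS|00|root|00|root"; nocase; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-recon; sid:3454; rev:2;)

# --- Microsoft SMS remote control (tcp/2702) ----------------------------------
# NOTE(review): sid:3673 is scoped $HOME_NET -> $HOME_NET, unlike the other
# rules in this file; confirm this internal-only scope is intended.
alert tcp $HOME_NET any -> $HOME_NET 2702 (msg:"MISC Microsoft SMS remote control client DoS overly long length attempt"; flow:to_server,established; content:"RCH0"; nocase; content:"RCHE"; nocase; byte_test:2,>,131,-8,relative,little; isdataat:131,relative; reference:bugtraq,10726; reference:cve,2004-0728; classtype:attempted-user; sid:3673; rev:1;)

# --- IBM DB2 (tcp/50000) ------------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 50000 (msg:"MISC IBM DB2 DTS empty format string dos attempt"; flow:to_server,established; content:"SELECT"; nocase; pcre:"/SELECT\s*(TO_(DATE|CHAR)|(VARCHAR|TIMESTAMP)_FORMAT)\s*\('[^']*'\s*,\s*''\)/smi"; reference:bugtraq,11400; reference:url,www-1.ibm.com/support/docview.wss?uid=swg1IY61781; classtype:attempted-dos; sid:3675; rev:1;)

# --- UPnP (tcp/5000, tcp/2869) ------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"MISC UPnP malformed advertisement"; flow:to_server,established; content:"NOTIFY * "; nocase; reference:bugtraq,3723; reference:cve,2001-0876; reference:cve,2001-0877; reference:nessus,10829; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:8082; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5000 (msg:"MISC UPnP Location overflow"; flow:to_server,established; content:"Location|3A|"; nocase; pcre:"/^Location\:[^\n]{128}/smi"; reference:bugtraq,3723; reference:cve,2001-0876; reference:nessus,10829; reference:url,www.microsoft.com/technet/security/bulletin/MS01-059.mspx; classtype:misc-attack; sid:8083; rev:1;)

# --- IP options -- all three disabled as shipped ------------------------------
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC IP option SATID stream_id set"; ipopts:satid; classtype:bad-unknown; sid:8733; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC IP option SEC security set"; ipopts:sec; classtype:bad-unknown; sid:8732; rev:1;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC IP option TS timestamp set"; ipopts:ts; classtype:bad-unknown; sid:8731; rev:2;)

# --- bomberclone (udp/11000) --------------------------------------------------
alert udp $EXTERNAL_NET any -> $HOME_NET 11000 (msg:"MISC bomberclone buffer overflow attempt"; flow:to_server; content:"|00 00 00 00|8|03|A"; depth:7; isdataat:764; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,16697; reference:cve,2006-0460; classtype:attempted-user; sid:10125; rev:5;)

# --- UPnP SUBSCRIBE (tcp/2869) ------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 2869 (msg:"MISC UPNP notification type overflow attempt"; flow:to_server,established; content:"SUBSCRIBE"; nocase; pcre:"/^(UN)?SUBSCRIBE\s/smi"; pcre:"/^(NT|CallBack|SID|TimeOut)\s*\x3a\s*[^\n]{512}/Rsmi"; reference:bugtraq,23371; reference:cve,2007-1204; reference:url,www.microsoft.com/technet/security/bulletin/MS07-019.mspx; classtype:attempted-admin; sid:10475; rev:4;)

# --- Client-side file formats delivered over HTTP -----------------------------
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Visio version number anomaly"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A 00 00 00 00|"; nocase; pcre:"/Visio \x28TM\x29 Drawing\r\n\x00{4}([^\x00]|\x00[^\x00]|\x00\x00[^\x00]|\x00\x00\x00[^\x01-\x06\x0b])/smi"; reference:cve,2007-0934; reference:url,www.microsoft.com/technet/security/bulletin/MS07-030.mspx; classtype:misc-activity; sid:11836; rev:2;)

# --- Sun Java web proxy sockd (tcp/1080) --------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 1080 (msg:"MISC Sun Java web proxy sockd buffer overflow attempt"; flow:to_server,established; content:"|05 01|"; depth:2; content:"|03|"; within:1; distance:1; byte_test:1,>,136,0,relative; reference:bugtraq,24165; reference:cve,2007-2881; reference:url,sunsolve.sun.com/search/document.do?assetkey=1-26-102927-1; classtype:attempted-admin; sid:11680; rev:3;)

# --- Microsoft Excel over HTTP (tcp/80) ---------------------------------------
# sid:12184 and sid:12099 require flowbits 'xls.download' to be set; the rule
# that sets it is not in this file (presumably another rules file -- verify it
# is loaded, otherwise these two rules can never fire).
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MISC Microsoft Excel workbook workspace designation handling arbitrary code execution attempt"; flow:from_server,established; content:"|FF FF FF FF FF FF FF FF 09 08|"; flowbits:isset,xls.download; pcre:"/\xff{8}\x09\x08[\x08\x10]\x00\x00[\x05\x06]\x00\x01/sm"; reference:bugtraq,24803; reference:cve,2007-3030; reference:url,secunia.com/advisories/25995; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-036.mspx; classtype:attempted-user; sid:12184; rev:1;)
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MISC Microsoft Excel rtWindow1 record handling arbitrary code execution attempt"; flow:from_server,established; flowbits:isset,xls.download; content:"|FF FF FF FF FF FF FF FF 09 08|"; content:"|00 00|"; within:2; distance:1; content:"|05 00|"; within:2; distance:1; pcre:"/\x3d\x00\x12\x00..........(.[\x80-\xff]|...[\x80-\xff])/smiR"; reference:bugtraq,22555; reference:cve,2007-3029; reference:url,secunia.com/advisories/25995; reference:url,www.microsoft.com/technet/security/bulletin/MS07-036.mspx; classtype:attempted-user; sid:12099; rev:1;)

# --- ASF download -- disabled as shipped --------------------------------------
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC asf file download"; flow:established,to_client; content:"HTTP"; depth:4; content:"|0D 0A 0D 0A C4 AB CD AB|"; within:768; reference:cve,2007-3040; reference:url,www.microsoft.com/technet/security/bulletin/ms07-051.mspx; classtype:misc-activity; sid:12454; rev:2;)

# --- Windows ShellExecute / IE7 URL handling (MS07-057) -----------------------
# sid:12664 covers vCard URL fields; sid:13270/13272/13269/13271 are one rule
# per extension (.cmd/.com/.bat/.exe) sharing the same msg and references.
alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; content:"BEGIN|3A|VCARD"; nocase; pcre:"/^URL\x3b\w+\x3amailto\x3a[^\n]*%[^\n]*\.(cmd|bat)/smi"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:12664; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; content:".cmd"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecmd/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:13270; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; content:".com"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ecom/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:13272; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; content:".bat"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Ebat/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:13269; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"MISC Microsoft Windows ShellExecute and IE7 url handling code execution attempt"; flow:to_client,established; content:".exe"; nocase; pcre:"/(mailto|telnet|news|nntp|snews)\x3A[^\n]*[\x25\x22]\x2Eexe/i"; metadata:policy balanced-ips drop, policy security-ips drop, service http; reference:bugtraq,25945; reference:cve,2007-3896; reference:url,www.microsoft.com/technet/security/advisory/943521.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms07-057.mspx; classtype:attempted-user; sid:13271; rev:1;)

# --- McAfee ePolicy Orchestrator (udp/8082) -----------------------------------
# sid:13631 has no flow keyword (UDP, no direction qualifier).
alert udp $EXTERNAL_NET any -> $HOME_NET 8082 (msg:"MISC McAfee ePolicy Orchestrator Framework Services log handling format string attempt"; content:"Type=|22|AgentWakeup|22|"; content:"|22 FA E5|"; content:"|8F|"; within:212; distance:20; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28228; reference:cve,2008-1357; reference:url,knowledge.mcafee.com/article/234/615103_f.sal_public.html; classtype:attempted-admin; sid:13631; rev:1;)

# --- EMF request marker (outbound HTTP) ---------------------------------------
# sid:13678 only sets flowbits 'emf.request' (noalert: it never alerts on its
# own). The rule that checks that bit is not in this file -- verify it is
# loaded. NOTE(review): msg lacks the "MISC " prefix used by the rest of this
# file.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Microsoft EMF metafile access detected"; flow:to_server,established; uricontent:".emf"; flowbits:set,emf.request; flowbits:noalert; metadata:policy security-ips drop; reference:cve,2008-1087; reference:url,www.microsoft.com/technet/security/bulletin/MS08-021.mspx; classtype:attempted-user; sid:13678; rev:3;)

# --- Borland InterBase (tcp/3050) ---------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 3050 (msg:"MISC Borland Software InterBase ibserver.exe Service Attach Request buffer overflow attempt"; flow:to_server,established; content:"|00 00 00|R"; depth:4; byte_test:4,>,848,8; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28730; reference:cve,2008-1910; classtype:attempted-admin; sid:13804; rev:2;)

# --- CA ARCserve (tcp/1900) ---------------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 1900 (msg:"MISC CA ARCServ NetBackup remote file upload attempt"; flow:to_server,established; content:"rxrReceiveFileFromServer~~8~~"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,28616; reference:cve,2008-1329; reference:url,secunia.com/advisories/25606/; reference:url,support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=173105; classtype:web-application-activity; sid:13839; rev:1;)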
