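# sql.rules -- Snort signatures for Microsoft SQL Server: TDS on TCP/1433,
# TDS carried over SMB on TCP/139 and 445, and the SSRP "browser"/resolution
# service on UDP/1434.
#
# Layout: one rule per line. The rendering this was recovered from had run
# several rules together on a single line and split other rules across lines,
# in two cases inside a quoted content:/msg: string (sid:2003, sid:8505); that
# is not valid rule syntax, so the rules have been re-joined here. Every rule
# option, sid and rev is otherwise unchanged.
#
# Reviewer notes (confirm against the Snort version you run before enabling):
#  - Everything here keys on the default ports. SQL Server named instances are
#    normally assigned a dynamic port, so traffic to a non-default port is not
#    inspected by any of these rules.
#  - Most content matches are the UTF-16LE form ("x|00|p|00|...") that newer TDS
#    clients send; a few rules also carry the plain-ASCII form. A rule that has
#    only one encoding will not fire for the other.
#  - "threshold" as a rule option is deprecated in later Snort 2.x releases in
#    favour of "detection_filter"; the parameters used below carry over as-is.
#  - sid:4989 and sid:4990 were shipped commented out and are left that way.

# ---- TDS request-side signatures (TCP/1433, 445) ------------------------------

# UTF-16LE-encoded shellcode fragment: a run of 0x90 (x86 NOP) bytes interleaved
# with nulls. Very specific to one payload; low false-positive rate, but easily
# evaded by any other encoder.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL shellcode attempt"; flow:to_server,established; content:"H|00|%|00|x|00|w|00 90 00 90 00 90 00 90 00 90 00|3|00 C0 00|P|00|h|00|.|00|"; classtype:shellcode-detect; sid:693; rev:6;)

# MS01-060 family (CVE-2001-0542): C-runtime format-string/overflow in xp_sprintf
# and raiserror. Both match the bare procedure name anywhere in the stream, so
# legitimate use of these functions alerts as well.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_sprintf possible buffer overflow"; flow:to_server,established; content:"x|00|p|00|_|00|s|00|p|00|r|00|i|00|n|00|t|00|f|00|"; nocase; reference:bugtraq,1204; reference:cve,2001-0542; reference:url,www.microsoft.com/technet/security/bulletin/MS01-060.mspx; classtype:attempted-user; sid:704; rev:10;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL raiserror possible buffer overflow"; flow:to_server,established; content:"r|00|a|00|i|00|s|00|e|00|r|00|r|00|o|00|r|00|"; nocase; reference:bugtraq,3733; reference:cve,2001-0542; reference:nessus,11217; classtype:attempted-user; sid:1387; rev:10;)

# xp_cmdshell invoked over SMB-transported TDS (TCP/445). This excerpt contains
# no TCP/1433 counterpart for xp_cmdshell; check that one exists in your rule set.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 445 (msg:"SQL xp_cmdshell program execution 445"; flow:to_server,established; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; reference:bugtraq,5309; classtype:attempted-user; sid:1759; rev:7;)

# ---- Server-side "Login failed for user 'sa'" responses ------------------------

# Single failed-login error text from the server (ASCII form only; the UTF-16LE
# form is covered by sid:3273/sid:4984 below, which are thresholded).
# NOTE(review): sid:680 is classtype:attempted-user while the otherwise identical
# sid:688 is unsuccessful-user. They should agree (unsuccessful-user is the one
# that describes a failed login); the difference changes the alert priority.
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:688; rev:13;)
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"SQL sa login failed"; flow:from_server,established; content:"Login failed for user 'sa'"; offset:83; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,4797; reference:cve,2000-1209; classtype:attempted-user; sid:680; rev:12;)

# ---- SSRP / UDP 1434 --------------------------------------------------------

# SQL Slammer (CVE-2002-0649, MS02-039): an SSRP type-0x04 packet carrying fixed
# bytes from the worm payload plus its "sock"/"send" import strings. sid:2004 is
# the same match in the outbound direction -- a hit there means a host inside
# $HOME_NET is already infected and scanning, not merely being targeted.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL Worm propagation attempt"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2003; rev:12;)
alert udp $HOME_NET any -> $EXTERNAL_NET 1434 (msg:"SQL Worm propagation attempt OUTBOUND"; flow:to_server; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1|"; content:"sock"; content:"send"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:bugtraq,5311; reference:cve,2002-0649; reference:nessus,11214; reference:url,vil.nai.com/vil/content/v_99992.htm; classtype:misc-attack; sid:2004; rev:11;)

# Any SSRP type-0x02 request: instance discovery/recon, informational only.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL ping attempt"; flow:to_server; content:"|02|"; depth:1; reference:nessus,10674; classtype:misc-activity; sid:2049; rev:6;)

# Generic form of the Slammer vector: any type-0x04 request over 100 bytes. This
# overlaps with sid:2003 and will also fire on non-worm oversized requests.
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL version overflow attempt"; flow:to_server; dsize:>100; content:"|04|"; depth:1; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,10674; reference:url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx; classtype:attempted-admin; sid:2050; rev:14;)

# MS04-003 (CVE-2003-0903): oversized SSRP type-0x05 *response* (length field
# > 512, then >= 512 bytes after the first ';' with no further ';'). The rule is
# written to_server toward $SQL_SERVERS on any port; the vulnerable side of this
# bug is the client-side data-access stack, so presumably $SQL_SERVERS is being
# used loosely here -- confirm it covers the hosts you actually want protected.
alert udp $EXTERNAL_NET any -> $SQL_SERVERS any (msg:"SQL probe response overflow attempt"; flow:to_server; content:"|05|"; depth:1; byte_test:2,>,512,1; content:"|3B|"; distance:0; isdataat:512,relative; content:!"|3B|"; within:512; reference:bugtraq,9407; reference:cve,2003-0903; reference:nessus,11990; reference:url,www.microsoft.com/technet/security/bulletin/MS04-003.mspx; classtype:attempted-user; sid:2329; rev:10;)

# ---- 'sa' brute-force detection ----------------------------------------------

# Server side: 5 "Login failed for user 'sa'" responses from one server to the
# same source within 2 s. sid:3273 matches the UTF-16LE error text, sid:3152 the
# ASCII text. Tune count/seconds to your environment; 5-in-2s is aggressive.
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3273; rev:4;)
alert tcp $SQL_SERVERS 1433 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login attempt"; flow:from_server,established; content:"Login failed for user 'sa'"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:3152; rev:4;)

# Client side: 'sa' in the login packet. sid:3542 is the TDS 4.2 login (type 0x02,
# username at a fixed offset); sid:3543 is the TDS 7/8 login (type 0x10) and
# locates the username through the 16-bit little-endian offset at byte 48.
# These count login *attempts*, successful or not, so a misconfigured client
# that retries as 'sa' will also trip the threshold.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt"; flow:to_server,established; content:"|02|"; depth:1; content:"sa"; depth:2; offset:39; nocase; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3542; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL SA brute force login attempt TDS v7/8"; flow:to_server,established; content:"|10|"; depth:1; content:"|00 00|"; depth:2; offset:34; content:"|00 00 00 00|"; depth:4; offset:64; pcre:"/^.{12}(\x00|\x01)\x00\x00(\x70|\x71)/smi"; byte_jump:2,48,little,from_beginning; content:"s|00|a|00|"; within:4; distance:8; nocase; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:suspicious-login; sid:3543; rev:4;)

# Disabled in the original and kept disabled: broad SSRP heuristics (a type-0x08
# packet of at least 50 bytes with ':' followed by digits; a type-0x04 packet with
# no ':' in the 50 bytes after the type byte). Expect a high false-positive rate
# if you turn these on.
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL heap-based overflow attempt"; flow:to_server; content:"|08|"; depth:1; isdataat:50; content:"|3A|"; pcre:"/[0-9]+/R"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,11214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx; classtype:attempted-admin; sid:4989; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"SQL heap-based overflow attempt"; flow:to_server; content:"|04|"; depth:1; isdataat:50,relative; content:!"|3A|"; within:50; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,5310; reference:cve,2002-0649; reference:nessus,11214; reference:url,www.microsoft.com/technet/security/bulletin/MS02-039.mspx; classtype:attempted-admin; sid:4990; rev:9;)

# UTF-16LE failed-login threshold for the SMB (TCP/139) transport. There is no
# thresholded ASCII variant on 139 in this excerpt; sid:680 above fires per event.
alert tcp $SQL_SERVERS 139 -> $EXTERNAL_NET any (msg:"SQL sa brute force failed login unicode attempt"; flow:from_server,established; content:"L|00|o|00|g|00|i|00|n|00| |00|f|00|a|00|i|00|l|00|e|00|d|00| |00|f|00|o|00|r|00| |00|u|00|s|00|e|00|r|00| |00|'|00|s|00|a|00|'|00|"; threshold:type threshold, track by_src, count 5, seconds 2; reference:bugtraq,4797; reference:cve,2000-1209; reference:nessus,10673; classtype:unsuccessful-user; sid:4984; rev:2;)

# formatmessage (same CVE-2001-0542 family as sid:704/1387). NOTE(review): unlike
# those two rules these have no "nocase"; T-SQL function names are generally
# case-insensitive, so e.g. FORMATMESSAGE would not be matched. If you copy these
# into local rules, add nocase and bump rev.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL formatmessage possible buffer overflow"; flow:established,to_server; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-admin; sid:8494; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL formatmessage possible buffer overflow"; flow:established,to_server; content:"f|00|o|00|r|00|m|00|a|00|t|00|m|00|e|00|s|00|s|00|a|00|g|00|e|00|"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,1204; reference:bugtraq,3733; reference:cve,2001-0542; classtype:attempted-admin; sid:8495; rev:4;)

# ---- MS00-092 / KB 280380 extended stored procedure overflows ------------------
# Each rule matches a procedure name as a bare substring anywhere in the request
# stream, so these are "vulnerable procedure referenced" signals, not exploit
# detections, and legitimate use alerts too. Coverage is uneven: some names are
# matched only on 139 or only on 1433, and ASCII vs UTF-16LE coverage differs
# per name. Reference check before relying on them: sid:8528 (xp_SetSQLSecurity)
# and sid:8521/8522 (xp_printstatements) all cite CVE-2000-1086, and sid:8517/8519
# (xp_peekqueue) share bugtraq 2041 with sid:8521/8522 -- at least one of these
# references looks mis-assigned; the identifiers are left exactly as shipped.
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_sqlinventory unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|i|00|n|00|v|00|e|00|n|00|t|00|o|00|r|00|y|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8537; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_peekqueue vulnerable function attempt"; flow:established,to_server; content:"xp_peekqueue"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2041; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8519; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_SetSQLSecurity vulnerable function attempt"; flow:established,to_server; content:"xp_SetSQLSecurity"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2043; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8528; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_oagetproperty vulnerable function attempt"; flow:established,to_server; content:"xp_oagetproperty"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8510; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_oagetproperty unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|g|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; nocase; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8509; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL sp_oacreate unicode vulnerable function attempt"; flow:established,to_server; content:"s|00|p|00|_|00|o|00|a|00|c|00|r|00|e|00|a|00|t|00|e|00|"; nocase; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8496; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_enumresultset unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|e|00|n|00|u|00|m|00|r|00|e|00|s|00|u|00|l|00|t|00|s|00|e|00|t|00|"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8502; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_oasetproperty unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|s|00|e|00|t|00|p|00|r|00|o|00|p|00|e|00|r|00|t|00|y|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8515; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_peekqueue unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|p|00|e|00|e|00|k|00|q|00|u|00|e|00|u|00|e|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2041; reference:cve,2000-1085; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8517; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_printstatements unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|i|00|n|00|t|00|s|00|t|00|a|00|t|00|e|00|m|00|e|00|n|00|t|00|s|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8521; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_showcolv unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|s|00|h|00|o|00|w|00|c|00|o|00|l|00|v|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2038; reference:cve,2000-1083; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8530; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_sqlagent_monitor unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8532; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_updatecolvbm unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|u|00|p|00|d|00|a|00|t|00|e|00|c|00|o|00|l|00|v|00|b|00|m|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8539; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_enumresultset vulnerable function attempt"; flow:established,to_server; content:"xp_enumresultset"; nocase; reference:bugtraq,2031; reference:cve,2000-1082; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8504; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_updatecolvbm vulnerable function attempt"; flow:established,to_server; content:"xp_updatecolvbm"; nocase; reference:bugtraq,2039; reference:cve,2000-1084; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8540; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_oadestroy unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|o|00|a|00|d|00|e|00|s|00|t|00|r|00|o|00|y|00|"; nocase; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8505; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"SQL xp_printstatements vulnerable function attempt"; flow:established,to_server; content:"xp_printstatements"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2041; reference:cve,2000-1086; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8522; rev:5;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_sqlagent_monitor unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|s|00|q|00|l|00|a|00|g|00|e|00|n|00|t|00|_|00|m|00|o|00|n|00|i|00|t|00|o|00|r|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:url,support.microsoft.com/kb/280380; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8534; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 139 (msg:"SQL xp_proxiedmetadata unicode vulnerable function attempt"; flow:established,to_server; content:"x|00|p|00|_|00|p|00|r|00|o|00|x|00|i|00|e|00|d|00|m|00|e|00|t|00|a|00|d|00|a|00|t|00|a|00|"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,2024; reference:cve,1999-0287; reference:cve,2000-1087; reference:url,www.microsoft.com/technet/security/bulletin/ms00-092.mspx; classtype:attempted-admin; sid:8524; rev:5;)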