📄 dos.rules

📁 This is the snapshot of Snort Latest Rules
# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: dos.rules,v 1.63.6.9 2008/03/07 20:53:41 vrtbuild Exp $
#----------
# DOS RULES
#----------
# alert udp any 19 <> any 7 (msg:"DOS UDP echo+chargen bomb"; flow:to_server; metadata:policy security-ips drop; reference:cve,1999-0103; reference:cve,1999-0635; classtype:attempted-dos; sid:271; rev:8;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; metadata:policy security-ips drop; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:12;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS ath"; itype:8; content:"+++ath"; nocase; metadata:policy balanced-ips drop, policy security-ips drop; reference:arachnids,264; reference:cve,1999-1228; classtype:attempted-dos; sid:274; rev:8;)
# alert tcp $EXTERNAL_NET any <> $HOME_NET any (msg:"DOS NAPTHA"; flow:stateless; flags:S; id:413; seq:6060842; metadata:policy security-ips drop; reference:bugtraq,2022; reference:cve,2000-1039; reference:nessus,275; reference:url,razor.bindview.com/publish/advisories/adv_NAPTHA.html; reference:url,www.cert.org/advisories/CA-2000-21.html; reference:url,www.microsoft.com/technet/security/bulletin/MS00-091.mspx; classtype:attempted-dos; sid:275; rev:15;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Audio Server"; flow:to_server,established; content:"|FF F4 FF FD 06|"; metadata:policy security-ips drop; reference:cve,1999-0271; reference:nessus,10183; classtype:attempted-dos; sid:276; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 7070 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; metadata:policy security-ips drop; reference:bugtraq,1288; reference:cve,2000-0474; reference:nessus,10461; classtype:attempted-dos; sid:277; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 8080 (msg:"DOS Real Server template.html"; flow:to_server,established; content:"/viewsource/template.html?"; nocase; metadata:policy security-ips drop; reference:bugtraq,1288; reference:cve,2000-0474; classtype:attempted-dos; sid:278; rev:8;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"DOS Bay/Nortel Nautica Marlin"; flow:to_server; dsize:0; metadata:policy security-ips drop; reference:bugtraq,1009; reference:cve,2000-0221; classtype:attempted-dos; sid:279; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 9 (msg:"DOS Ascend Route"; flow:to_server; content:"NAMENAME"; depth:50; offset:25; metadata:policy security-ips drop; reference:arachnids,262; reference:bugtraq,714; reference:cve,1999-0060; classtype:attempted-dos; sid:281; rev:8;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 135:139 (msg:"DOS Winnuke attack"; flow:stateless; flags:U+; metadata:policy security-ips drop; reference:bugtraq,2010; reference:cve,1999-0153; classtype:attempted-dos; sid:1257; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; metadata:policy security-ips drop; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:13;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6004 (msg:"DOS iParty DOS attempt"; flow:to_server,established; content:"|FF FF FF FF FF FF|"; offset:0; metadata:policy security-ips drop; reference:bugtraq,6844; reference:cve,1999-1566; reference:nessus,10111; classtype:misc-attack; sid:1605; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 6789:6790 (msg:"DOS DB2 dos attempt"; flow:to_server,established; dsize:1; metadata:policy security-ips drop; reference:bugtraq,3010; reference:cve,2001-1143; reference:nessus,10871; classtype:denial-of-service; sid:1641; rev:12;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"DOS Cisco attempt"; flow:to_server,established; dsize:1; content:"|13|"; metadata:policy security-ips drop; classtype:web-application-attack; sid:1545; rev:10;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500 (msg:"DOS ISAKMP invalid identification payload attempt"; flow:to_server; content:"|05|"; depth:1; offset:16; byte_test:1,!&,1,19; byte_test:1,>,8,32; byte_test:2,>,0,30; byte_test:2,<,10,30; byte_test:2,!=,8,30; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,10004; reference:cve,2004-0184; classtype:attempted-dos; sid:2486; rev:10;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; metadata:policy security-ips drop; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 2048 (msg:"DOS squid WCCP I_SEE_YOU message overflow attempt"; flow:to_server; content:"|00 00 00 08|"; depth:4; byte_test:4,>,32,16; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,12275; reference:cve,2005-0095; classtype:attempted-user; sid:3089; rev:6;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"DOS WIN32 TCP print service overflow attempt"; flow:to_server,established; pcre:"/^(\x03|\x04|\x05)/sm"; content:"|00|"; within:497; content:"|0A|"; within:497; metadata:policy security-ips drop; reference:bugtraq,1082; reference:cve,2000-0232; reference:url,www.microsoft.com/technet/security/bulletin/MS00-021.mspx; classtype:attempted-dos; sid:3442; rev:6;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"DOS tcpdump udp LDP print zero length message denial of service attempt"; flow:to_server; content:"|00 00|"; depth:2; offset:12; metadata:policy security-ips drop; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4141; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 646 (msg:"DOS tcpdump tcp LDP print zero length message denial of service attempt"; flow:stateless; content:"|00 00|"; depth:2; offset:12; metadata:policy security-ips drop; reference:bugtraq,13389; reference:cve,2005-1279; reference:url,www.frsirt.com/english/advisories/2005/0410; classtype:attempted-dos; sid:4140; rev:4;)
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS linux kernel SCTP chunkless packet denial of service attempt"; ip_proto:132; dsize:12; metadata:policy security-ips drop; reference:bugtraq,18755; reference:cve,2006-2934; classtype:attempted-dos; sid:7021; rev:3;)
# alert udp $HOME_NET any -> $HOME_NET 67 (msg:"DOS ISC DHCP server 2 client_id length denial of service attempt"; flow:to_server; content:"c|82|Sc"; content:"= "; distance:0; metadata:policy security-ips drop; reference:cve,2006-3122; reference:url,www.debian.org/security/2006/dsa-1143; classtype:attempted-dos; sid:8056; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS record route rr denial of service attempt"; ipopts:rr; icode:0; itype:8; metadata:policy security-ips drop; reference:bugtraq,870; reference:cve,1999-0986; reference:cve,1999-1339; reference:cve,2001-0752; classtype:attempted-dos; sid:8730; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 2513 (msg:"DOS Citrix IMA DOS event data length denial of service attempt"; flow:established,to_server; byte_test:4,<,6,8,little; metadata:policy security-ips drop; reference:bugtraq,20986; reference:cve,2006-5861; classtype:denial-of-service; sid:9325; rev:2;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 512 (msg:"DOS Spiffit UDP denial of service attempt"; flow:to_server; dsize:10; content:"@0"; pcre:"/@0\x00*$/sm"; threshold:type both, track by_src, count 10, seconds 100; metadata:policy security-ips drop; reference:cve,1999-0194; classtype:attempted-dos; sid:9622; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3128 (msg:"DOS Squid proxy FTP denial of service attempt"; flow:established,to_server; content:"GET"; nocase; content:"FTP|3A|//"; nocase; pcre:"/ftp\x3A\x2F\x2F[\w\x2E\x2F]+[^\x2F]\x3Btype=D/i"; metadata:policy security-ips drop; reference:bugtraq,22079; reference:cve,2007-0247; classtype:denial-of-service; sid:10135; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9191 (msg:"DOS CA eTrust key handling dos -- password"; flow:established,to_server; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,128,relative, little; metadata:policy security-ips drop; reference:bugtraq,22743; reference:cve,2007-1005; classtype:denial-of-service; sid:11186; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 9191 (msg:"DOS CA eTrust key handling dos -- username"; flow:established,to_server; content:"|01 06 00 00 00|"; depth:5; offset:2; byte_test:4,<,4,0,relative, little; metadata:policy security-ips drop; reference:bugtraq,22743; reference:cve,2007-1005; classtype:denial-of-service; sid:11185; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"DOS Apache mod_ssl non-SSL connection to SSL port denial of service attempt"; flow:to_server,established; content:"HTTP/"; nocase; pcre:"/^(GET|POST|PUT|HEAD)/mi"; metadata:policy security-ips drop; reference:bugtraq,16152; reference:cve,2005-3357; classtype:attempted-dos; sid:11263; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"DOS Microsoft XML parser IIS WebDAV attack attempt"; flow:established,to_server; content:"PROPFIND"; depth:8; nocase; pcre:"/(xmlns\x3A.*){15}/"; reference:bugtraq,11384; reference:cve,2003-0718; classtype:denial-of-service; sid:12043; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"DOS Apache mod_cache denial of service attempt"; flow:established, to_server; content:"Cache-Control|3A|"; nocase; pcre:"/^Cache-Control\x3A\s*(max-(age|stale)|min-fresh|s-maxage)\s*\x3D[^\d]+\x0A/smi"; reference:bugtraq,24649; reference:cve,2007-1863; classtype:denial-of-service; sid:12591; rev:1;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS $ORACLE_PORTS (msg:"DOS Oracle TNS Service_CurLoad command"; flow:established,to_server; content:"COMMAND=SERVICE_CURLOAD"; nocase; reference:bugtraq,5678; reference:cve,2002-1118; classtype:attempted-dos; sid:12594; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 5151 (msg:"DOS Ipswitch WS_FTP log server long unicode string"; flow:to_server; content:"|AB AA|"; byte_test:2,>,2123,0,relative,little; reference:cve,2007-3823; reference:url,secunia.com/advisories/26040; classtype:denial-of-service; sid:12076; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 3101 (msg:"DOS RIM BlackBerry SRP negative string size"; flow:to_server,established; content:"S|FF FF FF|"; reference:bugtraq,16100; reference:cve,2005-2342; classtype:attempted-dos; sid:12199; rev:1;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"DOS utf8 filename transfer attempt"; flow:established,to_server; content:"filename*=utf-8"; nocase; reference:bugtraq,15408; reference:cve,2005-3573; classtype:suspicious-filename-detect; sid:12597; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS RPC NTLMSSP malformed credentials"; flow:established,to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; reference:cve,2007-2228; reference:url,www.microsoft.com/technet/security/bulletin/ms07-058.mspx; classtype:denial-of-service; sid:12635; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS RPC NTLMSSP malformed credentials"; flow:established,to_server; content:"NTLMSSP|00 03 00 00 00|"; content:"|00 00 00 00|"; within:4; distance:16; content:"|00 00 00 00|"; within:4; distance:4; content:"|00 00 00 00|"; within:4; distance:4; content:"|05 00 00 03 10 00 00 00|"; within:500; pcre:"/\x05\x00\x00\x03\x10\x00\x00\x00.{16}\x0a[\x03\x04]/"; reference:cve,2007-2228; reference:url,www.microsoft.com/technet/security/bulletin/ms07-058.mspx; classtype:denial-of-service; sid:12642; rev:2;)