
📄 policy.rules

📁 This is a snapshot of the latest Snort rules
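# policy.rules -- Snort "POLICY" signatures: application usage (IM/VoIP/P2P
# clients, anonymizers, remote-access tools), file-type downloads and
# failed-login telemetry.
#
# One rule per line. Rules prefixed with "# " are disabled in this snapshot
# and are kept exactly as shipped; only the line breaks between rules were
# restored.
#
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS come from snort.conf; uricontent
# matches rely on HTTP normalization (http_inspect) being enabled.
#
# flowbits dependencies within this file: sid 12456 requires sid 12455
# (rpt.download); sid 13899 requires sid 13898 (itunes.serverinfo.request);
# the tvant.session bit is shared by sids 12209/12210/12211. vnc.pv.setup
# (sids 13881/13882) is set by a rule outside this excerpt.

# --- file upload / VoIP / desktop clients -----------------------------------
# alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"POLICY HTML File upload attempt"; flow:to_server,established; content:"Content-Disposition"; nocase; content:"filename"; nocase; reference:url,www.faqs.org/rfcs/rfc1867.html; classtype:misc-activity; sid:5708; rev:2;)
# alert udp $HOME_NET any -> $EXTERNAL_NET 5060 (msg:"POLICY Gizmo register VOIP state"; content:"INVITE sip|3A|"; nocase; content:"User-Agent|3A|"; nocase; content:"Gizmo"; nocase; pcre:"/^User-Agent\x3A[^\n\r]+Gizmo/smi"; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6407; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Gizmo VOIP client start-up version check"; flow:established,to_server; uricontent:"/dll/app?"; nocase; uricontent:"class=DLL"; nocase; uricontent:"ApplicationID"; nocase; uricontent:"Gizmo"; nocase; reference:url,www.gizmoproject.com; classtype:policy-violation; sid:6406; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY webshots desktop traffic"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"WebshotsNetClient"; distance:0; nocase; pcre:"/User-Agent\x3A[^\n\r]+WebshotsNetClient/smi"; threshold:type limit,track by_src,count 1,seconds 60; reference:url,www.webshots.com; classtype:misc-activity; sid:6408; rev:1;)

# --- remote access (GoToMyPC) and SILC ---------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"POLICY GoToMyPC startup"; flow:to_server,established; content:"ercbroker.servlets.PingServlet"; nocase; reference:url,www.gotomypc.com/howItWorks.tmpl; classtype:policy-violation; sid:7032; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"POLICY GoToMyPC local service running"; flow:to_server,established; content:"jedi request"; nocase; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.gotomypc.com/howItWorks.tmpl; classtype:policy-violation; sid:7033; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 706 (msg:"POLICY silc client outbound connection attempt"; flow:to_server,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7031; rev:1;)
alert tcp $EXTERNAL_NET 706 -> $HOME_NET any (msg:"POLICY silc server response attempt"; flow:to_client,established; content:"SILC"; pcre:"/SILC\x2d\d\x2e\d/smi"; content:"silc-server"; distance:0; reference:url,silcnet.org/docs/draft-riikonen-silc-spec-08.txt; classtype:policy-violation; sid:7030; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 8200 (msg:"POLICY GoToMyPC remote control attempt"; flow:to_server,established; content:"jedi"; nocase; content:"request=agent"; distance:0; nocase; threshold:type limit, track by_src, count 1, seconds 60; reference:url,www.gotomypc.com/howItWorks.tmpl; classtype:policy-violation; sid:7034; rev:1;)

# --- Google Desktop ----------------------------------------------------------
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop initial install  - installer request"; flow:to_server,established; uricontent:"/installer?"; uricontent:"action=install"; uricontent:"version="; uricontent:"id="; uricontent:"brand=GGLD"; uricontent:"hl="; content:"User-Agent|3A|"; nocase; content:"Google"; distance:0; nocase; content:"Desktop"; distance:0; nocase; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smi"; classtype:policy-violation; sid:7859; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop search query"; flow:to_server,established; uricontent:"/complete/search?"; uricontent:"q="; uricontent:"output=desktop"; uricontent:"sourceid=gd"; content:"User-Agent|3A|"; nocase; content:"Google"; distance:0; nocase; content:"Desktop"; distance:0; nocase; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smi"; classtype:policy-violation; sid:7860; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop initial install - firstuse request"; flow:to_server,established; uricontent:"/firstuse?"; uricontent:"version="; uricontent:"id="; uricontent:"brand=GGLD"; uricontent:"hl="; content:"User-Agent|3A|"; nocase; content:"Google"; distance:0; nocase; content:"Desktop"; distance:0; nocase; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smi"; classtype:policy-violation; sid:7858; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Desktop activity"; flow:to_server,established; content:"User-Agent|3A|"; nocase; content:"Google"; distance:0; nocase; content:"Desktop"; distance:0; nocase; pcre:"/User-Agent\x3A[^\n\r]+Google[^\n\r]+Desktop/smi"; threshold:type limit, track by_src, count 1, seconds 300; classtype:policy-violation; sid:7861; rev:1;)

# --- tunnelling, gaming and Tor directory ------------------------------------
# alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY IPv6 encapsulated in IPv4 activity"; ip_proto:41; classtype:policy-violation; sid:8446; rev:1;)
alert tcp $EXTERNAL_NET 25999 -> $HOME_NET any (msg:"POLICY Xfire login successful"; flow:established,to_client; content:"|82|"; depth:1; offset:2; content:"userid"; depth:6; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8484; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY Xfire session initiated"; flow:established,to_server; content:"UA01"; depth:4; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8482; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25999 (msg:"POLICY Xfire login attempted"; flow:established,to_server; content:"|01|"; depth:1; offset:2; content:"name"; depth:4; offset:6; reference:url,www.fryx.ch/xfire/protocol.html; classtype:policy-violation; sid:8483; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9030:9031 (msg:"POLICY TOR Traffic anonymizer server request"; flow:established,to_server; content:"GET /tor/server"; classtype:policy-violation; sid:9324; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 13782 (msg:"POLICY VERITAS NetBackup system execution function call access attempt"; flow:established,to_server; content:"|00 18 00 1B 00 02|"; depth:6; reference:bugtraq,21565; reference:cve,2006-4902; reference:cve,2006-6822; classtype:misc-activity; sid:10130; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY download of executable content"; flow:to_client,established; content:"application/octet-stream"; nocase; pcre:"/^Content-Type\x3a[\x20\x09]+application\/octet-stream/smi"; pcre:"/(\r?\n){2}MZ/sm"; reference:url,www.microsoft.com/smallbusiness/resources/technology/security/practice_safe_computing_and_thwart_online_thugs.mspx; classtype:policy-violation; sid:11192; rev:1;)

# --- web IM clients, file downloads, Teredo, TVAnts ---------------------------
# NOTE(review): sids 12066/12068 match $EXTERNAL_NET 3544 -> $HOME_NET but use
# flow:to_server; confirm this is the intended direction for inbound Teredo
# (the outbound pair 12065/12067 also use to_server).
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Chat web client connection"; flow:established,to_server; uricontent:"/talkgadget/popout"; nocase; classtype:policy-violation; sid:12303; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Crystal reports download request"; flow:to_server, established; uricontent:".rpt"; flowbits:set, rpt.download; flowbits:noalert; classtype:policy-violation; sid:12455; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Adobe FLV file transfer"; flow:established,to_client; content:"FLV|01|"; content:"|00 00 00 09|"; within:4; distance:1; flowbits:set,flv.xfer; classtype:misc-activity; sid:12182; rev:3;)
alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY Outbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-038.mspx; classtype:policy-violation; sid:12065; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Yahoo Messenger web client connection"; flow:established,to_server; uricontent:"/BootStrapper.swf"; nocase; classtype:policy-violation; sid:12305; rev:4;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 16800:17000 (msg:"POLICY P2PTv TVAnts TCP tracker connect traffic detected"; flow:to_server,established; flowbits:isnotset,tvant.session; content:"|04 00 07 00|"; depth:4; content:"TVANTS SHARE"; depth:12; offset:8; flowbits:set,tvant.session; classtype:policy-violation; sid:12210; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY Microsoft Media Player compressed skin download"; flow:established, to_server; content:"GET"; nocase; pcre:"/GET\s+[^\x20]*\x2Ewm[zd]/smi"; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-047.mspx; classtype:policy-violation; sid:12278; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY Ruckus encrypted authentication connection"; flow:to_server,established; content:"|00 00|"; content:"www.ruckus.com"; within:14; distance:7; classtype:policy-violation; sid:12427; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Google Webmail client chat applet"; flow:established,to_server; content:"POST"; nocase; content:"/mail/channel/bind"; nocase; classtype:policy-violation; sid:12391; rev:2;)
alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY Inbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-038.mspx; classtype:policy-violation; sid:12068; rev:2;)
# FIX(review): the shipped pcre put "|" inside a character class
# ("[\x01|\x02|...|\x07]"), so the literal byte 0x7C was also accepted as the
# message-type byte. Replaced with the range [\x01-\x07]; rev bumped.
alert tcp $EXTERNAL_NET 16800:17000 -> $HOME_NET any (msg:"POLICY P2PTv TVAnts TCP connection traffic detected"; flow:to_client,established; flowbits:isnotset,tvant.session; content:"|04 00|"; depth:2; pcre:"/[\x01-\x07]\x00.{4}\x43\x00/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12211; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AOL Instant Messenger web client connection"; flow:established,to_server; uricontent:"HostCheck.aspx"; nocase; uricontent:"aimexpress.aol.com"; pcre:"/Cookie\x3A.*s_sq=aolsnssignin/si"; classtype:policy-violation; sid:12304; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Visio file download"; flow:established,to_client; content:"Visio |28|TM|29| Drawing|0D 0A|"; nocase; reference:url,office.microsoft.com/en-us/visio/default.aspx; classtype:policy-violation; sid:11835; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY  Microsoft Messenger web client connection"; flow:established,to_server; uricontent:"mainui.aspx"; nocase; content:"webmessenger"; nocase; classtype:policy-violation; sid:12306; rev:3;)
alert udp $EXTERNAL_NET 3544 -> $HOME_NET any (msg:"POLICY Inbound Teredo traffic detected"; flow:to_server; content:" |01|"; depth:2; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-038.mspx; classtype:policy-violation; sid:12066; rev:3;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Ruckus P2P client"; flow:to_server, established; content:"User-Agent|3A| Ruckus/"; nocase; classtype:policy-violation; sid:12425; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"POLICY Yahoo Webmail client chat applet"; flow:established,to_server; content:"<Ymsg Command="; nocase; classtype:policy-violation; sid:12390; rev:2;)
# FIX(review): "[SS|DS]" is a character class matching one byte out of S, D
# or "|", not the two-byte tags SS / DS it appears to intend; replaced with
# the alternation (?:SS|DS) and the leading class with the range [\x05-\x07].
# rev bumped. Confirm the SS/DS tags against TVAnts captures before deploying.
alert udp $HOME_NET 16800:17000 -> $EXTERNAL_NET any (msg:"POLICY P2PTv TVAnt udp traffic detected"; flowbits:isnotset,tvant.session; content:"|04 00|"; depth:2; pcre:"/[\x05-\x07]\x00.{6}(?:SS|DS)/R"; flowbits:set,tvant.session; classtype:policy-violation; sid:12209; rev:2;)
# OLE2 compound-document header; only fires after sid 12455 set rpt.download.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Crystal reports download"; flow:to_client, established; flowbits:isset, rpt.download; content:"|D0 CF 11 E0 A1 B1 1A E1 00|"; reference:bugtraq,21261; reference:cve,2006-6133; reference:url,www.microsoft.com/technet/security/bulletin/ms07-052.mspx; classtype:policy-violation; sid:12456; rev:1;)
alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"POLICY Ruckus P2P broadcast domain probe"; flow:to_server; content:"ruckus|04|_tcp|05|local"; classtype:policy-violation; sid:12426; rev:2;)
alert udp $HOME_NET any -> $EXTERNAL_NET 3544 (msg:"POLICY Outbound Teredo traffic detected"; flow:to_server; content:"?|FE 83 1F|"; depth:4; offset:8; byte_test:1,&,96,0; reference:cve,2007-3038; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-038.mspx; classtype:policy-violation; sid:12067; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Word for Mac 5 file download"; flow:to_client,established; content:"|FE|7|00 23|"; pcre:"/^\xfe\x37\x00\x23/m"; reference:bugtraq,25906; reference:cve,2007-3899; reference:url,www.microsoft.com/technet/security/bulletin/MS07-060.mspx; classtype:policy-violation; sid:12641; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY AIM Express Usage"; flow:to_server,established; content:"Host|3A| aimexpress.aol.com"; nocase; reference:url,www.aim.com/aimexpress.adp; classtype:policy-violation; sid:12686; rev:1;)

# --- failed-login telemetry (server -> client responses; disabled here) ------
# alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"POLICY failed mysql login attempt"; flow:established,from_server; content:"|15 04|"; depth:2; offset:5; metadata:policy security-ips alert, service mysql; reference:url,dev.mysql.com/doc/refman/5.1/en/error-messages-server.html; classtype:misc-activity; sid:13357; rev:1;)
# alert tcp $HOME_NET 21 -> $EXTERNAL_NET any (msg:"POLICY failed FTP login attempt"; flow:established,from_server; content:"530 "; depth:4; metadata:policy security-ips alert, service ftp; reference:url,www.ietf.org/rfc/rfc0959.txt; classtype:misc-activity; sid:13360; rev:1;)
# alert tcp $HOME_NET 143 -> $EXTERNAL_NET any (msg:"POLICY failed IMAP login attempt - invalid username/password"; flow:established,from_server; content:"NO LOGIN"; nocase; pcre:"/^\s*\w+\s+NO LOGIN/smi"; metadata:policy security-ips alert, service imap; reference:url,www.ietf.org/rfc/rfc3501.txt; classtype:misc-activity; sid:13359; rev:1;)
# alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"POLICY mysql login attempt from unauthorized location"; flow:established,from_server; content:"j|04|"; depth:2; offset:5; metadata:policy security-ips alert, service mysql; reference:url,dev.mysql.com/doc/refman/5.1/en/error-messages-server.html; classtype:misc-activity; sid:13358; rev:1;)

# --- suspicious filenames, SSH on odd ports, Tor, Habbo, Watson --------------
# NOTE(review): sid 13592's msg says "Inbound" but the rule matches
# $HOME_NET -> $EXTERNAL_NET GET requests (outbound); disabled as shipped.
# alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Inbound potentially malicious file download attempt"; flow:to_server,established; content:"GET /"; nocase; pcre:"/^GET \x2F[^\r\n\x3F]+\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\n\r\s]/smi"; classtype:suspicious-filename-detect; sid:13592; rev:2;)
# alert tcp $EXTERNAL_NET !22 -> $HOME_NET any (msg:"POLICY SSH server detected on non-standard port"; flow:established,from_server; content:"SSH-"; depth:4; nocase; pcre:"/^SSH-[12]\.\d+/smi"; reference:url,www.ietf.org/rfc/rfc4251.txt; classtype:protocol-command-decode; sid:13586; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"POLICY TOR proxy connection initiation second alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13698; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 9001:9030 (msg:"POLICY TOR proxy connection initiation"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13696; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"POLICY TOR proxy connection initiation alternate port"; flow:to_server,established; content:"TOR"; content:"client <identity>"; classtype:policy-violation; sid:13697; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"POLICY Habbo chat client successful login"; flow:to_client,established; content:"document.habboLoggedIn = true"; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13863; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Habbo chat client item information download"; flow:to_server,established; uricontent:"/gamedata/external?id=external_"; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13862; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"POLICY Microsoft Watson error reporting attempt"; flow:to_server, established; content:"User-Agent|3A| MSDW"; content:"watson.microsoft.com"; uricontent:"StageOne"; metadata:policy security-ips drop, service http; reference:url,oca.microsoft.com/en/dcp20.asp; classtype:policy-violation; sid:13864; rev:1;)
alert tcp $EXTERNAL_NET 38101 -> $HOME_NET any (msg:"POLICY Habbo chat client avatar control"; flow:to_client,established; content:"/flatctrl useradmin/"; metadata:policy security-ips drop; reference:url,www.habbo.com; classtype:policy-violation; sid:13861; rev:1;)

# --- VNC authentication posture and iTunes/DAAP (disabled here) --------------
# alert tcp $HOME_NET [5900:5999] -> $EXTERNAL_NET any (msg:"POLICY RealVNC Server configured to allow NULL authentication"; flow:established, to_client; flowbits:isset, vnc.pv.setup; content:"|01|"; offset:1; flowbits:unset,vnc.pv.setup; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13881; rev:1;)
# alert tcp $HOME_NET [5900:5999] -> $EXTERNAL_NET any (msg:"POLICY RealVNC Server configured not to require authentication"; flow:established, to_client; flowbits:isset, vnc.pv.setup; pcre:"/^(?!RFB).[^\x01]+/"; flowbits:unset,vnc.pv.setup; flowbits:noalert; reference:url,www.realvnc.com/docs/rfbproto.pdf; classtype:misc-activity; sid:13882; rev:1;)
# alert tcp $HOME_NET any -> any 3689 (msg:"POLICY iTunes client login attempt"; flow:established, to_server; flowbits:isset,itunes.serverinfo.request; content:"/login"; depth:6; offset:4; nocase; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13899; rev:3;)
# alert tcp $HOME_NET any -> any 3689 (msg:"POLICY iTunes client request for server info"; flow:established, to_server; content:"/server-info"; flowbits:set,itunes.serverinfo.request; flowbits:noalert; reference:url,www.apple.com/itunes/; classtype:misc-activity; sid:13898; rev:3;)
# alert udp $HOME_NET 5353 -> 224.0.0.251 5353 (msg:"POLICY iTunes server multicast DNS response"; content:"Library|05|_daap|04|_tcp|05|local"; content:"|00|!"; depth:2; offset:1; content:"|0E|i"; depth:2; offset:12; nocase; reference:url,www.apple.com/itunes/; reference:url,www.multicastdns.org; classtype:misc-activity; sid:13900; rev:3;)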
