smtp.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: smtp.rules,v 1.77.6.17 2008/07/29 18:04:19 vrtbuild Exp $
#-----------
# SMTP RULES
#-----------

# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO overflow"; flow:to_server,established; content:"rcpt to|3A|"; nocase; isdataat:300,relative; pcre:"/^RCPT TO\x3a\s[^\n]{300}/ism"; metadata:policy balanced-ips alert, policy security-ips drop, service smtp; reference:bugtraq,2283; reference:bugtraq,9696; reference:cve,2001-0260; reference:cve,2008-0394; classtype:attempted-admin; sid:654; rev:16;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP chameleon overflow"; flow:to_server,established; content:"HELP"; nocase; isdataat:500,relative; pcre:"/^HELP\s[^\n]{500}/ism"; metadata:service smtp; reference:arachnids,266; reference:bugtraq,2387; reference:cve,1999-0261; classtype:attempted-admin; sid:657; rev:13;)
alert tcp $EXTERNAL_NET 113 -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|D/"; metadata:service smtp; reference:arachnids,140; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-admin; sid:655; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP exchange mime DOS"; flow:to_server,established; content:"charset = |22 22|"; nocase; metadata:service smtp; reference:bugtraq,1869; reference:cve,2000-1006; reference:nessus,10558; reference:url,www.microsoft.com/technet/security/bulletin/MS00-082.mspx; classtype:attempted-dos; sid:658; rev:12;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn decode"; flow:to_server,established; content:"expn"; nocase; content:"decode"; nocase; pcre:"/^expn\s+decode/smi"; metadata:service smtp; reference:arachnids,32; reference:cve,1999-0096; reference:nessus,10248; classtype:attempted-recon; sid:659; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn root"; flow:to_server,established; content:"expn"; nocase; content:"root"; nocase; pcre:"/^expn\s+root/smi"; metadata:service smtp; reference:arachnids,31; reference:cve,1999-0531; reference:nessus,10249; classtype:attempted-recon; sid:660; rev:11;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn *@"; flow:to_server,established; content:"expn"; nocase; content:"*@"; pcre:"/^expn\s+\*@/smi"; metadata:service smtp; reference:cve,1999-1200; classtype:misc-attack; sid:1450; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP majordomo ifs"; flow:to_server,established; content:"eply-to|3A| a~.`/bin/"; metadata:service smtp; reference:arachnids,143; reference:bugtraq,2310; reference:cve,1999-0207; classtype:attempted-admin; sid:661; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.5.5 exploit"; flow:to_server,established; content:"mail from|3A| |22 7C|"; nocase; metadata:service smtp; reference:arachnids,119; reference:cve,1999-0203; reference:nessus,10258; classtype:attempted-admin; sid:662; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP rcpt to command attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; pcre:"/^rcpt\s+to\:\s*[|\x3b]/smi"; metadata:service smtp; reference:arachnids,172; reference:bugtraq,1; reference:cve,1999-0095; classtype:attempted-admin; sid:663; rev:15;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP RCPT TO decode attempt"; flow:to_server,established; content:"rcpt to|3A|"; nocase; content:"decode"; distance:0; nocase; pcre:"/^rcpt to\:\s*decode/smi"; metadata:service smtp; reference:arachnids,121; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-admin; sid:664; rev:16;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 5.6.5 exploit"; flow:to_server,established; content:"MAIL FROM|3A| |7C|/usr/ucb/tail"; nocase; metadata:service smtp; reference:arachnids,122; reference:bugtraq,2308; reference:cve,1999-0203; classtype:attempted-user; sid:665; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|0D 0A|Mprog, P=/bin/"; metadata:service smtp; reference:arachnids,123; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:667; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.10 exploit"; flow:to_server,established; content:"Croot|09 09 09 09 09 09 09|Mprog,P=/bin"; metadata:service smtp; reference:arachnids,124; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:668; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|Croot|0A|Mprog"; metadata:service smtp; reference:arachnids,142; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:669; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9 exploit"; flow:to_server,established; content:"|0A|C|3A|daemon|0A|R"; metadata:service smtp; reference:arachnids,139; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:670; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.6.9c exploit"; flow:to_server,established; content:"|0A|Croot|0D 0A|Mprog"; metadata:service smtp; reference:arachnids,141; reference:bugtraq,2311; reference:cve,1999-0204; classtype:attempted-user; sid:671; rev:9;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy decode"; flow:to_server,established; content:"vrfy"; nocase; content:"decode"; distance:1; nocase; pcre:"/^vrfy\s+decode/smi"; metadata:service smtp; reference:arachnids,373; reference:bugtraq,10248; reference:cve,1999-0096; classtype:attempted-recon; sid:672; rev:10;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP vrfy root"; flow:to_server,established; content:"vrfy"; nocase; content:"root"; distance:1; nocase; pcre:"/^vrfy\s+root/smi"; metadata:service smtp; reference:cve,1999-0531; classtype:attempted-recon; sid:1446; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP ehlo cybercop attempt"; flow:to_server,established; content:"ehlo cybercop|0A|quit|0A|"; metadata:service smtp; reference:arachnids,372; reference:cve,1999-0531; classtype:protocol-command-decode; sid:631; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP expn cybercop attempt"; flow:to_server,established; content:"expn cybercop"; metadata:service smtp; reference:arachnids,371; reference:cve,1999-0531; classtype:protocol-command-decode; sid:632; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP HELO overflow attempt"; flow:to_server,established; content:"HELO"; nocase; isdataat:500,relative; pcre:"/^HELO\s[^\n]{500}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,7726; reference:bugtraq,895; reference:cve,2000-0042; reference:nessus,10324; reference:nessus,11674; classtype:attempted-admin; sid:1549; rev:20;)