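# smtp.rules - Snort signatures for SMTP (port 25) and SMTPS (port 465) traffic.
#
# One rule per line (the collapsed single-line form does not load). Rules
# prefixed with "#" are shipped disabled and are kept that way here.
# $EXTERNAL_NET, $HOME_NET and $SMTP_SERVERS are expected to be defined in the
# Snort configuration. Every rule carries "metadata:service smtp" so that
# target-based (port-independent) service identification selects it; the rules
# below that originally lacked it have had it added and their rev incremented.
#
# Local modifications (each bumps rev by one; see the comment above the rule):
#   sid 11222 - pcre named group is now actually back-referenced
#   sid 11837 - leading ".*" removed from pcre (same matches, less backtracking)
#   sid 12423, 11837, 12592, 12706, 12704, 12705 - metadata:service smtp added

# --- Long-argument / header overflow checks -----------------------------------
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Content-Type overflow attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; pcre:"/Content-Type\x3A[^\r\n]{300,}/i"; metadata:service smtp; reference:bugtraq,7419; reference:cve,2003-0113; reference:url,www.microsoft.com/technet/security/bulletin/MS03-015.mspx; classtype:attempted-admin; sid:3461; rev:3;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP PCT Client_Hello overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,0,5; byte_test:2,!,0,7; byte_test:2,!,16,7; byte_test:2,>,20,9; content:"|8F|"; depth:1; offset:11; byte_test:2,>,32768,0,relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,10116; reference:cve,2003-0719; reference:url,www.microsoft.com/technet/security/bulletin/MS04-011.mspx; classtype:attempted-admin; sid:3511; rev:16;)
# The four command-overflow rules below share one shape: the verb, then
# isdataat/pcre requiring 246 non-newline bytes after it (bugtraq 11238).
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SEND overflow attempt"; flow:established,to_server; content:"SEND"; nocase; isdataat:246,relative; pcre:"/^\s*SEND\s+[^\n]{246}/smi"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3655; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SAML overflow attempt"; flow:established,to_server; content:"SAML"; nocase; isdataat:246,relative; pcre:"/^\s*SAML\s+[^\n]{246}/smi"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3653; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP MAIL overflow attempt"; flow:established,to_server; content:"MAIL"; nocase; isdataat:246,relative; pcre:"/^\s*MAIL\s+[^\n]{246}/smi"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3656; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SOML overflow attempt"; flow:established,to_server; content:"SOML"; nocase; isdataat:246,relative; pcre:"/^\s*SOML\s+[^\n]{246}/smi"; metadata:service smtp; reference:bugtraq,11238; reference:cve,2004-1546; classtype:attempted-user; sid:3654; rev:4;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP spoofed MIME-Type auto-execution attempt"; flow:to_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s+audio\/(x-wav|mpeg|x-midi).*filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/smi"; metadata:service smtp; reference:bugtraq,2524; reference:cve,2001-0154; reference:url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx; classtype:attempted-admin; sid:3682; rev:5;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP AUTH user overflow attempt"; flow:to_server,established; content:"AUTH"; nocase; isdataat:128,relative; pcre:"/^AUTH\s+\S+\s+[^\n]{128}/mi"; metadata:service smtp; reference:bugtraq,13772; reference:cve,2005-1781; reference:cve,2005-2223; classtype:attempted-admin; sid:3824; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP eXchange POP3 mail server overflow attempt"; flow:to_server,established; content:"MAIL"; nocase; pcre:"/^\s*MAIL\s+[^\s\n][^\n]{1006,}/smi"; metadata:service smtp; reference:bugtraq,10180; reference:cve,2004-1945; classtype:misc-attack; sid:3815; rev:5;)

# --- STARTTLS / SSL handshake state tracking ----------------------------------
# These rules only set flowbits (flowbits:noalert) so the TLS-aware overflow
# rules further down can tell a handshake from plaintext SMTP.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP STARTTLS attempt"; flow:to_server,established; content:"STARTTLS"; pcre:"/^STARTTLS/smi"; flowbits:set,starttls.attempt; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:2527; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv3 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,sslv3.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5690; rev:4;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5691; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv2 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5687; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv2 Client_Hello with pad request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,<,128,0; content:"|01|"; depth:1; offset:3; content:"|00 02|"; depth:2; offset:6; flowbits:set,sslv2.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5688; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLSv1 Client_Hello request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5689; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP TLSv1 Client_Hello via SSLv2 handshake request"; flow:to_server,established; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; byte_test:1,>,127,0; content:"|01|"; depth:1; offset:2; content:"|03 01|"; depth:2; offset:3; flowbits:set,tlsv1.client_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5685; rev:4;)
alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; classtype:protocol-command-decode; sid:5686; rev:4;)

# --- Attachment / MIME header checks ------------------------------------------
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP x-unix-mode executable mail attachment"; flow:established,to_server; content:"x-unix-mode"; nocase; pcre:"/x-unix-mode\s*\x3D\s*(?(?=\d{4})[0-7]([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357])|([1357][0-7]{2}|[0-7][1357][0-7]|[0-7]{2}[1357]))/smi"; metadata:service smtp; reference:bugtraq,16736; reference:cve,2006-0848; reference:url,www.heise.de/english/newsticker/news/69919; reference:url,www.kb.cert.org/vuls/id/999708; classtype:attempted-user; sid:5714; rev:3;)
alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"SMTP headers too long server response"; flow:to_client,established; content:"552"; content:"Headers"; distance:0; nocase; pcre:"/^552[A-Z0-9\s\x5F\x2D\x2E\x28\x29\x22\x27]+Headers\s+too\s+large/smi"; metadata:service smtp; reference:bugtraq,17192; reference:cve,2006-0058; classtype:bad-unknown; sid:5739; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Windows Address Book attachment detected"; flow:to_server,established; content:"|9C CB CB 8D 13|u|D2 11 91|X|00 C0|OyV|A4|"; metadata:service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-016.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms06-076.mspx; classtype:misc-activity; sid:6412; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Base64 encoded Windows Address Book attachment detected"; flow:to_server,established; content:"Content-Transfer-Encoding"; nocase; content:"base64"; distance:0; nocase; content:"nMvLjRN10hGRWADAT3lWpA"; distance:0; pcre:"/^Content-Transfer-Encoding\s*\x3A\s*base64/smi"; metadata:service smtp; reference:bugtraq,17459; reference:cve,2006-0014; reference:cve,2006-2386; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-016.mspx; reference:url,www.microsoft.com/technet/security/bulletin/ms06-076.mspx; classtype:misc-activity; sid:6413; rev:3;)

# --- OpenSSL SSL_get_shared_ciphers overflow (CVE-2006-3738 / CVE-2007-5135) --
# Each pair is the same signature on 465 (implicit TLS) and 25 (after STARTTLS);
# the flowbits checks suppress them once a Server_Hello has been seen.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8434; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv3 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 00|"; depth:3; content:"|01|"; within:1; distance:2; content:"|03 00|"; within:2; distance:3; content:"|00|"; within:1; distance:32; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8435; rev:8;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8432; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,sslv3.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 00 02|"; depth:3; offset:2; byte_test:2, >, 256, 0, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8433; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8437; rev:7;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 465 (msg:"SMTP SSLv2 openssl get shared ciphers overflow attempt"; flow:to_server,established; flowbits:isnotset,sslv3.server_hello.request; flowbits:isnotset,sslv2.client_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01 03|"; depth:2; offset:2; byte_test:2, >, 256, 1, relative; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,20249; reference:cve,2006-3738; reference:cve,2007-5135; reference:url,www.openssl.org/news/secadv_20060928.txt; classtype:attempted-admin; sid:8436; rev:7;)

# --- Product-specific checks --------------------------------------------------
# YPOPS pair: the banner rule only sets ypops.banner; the overflow rule consumes it.
# alert tcp $HOME_NET 25 -> $EXTERNAL_NET any (msg:"SMTP YPOPS Banner"; flow:established,to_client; content:"220 YahooPOPs!"; flowbits:set,ypops.banner; flowbits:noalert; metadata:service smtp; classtype:not-suspicious; sid:8704; rev:2;)
# alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP YPOPS buffer overflow attempt"; flow:established,to_server; flowbits:isset,ypops.banner; flowbits:unset,ypops.banner; pcre:"/[^\x0d\x00\x0a]{509}/"; metadata:service smtp; reference:bugtraq,11256; reference:cve,2004-1558; classtype:attempted-admin; sid:8705; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Microsoft Outlook VEVENT overflow attempt"; flow:to_server,established; content:"VEVENT"; nocase; content:"DTSTART|3B|TZID"; nocase; pcre:"/DTSTART\x3BTZID(?![=\x22])/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-003.mspx; classtype:attempted-user; sid:9841; rev:6;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Microsoft Outlook VEVENT non-TZID overflow attempt"; flow:to_server,established; content:"DTSTART|3B|"; nocase; content:!"value"; within:5; nocase; content:!"TZID"; within:4; nocase; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service smtp; reference:bugtraq,21931; reference:cve,2007-0033; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-003.mspx; classtype:attempted-user; sid:10012; rev:4;)
# NOTE(review): in the second pcre the ".." before [\x2f\x5c] is unescaped, so it
# matches any two characters, not a literal "..": the rule fires on any partial
# message id containing a path separator, not only on traversal sequences.
# Left as shipped; confirm whether that breadth is intended before tightening to "\.\.".
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP ClamAV mime parsing directory traversal"; flow:to_server,established; content:"Message/Partial"; nocase; pcre:"/Content-Type\s*\x3a\s*Message\x2fPartial/smi"; pcre:"/id\s*=\s*[\x22\x27]?[^\x22\x27\n]*..[\x2f\x5c]/smi"; metadata:service smtp; reference:bugtraq,22581; reference:cve,2007-0898; reference:url,labs.idefense.com/intelligence/vulnerabilities/display.php?id=476; classtype:attempted-user; sid:10186; rev:2;)
# Modified: the pcre captured a property name as (?P<prop>...) but then used
# "(?=prop)", a lookahead for the literal text "prop", so the capture was never
# referenced. Replaced with the named back-reference "(?P=prop)" so the rule
# matches a property name that reappears later on the MODPROPS line.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Exchange MODPROPS denial of service attempt"; flow:to_server,established; content:"content-classescalendarmessage"; nocase; pcre:"/^X-MICROSOFT-CDO-MODPROPS\x3A[^\n]*(?P<prop>\w+),[^\n]*(?P=prop)/mi"; metadata:service smtp; reference:bugtraq,23808; reference:cve,2007-0039; reference:url,www.microsoft.com/technet/security/Bulletin/MS07-026.mspx; classtype:attempted-dos; sid:11222; rev:4;)
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP possible BDAT DoS attempt"; flow:to_server,established; content:"BDAT"; nocase; pcre:"/^BDAT/smi"; byte_jump:2,1,relative,string,dec; content:!"|0D 0A|"; within:2; metadata:service smtp; reference:bugtraq,4204; reference:cve,2002-0055; reference:url,www.microsoft.com/technet/security/bulletin/ms02-012.mspx; classtype:denial-of-service; sid:10995; rev:3;)
# Modified: metadata:service smtp added for consistency with the rest of the file.
alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP Microsoft CDO long header name"; flow:to_server,established; content:"|0D 0A|DATA|0D 0A|"; pcre:"/\r\n\w{200,}\x3a.*\r\n/"; metadata:service smtp; reference:bugtraq,15067; reference:cve,2005-1987; reference:url,www.microsoft.com/technet/security/bulletin/ms05-048.mspx; classtype:attempted-admin; sid:12423; rev:2;)
# Modified: dropped the leading ".*" from the pcre. The pattern is unanchored, so
# PCRE already tries every start position and the set of matching payloads is
# unchanged; the leading wildcard only added backtracking on long HTML bodies.
# Also normalized the flow option spacing and added metadata:service smtp.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP MS Windows Mail UNC navigation remote command execution"; flow:established,to_server; content:"Content-Type|3A| text/html"; nocase; pcre:"/<[^>]*href[^>]*(file\x3A|[cC]\x3A|\\\\).*>/"; metadata:service smtp; reference:cve,2007-1658; reference:url,www.microsoft.com/technet/security/bulletin/MS07-034.mspx; classtype:attempted-user; sid:11837; rev:3;)
# Modified: metadata:service smtp added for consistency with the rest of the file.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP ClamAV recipient command injection attempt"; flow:to_server,established; content:"RCPT TO|3A|"; nocase; pcre:"/^RCPT TO\x3a[^\n]+[\x26\x3B\x7C]+/smi"; metadata:service smtp; reference:bugtraq,25439; reference:cve,2007-4560; classtype:attempted-admin; sid:12592; rev:4;)
# Modified (three Lotus Notes MIF rules): metadata:service smtp added and the
# "flow:to_server, established" spacing normalized to match the other rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Lotus Notes MIF viewer statement data overflow"; flow:to_server,established; content:"MIFFile"; nocase; pcre:"/\x3C[^\s]+\s[^\x3c\x3E]{80}/si"; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12706; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Lotus Notes MIF viewer MIFFILE comment overflow"; flow:to_server,established; content:"<MIFFile"; nocase; content:"|23|"; isdataat:76,relative; content:!"|0A|"; within:76; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12704; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Lotus Notes MIF viewer statement overflow"; flow:to_server,established; content:"MIFFile"; nocase; pcre:"/\x3D[^\s\n]{88}/si"; metadata:service smtp; reference:bugtraq,26175; reference:cve,2007-5909; reference:cve,2007-5910; classtype:attempted-user; sid:12705; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Lotus 123 file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; content:".123"; pcre:"/filename\s*=[^\n]*\.123/si"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26200; reference:cve,2007-4222; reference:url,www-1.ibm.com/support/docview.wss?uid=swg21285600; reference:url,www.coresecurity.com/index.php5?action=item&id=2008; classtype:suspicious-filename-detect; sid:12807; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP Novell GroupWise client IMG SRC buffer overflow"; flow:to_server,established; content:"<IMG"; nocase; pcre:"/<img\s*src\s*\x3D[^>]{244}/i"; metadata:policy security-ips drop, service smtp; reference:bugtraq,26875; reference:cve,2007-6435; classtype:attempted-user; sid:13364; rev:2;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"SMTP MailEnable SMTP HELO command denial of service attempt"; flow:to_server,established; content:"HELO "; pcre:"/^HELO\x20(\x00|.\x00)/smi"; metadata:policy security-ips drop, service smtp; reference:bugtraq,18630; classtype:attempted-dos; sid:13923; rev:1;)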