mysql.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2005 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2005 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2005 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#
# $Id: mysql.rules,v 1.23.6.6 2008/04/22 20:53:19 vrtbuild Exp $
#----------
# MYSQL RULES
#----------
#
# These signatures detect unusual and potentially malicious mysql traffic.
#
# These signatures are not enabled by default as they may generate false
# positive alarms on networks that do mysql development.
#

alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL root login attempt"; flow:to_server,established; content:"|0A 00 00 01 85 04 00 00 80|root|00|"; metadata:service mysql; classtype:protocol-command-decode; sid:1775; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL show databases attempt"; flow:to_server,established; content:"|0F 00 00 00 03|show databases"; metadata:service mysql; classtype:protocol-command-decode; sid:1776; rev:3;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL 4.0 root login attempt"; flow:to_server,established; content:"|01|"; depth:1; offset:3; content:"root|00|"; within:5; distance:5; nocase; metadata:service mysql; classtype:protocol-command-decode; sid:3456; rev:4;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL CREATE FUNCTION attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function/smi"; metadata:service mysql; reference:bugtraq,12781; reference:cve,2005-0709; classtype:misc-activity; sid:3528; rev:3;)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"MYSQL server greeting"; flow:from_server,established; content:"|00|"; depth:1; offset:3; flowbits:set,mysql.server_greeting; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3665; rev:6;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL protocol 41 secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3669; rev:6;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14 00|"; offset:9; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3668; rev:8;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,!&,0x02,4; content:"|00|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3672; rev:6;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL secure client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,!&,0x02,4; content:"|00 14|"; offset:9; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3670; rev:6;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL protocol 41 client authentication bypass attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,&,0x80,4; byte_test:1,&,0x02,4; content:"|00 14 00|"; offset:36; metadata:policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3667; rev:6;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL protocol 41 client overflow attempt"; flow:to_server,established; flowbits:isset,mysql.server_greeting; content:"|01|"; depth:1; offset:3; byte_test:1,!&,0x80,4; byte_test:1,&,0x02,4; content:"|00|"; offset:36; isdataat:74,relative; content:!"|00|"; within:74; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:misc-attack; sid:3671; rev:6;)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"MYSQL server greeting finished"; flow:from_server,established; byte_test:1,>,0,3; flowbits:isset,mysql.server_greeting; flowbits:unset,mysql.server_greeting; flowbits:noalert; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service mysql; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3666; rev:8;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL CREATE FUNCTION buffer overflow attempt"; flow:to_server,established; content:"|03|create"; offset:4; nocase; pcre:"/\x03create\s+(aggregate\s+)*function\s+\S{50}/smi"; metadata:service mysql; reference:bugtraq,14509; reference:cve,2005-2558; classtype:misc-activity; sid:4649; rev:2;)
alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 3306 (msg:"MYSQL Date_Format denial of service attempt"; flow:to_server,established; content:"DATE_FORMAT"; pcre:"/DATE_FORMAT\x28\s*(\x22[^\x22]+\x25[^\x22]*\x22|\x27[^\x27]+\x25[^\x27]*\x27)/smi"; metadata:service mysql; reference:bugtraq,19032; reference:cve,2006-3469; reference:url,dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html; classtype:attempted-dos; sid:8057; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL yaSSL SSLv2 Client Hello Message Cipher Length Buffer Overflow attempt"; flow:established, to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,64,5; content:!"|01|"; depth:1; offset:5; content:!"|03 01|"; depth:2; offset:9; flowbits:set,sslv2.client_hello.request; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13711; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL yaSSL SSLv2 Client Hello Message Session ID Buffer Overflow attempt"; flow:established, to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,32,7; content:!"|01|"; depth:1; offset:5; content:!"|03 01|"; depth:2; offset:9; flowbits:set,sslv2.client_hello.request; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13712; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL yaSSL SSLv3 Client Hello Message Cipher Specs Buffer Overflow attempt"; flow:established, to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|01|"; depth:1; offset:5; content:"|03 01|"; depth:2; offset:9; byte_jump:1,43; byte_test:2,>,64,0,relative; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13714; rev:1;)
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"MYSQL yaSSL TLSv1 Server_Hello request"; flow:to_client,established; flowbits:isset,tlsv1.client_hello.request; content:"|16 03 01|"; depth:3; content:"|02|"; depth:1; offset:5; flowbits:set,tlsv1.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:protocol-command-decode; sid:13710; rev:1;)
alert tcp $HOME_NET 3306 -> $EXTERNAL_NET any (msg:"MYSQL yaSSL SSLv2 Server_Hello request"; flow:from_server,established; flowbits:isset,sslv2.client_hello.request; content:"|04|"; depth:1; offset:2; content:"|00 02|"; depth:2; offset:5; flowbits:set,sslv2.server_hello.request; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; classtype:protocol-command-decode; sid:13709; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"MYSQL yaSSL SSLv2 Client Hello Message Challenge Buffer Overflow attempt"; flow:established, to_server; flowbits:isnotset,sslv2.server_hello.request; flowbits:isnotset,tlsv1.server_hello.request; flowbits:isnotset,tlsv1.client_hello.request; content:"|01|"; depth:1; offset:2; byte_test:2,>,32,9; content:!"|01|"; depth:1; offset:5; content:!"|03 01|"; depth:2; offset:9; flowbits:set,sslv2.client_hello.request; metadata:policy balanced-ips drop, policy security-ips drop, service mysql; reference:bugtraq,27140; reference:cve,2008-0226; reference:url,bugs.mysql.com/bug.php?id=33814; classtype:attempted-user; sid:13713; rev:1;)