exploit.rules

This is the snapshot of Snort Latest Rules
RULES
Page 1 of 5
alert tcp $EXTERNAL_NET any -> $HOME_NET 88 (msg:"EXPLOIT kerberos principal name overflow TCP"; flow:to_server,established; content:"j"; depth:1; offset:4; content:"|01 A1|"; asn1:oversize_length 1024,relative_offset -1; reference:cve,2003-0072; reference:nessus,11512; reference:url,web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt; classtype:attempted-admin; sid:2579; rev:3;)
alert tcp $EXTERNAL_NET 6666:6669 -> $HOME_NET any (msg:"EXPLOIT eMule buffer overflow attempt"; flow:to_client,established; content:"PRIVMSG"; nocase; pcre:"/^PRIVMSG\s+[^\s]+\s+\x3a\s*\x01SENDLINK\x7c[^\x7c]{69}/smi"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,10039; reference:cve,2004-1892; reference:nessus,12233; classtype:attempted-user; sid:2584; rev:6;)
alert udp $EXTERNAL_NET 7808 -> $HOME_NET any (msg:"EXPLOIT Volition Freespace 2 buffer overflow attempt"; flow:to_client; content:"|00 E1|..|B4 00 00 00|"; depth:8; isdataat:160,relative; reference:bugtraq,9785; classtype:misc-attack; sid:3006; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F-\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:10;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6101 (msg:"EXPLOIT Veritas backup overflow attempt"; flow:established,to_server; content:"|02 00|"; depth:2; content:"|00|"; depth:1; offset:3; isdataat:72; content:!"|00|"; depth:66; offset:6; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,11974; reference:cve,2004-1172; classtype:misc-attack; sid:3084; rev:6;)
alert tcp $EXTERNAL_NET 8080 -> $HOME_NET any (msg:"EXPLOIT AIM goaway message buffer overflow attempt"; flow:established,from_server; content:"goaway?message="; nocase; isdataat:500,relative; pcre:"/goaway\?message=[^\s]{500}/smi"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,10889; reference:cve,2004-0636; classtype:misc-attack; sid:3085; rev:4;)
alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 5001 (msg:"EXPLOIT Bontago Game Server Nickname buffer overflow"; flow:to_server,established; content:"|FF 01 00 00 00 00 01|"; isdataat:512,relative; reference:bugtraq,12603; reference:cve,2005-0501; reference:url,aluigi.altervista.org/adv/bontagobof-adv.txt; classtype:attempted-user; sid:3455; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt TCP"; flow:established; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3199; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 77 overflow attempt"; flow:established,to_server; content:"|00|M"; depth:2; byte_test:2,>,23,6; reference:bugtraq,12594; reference:cve,2005-0491; reference:nessus,17158; classtype:attempted-user; sid:3457; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client domain overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12536; classtype:attempted-admin; sid:3475; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client domain overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12536; classtype:attempted-admin; sid:3485; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client name overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3479; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve discovery service overflow"; flow:to_server; dsize:>966; reference:bugtraq,12491; reference:cve,2005-0260; classtype:attempted-admin; sid:3472; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9c client name overflow"; flow:to_server; content:"|9C|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3484; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client domain overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12536; classtype:attempted-admin; sid:3476; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client domain overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12536; classtype:attempted-admin; sid:3481; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client domain overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12536; classtype:attempted-admin; sid:3483; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9b client name overflow"; flow:to_server,established; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3477; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP slot info msg client name overflow"; flow:to_server; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3480; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP slot info msg client name overflow"; flow:to_server,established; content:"|98|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3474; rev:3;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP product info msg 0x9b client name overflow"; flow:to_server; content:"|9B|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3482; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 41523 (msg:"EXPLOIT ARCserve backup TCP product info msg 0x9c client domain overflow"; flow:to_server,established; content:"|9C|"; depth:1; isdataat:40; content:!"|00|"; depth:16; offset:24; reference:bugtraq,12536; classtype:attempted-admin; sid:3478; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license GCR CHECKSUMS overflow attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:"/(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}|(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S+\s+(0x[0-9a-f]+)|(0[0-8]+)|([1-9]\d*)\s+(0x)?[0-9a-f]+\s+\S{65}/Ri"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3521; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license GCR NETWORK overflow attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:"/^\S{65}|\S+\s+\S{65}|\S+\s+\S+\s+\S{65}/Ri"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3520; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license PUTOLF overflow attempt"; flow:to_server,established; content:"PUTOLF"; depth:6; offset:3; nocase; pcre:"/PUTOLF\s+((\S+\s+){4}[^\s]{256}|(\S+\s+){6}[^\x3c]{512})/i"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3517; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202 (msg:"EXPLOIT Computer Associates license GETCONFIG server overflow attempt"; flow:to_server,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!"<EOM>"; within:204; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3522; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 515 (msg:"EXPLOIT Solaris LPD overflow attempt"; flow:to_server,established; content:"|02|//////////"; depth:11; dsize:>1000; threshold:type limit,track by_dst,count 5,seconds 60; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,3274; classtype:attempted-admin; sid:3527; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client domain overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:41; content:!"|00|"; depth:16; offset:25; reference:bugtraq,12536; classtype:attempted-admin; sid:3531; rev:4;)
alert tcp $EXTERNAL_NET 10202 -> $HOME_NET any (msg:"EXPLOIT Computer Associates license GETCONFIG client overflow attempt"; flow:from_server,established; content:"GETCONFIG SELF "; depth:15; offset:3; nocase; isdataat:200,relative; content:!"<EOM>"; within:204; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3529; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 41524 (msg:"EXPLOIT ARCserve backup UDP msg 0x99 client name overflow"; flow:to_server; content:"|99|"; depth:1; isdataat:17; content:!"|00|"; depth:16; offset:1; reference:bugtraq,12536; classtype:attempted-admin; sid:3530; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license invalid GCR NETWORK attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:!"/^\S+\s+\S+\s+\S+/Ri"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3525; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license invalid GCR CHECKSUMS attempt"; flow:to_server,established; content:"GCR CHECKSUMS<"; depth:14; offset:3; nocase; pcre:!"/^(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+\s+(0x)?[0-9a-f]+/Ri"; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-dos; sid:3524; rev:4;)
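Nearly every rule above is built from the same handful of Snort 2 payload operators: content with offset/depth (absolute) or distance/within (relative to the end of the previous match), negated content (content:!"|00|", "no NUL terminator in the next N bytes"), isdataat (a length check), byte_test (a length field or flag byte compared against a limit) and pcre with the R flag. The following evaluator is an added example, written here to illustrate those semantics; it is not code from this exploit.rules snapshot or from the Snort project. It re-implements the cursor rules in plain Python, feeds four of the rules above (sid 3200, 3458, 3130 and 3520) constructed payloads, and reports whether the byte-level checks pass. flow, asn1, threshold, metadata and references are parsed but not evaluated, so the rules whose real trigger is stream state or the asn1 decoder (sid 2579) are out of scope, as are the ARCserve rules, which are commented out (# alert) in this snapshot and would not load. All payloads and the three-byte prefix before "GCR NETWORK<" are constructed for illustration, not captured traffic.

```python
"""Evaluate the byte-matching half of Snort 2 rules against raw payloads.
Added example, not code from exploit.rules or the Snort project. It applies
content (offset/depth/distance/within/nocase/negation), pcre, isdataat,
byte_test and dsize with Snort 2 cursor semantics (cursor = end of last match);
flow, asn1, threshold, metadata and references are parsed but not evaluated, so
True means the payload checks pass, not that Snort would alert.
"""
import re
import struct

OPT_RE = re.compile(r'(\w+)(?::\s*(!?"(?:[^"\\]|\\.)*"|[^;]*))?;')  # key[:value];
CONTENT_MODS = ("depth", "offset", "distance", "within", "nocase")
COMPARE = {"<": int.__lt__, ">": int.__gt__, "=": int.__eq__,
           "&": lambda a, b: (a & b) != 0, "^": lambda a, b: (a ^ b) != 0}

def parse_rule(rule):
    """Return ((action, proto, src, sport, dst, dport), [(key, value), ...])."""
    head, _, body = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    opts = [(k, (v or "").strip()) for k, v in OPT_RE.findall(body)]
    return (action, proto, src, sport, dst, dport), opts

def decode_content(s):
    """Snort content string -> bytes: literal text outside |..|, hex inside."""
    return b"".join(bytes.fromhex(c) if i % 2 else c.encode("latin-1") for i, c in enumerate(s.split("|")))

def match(rule, payload):
    """True if every evaluated option of `rule` holds for `payload`."""
    _, opts = parse_rule(rule)
    cursor, i = 0, 0
    while i < len(opts):
        key, val = opts[i]
        negated, val, i = val.startswith("!"), val.lstrip("!"), i + 1
        if key == "content":
            mods = {}
            while i < len(opts) and opts[i][0] in CONTENT_MODS:
                mods[opts[i][0]] = opts[i][1]
                i += 1
            pat = decode_content(val.strip('"'))
            if "distance" in mods or "within" in mods:  # relative to the cursor
                start = cursor + int(mods.get("distance", 0))
                end = start + int(mods["within"]) if "within" in mods else len(payload)
            else:                                      # absolute payload offsets; depth counts from offset
                start = int(mods.get("offset", 0))
                end = start + int(mods["depth"]) if "depth" in mods else len(payload)
            hay = payload[start:end]
            pos = hay.lower().find(pat.lower()) if "nocase" in mods else hay.find(pat)
            if (pos < 0) != negated:
                return False
            if not negated:
                cursor = start + pos + len(pat)
        elif key == "pcre":
            pattern, _, flags = val.strip('"')[1:].rpartition("/")  # "/regex/flags"
            re_flags = sum(getattr(re, f.upper()) for f in flags if f in "ims")
            start = cursor if "R" in flags else 0  # R: search from the cursor
            hit = re.search(pattern.encode("latin-1"), payload[start:], re_flags)
            if (hit is None) != negated:
                return False
            if hit and not negated:
                cursor = start + hit.end()
        elif key == "isdataat":  # "there is a byte at index n", i.e. len > n
            n, *flags = val.split(",")
            if (len(payload) <= int(n) + (cursor if "relative" in flags else 0)) != negated:
                return False
        elif key == "byte_test":
            nbytes, op, value, off, *flags = [f.strip() for f in val.split(",")]
            off = int(off) + (cursor if "relative" in flags else 0)
            raw = payload[off:off + int(nbytes)]
            if len(raw) != int(nbytes):
                return False
            got = int.from_bytes(raw, "little" if "little" in flags else "big")
            if COMPARE[op.lstrip("!")](got, int(value, 0)) == op.startswith("!"):
                return False
        elif key == "dsize":
            op, n = re.fullmatch(r"([<>]?)(\d+)", val).groups()
            if not COMPARE[op or "="](len(payload), int(n)):
                return False
    return True

# Rules copied verbatim from the listing above (sid 3200, 3458, 3130, 3520).
WINS_UDP = 'alert udp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS name query overflow attempt UDP"; flow:to_server; byte_test:1,&,64,2; content:" "; offset:12; isdataat:56,relative; metadata:policy balanced-ips drop, policy security-ips drop; reference:bugtraq,9624; reference:cve,2003-0825; reference:nessus,15912; reference:url,www.microsoft.com/technet/security/bulletin/MS04-006.mspx; classtype:attempted-admin; sid:3200; rev:7;)'
ARKEIA_84 = 'alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"EXPLOIT Arkeia backup client type 84 overflow attempt"; flow:established,to_server; content:"|00|T"; depth:2; byte_test:2,>,255,6; isdataat:263; content:!"|00|"; depth:255; offset:8; reference:bugtraq,12594; reference:cve,2005-0491; classtype:attempted-user; sid:3458; rev:3;)'
MSN_PNG = 'alert tcp $EXTERNAL_NET 1863 -> $HOME_NET any (msg:"EXPLOIT MSN Messenger png overflow"; flow:to_client,established; content:"application/x-msnmsgrp2p"; nocase; content:"|89|PNG|0D 0A 1A 0A|"; distance:0; content:"IHDR"; within:4; distance:4; content:"|03|"; within:1; distance:9; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,10872; reference:cve,2004-0957; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3130; rev:3;)'
CA_GCR_NETWORK = r'alert tcp $EXTERNAL_NET any -> $HOME_NET 10202:10203 (msg:"EXPLOIT Computer Associates license GCR NETWORK overflow attempt"; flow:to_server,established; content:"GCR NETWORK<"; depth:12; offset:3; nocase; pcre:"/^\S{65}|\S+\s+\S{65}|\S+\s+\S+\s+\S{65}/Ri"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop; reference:bugtraq,12705; reference:cve,2005-0581; classtype:attempted-user; sid:3520; rev:5;)'

# Constructed payloads (not real captures); the oversized variants trip the rule, the others do not.
def wins_query(flags_hi, name_len):
    """12-byte NetBIOS-style header (flags byte at offset 2), then ' ' and the name."""
    return struct.pack(">HBBHHHH", 0x1234, flags_hi, 0, 1, 0, 0, 0) + b" " + b"A" * name_len

def arkeia_type84(field_len):
    """Type 0x54 request: 2-byte type, 4 bytes, 2-byte big-endian length, the field."""
    return b"\x00T" + b"\x00" * 4 + struct.pack(">H", field_len) + b"A" * field_len

def msn_png(trns_len):
    """MSN P2P body carrying a palette PNG whose tRNS chunk declares trns_len bytes."""
    ihdr = struct.pack(">IIBBBBB", 16, 16, 8, 3, 0, 0, 0)  # colour type 3 = palette
    return (b"application/x-msnmsgrp2p\r\n\r\n" + b"\x89PNG\r\n\x1a\n"
            + struct.pack(">I", 13) + b"IHDR" + ihdr + b"\0\0\0\0"  # CRC not checked by the rule
            + struct.pack(">I", trns_len) + b"tRNS" + b"\0" * trns_len)

def ca_gcr_network(*fields):
    """Three prefix bytes (the rule only needs the keyword at offset 3), keyword, fields."""
    return b"A0 GCR NETWORK<" + b" ".join(fields)
```

Running, for instance, match(MSN_PNG, msn_png(300)) walks the PNG exactly as sid 3130 does: the two distance/within pairs pin "IHDR" and the colour-type byte to fixed positions after the signature, and byte_test:4,>,256,-8,relative,big reads the tRNS chunk length that sits eight bytes before the cursor once "tRNS" has matched, so a 300-entry transparency table for a palette image trips it while the legal maximum of 256 does not. The same loop shows why isdataat:72 and content:!"|00|"; depth:66; offset:6 belong together in the Veritas and ARCserve rules: depth is counted from offset, so the negated content asserts that bytes 6 through 71 contain no terminator while isdataat guarantees the payload is long enough for that assertion to mean anything. Two caveats a practitioner should keep in mind: the TCP rules operate on reassembled stream data in Snort (flow:established), not on a single segment, and this evaluator has none of Snort's fast-pattern pre-filtering, so it is a tool for understanding and unit-testing a rule's logic, not a replacement for running the engine.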
