
📄 deleted.rules

📁 This is a snapshot of the latest Snort rules.
# Retired Snort signatures. Every rule in this file is commented out (leading '#')
# and its msg carries the "DELETED" prefix, so none of them are loaded by the engine;
# presumably they are kept for sid history only. Restored to one rule per line here;
# the rule text itself is unchanged.

# RealPlayer G2 Control CLSID in an HTTP response, wide-char form (each ASCII byte is
# followed by |00|); the pcre confirms it sits in an <OBJECT classid=clsid:{...}> tag.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer G2 Control ActiveX CLSID unicode access"; flow:established,to_client; content:"C|00|F|00|C|00|D|00|A|00|A|00|0|00|3|00|-|00|8|00|B|00|E|00|4|00|-|00|1|00|1|00|C|00|F|00|-|00|B|00|8|00|4|00|B|00|-|00|0|00|0|00|2|00|0|00|A|00|F|00|B|00|B|00|C|00|C|00|F|00|A|00|"; nocase; pcre:"/<\x00O\x00B\x00J\x00E\x00C\x00T\x00(\s\x00)+([^>]\x00)*c\x00l\x00a\x00s\x00s\x00i\x00d\x00(\s\x00)*=\x00(\s\x00)*([\x22\x27]\x00)?(\s\x00)*c\x00l\x00s\x00i\x00d\x00(\s\x00)*\x3a\x00(\s\x00)*(\x7B\x00)?(\s\x00)*C\x00F\x00C\x00D\x00A\x00A\x000\x003\x00-\x008\x00B\x00E\x004\x00-\x001\x001\x00C\x00F\x00-\x00B\x008\x004\x00B\x00-\x000\x000\x002\x000\x00A\x00F\x00B\x00B\x00C\x00C\x00F\x00A\x00/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:7973; rev:4;)

# SuperSpy 2.0 beta "file management" channel, as a flowbits pair: sid 8476 silently
# (flowbits:noalert) tags a client->server stream whose first two bytes are |01 02|;
# sid 8477 alerts only when that bit is set and the reply starts with |01 03|,
# rate-limited by threshold to one alert per source every 300 seconds.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:to_server,established; content:"|01 02|"; depth:2; nocase; flowbits:set,superSpy_20_Beta_FileMgt; flowbits:noalert; metadata:policy security-ips drop; classtype:trojan-activity; sid:8476; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED BACKDOOR superspy 2.0 beta runtime detection - file management"; flow:from_server,established; flowbits:isset,superSpy_20_Beta_FileMgt; content:"|01 03|"; depth:2; nocase; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453083726; classtype:trojan-activity; sid:8477; rev:3;)

# Ipswitch IMail IMAP SUBSCRIBE overflow (bugtraq 24962, CVE-2007-3927), two checks on the
# argument length: sid 12214 reads the decimal literal size after '{' with byte_test and
# fires when it exceeds 250; sid 12215 instead fires on 250 consecutive non-newline bytes
# following the command.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt"; flow:to_server,established; content:"subscribe"; nocase; pcre:"/^\S+\s+subscribe\s*\{\s*/smi"; byte_test:5,>,250,0,string,dec,relative; reference:bugtraq,24962; reference:cve,2007-3927; reference:url,www.ipswitch.com/support/ics/updates/ics200621.asp; classtype:attempted-admin; sid:12214; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"DELETED IMAP Ipswitch IMail subscribe command buffer overflow attempt"; flow:to_server,established; content:"subscribe"; nocase; pcre:"/^\S+\s+subscribe\s+[^\n]{250}/smi"; reference:bugtraq,24962; reference:cve,2007-3927; reference:url,www.ipswitch.com/support/ics/updates/ics200621.asp; classtype:attempted-admin; sid:12215; rev:4;)

# ADODB.Stream CLSID inside an <OBJECT classid=...> tag in an HTTP response.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT ADODB.Stream ActiveX CLSID access"; flow:established,to_client; content:"00000566-0000-0010-8000-00AA006D2EA4"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*\x7B?\s*00000566-0000-0010-8000-00AA006D2EA4/si"; metadata:policy security-ips drop; classtype:attempted-user; sid:8061; rev:3;)

# RealPlayer Ierpplug.dll (bugtraq 22811), four variants of the same check: the control is
# referenced either by CLSID in an <object> tag or by the ProgID IERPCtl.IERPCtl passed to
# ActiveXObject, each in ASCII and in wide-char form. A second pcre additionally requires
# one of the named methods (GetComponentVersion, HandleAction, DoAutoUpdateRequest,
# Quoting, Import) to appear in the response.
# NOTE(review): the bare "1" literals in the pcre of sid 12669, and "1\(" in sid 12671,
# look like escape sequences lost in this copy of the file -- compare against an upstream
# rule set before relying on these patterns.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call unicode vulnerable function access"; flow:established,to_client; content:"I|00|E|00|R|00|P|00|C|00|t|00|l|00|.|00|I|00|E|00|R|00|P|00|C|00|t|00|l|00|"; nocase; pcre:"/(?P<c>\w+)(\s\x00)*=(\s\x00)*(?P<q3>\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q3)(\s|>)(\s\x00)*\x3b\x00.*(?P<v>(\w\x00)+)(\s\x00)*1\(\x00(\s\x00)*(?P=c)(\s\x00)*\)\x00|(?P<n>\w+)(\s\x00)*1\(\x00(\s\x00)*(?P<q4>\x22|\x27|)I\x00E\x00R\x00P\x00C\x00t\x00l\x00.\x00I\x00E\x00R\x00P\x00C\x00t\x00l\x00(?P=q4)(\s|>)(\s\x00)*\)\x00/smi"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12671; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid vulnerable function access"; flow:established,to_client; content:"FDC7A535-4070-4B92-A0EA-D9994BCC0DC5"; nocase; pcre:"/<object\s*[^>]*\s*classid\s*=\s*(?P<q1>\x22|\x27|)\s*clsid\s*\x3a\s*{?\s*FDC7A535-4070-4B92-A0EA-D9994BCC0DC5\s*}?\s*(?P=q1)(\s|>)/si"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12668; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX function call vulnerable function access"; flow:established,to_client; content:"IERPCtl.IERPCtl"; pcre:"/(?P<c>\w+)\s*=\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\x3b.*(?P<v>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(?P=c)\s*\)|(?P<n>\w+)\s*=\s*new\s*ActiveXObject\s*\(\s*(\x22IERPCtl\.IERPCtl\x22|\x27IERPCtl\.IERPCtl\x27)\s*\)/smi"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12670; rev:3;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT RealPlayer Ierpplug.dll ActiveX clsid unicode vulnerable function access"; flow:established,to_client; content:"F|00|D|00|C|00|7|00|A|00|5|00|3|00|5|00|-|00|4|00|0|00|7|00|0|00|-|00|4|00|B|00|9|00|2|00|-|00|A|00|0|00|E|00|A|00|-|00|D|00|9|00|9|00|9|00|4|00|B|00|C|00|C|00|0|00|D|00|C|00|5|00|"; nocase; pcre:"/1([^>]\x00)*1(?P<q2>\x22\x00|\x27\x00|)1({\x00)?1(}\x00)?(?P=q2)(?=\s\x00|>\x00)/si"; pcre:"/(GetComponentVersion|HandleAction|DoAutoUpdateRequest|Quoting|Import)/i"; reference:bugtraq,22811; classtype:attempted-user; sid:12669; rev:3;)

# whisker scanner techniques described in the referenced whitepaper: a HEAD request carried
# in a datagram larger than 512 bytes (inspected without stream reassembly, no_stream), and
# a segment shorter than 5 bytes holding a tab character (the "tab splice").
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC whisker HEAD with large datagram"; flow:to_server,established,no_stream; dsize:>512; content:"HEAD"; depth:4; nocase; metadata:service http; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1171; rev:12;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-MISC whisker tab splice attack"; flow:to_server,established; dsize:<5; content:"|09|"; metadata:service http; reference:arachnids,415; reference:url,www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html; classtype:attempted-recon; sid:1087; rev:11;)

# Silent tagging rules (flowbits:noalert, classtype not-suspicious): a DNS query sent from a
# $HOME_NET host's UDP port 1434 whose two bytes at offset 4 (the DNS header question count)
# equal 1..10 sets ms_sql_seen_dns; presumably a rule outside this file tests that bit with
# isset. The ten rules differ only in the count byte and sid (3443..3452).
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 4 requests"; flow:to_server; content:"|00 04|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3446; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 9 requests"; flow:to_server; content:"|00 09|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3451; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 5 requests"; flow:to_server; content:"|00 05|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3447; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 2 requests"; flow:to_server; content:"|00 02|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3444; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 1 requests"; flow:to_server; content:"|00 01|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3443; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 10 requests"; flow:to_server; content:"|00 0A|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3452; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 6 requests"; flow:to_server; content:"|00 06|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3448; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 3 requests"; flow:to_server; content:"|00 03|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3445; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 8 requests"; flow:to_server; content:"|00 08|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3450; rev:8;)
# alert udp $HOME_NET 1434 -> any 53 (msg:"DELETED SQL DNS query with 7 requests"; flow:to_server; content:"|00 07|"; depth:6; offset:4; flowbits:set,ms_sql_seen_dns; flowbits:noalert; metadata:policy balanced-ips drop, policy security-ips drop; classtype:not-suspicious; sid:3449; rev:8;)
