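# deleted.rules -- retired Snort rules, kept commented out ("DELETED" msg prefix)
# so their SIDs stay resolvable and the original detection logic can be consulted.
#
# Layout fix: the copy this was restored from had every rule run together on a
# few lines ("...;)# alert ..."). Snort reads one rule per line, and a leading
# "#" comments out everything to the end of that line, so the joined form would
# silently hide all but the first rule if any of them were ever uncommented.
# Each rule is now on its own line, text unchanged.
#
# Notes for anyone re-enabling entries from this file:
#  - sids 537, 538, 2465, 2466, 2952-2955 and 6000 only *set* a flowbit and carry
#    flowbits:noalert; they exist to feed consumer rules that test flowbits:isset
#    (sid 6001 -> skype.alternate.login). Enabling a consumer without its setter
#    means it can never fire; sid 7725 tests ReVerSaBle_InitConnection, whose
#    setter is not in this file as shown here.
#  - sids 10158-10160 (reference:cve,2006-5276) describe an overflow in Snort's
#    own dcerpc preprocessor, i.e. traffic aimed at the sensor rather than a host.
#  - Rules tagged "metadata:policy security-ips drop" were drop actions in the
#    security IPS policy when active; check the current policy before restoring.
#  - The final rule (WEB-CLIENT ... ActiveX CLSID unicode access) is truncated in
#    this copy; its sid/rev are not visible here.  TODO: recover from upstream.
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR reversable ver1.0 runtime detection - initial connection"; flow:to_client,established; flowbits:isset,ReVerSaBle_InitConnection; content:"OKCONNECTTOME"; depth:13; metadata:policy security-ips drop; reference:url,www.megasecurity.org/trojans/r/reversable/Reversable1.0.html; classtype:trojan-activity; sid:7725; rev:3;)
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED BACKDOOR icmp cmd 1.0 runtime detection - download file"; itype:0; content:"http|3A|//"; nocase; metadata:policy security-ips drop; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=453077250; classtype:trojan-activity; sid:10106; rev:4;)
# alert tcp $EXTERNAL_NET 80 -> $HOME_NET any (msg:"DELETED BACKDOOR ykw v375 runtime detection"; flow:from_server,established; content:"|00 00 00 09|"; depth:4; threshold:type limit, track by_src, count 1, seconds 300; metadata:policy security-ips drop; reference:url,fool-workroom.com/qita/index.asp; classtype:trojan-activity; sid:11315; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 1761 (msg:"DELETED EXPLOIT Zenworks password authentication buffer overflow"; flow:established, to_server; content:"|00 01|"; depth:2; offset:16; byte_jump:2, 0, relative; byte_jump:2, 0, relative; byte_jump:2, 0, relative; content:"|00 01 00 02|"; within:4; distance:2; byte_test:2,>,28,0,relative; classtype:attempted-admin; sid:11617; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 873 (msg:"DELETED MISC rsyncd overflow attempt"; flow:to_server,established; byte_test:2,>,4000,0; content:"|00 00|"; depth:2; offset:2; metadata:policy security-ips drop; reference:bugtraq,9153; reference:cve,2003-0962; reference:nessus,11943; classtype:misc-activity; sid:2048; rev:9;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS nimda .eml"; flow:to_server,established; content:"|00|.|00|E|00|M|00|L"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1293; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS nimda .nws"; flow:to_server,established; content:"|00|.|00|N|00|W|00|S"; reference:url,www.f-secure.com/v-descs/nimda.shtml; classtype:bad-unknown; sid:1294; rev:11;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2952; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:537; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2953; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ unicode share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:538; rev:17;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,!&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2954; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB IPC$ share access"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,!&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"IPC|24 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2465; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB IPC$ unicode andx share access"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB"; within:4; distance:3; pcre:"/^(\x75|\x2d|\x2f|\x73|\xa2|\x2e|\x24|\x74)/sR"; byte_test:1,&,128,6,relative; content:"u"; depth:1; offset:39; byte_jump:2,0,little,relative; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2955; rev:5;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB IPC$ unicode share access"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMBu"; within:5; distance:3; byte_test:1,&,128,6,relative; pcre:"/^.{27}/sR"; byte_jump:2,7,little,relative; content:"I|00|P|00|C|00 24 00 00 00|"; distance:2; nocase; flowbits:set,smb.tree.connect.ipc; flowbits:noalert; classtype:protocol-command-decode; sid:2466; rev:10;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"DELETED NETBIOS SMB writex possible Snort dcerpc preprocessor overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10158; rev:4;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"DELETED NETBIOS SMB-DS writex possible Snort dcerpc preprocessor overflow attempt"; flow:established,to_server; content:"|00|"; depth:1; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10159; rev:4;)
# alert udp $EXTERNAL_NET any -> $HOME_NET 138 (msg:"DELETED NETBIOS-DG SMB writex possible Snort dcerpc preprocessor overflow attempt"; flow:to_server; content:"|11|"; depth:1; content:"|00|"; distance:13; content:"|00|"; distance:0; content:"|FF|SMB/"; within:5; distance:3; pcre:"/^.{27}/sR"; byte_test:2,>,64,23,little,relative; reference:cve,2006-5276; classtype:attempted-admin; sid:10160; rev:5;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DELETED P2P Skype client login"; flow:to_client,established; flowbits:isset,skype.alternate.login; content:"|17 03 01 00 D9|"; depth:5; metadata:policy security-ips drop; classtype:policy-violation; sid:6001; rev:3;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DELETED P2P Skype client login startup"; flow:to_server,established; content:"|16 03 01 00 CD|"; depth:5; flowbits:set,skype.alternate.login; flowbits:noalert; metadata:policy security-ips drop; classtype:policy-violation; sid:6000; rev:3;)
# alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"DELETED WEB-CGI scriptalias access"; flow:to_server,established; content:"///"; reference:arachnids,227; reference:bugtraq,2300; reference:cve,1999-0236; classtype:attempted-recon; sid:873; rev:10;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"DELETED WEB-CLIENT mk Asychronous Pluggable Protocol Handler ActiveX CLSID unicode access"; flow:established,to_client; content:"7|00|9|00|E|00|A|00|C|00|9|00|E|00|6|00|-|00|B|00|A|00|F|00|9|00|-|00|1|00|1|00|C|00|E|00|-|00|8|00|C|0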