content-replace.rules

This is the snapshot of Snot Latest Rules

# Copyright 2001-2007 Sourcefire, Inc. All Rights Reserved
#
# This file may contain proprietary rules that were created, tested and
# certified by Sourcefire, Inc. (the "VRT Certified Rules") as well as
# rules that were created by Sourcefire and other third parties and
# distributed under the GNU General Public License (the "GPL Rules").  The
# VRT Certified Rules contained in this file are the property of
# Sourcefire, Inc. Copyright 2007 Sourcefire, Inc. All Rights Reserved.
# The GPL Rules created by Sourcefire, Inc. are the property of
# Sourcefire, Inc. Copyright 2002-2007 Sourcefire, Inc. All Rights
# Reserved.  All other GPL Rules are owned and copyrighted by their
# respective owners (please see www.snort.org/contributors for a list of
# owners and their respective copyrights).  In order to determine what
# rules are VRT Certified Rules or GPL Rules, please refer to the VRT
# Certified Rules License Agreement.
#
#-----------
# CONTENT-REPLACE RULES
#-----------


alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE AIM deny out-bound file transfer attempts"; flow:to_server,established; content:"*|02|"; depth:2; content:"|00 04 00 06|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12038; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE MSN deny out-bound file transfer attempts"; flow:established,to_server; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; replace:"aaaaaaa"; classtype:policy-violation; sid:12032; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny out-bound file transfer attempts"; flow:established,to_server; content:"/notifyft"; nocase; replace:"/XXXXXXXX"; content:"Host|3A|filetransfer.msg.yahoo.com"; classtype:policy-violation; sid:12040; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"CONTENT-REPLACE Jabber deny out-bound file transfer attempts"; flow:established,to_server; content:"jabber.org/protocol"; nocase; content:"file xmlns="; nocase; content:"|22|set|22|"; replace:"|22|NOT|22|"; classtype:policy-violation; sid:12034; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6666:7000 (msg:"CONTENT-REPLACE IRC deny out-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12036; rev:1;)
alert tcp $EXTERNAL_NET 5050 -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12041; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE MSN deny in-bound file transfer attempts"; flow:established,to_client; content:"MSG"; content:"msnmsgrp2p"; nocase; replace:"AAAAAAAAAA"; content:"INVITE MSNMSGR"; nocase; replace:"AAAAAAAAAAAAAA"; content:"context"; nocase; classtype:policy-violation; sid:12031; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE AIM deny in-bound file transfer attempts"; flow:to_client,established; content:"*|02|"; depth:2; content:"|00 04 00 07|"; within:8; distance:4; content:"|09|F|13|CL|7F 11 D1 82 22|DEST|00|"; content:"DEST"; distance:-5; replace:"XXXX"; byte_test:2,=,0,-24,relative; classtype:policy-violation; sid:12037; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONTENT-REPLACE Yahoo Messenger deny in-bound file transfer attempts"; flow:established,to_client; content:"YMSG"; depth:4; content:"|00|F"; depth:2; offset:10; replace:"OK"; classtype:policy-violation; sid:12039; rev:1;)
alert tcp $EXTERNAL_NET 5222 -> $HOME_NET any (msg:"CONTENT-REPLACE Jabber deny in-bound file transfer attempts"; flow:established,to_client; content:"profile="; nocase; content:"jabber.org/protocol"; nocase; content:"id="; nocase; replace:"NO="; classtype:policy-violation; sid:12033; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 5050 (msg:"CONTENT-REPLACE Yahoo Messenger V7 deny out-bound file transfer attempts"; flow:established,to_server; content:"YMSG"; content:"|00 DC|"; within:8; distance:6; replace:"AA"; classtype:policy-violation; sid:12042; rev:1;)
alert tcp $EXTERNAL_NET 6666:7000 -> $HOME_NET any (msg:"CONTENT-REPLACE IRC deny in-bound file transfer attempts"; flow:established,to_server; content:"PRIVMSG"; nocase; content:"|3A 01|DCC SEND"; nocase; content:"SEND"; distance:-4; nocase; replace:"XXXX"; classtype:policy-violation; sid:12035; rev:1;)