📄 rpc.rules
# (C) Copyright 2001,2002, Martin Roesch, Brian Caswell, et al.
#    All rights reserved.
# $Id$
#----------
# RPC RULES
#----------


# portmap specific stuff.
# Every rule here first pins the portmap/rpcbind program number
# (100000 = |00 01 86 A0|) and then, skipping the 4-byte version field
# (distance:4; within:4), the procedure number:
#   5 = CALLIT  -> "proxy attempt" (portmap forwarding a call for the client)
#   4 = DUMP    -> "listing"       (enumerate registered programs)
#   1 = SET     -> "SET attempt"   (register a program/port mapping)
# Watched ports are 111 and the alternate portmap port 32771, each with a TCP
# (flow:to_server,established) and a UDP variant.
# NOTE(review): the DUMP rules match any external portmap enumeration, so they
# are expected to be noisy wherever port 111/32771 is reachable from
# $EXTERNAL_NET; treat them as reconnaissance indicators, not as exploitation.
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap TCP proxy attempt"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1922; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap UDP proxy attempt"; content:"|00 01 86 A0|"; content:"|00 00 00 05|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1923; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1280; rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:598; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt TCP 111"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1949; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap SET attempt UDP 111"; content:"|00 01 86 A0|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1950; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing TCP 32771"; flow:to_server,established; content:"|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:599; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing UDP 32771"; content: "|00 01 86 A0|"; content:"|00 00 00 04|"; distance:4; within:4; reference:arachnids,429; classtype:rpc-portmap-decode; sid:1281; rev:3;)




# snmpXdmi overflow (CA-2001-05): on TCP the payload starts with the 4-byte RPC
# record marker, so |00 00 0f 9c| at offset 0 pins a fragment length of
# 0x0f9c (3996 bytes) with the last-fragment bit clear, and |00 01 87 99| at
# offset 16 (4 marker + xid + msgtype + rpcvers) is program 100249 (snmpXdmid).
# The destination port is `any`, presumably because the service is bound to
# whatever port it registered with portmap — confirm before narrowing it.
# This is a size-based signature: it keys on the oversized request, not on
# a specific payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC snmpXdmi overflow attempt"; flow:to_server,established; content:"|0000 0f9c|"; offset:0; depth:4; content:"|00018799|"; offset: 16; depth:4; reference:bugtraq,2417; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:attempted-admin; sid:569;  rev:5;)

# Portmap requests for specific programs, matched by raw byte offset rather
# than by the rpc decoder. With AUTH_NULL credentials and verifier the RPC
# call header is 40 bytes (xid, msgtype, rpcvers, prog, vers, proc, then
# 8-byte cred and 8-byte verf), so on UDP the GETPORT argument — the program
# being looked up — starts at offset 40. Each 5-byte pattern is the low three
# bytes of that program number plus the two leading zero bytes of the version
# field that follows it (e.g. |01 87 8B| = 100235 cachefsd, |01 86 A8| =
# 100008 rwalld, |01 86 F7| = 100087 admind, |01 87 03| = 100099 amountd,
# |01 86 BA| = 100026 bootparam).
# NOTE(review): the offset assumes the minimum-length credential/verifier
# layout; a request carrying a longer credential shifts the argument and is
# not matched. TODO confirm whether the tcp variants should also account for
# the 4-byte record marker that precedes the RPC header on TCP — as written
# they use the same offset:40 as the udp rules. The rpc: keyword rules later
# in this file do not have this dependency.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP cachefsd request"; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1746; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP cachefsd request"; flow:to_server,established; content:"|01 87 8B 00 00|"; offset:40; depth:8; reference:cve,CAN-2002-0084; reference:bugtraq,4674; classtype:rpc-portmap-decode; sid:1747; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP rwalld request"; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1732; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP rwalld request"; flow:to_server,established; content:"|01 86 A8 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1733;  rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:575; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request admind"; flow:to_server,established; content:"|01 86 F7 00 00|";offset:40;depth:8; reference:arachnids,18; classtype:rpc-portmap-decode; sid:1262;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19;classtype:rpc-portmap-decode; sid:576; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request amountd"; content:"|01 87 03 00 00|";offset:40;depth:8; reference:arachnids,19; classtype:rpc-portmap-decode; flow:to_server,established; sid:1263;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; sid:577; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request bootparam"; content:"|01 86 BA 00 00|";offset:40;depth:8; reference:cve,CAN-1999-0647; reference:arachnids,16; classtype:rpc-portmap-decode; flow:to_server,established; sid:1264;  rev:5;)

# More portmap GETPORT lookups for individual programs, same offset:40/depth:8
# byte-offset technique as above (pattern = low three bytes of the program
# number followed by two zero bytes of the version field): nisd, pcnfsd,
# rexd, rusers, selection_svc, status, yppasswd, ypserv, snmpXdmi.
# The same credential-length assumption applies: these match only when the
# call carries the minimum 8-byte credential and 8-byte verifier.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; sid:580; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request nisd"; content:"|01 87 cc 00 00|";offset:40;depth:8; reference:arachnids,21; classtype:rpc-portmap-decode; flow:to_server,established; sid:1267;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; sid:581; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request pcnfsd"; content:"|02 49 f1 00 00|";offset:40;depth:8; reference:arachnids,22; classtype:rpc-portmap-decode; flow:to_server,established; sid:1268;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; sid:582; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rexd";content:"|01 86 B1 00 00|";offset:40;depth:8; reference:arachnids,23; classtype:rpc-portmap-decode; flow:to_server,established; sid:1269;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|";offset:40;depth:8; reference:arachnids,133; reference:cve,CVE-1999-0626; classtype:rpc-portmap-decode; flow:to_server,established; sid:1271;  rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rusers"; content:"|01 86 A2 00 00|"; offset:40; depth:8; reference:cve,CVE-1999-0626; reference:arachnids,133; classtype:rpc-portmap-decode; sid:584; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; sid:586; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request selection_svc"; content:"|01 86 AF 00 00|";offset:40;depth:8; reference:arachnids,25; classtype:rpc-portmap-decode; flow:to_server,established; sid:1273;  rev:4;)
# NOTE(review): only a udp rule exists for status (100024); every other
# program in this section has a tcp twin.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request status"; content:"|01 86 B8 00 00|";offset:40;depth:8; reference:arachnids,15; classtype:rpc-portmap-decode; sid:587; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; sid:589; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswd"; content:"|01 86 A9 00 00|";offset:40;depth:8; reference:arachnids,14; classtype:rpc-portmap-decode; flow:to_server,established; sid:1275;  rev:4;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; flow:to_server,established; sid:1276;  rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypserv"; content:"|01 86 A4 00 00|";offset:40;depth:8; reference:arachnids,12; classtype:rpc-portmap-decode; sid:590; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC tcp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; flow:to_server,established; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:593;  rev:8;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC udp portmap request snmpXdmi"; content:"|01 87 99 00 00|"; offset:40; depth:8; reference:cve,CAN-2001-0236; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,2417; classtype:rpc-portmap-decode; sid:1279; rev:4;)
# The next three rules use the rpc: keyword (program,version,procedure with
# * wildcards) instead of a raw byte offset, so they are decoded from the RPC
# header itself and do not depend on the credential/verifier length.
# 391029 = espd, 100009 = yppasswdd.
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request espd"; rpc:391029,*,*; flow:to_server,established; reference:cve,CAN-2001-0331; classtype:rpc-portmap-decode; sid:595;  rev:6;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; flow:to_server,established; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297;  rev:6;)
# Disabled rpc:-keyword form of the portmap listing rules; presumably
# superseded by the content-based sid 598 / sid 599 in the portmap section
# above, which match the DUMP procedure explicitly — confirm before re-enabling,
# since rpc:100000,*,* would fire on every portmap call, not just listings.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596;  rev:4;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc: 100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597;  rev:4;)





# rusers query on the high dynamic-port range (32770 and above). The 12-byte
# pattern is msgtype CALL (0), RPC version 2, program 100002 (rusers)
# (|00 01 86 A2|).
# NOTE(review): with a 4-byte xid at the start of the UDP payload those three
# fields sit at offset 4, not 5, so an offset of 5 would begin the search one
# byte past where the sequence starts; verify against a capture before relying
# on this rule. No depth is set, so the search runs to the end of the payload.
alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rusers query"; content:"|0000000000000002000186A2|"; offset:5; reference:cve,CVE-1999-0626; reference:arachnids,136; classtype:attempted-recon; sid:612; rev:1;)
# statd (100024 = |00 01 86 B8|) procedure 2 followed, 16 bytes later and
# within a 256-byte window, by a "%x %x" format-string sequence in the
# argument (CVE-2000-0666, rpc.statd format string). Ports 1024 and above
# because statd listens on a dynamic port. The tcp variant spells
# "flow:to_server, established" and "reference: cve" with extra spaces —
# harmless if the parser trims them, but inconsistent with the rest of the file.
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference:cve,CVE-2000-0666; classtype:misc-attack; sid:1890; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC status GHBN format string attack"; flow:to_server, established; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; content:"%x %x"; distance:16; within:256; reference:bugtraq,1480; reference: cve,CVE-2000-0666; classtype: misc-attack; sid:1891; rev:2;)


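# mountd (program 100005 = |00 01 86 A5|).
# The first pair are portmap GETPORT lookups for mountd, using the same
# offset:40/depth:8 byte-offset technique as the other "portmap request"
# rules (minimum-length credential/verifier assumed).
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; sid:579; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request mountd"; content:"|01 86 A5 00 00|";offset:40;depth:8; reference:arachnids,13; classtype:rpc-portmap-decode; flow:to_server,established; sid:1266; rev:4;)
# The remaining rules watch calls to mountd itself on any port (it registers a
# dynamic port with portmap): program 100005, then 4 bytes later the procedure:
#   5 = EXPORT    (list exported filesystems)
#   6 = EXPORTALL (list exports with client lists)
#   1 = MNT       (mount request)
# All are reconnaissance-class: they show an external host asking what a
# server exports or trying to mount it, not a successful compromise.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP export request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:574; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP export request"; content:"|00 01 86 A5|"; content:"|00 00 00 05|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1924; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP exportall request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1925; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP exportall request"; content:"|00 01 86 A5|"; content:"|00 00 00 06|"; distance:4; within:4; reference:arachnids,26; classtype:attempted-recon; sid:1926; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd TCP mount request"; flow:to_server,established; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1951; rev:1;)
# sid 1952 matches procedure 1 (MNT), the UDP twin of sid 1951, but its msg
# previously repeated sid 1924's "export request" text, so UDP mount attempts
# were indistinguishable from export listings in alert output. Renamed to
# "mount request" and rev bumped accordingly.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC mountd UDP mount request"; content:"|00 01 86 A5|"; content:"|00 00 00 01|"; distance:4; within:4; classtype:attempted-recon; sid:1952; rev:2;)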

