# Snort signatures for ONC/SunRPC services.
#
# Two rule families appear below:
#  * "portmap request <svc>" rules watch port 111 for a lookup of one program
#    number. Most match the program's low three bytes plus the two leading
#    zero bytes of the version argument at offset:40/depth:8 (the argument
#    position when credentials and verifier are AUTH_NULL); a request that
#    carries AUTH_UNIX credentials shifts the arguments and is not seen by
#    that anchor.
#    NOTE(review): on TCP the RPC record-marking header adds 4 bytes before
#    the call, so the same offset:40/depth:8 window on the TCP rules may not
#    reach the argument — confirm against a captured session before relying
#    on the TCP variants.
#  * "overflow attempt" rules match the program number, then the procedure
#    number exactly 4 bytes later (distance:4; within:4 skips the version
#    field), optionally byte_jump over a preceding XDR string, and alert when
#    a 4-byte XDR length field at the given relative offset exceeds the
#    threshold the service is known not to expect.
# Rules with a leading "#" are disabled but kept for history. sid/rev identify
# each rule; any change to a rule body needs a rev bump.

# amd
# Program 0x000493F3 (300019, amd). The port spec "500:" means every port
# from 500 up, so the program/procedure header match is what keeps these
# specific. Procedure 7 (amqproc_mount): alert when the length field 16
# bytes past the procedure number exceeds 512 (CVE-1999-0704).
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP amqproc_mount plog overflow attempt"; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,512,16,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1905; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP amqproc_mount plog overflow attempt"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_test:4,>,512,16,relative; reference:cve,CVE-1999-0704; reference:bugtraq,614; classtype:misc-attack; sid:1906; rev:2;)
# Procedure 9 (pid) and procedure 8 (version) are reconnaissance-style
# queries, classed rpc-portmap-decode rather than attack.
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP pid request"; flow:to_server,established; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1953; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP pid request"; content:"|00 04 93 F3|"; content:"|00 00 00 09|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1954; rev:1;)
# Only this rule (rev:3) pins the program number to bytes 16-19, the
# program field of the RPC call header. Its UDP sibling and the pid rules
# search the whole payload for the 4-byte pattern, which is looser and can
# fire on non-header data; anchoring them the same way would cut noise.
alert tcp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD TCP version request"; flow:to_server,established; content:"|00 04 93 F3|"; offset:16; depth:4; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1955; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 500: (msg:"RPC AMD UDP version request"; content:"|00 04 93 F3|"; content:"|00 00 00 08|"; distance:4; within:4; classtype:rpc-portmap-decode; sid:1956; rev:1;)
# Disabled: older sid:573 matched a fixed 16-byte prefix of one exploit
# payload; it is superseded by the length-based sid:1905/1906 above.
# alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content: "|80 00 04 2C 4C 15 75 5B 00 00 00 00 00 00 00 02|"; depth:32; reference:cve,CVE-1999-0704; reference:arachnids,217; classtype:attempted-admin; sid:573; rev:4;)
# cmsd
# Program 0x000186E4 (100068, rpc.cmsd). Portmap lookups first, then calls
# to the service itself in the 32770:34000 range where it usually binds.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; sid:578; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request cmsd"; content:"|01 86 E4 00 00|";offset:40;depth:8; reference:arachnids,17; classtype:rpc-portmap-decode; flow:to_server,established; sid:1265; rev:4;)
# Procedure 0x15 (21, CMSD_CREATE): skip the credential block via
# byte_jump, then alert when the next length field exceeds 1024
# (CVE-1999-0696).
alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD UDP CMSD_CREATE buffer overflow attempt"; content:"|00 01 86 E4|"; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1907; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD TCP CMSD_CREATE buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; content:"|00 00 00 15|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,1024,20,relative; reference:cve,CVE-1999-0696; reference:bugtraq,524; classtype:attempted-admin; sid:1908; rev:3;)
# Procedure 6 (CMSD_INSERT): two byte_jumps step over two XDR strings, then
# the third length field is tested against 1000. Note the classtype is
# misc-attack here but attempted-admin for CMSD_CREATE although both cite
# the same CVE; the severity split looks unintentional — worth aligning.
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD TCP CMSD_INSERT buffer overflow attempt"; flow:to_server,established; content:"|00 01 86 E4|"; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1909; rev:2;)
alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC CMSD udp CMSD_INSERT buffer overflow attempt"; content:"|00 01 86 E4|"; content:"|00 00 00 06|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_jump:4,20,relative,align; byte_test:4,>,1000,28,relative; reference:cve,CVE-1999-0696; reference:url,www.cert.org/advisories/CA-99-08-cmsd.html; classtype:misc-attack; sid:1910; rev:1;)
# sadmind
# Program 0x00018788 (100232, sadmind).
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; flow:to_server,established; sid:1272; rev:4;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request sadmind"; content:"|01 87 88 00 00|";offset:40;depth:8; reference:arachnids,20; classtype:rpc-portmap-decode; sid:585; rev:2;)
# Procedure 1 (NETMGT_PROC_SERVICE): the CLIENT_DOMAIN length field sits
# 240 bytes past the procedure number; alert when it exceeds 512
# (CVE-1999-0977).
alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; content:"|00 01 87 88|"; content:"|00 00 00 01|"; distance:4; within:4; byte_test:4,>,512,240,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1911; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP NETMGT_PROC_SERVICE CLIENT_DOMAIN overflow attempt"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 01|"; distance:4; within:4; byte_test:4,>,512,240,relative; reference:cve,CVE-1999-0977; reference:bugtraq,866; classtype:attempted-admin; sid:1912; rev:3;)
# Procedure 0 is the RPC NULL procedure (a liveness ping, no arguments).
# NOTE(review): tagging a bare ping as attempted-admin is presumably meant
# to catch pre-exploit probing, but it will also fire on legitimate
# management traffic; attempted-recon may fit better — confirm with the
# rule owner.
alert udp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind UDP PING"; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1957; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32770:34000 (msg:"RPC sadmind TCP PING"; flow:to_server,established; content:"|00 01 87 88|"; content:"|00 00 00 00|"; distance:4; within:4; reference:bugtraq,866; classtype:attempted-admin; sid:1958; rev:1;)
# statd
# rstatd program 0x000186A1 (100001). Unlike every other portmap rule in
# this file, these two carry no offset/depth, so the 5-byte pattern is
# searched across the whole payload — more false positives and more
# matching work per packet; anchoring at offset:40;depth:8 like the others
# (with a rev bump) is the obvious fix.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; sid:583; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request rstatd"; content: "|01 86 A1 00 00|"; reference:arachnids,10; classtype:rpc-portmap-decode; flow:to_server,established; sid:1270; rev:5;)
# statd program 0x000186B8 (100024). Procedures 1 (stat) and 2 (monitor):
# byte_jump over the leading string, then alert when the mon_name length
# field exceeds 100 (CVE-2000-0666 format string bug). Port spec "1024:"
# is any unprivileged port, so again the header match does the work.
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP stat mon_name format string exploit attempt"; content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1913; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP stat mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1914; rev:3;)
alert udp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD UDP monitor mon_name format string exploit attempt"; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1915; rev:3;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1024: (msg:"RPC STATD TCP monitor mon_name format string exploit attempt"; flow:to_server,established; content:"|00 01 86 B8|"; content:"|00 00 00 02|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,100,20,relative; reference:cve,CVE-2000-0666; reference:bugtraq,1480; classtype:attempted-admin; sid:1916; rev:3;)
# Disabled: rstatd query rules (offset:5 pattern) and the "statdx" rules,
# which keyed on a literal shell string inside one exploit's payload rather
# than on the protocol; the length-based statd rules above replace them.
#alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:592; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|";offset:5; reference:arachnids,9;classtype:attempted-recon; sid:1278; rev:3;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:4;)
#alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content: "/bin|c74604|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:2;)
# ypupdated program 0x000186BC (100028); portmap lookups only.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:1277; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ypupdated"; flow:to_server,established; content:"|01 86 BC 00 00|";offset:40;depth:8; reference:arachnids,125; classtype:rpc-portmap-decode; sid:591; rev:5;)
# NFS
# Program 0x000186A3 (100003); portmap lookups only.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS UDP"; content:"|01 86 A3 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1959; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request NFS TCP"; flow:to_server,established; content:"|01 86 A3 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1960; rev:1;)
# rquota
# Program 0x000186AB (100011, rquotad).
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA UDP"; content:"|01 86 AB 00 00|"; offset:40;depth:8; classtype:rpc-portmap-decode; sid:1961; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request RQUOTA TCP"; flow:to_server,established; content:"|01 86 AB 00 00|"; offset:40; depth:8; classtype:rpc-portmap-decode; sid:1962; rev:1;)
# Procedure 1 (getquota): jump over one string, then alert when the next
# length field exceeds 128 (CVE-1999-0974). Destination port is "any",
# and there is no TCP counterpart — a gap if rquotad is reachable over TCP.
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC RQUOTA UDP getquota overflow attempt"; content:"|00 01 86 AB|"; content:"|00 00 00 01|"; distance:4; within:4; byte_jump:4,4,relative,align; byte_test:4,>,128,8,relative; reference:cve,CVE-1999-0974; reference:bugtraq,864; classtype:misc-attack; sid:1963; rev:1;)
# tooltalk / ttdbserv, program 100083 (0x000186F3; same program under
# both names, see the content bytes in the ttdbserv rules).
# NOTE(review): these two use the rpc: keyword, which decodes the program
# number of the RPC call in the packet itself. A portmap lookup on 111
# carries the portmapper's own program in that field and 100083 only in
# the argument body, so as written these may fire only on a ToolTalk call
# sent directly to port 111 and miss the lookup the msg describes; the
# content-based ttdbserv rules just below cover the lookup. Confirm with a
# captured GETPORT request before keeping both.
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; flow:to_server,established; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request tooltalk"; rpc:100083,*,*; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:5;)
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|"; offset:40;depth:8; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:cve,CAN-2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:bugtraq,122; reference:arachnids,24; classtype:rpc-portmap-decode; sid:588; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request ttdbserv"; content:"|01 86 F3 00 00|";offset:40;depth:8; reference:cve,CAN-2001-0717; reference:cve,CVE-1999-0003; reference:cve,CVE-1999-0687; reference:cve,CAN-1999-1075; reference:url,www.cert.org/advisories/CA-2001-05.html; reference:arachnids,24; classtype:rpc-portmap-decode; flow:to_server,established; sid:1274; rev:6;)
# Procedure 7: jump over one string, alert when the next length field
# exceeds 128 (CVE-1999-0003). Destination port "any".
alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk UDP overflow attempt"; content:"|00 01 86 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,128,20,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1964; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC tooltalk TCP overflow attempt"; flow:to_server,established; content:"|00 01 86 F3|"; content:"|00 00 00 07|"; distance:4; within:4; byte_jump:4,12,relative,align; byte_test:4,>,128,20,relative; reference:cve,CVE-1999-0003; reference:bugtraq,122; classtype:misc-attack; sid:1965; rev:2;)
# Disabled: fixed-bytes Solaris overflow signatures (sid:570 matched a
# 16-byte code fragment, sid:571 the call header plus dsize). The
# length-based sid:1964/1965 above supersede them.
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; content: "|C0 22 3F FC A2 02 20 09 C0 2C 7F FF E2 22 3F F4|"; flow:to_server,established; dsize: >999; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:570; rev:5;)
#alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; flow:to_server,established; dsize: >999; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:url,www.cert.org/advisories/CA-2001-27.html; reference:bugtraq,122; reference:cve,CVE-1999-0003; reference:arachnids,242; classtype:attempted-admin; sid:571; rev:4;)
# Still active: the same 16-byte header (program 100083, version 1,
# procedure 0x0F, one argument) anchored at offset:16, classed as DoS.
# Without the dsize guard of the disabled sid:571 it fires on any
# procedure-15 call, so expect it to overlap with legitimate ttdbserv use.
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC DOS ttdbserv solaris"; flow:to_server,established; content: "|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|";offset: 16; depth: 32; reference:bugtraq,122; reference:arachnids,241; reference:cve,CVE-1999-0003; classtype:attempted-dos; sid:572; rev:4;)
# kcms_server, program 0x0001877D (100221). Portmap lookups, then a
# directory-traversal check: program number at the call-header position
# (offset:16) followed anywhere later by a literal "/../" (CAN-2003-0027).
# No UDP counterpart for the traversal rule.
alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC UDP kcms_server request"; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2005; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC TCP kcms_server request"; flow:to_server,established; content:"|01 87 7D 00 00|"; offset:40; depth:8; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:rpc-portmap-decode; sid:2006; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC kcms_server directory traversal attempt"; flow:to_server,established; content:"|00 01 87 7D|"; offset: 16; content:"/../"; reference:cve,CAN-2003-0027; reference:url,www.kb.cert.org/vuls/id/850785; classtype:misc-attack; sid:2007; rev:1;)