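# web-client.rules -- Snort 2.x signatures for attacks delivered TO browsers /
# media players over HTTP (server -> client direction, plus one client->server
# helper that only sets a flowbit).
#
# Layout notes:
#   * One rule per line; Snort does not join lines without a trailing backslash.
#   * Rules prefixed with "# " are disabled on purpose (the JPEG/GDI+ set
#     sid 2705-2707 is shipped disabled here) -- do not un-comment blindly.
#   * Several "multipacket" rules rely on a flowbit set by a companion rule
#     that matches the response Content-Type (http.jpeg, http.gif, http.bmp,
#     chm_content_type) or the request URI (http.hta).  None of these bits is
#     ever unset, so on a persistent HTTP/1.1 connection the bit stays set for
#     the rest of the flow and later, unrelated responses on the same
#     connection can trigger the "isset" rules (false-positive source) or, for
#     the "isnotset" rule sid 3552, be suppressed.  Treat those alerts as
#     needing payload review rather than as confirmed exploits.
#
# Changes relative to the previous revision of this file:
#   * sid 3683 (spoofed MIME-Type auto-execution): source port was the literal
#     80 while every other rule uses $HTTP_PORTS, so HTTP on 8080/8000/etc.
#     was never inspected; now $HTTP_PORTS.  The header pcre also required at
#     least one whitespace after "Content-Type:" (\s+) where sibling rules use
#     \s*, which let "Content-Type:audio/x-wav" slip through; now \s*.  rev 1->2.
#   * sid 3536 (Mozilla GIF multipacket): the application-extension identifiers
#     now use an escaped dot ("NETSCAPE2\.0", "ANIMEXTS1\.0") exactly like the
#     single-packet variant sid 3534; the unescaped "." matched any byte.
#     rev 2->3.
#   * sid 3534 (Mozilla GIF heap overflow): the "image/" content match now
#     carries nocase, matching its companion sid 3535 and the case-insensitive
#     pcre that follows it.  rev 2->3.

# --- HTTP header abuse -----------------------------------------------------

# MS04-024 / CVE-2004-0420: a CLSID in the Content-Disposition filename makes
# the shell treat the download as that object type.  The pcre anchors on the
# header line and requires a full {8-4-4-4-12} GUID.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Content-Disposition CLSID command attempt"; flow:to_client,established; content:"Content-Disposition|3A|"; nocase; pcre:"/^Content-Disposition\x3a[^\r\n]*\{[\da-fA-F]{8}(-[\da-fA-F]{4}){3}-[\da-fA-F]{12}\}/smi"; reference:bugtraq,9510; reference:cve,2004-0420; reference:url,www.microsoft.com/technet/security/bulletin/ms04-024.mspx; classtype:attempted-user; sid:2589; rev:3;)

# --- PNG -------------------------------------------------------------------

# CVE-2004-0597 (libpng): tRNS chunk length > 256 on an image with no PLTE
# chunk between IHDR and tRNS.  byte_test reads the 4-byte big-endian chunk
# length that sits 8 bytes before the end of the "tRNS" tag; the negative
# look-ahead in the pcre excludes palette images, where a long tRNS is legal.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT libpng tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; pcre:"/IHDR(?!.*?PLTE).*?tRNS/s"; reference:bugtraq,10872; reference:cve,2004-0597; classtype:attempted-user; sid:2673; rev:4;)

# --- BMP (single-packet) ---------------------------------------------------

# CVE-2004-0566: bfOffBits (4 bytes LE, 8 bytes after the "BM" magic) close
# to 2^31 drives an integer overflow in the bitmap loader.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset integer overflow attempt"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; pcre:"/^BM/sm"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:2671; rev:4;)

# --- JPEG (MS04-028 / CVE-2004-0200) -- DISABLED --------------------------
# Shipped commented out.  The heap-overflow signature keys on an APP1/APP2/
# APP13/COM marker with a 16-bit length of 0 or 1.  sid 2706 only sets the
# http.jpeg flowbit for the multipacket variant sid 2707.
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser heap overflow attempt"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g.*\xFF\xD8.{2}.*\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/smi"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2705; rev:4;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fp?jpe?g/smi"; flowbits:set,http.jpeg; flowbits:noalert; classtype:protocol-command-decode; sid:2706; rev:2;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT JPEG parser multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.jpeg; content:"|FF|"; pcre:"/\xFF[\xE1\xE2\xED\xFE]\x00[\x00\x01]/"; reference:bugtraq,11173; reference:cve,2004-0200; reference:url,www.microsoft.com/security/bulletins/200409_jpeg.mspx; classtype:attempted-admin; sid:2707; rev:2;)

# --- Animated cursor / media players ---------------------------------------

# CVE-2004-1049 (MS05-002): RIFF "anih" chunk whose 4-byte LE length is larger
# than the 36-byte ANIHEADER it is supposed to describe.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Microsoft ANI file parsing overflow"; flow:established,from_server; content:"RIFF"; nocase; content:"anih"; nocase; byte_test:4,>,36,0,relative,little; reference:cve,2004-1049; classtype:attempted-user; sid:3079; rev:3;)

# bugtraq 11730 (Winamp): ".cda" path whose last component is >= 16 chars.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winamp .cda file name overflow attempt"; flow:from_server,established; content:".cda"; nocase; pcre:"/(\x5c[^\x5c]{16,}|\x2f[^\x2f]{16,})\.cda$/smi"; reference:bugtraq,11730; classtype:attempted-user; sid:3088; rev:1;)

# --- PNG IHDR sanity (MS05-009 / CVE-2004-0990 / CVE-2004-1244) -----------
# IHDR data layout after the 4-byte "IHDR" tag: width(4) height(4) depth(1).
# Oversized width/height or a bit depth above 16 are outside the PNG spec.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image width download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,0,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3132; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large colour depth download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:1,>,16,8,relative; reference:bugtraq,11523; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3134; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT PNG large image height download attempt"; flow:from_server,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:8; byte_test:4,>,32768,4,relative; reference:bugtraq,11481; reference:bugtraq,11523; reference:cve,2004-0599; reference:cve,2004-0990; reference:cve,2004-1244; reference:url,www.microsoft.com/technet/security/bulletin/MS05-009.mspx; classtype:attempted-user; sid:3133; rev:4;)

# --- HTML / ActiveX --------------------------------------------------------

# MS03-020 / CVE-2003-0344: <OBJECT type="////..."> with 32+ slashes.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT object type overflow attempt"; flow:from_server,established; content:"<OBJECT"; nocase; pcre:"/<OBJECT\s+[^>]*type\s*=[\x22\x27]\x2f{32}/smi"; reference:cve,2003-0344; reference:url,www.microsoft.com/technet/security/bulletin/MS03-020.mspx; classtype:attempted-user; sid:3149; rev:3;)

# MS03-017 / CVE-2003-0228: ".." or URL-encoded ".%2e" inside the
# Content-Disposition filename parameter.  Will also fire on benign filenames
# that merely contain ".." (e.g. "foo..txt") -- review before blocking.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Windows Media Player directory traversal via Content-Disposition attempt"; flow:from_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename=[^\x3b\x3a\r\n]*(\x2e\x2e|\x25\x32\x65)/smi"; reference:bugtraq,7517; reference:cve,2003-0228; reference:url,www.microsoft.com/technet/security/bulletin/MS03-017.mspx; classtype:attempted-user; sid:3192; rev:2;)

# CVE-2002-0823: WinHelp ActiveX control instantiated from a web page.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT winhelp clsid attempt"; flow:from_server,established; content:"adb880a6-d8ff-11cf-9377-00aa003b7a11"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*adb880a6-d8ff-11cf-9377-00aa003b7a11/si"; reference:bugtraq,4857; reference:cve,2002-0823; reference:url,www.ngssoftware.com/advisories/ms-winhlp.txt; classtype:attempted-user; sid:3148; rev:4;)

# --- RealPlayer / iTunes ---------------------------------------------------

# eEye AD20041001: RealMedia VIDORV30 header with an implausibly large
# length field (read 16 bytes before the end of the "VIDORV30" tag).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer VIDORV30 header length buffer overflow"; flow:to_client,established; content:".RMF"; nocase; content:"VIDORV30"; distance:0; byte_test:4,>,1000000,-16,relative; reference:bugtraq,11309; reference:url,www.eeye.com/html/research/advisories/AD20041001.html; classtype:attempted-admin; sid:3470; rev:1;)

# CVE-2005-0043 (iTunes): .pls "FileN=http://" entry with a 150+ char URL.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT iTunes playlist URL overflow attempt"; flow:from_server,established; content:"[playlist]"; pcre:"/^File[0-9]+=http\x3a\x2f\x2f[^\n]{150}/Rsmi"; reference:bugtraq,12238; reference:cve,2005-0043; classtype:attempted-user; sid:3471; rev:2;)

# CVE-2005-0455 (RealPlayer): SMIL system-screen-size attribute of 256+ chars.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT RealPlayer SMIL file overflow attempt"; flow:to_client,established; content:"Content-Type|3A|"; nocase; pcre:"/^Content-Type\x3a\s*application\x2fsmil/smi"; pcre:"/<smil>.*system-screen-size=\x22[^\x22]{256}.*<\x2fsmil>/Rsmi"; reference:bugtraq,12698; reference:cve,2005-0455; classtype:attempted-user; sid:3473; rev:2;)

# --- GIF (CVE-2005-0399, Mozilla) ------------------------------------------
# Application extension (0x21 0xFF 0x0B + "NETSCAPE2.0"/"ANIMEXTS1.0") whose
# sub-block starts with 0x02 and carries a byte > 0x7F three bytes later.
# sid 3535 sets http.gif on the response header; sid 3536 is the follow-on
# packet variant, sid 3534 the single-packet variant.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF multipacket heap overflow"; flow:from_server,established; flowbits:isset,http.gif; content:"GIF"; pcre:"/\x21\xff\x0b(NETSCAPE2\.0|ANIMEXTS1\.0)/smi"; content:"|02|"; within:1; distance:1; byte_test:1,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; classtype:attempted-user; sid:3536; rev:3;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT GIF transfer"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fgif/smi"; flowbits:set,http.gif; flowbits:noalert; classtype:protocol-command-decode; sid:3535; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla GIF heap overflow"; flow:from_server,established; content:"image/"; nocase; pcre:"/^Content-Type\s*\x3a\s*image\x2fgif/smi"; content:"GIF"; distance:0; pcre:"/\x21\xff\x0b(NETSCAPE2\.0|ANIMEXTS1\.0)/Rsmi"; content:"|02|"; within:1; distance:1; byte_test:1,>,0x7f,3,relative; reference:bugtraq,12881; reference:cve,2005-0399; classtype:attempted-user; sid:3534; rev:3;)

# --- HTA masquerade (CVE-2005-0063) ----------------------------------------
# OLE compound document whose "Root Entry" (UTF-16LE) stream carries a 16-byte
# little-endian CLSID that decodes to 3050F4D8-98B5-11CF-BB82-00AA00BDCE0B,
# 60 bytes after the name.  Suppressed when the client actually requested a
# .hta URI (flowbit http.hta from sid 3551); note that bit is never cleared.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT OLE32 MSHTA masquerade attempt"; flow:to_client,established; flowbits:isnotset,http.hta; content:"R|00|o|00|o|00|t|00| |00|E|00|n|00|t|00|r|00|y|00|"; nocase; content:"|D8 F4|P0|B5 98 CF 11 BB 82 00 AA 00 BD CE 0B|"; within:16; distance:60; reference:cve,2005-0063; classtype:attempted-user; sid:3552; rev:3;)

# --- DOM / URL handling (CVE-2005-0553, Mozilla) ---------------------------
# create*("") followed by insertion of that node, or direct insertion of an
# empty create*("") / NULL node.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT HTML DOM invalid element creation attempt"; flow:to_client,established; content:"create"; pcre:"/(\w+)\s*=\s*\w+\.create(Element|Comment|TextNode)\((\x22\x22|\x27\x27)\)\s*\;.*?\w+\.(insertBefore|insertAfter|appendChild)\(\1\)\;|\w\.(insertBefore|insertAfter|appendChild)\(\w+\.create(Element|Comment|TextNode)\((\x22\x22|\x27\x27)\)/sm"; reference:cve,2005-0553; classtype:attempted-user; sid:3549; rev:5;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT HTML DOM null element insertion attempt"; flow:to_client,established; content:"NULL"; pcre:"/(insertBefore|insertAfter|appendChild)\(\s*NULL\s*\)/sm"; reference:cve,2005-0553; classtype:attempted-user; sid:3553; rev:2;)

# Client -> server helper: records that this flow requested a .hta URI so that
# sid 3552 does not alert on a legitimately requested HTA.  Never alerts itself.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"WEB-CLIENT .hta download attempt"; flow:to_server,established; uricontent:".hta"; nocase; pcre:"/\.hta(\b|$)/Ui"; flowbits:set,http.hta; flowbits:noalert; classtype:not-suspicious; sid:3551; rev:1;)

# http:// URL (in an attribute value) whose host component, or the part after
# user@, is 255+ characters.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT HTML http scheme hostname overflow attempt"; flow:to_client,established; content:"http|3A|//"; nocase; pcre:"/=\s*[\x22\x27]?http\x3a\/\/([^\x3a\x2f@\s]{255}|[^@]*@[^\x3a\x2f@\s]{255})/i"; reference:cve,2005-0553; classtype:attempted-user; sid:3550; rev:3;)

# --- BMP (multipacket) -----------------------------------------------------
# sid 3633 and sid 3684 are byte-for-byte the same detector: both set the
# http.bmp flowbit on an image/bmp response header with noalert.  Either one
# alone is sufficient for sids 3634/3685; both are kept so existing sid-based
# tooling keeps resolving, but only one needs to be enabled.
# biWidth is the 4-byte LE field 16 bytes after the "BM" magic
# (2 magic + 4 bfSize + 4 reserved + 4 bfOffBits + 4 biSize).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap transfer"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; flowbits:set,http.bmp; flowbits:noalert; classtype:protocol-command-decode; sid:3633; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla bitmap width integer overflow multipacket attempt"; flow:to_client,established; flowbits:isset,http.bmp; content:"BM"; byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171; reference:cve,2004-0904; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; classtype:attempted-admin; sid:3634; rev:2;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Mozilla bitmap width integer overflow attempt"; flow:established,to_client; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; content:"BM"; distance:0; byte_test:4,>,83386080,16,relative,little; reference:bugtraq,11171; reference:cve,2004-0904; reference:url,bugzilla.mozilla.org/show_bug.cgi?id=255067; classtype:attempted-admin; sid:3632; rev:2;)

# CVE-2005-1476 (Firefox): <IFRAME src="javascript:...">.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Firefox IFRAME src javascript code execution"; flow:from_server,established; content:"IFRAME"; nocase; pcre:"/\x3c\s*IFRAME\s*[^\x3e]*src=\x22javascript\x3a/smi"; reference:bugtraq,13544; reference:cve,2005-1476; classtype:attempted-user; sid:3679; rev:1;)

# MS01-020 / CVE-2001-0154: an "audio/*" Content-Type paired with an
# executable filename (vbs/exe/scr/pif/bat) in the same response headers.
# Source port is $HTTP_PORTS (was literal 80) and the whitespace after the
# colon is optional (\s*) -- see the change log at the top of this file.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT spoofed MIME-Type auto-execution attempt"; flow:from_server,established; content:"Content-Type|3A|"; nocase; content:"audio/"; nocase; pcre:"/Content-Type\x3A\s*audio\/(x-wav|mpeg|x-midi)/i"; content:"filename="; distance:0; nocase; pcre:"/filename=[\x22\x27]?.{1,221}\.(vbs|exe|scr|pif|bat)/i"; reference:bugtraq,2524; reference:cve,2001-0154; reference:url,www.microsoft.com/technet/security/bulletin/MS01-020.mspx; classtype:attempted-admin; sid:3683; rev:2;)

# CVE-2005-0555 (IE Content Advisor): PICS label with a (name "...") value of
# 260+ characters; the three preceding pcres require a well-formed label.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer Content Advisor attempted overflow"; flow:from_server,established; content:"PICS-version"; nocase; pcre:"/PICS-version\s+(\d{1,}|\d(\x2e\d){1,})\s*\x29\s+/smi"; pcre:"/\x28\s*rating-system\s*\S+\s*\x29\s+/smi"; pcre:"/\x28\s*rating-service\s*\S+\s*\x29\s+/smi"; pcre:"/\x28\s*name\s*\x22[^\x22]{260,}/smi"; reference:bugtraq,13117; reference:cve,2005-0555; classtype:attempted-user; sid:3686; rev:1;)

# CVE-2004-0566 multipacket variant of sid 2671 (needs http.bmp).
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT bitmap BitmapOffset multipacket integer overflow attempt"; flow:to_client,established; flowbits:isset,http.bmp; content:"BM"; byte_test:4,>,2147480000,8,relative,little; reference:bugtraq,9663; reference:cve,2004-0566; classtype:attempted-user; sid:3685; rev:1;)
# Duplicate of sid 3633 (same flowbit, same match) -- see note above.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Bitmap Transfer"; flow:to_client,established; content:"image/bmp"; nocase; pcre:"/^Content-type\x3a\s*image\x2fbmp/smi"; flowbits:set,http.bmp; flowbits:noalert; classtype:protocol-command-decode; sid:3684; rev:1;)

# MS05-025 / CVE-2005-1211: same tRNS length check as sid 2673 but without the
# "no PLTE" exclusion, so a palette image with a long tRNS fires this one only.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT Internet Explorer tRNS overflow attempt"; flow:to_client,established; content:"|89|PNG|0D 0A 1A 0A|"; content:"IHDR"; within:4; distance:4; content:"tRNS"; distance:0; byte_test:4,>,256,-8,relative,big; reference:bugtraq,13941; reference:cve,2005-1211; reference:url,www.microsoft.com/technet/security/bulletin/MS05-025.mspx; classtype:attempted-user; sid:3689; rev:2;)

# CVE-2005-2087: javaprxy.dll COM object instantiated via <OBJECT classid=...>.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT IE javaprxy.dll COM access"; flow:from_server,established; content:"03D9F3F2-B0E3-11D2-B081-006008039BF0"; nocase; pcre:"/<OBJECT\s+[^>]*classid\s*=\s*[\x22\x27]?\s*clsid\s*\x3a\s*03D9F3F2-B0E3-11D2-B081-006008039BF0/si"; reference:bugtraq,14087; reference:cve,2005-2087; classtype:attempted-user; sid:3814; rev:1;)

# --- CHM served as text/plain (CVE-2005-1208 / MS05-026) -------------------
# sid 3819 sets chm_content_type on ANY text/plain response; sid 3820 then
# alerts on a bare "ITSF" anywhere in later server->client data on that flow
# and sid 3821 on "ITSF" at the start of a line in the same packet as the
# header.  Both are noisy on plain-text bodies that happen to contain the
# string; confirm the body really is an ITSS/CHM container before acting.
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT multipacket CHM file transfer attempt"; flow:to_client,established; flowbits:isset,chm_content_type; content:"ITSF"; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; classtype:attempted-user; sid:3820; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT multipacket CHM file transfer start"; flow:to_client,established; content:"text/plain"; nocase; pcre:"/^Content-type\x3a\s*text\x2fplain/smi"; flowbits:set,chm_content_type; flowbits:noalert; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; classtype:protocol-command-decode; sid:3819; rev:1;)
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"WEB-CLIENT CHM file transfer attempt"; flow:to_client,established; content:"text/plain"; nocase; pcre:"/^Content-type\x3a\s*text\x2fplain/smi"; pcre:"/^ITSF/sm"; reference:bugtraq,13953; reference:cve,2005-1208; reference:nessus,18482; classtype:attempted-user; sid:3821; rev:1;)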