⭐ 欢迎来到虫虫下载站! | 📦 资源下载 📁 资源专辑 ℹ️ 关于我们
⭐ 虫虫下载站
📤 上传资源

📄 deleted.rules

📁 snort入侵检测规则文件2.4 Snort是众所周知的网络入侵检测工具
💻 RULES
📖 第 1 页 / 共 5 页
字号:
🔍
12345 
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT format string"; flow:to_server,established; content:"SITE EXEC %020d|7C|%.f%.f|7C 0A|"; depth:32; nocase; reference:arachnids,453; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:338; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT OpenBSD x86 ftpd"; flow:to_server,established; content:" |90|1|C0 99|RR|B0 17 CD 80|h|CC|sh"; reference:arachnids,446; reference:bugtraq,2124; reference:cve,2001-0053; classtype:attempted-user; sid:339; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"PWD|0A|/i"; classtype:attempted-admin; sid:340; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT overflow"; flow:to_server,established; content:"XXXXX/"; classtype:attempted-admin; sid:341; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Solaris 2.8"; flow:to_server,established; content:"|90 1B C0 0F 82 10| |17 91 D0| |08|"; reference:arachnids,451; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-user; sid:342; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow FreeBSD"; flow:to_server,established; content:"1|C0|PPP|B0|~|CD 80|1|DB|1|C0|"; depth:32; reference:arachnids,228; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:343; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow Linux"; flow:to_server,established; content:"1|C0|1|DB|1|C9 B0|F|CD 80|1|C0|1|DB|"; reference:arachnids,287; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-admin; sid:344; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string overflow generic"; flow:to_server,established; content:"SITE "; nocase; content:" EXEC "; nocase; content:" %p"; nocase; reference:arachnids,285; reference:bugtraq,1387; reference:cve,2000-0573; reference:nessus,10452; classtype:attempted-admin; sid:345; rev:9;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0 site exec format string check"; flow:to_server,established; content:"f%.f%.f%.f%.f%."; depth:32; reference:arachnids,286; reference:bugtraq,1387; reference:cve,2000-0573; classtype:attempted-recon; sid:346; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT wu-ftpd 2.6.0"; flow:to_server,established; content:"..11venglin@"; reference:arachnids,440; reference:bugtraq,1387; classtype:attempted-user; sid:348; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT MKD overflow"; flow:to_server,established; content:"MKD AAAAAA"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:349; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|C0|1|DB B0 17 CD 80|1|C0 B0 17 CD 80|"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:350; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"1|DB 89 D8 B0 17 CD 80 EB|,"; reference:bugtraq,113; reference:bugtraq,2242; reference:cve,1999-0368; classtype:attempted-admin; sid:351; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|83 EC 04|^|83 C6|p|83 C6 28 D5 E0 C0|"; reference:bugtraq, 113; reference:cve, CVE-1999-0368; classtype:attempted-admin; sid:352; rev:6;)# duplicate of 475alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:misc-activity; sid:455; rev:7;)# not needed thanks to 1964 and 1965alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv solaris overflow"; dsize:>999; flow:to_server,established; content:"|C0 22|?|FC A2 02| |09 C0|,|7F FF E2 22|?|F4|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:570; rev:10;)alert tcp $EXTERNAL_NET any -> $HOME_NET 32771:34000 (msg:"RPC EXPLOIT ttdbserv Solaris overflow"; dsize:>999; flow:to_server,established; content:"|00 01 86 F3 00 00 00 01 00 00 00 0F 00 00 00 01|"; reference:arachnids,242; reference:bugtraq,122; reference:cve,1999-0003; reference:url,www.cert.org/advisories/CA-2001-27.html; classtype:attempted-admin; sid:571; rev:8;)# dup of 589alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1296; rev:4;)# dup of 1275alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap request yppasswdd"; flow:to_server,established; rpc:100009,*,*; reference:bugtraq,2763; classtype:rpc-portmap-decode; sid:1297; rev:8;)# dup of 1280alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:596; rev:6;)# dup of 1281alert tcp $EXTERNAL_NET any -> $HOME_NET 32771 (msg:"RPC portmap listing"; flow:to_server,established; rpc:100000,*,*; reference:arachnids,429; classtype:rpc-portmap-decode; sid:597; rev:6;)alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD TRAFFIC Non-Standard IP protocol"; ip_proto:!1; ip_proto:!2; ip_proto:!47; ip_proto:!50; ip_proto:!51; ip_proto:!6; ip_proto:!89; classtype:non-standard-protocol; sid:1620; rev:5;)# this has been replaced with sid 1905 and 1906alert tcp $EXTERNAL_NET any -> $HOME_NET 634:1400 (msg:"RPC AMD Overflow"; flow:to_server,established; content:"|80 00 04|,L|15|u[|00 00 00 00 00 00 00 02|"; depth:32; reference:arachnids,217; reference:cve,1999-0704; classtype:attempted-admin; sid:573; rev:8;)# these have been replaced by 1915, 1916, 1914, and 1913alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; flow:to_server,established; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:600; rev:7;)alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"RPC EXPLOIT statdx"; content:"/bin|C7|F|04|/sh"; reference:arachnids,442; classtype:attempted-admin; sid:1282; rev:5;)# duplicate of 1088alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI webstore directory traversal"; flow:to_server,established; uricontent:"/web_store.cgi?page=../.."; reference:bugtraq,1774; reference:cve,2000-1005; classtype:web-application-attack; sid:1094; rev:10;)# these are obsoletealert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT overflow"; flow:to_server,established; content:"|E8 C0 FF FF FF|/bin/sh"; classtype:attempted-admin; sid:293; rev:6;)alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|89 D8|@|CD 80 E8 C8 FF FF FF|/"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:295; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|4^|8D 1E 89|^|0B|1|D2 89|V|07|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:296; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|5^|80|F|01|0|80|F|02|0|80|F|03|0"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:297; rev:8;)alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|8^|89 F3 89 D8 80|F|01| |80|F|02|"; reference:bugtraq,130; reference:cve,1999-0005; classtype:attempted-admin; sid:298; rev:7;)alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP EXPLOIT x86 linux overflow"; flow:to_server,established; content:"|EB|X^1|DB 83 C3 08 83 C3 02 88|^&"; reference:bugtraq,130; reference:cve, CVE-1999-0005; classtype:attempted-admin; sid:299; rev:6;)# what is this rule?  we have no idea...alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SCAN ssh-research-scanner"; flow:to_server,established; content:"|00 00 00|`|00 00 00 00 00 00 00 00 01 00 00 00|"; classtype:attempted-recon; sid:617; rev:4;)# These have been replaced by better rules (1915,1916,1913,1914)alert udp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:592; rev:5;)alert tcp $EXTERNAL_NET any -> $HOME_NET 32770: (msg:"RPC rstatd query"; flow:to_server,established; content:"|00 00 00 00 00 00 00 02 00 01 86 A1|"; offset:5; reference:arachnids,9; classtype:attempted-recon; sid:1278; rev:5;)alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned nobody"; flow:from_server,established; content:"uid="; content:"|28|nobody|29|"; classtype:bad-unknown; sid:1883; rev:5;)alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned web"; flow:from_server,established; content:"uid="; content:"|28|web|29|"; classtype:bad-unknown; sid:1884; rev:5;)alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned http"; flow:from_server,established; content:"uid="; content:"|28|http|29|"; classtype:bad-unknown; sid:1885; rev:5;)alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES id check returned apache"; flow:from_server,established; content:"uid="; content:"|28|apache|29|"; classtype:bad-unknown; sid:1886; rev:5;)alert tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"NETBIOS SMB SMB_COM_TRANSACTION Max Data Count of 0 DOS Attempt"; flow:to_server,established; content:"|00|"; depth:1; content:"|FF|SMB%"; depth:5; offset:4; content:"|00 00|"; depth:2; offset:45; reference:bugtraq,5556; reference:cve,2002-0724; reference:url,www.corest.com/common/showdoc.php?idx=262; reference:url,www.microsoft.com/technet/security/bulletin/MS02-045.mspx; classtype:denial-of-service; reference:nessus,11110; sid:2102; rev:9;)# specific example for sid:1549alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP EXPLOIT x86 windows CSMMail overflow"; flow:to_server,established; content:"|EB|S|EB| [|FC|3|C9 B1 82 8B F3 80|+"; reference:bugtraq,895; reference:cve,2000-0042; classtype:attempted-admin; sid:656; rev:8;)# this is properly caught by sid:527alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS Land attack"; flags:S; id:3868; seq:3868; flow:stateless; reference:bugtraq,2666; reference:cve,1999-0016; classtype:attempted-dos; sid:269; rev:9;)# duplicate of 1546alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-MISC Cisco Web DOS attempt"; flow:to_server,established; content:" /%%"; depth:16; reference:arachnids,275; classtype:attempted-dos; sid:1138; rev:7;)# these are obsoleted by cleaning up 663alert tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"SMTP sendmail 8.4.1 exploit"; flow:to_server,established; content:"rcpt to|3A| |7C| sed '1,/^|24|/d'|7C|"; nocase; reference:arachnids,120; classtype:attempted-user; sid:666; rev:7;)# dup of 588alert tcp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request TCP"; flow:to_server,established; content:"|00 00 00 00|"; depth:4; offset:8; content:"|00 01 86 A0|"; depth:4; offset:16; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1298; rev:15;)# dup of 1274alert udp $EXTERNAL_NET any -> $HOME_NET 111 (msg:"RPC portmap tooltalk request UDP"; content:"|00 00 00 00|"; depth:4; offset:4; content:"|00 01 86 A0|"; depth:4; offset:12; content:"|00 00 00 03|"; within:4; distance:4; byte_jump:4,4,relative,align; byte_jump:4,4,relative,align; content:"|00 01 86 F3|"; within:4; reference:bugtraq,3382; reference:cve,1999-0003; reference:cve,1999-0687; reference:cve,1999-1075; reference:cve,2001-0717; reference:url,www.cert.org/advisories/CA-2001-05.html; classtype:rpc-portmap-decode; sid:1299; rev:14;)# these virus rules suck.alert tcp any 110 -> any any (msg:"Virus - SnowWhite Trojan Incoming"; flow:established; content:"Suddlently"; classtype:misc-activity; sid:720; rev:6;)alert tcp any 110 -> any any (msg:"Virus - Possible NAVIDAD Worm"; flow:established; content:"NAVIDAD.EXE"; nocase; classtype:misc-activity; sid:722; rev:6;)alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myromeo.exe"; nocase; classtype:misc-activity; sid:723; rev:6;)alert tcp any 110 -> any any (msg:"Virus - Possible MyRomeo Worm"; flow:established; content:"myjuliet.chm"; nocase; classtype:misc-activity; sid:724; rev:6;)
12345

⌨️ 快捷键说明

复制代码 Ctrl + C
搜索代码 Ctrl + F
全屏模式 F11
切换主题 Ctrl + Shift + D
显示快捷键 ?
增大字号 Ctrl + =
减小字号 Ctrl + -