Attack Statistics
FORTH, 13/09/2006

This document is related to AP1: "Explore further the frequency of patterns but also frequency of attacks recognised by keywords".

In this document we provide statistics for attacks that are detected through standard keywords, i.e. byte patterns that may be found in the payload of a network packet. Since, initially, WISDOM will examine only the header portion of packets and not their payload, it is useful to have a general picture of how many known attacks depend on payload inspection.

To quantify this, we collected all rules of the well-known Intrusion Detection System Snort (http://www.snort.org) and measured how many of them rely on payload inspection, relative to all rules in the dataset. Although Snort may not list every known attack, it lists a substantial fraction of them.

We performed the measurements on two datasets of Snort rules: the one that ships with the Snort distribution (version 2.6-CURRENT, as of 1/9/2006) and the Bleeding Edge Snort rules (http://www.bleedingsnort.com/). The latter is an attempt to collect as many signatures as possible and to provide a complete database for identifying the patterns that characterise current network traffic.

It is important to note that not all rules map to attacks, but they all examine network traffic for specific characteristics. For example, an organisation may consider traffic related to the IRC protocol (an Internet chat protocol) undesirable for its network.

Snort version         Full dataset   Keyword based rules   Header based rules
CURRENT, 1/9/2006     6644           6496                  148
Bleeding Edge Snort   1394           1295                  99

In appendices A and B that follow, we list the header based rules for CURRENT Snort and Bleeding Edge Snort, respectively.
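The rule classification described above, as an added example that is not code from the FORTH document or from Snort: a small parser that splits a Snort rule into its header and options and counts a rule as keyword based when it carries a content or uricontent match. The document does not state its exact criterion, so that is an assumption; it is consistent with the appendices, where rules using pcre, byte_test, dsize or isdataat are still listed as header based, and the example therefore also reports which header based rules nonetheless need payload bytes. The first five sample rules are quoted from Appendix A; the sixth is a constructed keyword based rule for contrast.

```python
"""Classify Snort rules as keyword based or header based.

Added example, not code from the FORTH document or from Snort.
Assumed criterion (the document does not state one): a rule is keyword
based when it carries a content/uricontent match; everything else is
header based, matching the appendices, which still list pcre, byte_test,
dsize and isdataat rules as header based. Those options are reported
separately because a sensor that sees only headers cannot evaluate them.
"""
import re
from collections import Counter

# Options that search the payload for a literal keyword (signature).
KEYWORD_OPTS = {"content", "uricontent"}
# Options that carry no keyword but still need payload bytes to evaluate.
PAYLOAD_OPTS = {"pcre", "byte_test", "byte_jump", "dsize", "isdataat"}

# Snort 2.x rule layout: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+(?P<proto>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$",
    re.S,
)


def split_options(body):
    """Split the option body on ';' while honouring double quotes and
    backslash escapes (some reference URLs contain escaped semicolons)."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return [o for o in opts if o]


def parse_rule(line):
    """Return (header dict, list of (option name, option value))."""
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError("not a Snort rule: %r" % line[:60])
    fields = ("action", "proto", "src", "sport", "dir", "dst", "dport")
    header = {k: m.group(k) for k in fields}
    options = []
    for opt in split_options(m.group("opts")):
        name, _, value = opt.partition(":")
        options.append((name.strip(), value.strip()))
    return header, options


def classify(line):
    """Return ('keyword' or 'header', set of payload options the rule uses)."""
    _, options = parse_rule(line)
    names = {name for name, _ in options}
    kind = "keyword" if names & KEYWORD_OPTS else "header"
    return kind, names & PAYLOAD_OPTS


def sid_of(line):
    """Snort rule id (sid) of a rule, or None if it has none."""
    for name, value in parse_rule(line)[1]:
        if name == "sid":
            return int(value)
    return None


def tally(rules):
    """Count rules per class and list header based rules that still read payload."""
    counts = Counter()
    needs_payload = []
    for rule in rules:
        kind, payload = classify(rule)
        counts[kind] += 1
        if kind == "header" and payload:
            needs_payload.append((sid_of(rule), sorted(payload)))
    return counts, needs_payload


# Rules 1-5 are quoted from Appendix A; rule 6 is constructed for contrast.
SAMPLE_RULES = [
    r'alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:4;)',
    r'alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:4;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 6116 (msg:"BACKDOOR am remote client runtime detection - client-to-server"; flow:to_server,established; pcre:"/^\d+\x01/smi"; flowbits:set,AM_Remote_Client; flowbits:noalert; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7641; rev:1;)',
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"CONSTRUCTED FTP SITE EXEC keyword match"; flow:to_server,established; content:"SITE EXEC"; nocase; classtype:attempted-admin; sid:9000001; rev:1;)',
]

if __name__ == "__main__":
    counts, needs_payload = tally(SAMPLE_RULES)
    print("keyword based: %d, header based: %d" % (counts["keyword"], counts["header"]))
    for sid, opts in needs_payload:
        print("sid %d is header based but uses payload options: %s" % (sid, ", ".join(opts)))
```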
APPENDIX A

alert icmp 3.3.3.3/32 any -> $EXTERNAL_NET any (msg:"DDOS Stacheldraht server spoof"; icmp_id:666; itype:0; reference:arachnids,193; classtype:attempted-dos; sid:224; rev:3;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication Administratively Prohibited"; icode:13; itype:3; classtype:misc-activity; sid:485; rev:5;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Host is Administratively Prohibited"; icode:10; itype:3; classtype:misc-activity; sid:486; rev:5;)
alert icmp any any -> any any (msg:"ICMP Destination Unreachable Communication with Destination Network is Administratively Prohibited"; icode:9; itype:3; classtype:misc-activity; sid:487; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN client command BE"; icmp_id:456; icmp_seq:0; itype:0; reference:arachnids,184; classtype:attempted-dos; sid:228; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS - TFN client command LE"; icmp_id:51201; icmp_seq:0; itype:0; reference:arachnids,183; classtype:attempted-dos; sid:251; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Reply undefined code"; icode:>0; itype:18; classtype:misc-activity; sid:387; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request"; icode:0; itype:17; classtype:misc-activity; sid:388; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Address Mask Request undefined code"; icode:>0; itype:17; classtype:misc-activity; sid:389; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address"; icode:0; itype:6; classtype:misc-activity; sid:390; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Alternate Host Address undefined code"; icode:>0; itype:6; classtype:misc-activity; sid:391; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Broadscan Smurf Scanner"; dsize:4; icmp_id:0; icmp_seq:0; itype:8; classtype:attempted-recon; sid:478; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error"; icode:0; itype:31; classtype:misc-activity; sid:392; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Datagram Conversion Error undefined code"; icode:>0; itype:31; classtype:misc-activity; sid:393; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable cndefined code"; icode:>15; itype:3; classtype:misc-activity; sid:407; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Host Unknown"; icode:7; itype:3; classtype:misc-activity; sid:394; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Destination Network Unknown"; icode:6; itype:3; classtype:misc-activity; sid:395; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Fragmentation Needed and DF bit was set"; icode:4; itype:3; classtype:misc-activity; sid:396; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Precedence Violation"; icode:14; itype:3; classtype:misc-activity; sid:397; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable for Type of Service"; icode:12; itype:3; classtype:misc-activity; sid:398; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Host Unreachable"; icode:1; itype:3; classtype:misc-activity; sid:399; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable for Type of Service"; icode:11; itype:3; classtype:misc-activity; sid:400; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Network Unreachable"; icode:0; itype:3; classtype:misc-activity; sid:401; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Port Unreachable"; icode:3; itype:3; classtype:misc-activity; sid:402; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Precedence Cutoff in effect"; icode:15; itype:3; classtype:misc-activity; sid:403; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Protocol Unreachable"; icode:2; itype:3; classtype:misc-activity; sid:404; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Host Isolated"; icode:8; itype:3; classtype:misc-activity; sid:405; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Destination Unreachable Source Route Failed"; icode:5; itype:3; classtype:misc-activity; sid:406; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; icode:0; itype:0; classtype:misc-activity; sid:408; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply undefined code"; icode:>0; itype:0; classtype:misc-activity; sid:409; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Fragment Reassembly Time Exceeded"; icode:1; itype:11; classtype:misc-activity; sid:410; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP icmpenum v1.1.1"; dsize:0; icmp_id:666 ; icmp_seq:0; id:666; itype:8; reference:arachnids,450; classtype:attempted-recon; sid:471; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request"; icode:0; itype:15; classtype:misc-activity; sid:417; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Information Request undefined code"; icode:>0; itype:15; classtype:misc-activity; sid:418; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here"; icode:0; itype:34; classtype:misc-activity; sid:411; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 I-Am-Here undefined code"; icode:>0; itype:34; classtype:misc-activity; sid:412; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You"; icode:0; itype:33; classtype:misc-activity; sid:413; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IPV6 Where-Are-You undefined code"; icode:>0; itype:33; classtype:misc-activity; sid:414; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router advertisement"; itype:9; reference:arachnids,173; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:363; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP IRDP router selection"; itype:10; reference:arachnids,174; reference:bugtraq,578; reference:cve,1999-0875; classtype:misc-activity; sid:364; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect"; icode:0; itype:32; classtype:misc-activity; sid:419; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Host Redirect undefined code"; icode:>0; itype:32; classtype:misc-activity; sid:420; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply"; icode:0; itype:36; classtype:misc-activity; sid:421; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Reply undefined code"; icode:>0; itype:36; classtype:misc-activity; sid:422; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request"; icode:0; itype:35; classtype:misc-activity; sid:423; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Mobile Registration Request undefined code"; icode:>0; itype:35; classtype:misc-activity; sid:424; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Bad Length"; icode:2; itype:12; classtype:misc-activity; sid:425; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Missing a Required Option"; icode:1; itype:12; classtype:misc-activity; sid:426; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem undefined Code"; icode:>2; itype:12; classtype:misc-activity; sid:428; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Parameter Problem Unspecified Error"; icode:0; itype:12; classtype:misc-activity; sid:427; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PATH MTU denial of service"; itype:3; icode:4; byte_test:2,<,576,2; reference:bugtraq,13124; reference:cve,2004-1060; classtype:attempted-dos; sid:3626; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Reserved"; icode:0; itype:40; classtype:misc-activity; sid:429; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris undefined code!"; icode:>3; itype:40; classtype:misc-activity; sid:433; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Unknown Security Parameters Index"; icode:1; itype:40; classtype:misc-activity; sid:430; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Authentication Failed"; icode:2; itype:40; classtype:misc-activity; sid:431; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Photuris Valid Security Parameters, But Decryption Failed"; icode:3; itype:40; classtype:misc-activity; sid:432; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING LINUX/*BSD"; dsize:8; id:13170; itype:8; reference:arachnids,447; classtype:misc-activity; sid:375; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING NMAP"; dsize:0; itype:8; reference:arachnids,162; classtype:attempted-recon; sid:469; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sun Solaris"; dsize:8; itype:8; reference:arachnids,448; classtype:misc-activity; sid:381; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING undefined code"; icode:>0; itype:8; classtype:misc-activity; sid:365; rev:8;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Host"; icode:3; itype:5; classtype:misc-activity; sid:436; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect for TOS and Network"; icode:2; itype:5; classtype:misc-activity; sid:437; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect host"; icode:1; itype:5; reference:arachnids,135; reference:cve,1999-0265; classtype:bad-unknown; sid:472; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP redirect net"; icode:0; itype:5; reference:arachnids,199; reference:cve,1999-0265; classtype:bad-unknown; sid:473; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Redirect undefined code"; icode:>3; itype:5; classtype:misc-activity; sid:438; rev:9;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19"; icode:0; itype:19; classtype:misc-activity; sid:439; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Reserved for Security Type 19 undefined code"; icode:>0; itype:19; classtype:misc-activity; sid:440; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Advertisement"; icode:0; itype:9; reference:arachnids,173; classtype:misc-activity; sid:441; rev:6;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Router Selection"; icode:0; itype:10; reference:arachnids,174; classtype:misc-activity; sid:443; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP"; icode:0; itype:39; classtype:misc-activity; sid:445; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP SKIP undefined code"; icode:>0; itype:39; classtype:misc-activity; sid:446; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench"; icode:0; itype:4; classtype:bad-unknown; sid:477; rev:3;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Source Quench undefined code"; icode:>0; itype:4; classtype:misc-activity; sid:448; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply"; icode:0; itype:14; classtype:misc-activity; sid:451; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Reply undefined code"; icode:>0; itype:14; classtype:misc-activity; sid:452; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request"; icode:0; itype:13; classtype:misc-activity; sid:453; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Timestamp Request undefined code"; icode:>0; itype:13; classtype:misc-activity; sid:454; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute"; icode:0; itype:30; classtype:misc-activity; sid:456; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute ipopts"; ipopts:rr; itype:0; reference:arachnids,238; classtype:attempted-recon; sid:475; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP traceroute"; itype:8; ttl:1; reference:arachnids,118; classtype:attempted-recon; sid:385; rev:4;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Traceroute undefined code"; icode:>0; itype:30; classtype:misc-activity; sid:457; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1"; icode:0; itype:1; classtype:misc-activity; sid:458; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 1 undefined code"; itype:1; classtype:misc-activity; sid:459; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2"; icode:0; itype:2; classtype:misc-activity; sid:460; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 2 undefined code"; itype:2; classtype:misc-activity; sid:461; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7"; icode:0; itype:7; classtype:misc-activity; sid:462; rev:7;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP unassigned type 7 undefined code"; itype:7; classtype:misc-activity; sid:463; rev:7;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Address Mask Reply"; icode:0; itype:18; classtype:misc-activity; sid:386; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply"; icode:0; itype:16; classtype:misc-activity; sid:415; rev:5;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Information Reply undefined code"; icode:>0; itype:16; classtype:misc-activity; sid:416; rev:7;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit"; icode:0; itype:11; classtype:misc-activity; sid:449; rev:6;)
alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg:"ICMP Time-To-Live Exceeded in Transit undefined code"; icode:>1; itype:11; classtype:misc-activity; sid:450; rev:8;)
alert ip 66.151.158.177 any -> $HOME_NET any (msg:"POLICY poll.gotomypc.com access"; reference:url,www.gotomypc.com/help2.tmpl; classtype:misc-activity; sid:1429; rev:3;)
alert ip any any <> 127.0.0.0/8 any (msg:"BAD-TRAFFIC loopback traffic"; reference:url,rr.sans.org/firewall/egress.php; classtype:bad-unknown; sid:528; rev:5;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 103 PIM"; ip_proto:103; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2189; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 53 SWIPE"; ip_proto:53; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2186; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 55 IP Mobility"; ip_proto:55; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2187; rev:4;)
alert ip any any -> any any (msg:"BAD-TRAFFIC IP Proto 77 Sun ND"; ip_proto:77; reference:bugtraq,8211; reference:cve,2003-0567; reference:nessus,11791; classtype:non-standard-protocol; sid:2188; rev:4;)
alert ip any any -> any any (msg:"EXPLOIT EIGRP prefix length overflow attempt"; ip_proto:88; byte_test:1,>,32,44; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2464; rev:7;)
alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP account overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,16,12; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2462; rev:7;)
alert ip any any -> any any (msg:"EXPLOIT IGMP IGAP message overflow attempt"; ip_proto:2; byte_test:1,>,63,0; byte_test:1,<,67,0; byte_test:1,>,64,13; reference:bugtraq,9952; reference:cve,2004-0176; reference:cve,2004-0367; classtype:attempted-admin; sid:2463; rev:7;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC 0 ttl"; ttl:0; reference:url,support.microsoft.com/default.aspx?scid=kb\;EN-US\;q138268; reference:url,www.isi.edu/in-notes/rfc1122.txt; classtype:misc-activity; sid:1321; rev:8;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC ip reserved bit set"; fragbits:R; classtype:misc-activity; sid:523; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC Unassigned/Reserved IP protocol"; ip_proto:>134; reference:url,www.iana.org/assignments/protocol-numbers; classtype:non-standard-protocol; sid:1627; rev:3;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"DOS IGMP dos attack"; fragbits:M+; ip_proto:2; reference:bugtraq,514; reference:cve,1999-0918; reference:url,www.microsoft.com/technet/security/bulletin/MS99-034.mspx; classtype:attempted-dos; sid:272; rev:11;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssre"; ipopts:lsrre; reference:arachnids,420; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:501; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route lssr"; ipopts:lsrr; reference:arachnids,418; reference:bugtraq,646; reference:cve,1999-0909; reference:url,www.microsoft.com/technet/security/bulletin/MS99-038.mspx; classtype:bad-unknown; sid:500; rev:5;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC source route ssrr"; ipopts:ssrr ; reference:arachnids,422; classtype:bad-unknown; sid:502; rev:2;)
alert tcp any any -> [232.0.0.0/8,233.0.0.0/8,239.0.0.0/8] any (msg:"BAD-TRAFFIC syn to multicast address"; flow:stateless; flags:S+; classtype:bad-unknown; sid:1431; rev:9;)
alert tcp $EXTERNAL_NET 10101 -> $HOME_NET any (msg:"SCAN myscan"; flow:stateless; ack:0; flags:S; ttl:>220; reference:arachnids,439; classtype:attempted-recon; sid:613; rev:6;)
alert tcp $EXTERNAL_NET 20 -> $HOME_NET :1023 (msg:"MISC Source Port 20 to <1024"; flow:stateless; flags:S,12; reference:arachnids,06; classtype:bad-unknown; sid:503; rev:7;)
alert tcp $EXTERNAL_NET 53 -> $HOME_NET :1023 (msg:"MISC source port 53 to <1024"; flow:stateless; flags:S,12; reference:arachnids,07; classtype:bad-unknown; sid:504; rev:7;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC tcp port 0 traffic"; flow:stateless; classtype:misc-activity; sid:524; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"EXPLOIT Veritas NetBackup Volume Manager overflow attempt"; flow:to_server,established; flowbits:isset,veritas.vmd.connect; pcre:"/(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S{157}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S{125}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S{1025}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S{117}|(0x[0-9a-f]+|0[0-8]+|[1-9]\d*)\s+\S+\s+\S+\s+\S+\s+\S+\s+\S{37}/i"; reference:bugtraq,17264; reference:cve,2006-0989; classtype:attempted-admin; sid:6405; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13701 (msg:"EXPLOIT Veritas NetBackup Volume Manager possible overflow connection attempt"; flow:to_server,established; byte_test:1,>,3,10,dec,string; byte_test:1,<,11,10,dec,string; flowbits:set,veritas.vmd.connect; flowbits:noalert; reference:cve,2006-0989; classtype:protocol-command-decode; sid:6404; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 13724 (msg:"EXPLOIT VERITAS NetBackup vnetd buffer overflow attempt"; flow:to_server,established; flowbits:isset,vnetd.bpspsserver.connection; byte_test:4,>,1024,0; isdataat:1024; flowbits:unset,vnetd.bpspsserver.connection; reference:bugtraq,17264; reference:cve,2006-0991; classtype:attempted-admin; sid:6011; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1418; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap tcp"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1420; rev:11;)
alert tcp $EXTERNAL_NET any <> $HOME_NET 179 (msg:"DOS BGP spoofed connection reset attempt"; flow:established; flags:RSF*; threshold:type both,track by_dst,count 10,seconds 10; reference:bugtraq,10183; reference:cve,2004-0230; reference:url,www.uniras.gov.uk/vuls/2004/236929/index.htm; classtype:attempted-dos; sid:2523; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow attempt"; flow:to_server,established,no_stream; dsize:>100; reference:bugtraq,4638; reference:cve,2002-0606; classtype:protocol-command-decode; sid:1748; rev:8;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 2967 (msg:"EXPLOIT symantec antivirus realtime virusscan overflow attempt"; flow:to_server,established; byte_test:1,=,1,0; byte_test:1,=,10,4; byte_test:2,=,36,16; byte_jump:2,32; byte_test:1,!,0,0,relative; reference:bugtraq,18107; reference:cve,2006-2630; classtype:attempted-admin; sid:6512; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 3372 (msg:"DOS MSDTC attempt"; flow:to_server,established; dsize:>1023; reference:bugtraq,4006; reference:cve,2002-0224; reference:nessus,10939; classtype:attempted-dos; sid:1408; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 42 (msg:"EXPLOIT WINS overflow attempt"; flow:to_server,established; byte_test:1,&,64,6; byte_test:1,&,32,6; byte_test:1,&,16,6; byte_test:1,&,8,6; pcre:!"/^.{8}(\x05\x37(\x1E[\x90-\xFF]|[\x1F\x2F].|\x30[\x00-\x70])|\x00\x00\x00[\x00-\x65]|\x02\x68\x05\xC0)/s"; reference:bugtraq,11763; reference:cve,2004-1080; reference:url,www.immunitysec.com/downloads/instantanea.pdf; reference:url,www.microsoft.com/technet/security/bulletin/MS04-045.mspx; classtype:misc-attack; sid:3017; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS TCP inverse query overflow"; flow:to_server,established; byte_test:1,<,16,4; byte_test:1,&,8,4; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3153; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 6116 (msg:"BACKDOOR am remote client runtime detection - client-to-server"; flow:to_server,established; pcre:"/^\d+\x01/smi"; flowbits:set,AM_Remote_Client; flowbits:noalert; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7641; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 617 (msg:"DOS arkiea backup"; flow:to_server,established; dsize:>1445; reference:arachnids,261; reference:bugtraq,662; reference:cve,1999-0788; classtype:attempted-dos; sid:282; rev:9;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 705 (msg:"SNMP AgentX/tcp request"; flow:stateless; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1421; rev:11;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SCAN cybercop os probe"; flow:stateless; dsize:0; flags:SF12; reference:arachnids,146; classtype:attempted-recon; sid:619; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN FIN"; flow:stateless; flags:F,12; reference:arachnids,27; classtype:attempted-recon; sid:621; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN nmap XMAS"; flow:stateless; flags:FPU,12; reference:arachnids,30; classtype:attempted-recon; sid:1228; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL"; flow:stateless; ack:0; flags:0; seq:0; reference:arachnids,4; classtype:attempted-recon; sid:623; rev:6;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN SYN FIN"; flow:stateless; flags:SF,12; reference:arachnids,198; classtype:attempted-recon; sid:624; rev:7;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN XMAS"; flow:stateless; flags:SRAFPU,12; reference:arachnids,144; classtype:attempted-recon; sid:625; rev:7;)
alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"BACKDOOR coolcat runtime connection detection - tcp 3"; flow:from_server,established; flowbits:isset,CoolCat.2; pcre:"/^((psswdok\*\-\*Password\s+OK\r\n)|(psswderror\*\-\*Wrong\s+password\r\n))/smi"; reference:url,www.spywareguide.com/product_show.php?id=555; classtype:trojan-activity; sid:6014; rev:2;)
alert tcp $HOME_NET 6116 -> $EXTERNAL_NET any (msg:"BACKDOOR am remote client runtime detection - server-to-client"; flow:from_server,established; flowbits:isset,AM_Remote_Client; pcre:"/^\d+\x01/smi"; threshold:type limit, track by_src, count 1, seconds 300; reference:url,www.megasecurity.org/trojans/a/amrc/Amrc1.1.html; classtype:trojan-activity; sid:7642; rev:1;)
alert tcp $HOME_NET any -> [128.118.25.3,128.138.140.44,128.2.129.21,128.2.136.71,128.206.12.130,128.59.59.177,129.132.2.21,130.235.20.3,130.88.200.6,130.88.200.98,131.188.3.221,131.188.3.223,131.216.1.101,132.163.4.101,132.163.4.102,132.163.4.103,132.236.56.250,132.246.168.148] 37 (msg:"VIRUS Possible Sober virus set one NTP time check attempt"; flow:stateless; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:5321; rev:4;)
alert tcp $HOME_NET any -> [132.246.168.164,138.96.64.10,142.3.100.15,146.164.48.1,148.6.0.1,150.254.183.15,161.53.30.3,162.23.41.34,18.7.21.144,192.43.244.18,192.53.103.103,192.53.103.104,192.53.103.107,193.2.1.66,193.204.114.105,193.204.114.233,194.137.39.69,198.60.22.240] 37 (msg:"VIRUS Possible Sober virus set two NTP time check attempt"; flow:stateless; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:5322; rev:2;)
alert tcp $HOME_NET any -> [198.72.72.10,200.254.135.2,208.14.208.19,209.87.233.53,213.239.201.102,216.193.203.2,69.25.96.13] 37 (msg:"VIRUS Possible Sober virus set three NTP time check attempt"; flow:stateless; flags:S,12; threshold:type limit, track by_src, count 1, seconds 60; classtype:unusual-client-port-connection; sid:5323; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR incommand 1.7 runtime detection - init connection"; flow:from_server,established; flowbits:isset,InCommand_17_InitConnection; pcre:"/^(PASSOK|BADPASS)/"; reference:url,www.spywareguide.com/product_show.php?id=1637; reference:url,www3.ca.com/securityadvisor/pest/pest.aspx?id=44730; classtype:trojan-activity; sid:7796; rev:1;)
alert tcp $SQL_SERVERS 3306 -> $EXTERNAL_NET any (msg:"MYSQL server greeting finished"; flow:from_server,established; byte_test:1,>,0,3; flowbits:isset,mysql.server_greeting; flowbits:unset,mysql.server_greeting; flowbits:noalert; reference:bugtraq,10655; reference:cve,2004-0627; reference:nessus,12639; reference:url,www.nextgenss.com/advisories/mysql-authbypass.txt; classtype:attempted-user; sid:3666; rev:5;)
alert udp any any -> 255.255.255.255 161 (msg:"SNMP Broadcast request"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1415; rev:9;)
alert udp any any -> 255.255.255.255 162 (msg:"SNMP broadcast trap"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1416; rev:9;)
alert udp $EXTERNAL_NET any <> $HOME_NET 0 (msg:"BAD-TRAFFIC udp port 0 traffic"; reference:bugtraq,576; reference:cve,1999-0675; reference:nessus,10074; classtype:misc-activity; sid:525; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 123 (msg:"EXPLOIT ntpdx overflow attempt"; dsize:>128; reference:arachnids,492; reference:bugtraq,2540; reference:cve,2001-0414; reference:nessus,10647; classtype:attempted-admin; sid:312; rev:7;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 162 (msg:"SNMP trap udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1419; rev:9;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)

APPENDIX B

alert udp $HOME_NET any -> [216.127.88.131,218.38.13.108] 53 (msg: "BLEEDING-EDGE DNS lookup attempt to hostile, poisoning DNS server - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; reference:url,isc.sans.org/diary.php?date=2005-03-31; classtype: misc-attack; sid: 2001834; rev:5; )
alert tcp $HOME_NET any -> [209.123.63.168,64.21.61.5,205.162.201.11,217.16.26.148] any (msg: "BLEEDING-EDGE Sites trying to infect PCs with malware - ISC Diary"; reference:url,isc.sans.org/diary.php?date=2005-03-30; classtype: misc-attack; sid: 2001835; rev:4; )
alert tcp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (tcp)"; flags: S,12; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002670; rev:2;)
alert udp $HOME_NET any -> 193.227.227.218 53 (msg:"BLEEDING-EDGE CURRENT EVENTS Malware Altered Host - DNS to Malicious DNS Server (udp)"; threshold:type limit, track by_src, count 1, seconds 60; reference:url,isc.sans.org/diary.php?storyid=819; classtype:misc-activity; sid:2002672; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited1"; flow: to_server,established; pcre:"/\/s\?s=[d+]&u=http/Ui"; classtype: trojan-activity; sid:2002195; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Casalemedia Spyware Reporting URL Visited2"; flow: to_server,established; pcre:"/\/sd\?s=[d+]&f=\d/Ui"; classtype: trojan-activity; sid:2002196; rev:1; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (1)"; flow: established,to_server; pcre:"/(cartao|mensagem|voxcards|humortadela|ouca|cartaovirtual|uol3171|embratel|yahoo|viewforhumor|humormenssagem|terra)\.scr/Ui"; classtype: trojan-activity; sid: 2001850; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE MALWARE Likely Trojan/Spyware Installer Requested (2)"; flow: established,to_server; pcre:"/(discador|ocartao|msgav|extrato|correcao|extrato_tim|visualizar|cartas&cartoes|embratel|cartao|MSN_INSTALL|VirtualCards|atualizacaonorton|serasar|CobrancaEmbratel|ExtratoTim|FlashFotos|VacinaNorton|CartaoIloves|Cobranca|fotos_ineditas|boletocobranca|saudades|wwwuolcartoescombr|cartaoanimado)\.exe/Ui"; classtype: trojan-activity; sid: 2002093; rev:2; )
alert udp $HOME_NET 3531 -> $EXTERNAL_NET 3531 (msg: "BLEEDING-EDGE Malware JoltID Agent Probing or Announcing UDP"; reference:url,www.joltid.com; reference:url,forum.treweeke.com/lofiversion/index.php/t597.html; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/adware.p2pnetworking.html; sid: 2000900; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware MyWebSearch Toolbar Traffic (host)"; flow: to_server,established; pcre:"/Host\:[^\n]*[\.\s]myway.com/i"; classtype: policy-violation; threshold:type limit, track by_src, count 2, seconds 360; sid: 2001663; rev:5; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDING-EDGE Malware Spyspotter.com Access"; flow: to_server,established; pcre:"/Host\:[^\n]+spyspotter.com/i"; classtype: trojan-activity; sid: 2001537; rev:8; )
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE MALWARE Websponsors.com Spyware"; flow:to_server,established; pcre:"/\/v\/s=\d+\/p=\d+\/j=\d+\//Ui"; classtype:trojan-activity; sid:2002204; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 37 (msg:"BLEEDING-EDGE VIRUS Multiple Time server requests - Possible Sober Infection"; flags:S; threshold: type threshold, track by_src, count 10, seconds 60; classtype:trojan-activity; reference:url,www.bleedingsnort.com/forum/viewtopic.php?forum=3&showtopic=1540; sid:2002732; rev:2; )
alert udp any 1025: -> any 10102 (msg: "BLEEDING-EDGE VIRUS Fireby proxy trojan port report"; dsize: 2; classtype: trojan-activity; reference:url,securityresponse.symantec.com/avcenter/venc/data/backdoor.staprew.b.html; sid: 2001967; rev:4; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential update/download"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/\.(upda|getfile|dl\dx|dl|download|execute)\w*\s+(http|ftp)\x3a\x2f\x2f/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002031; rev:11; )
alert tcp any any -> any any (msg: "BLEEDING-EDGE TROJAN BOT - potential DDoS command"; flowbits:isset,is_proto_irc; flow: established; tag: host,300,seconds,dst; pcre:"/(floodnet ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(httpflood|phat(icmp|syn|wonk)|stop|(syn|udp)flood|targa3)|(syn|udp) ([0-9]{1,3}\.){3}[0-9]{1,3}|(tcp|syn|udp|ack|ping|icmp)(flood)? ([0-9]{1,3}\.){3}[0-9]{1,3}|ddos\.(syn|ack|random) ([0-9]{1,3}\.){3}[0-9]{1,3})/i"; flowbits: set,trojan; classtype: trojan-activity; sid: 2002032; rev:4; )
alert udp $HOME_NET any -> $EXTERNAL_NET 20192 (msg:"BLEEDING-EDGE TROJAN Ransky or variant backdoor communication ping"; dsize:<6; reference:url,www.sophos.com/virusinfo/analyses/trojranckcx.html; classtype:trojan-activity; sid:2002728; rev:1;)
alert tcp $HOME_NET any -> !$SQL_SERVERS 3306 (msg: "BLEEDING-EDGE WORM Potential MySQL bot scanning for SQL server"; flags: S,12; reference:url,isc.sans.org/diary.php?date=2005-01-27; classtype: trojan-activity; sid: 2001689; rev:5; )
alert ip [0.0.0.0/7,2.0.0.0/8,5.0.0.0/8,7.0.0.0/8,23.0.0.0/8,27.0.0.0/8,31.0.0.0/8,36.0.0.0/7,39.0.0.0/8,42.0.0.0/8,49.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360; sid:2002749; rev:2;)
alert ip [50.0.0.0/8,77.0.0.0/8,78.0.0.0/7,92.0.0.0/6,96.0.0.0/4,112.0.0.0/5,120.0.0.0/8,140.249.0.0/16,140.250.0.0/16,173.0.0.0/8,174.0.0.0/7,176.0.0.0/5,184.0.0.0/6] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 2"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; threshold: type limit, track by_src, count 1, seconds 360;
sid:2002750; rev:4;) alert ip [192.0.2.0/24,197.0.0.0/8,198.18.0.0/15,223.0.0.0/8] any -> $HOME_NET any (msg:"BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 3"; classtype:bad-unknown; reference:url,www.cymru.com/Documents/bogon-list.html; 22 23 24 25 26 27 28 29 30 31 32 33 34 35 threshold: type limit, track by_src, count 1, seconds 360; sid:2002751; rev:2;) alert tcp $HOME_NET any -> 66.151.158.177 any (msg: "BLEEDING-EDGE GotoMyPC Polling Client"; flow: established; threshold: type limit, track by_src, count 1, seconds 360; classtype: policy-violation; sid: 2000309; rev:6; ) alert tcp $HOME_NET any -> 64.34.106.33 12975 (msg:"BLEEDING-EDGE POLICY Outbound Hamachi VPN Connection Attempt"; flags:S,12; threshold:type limit, track by_src, count 1, seconds 120; classtype:policy-violation; reference:url,www.hamachi.cc; sid:2002729; rev:1;) alert tcp $HOME_NET any -> $EXTERNAL_NET 5222 (msg:"BLEEDING-EDGE POLICY Google IM traffic Jabber client sign-on"; flow:to_server; pcre:"/gmail.com/i"; pcre:"/jabber.org/i"; pcre:"/version=/"; classtype:policy-violation; reference:url,www.google.com/talk; sid:2002334; rev:2;) alert tcp any !$SSH_PORTS -> any any (msg: "BLEEDING-EDGE POLICY SSHv2 Server KEX Detected on Unusual Port"; flowbits:isset,is_ssh_client_banner; flowbits:noalert; flow: from_server,established; byte_test:1,=,20,5;flowbits: set,is_ssh_server_kex; classtype:miscactivity; sid: 2001981; rev:5; ) alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client KEX Detected on Unusual Port"; flowbits:noalert; flowbits:isset,is_ssh_server_kex; flow: from_client,established; byte_test:1,=,20,5; flowbits: set,is_ssh_client_kex; classtype:miscactivity; sid: 2001982; rev:6; ) alert tcp any any -> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSHv2 Client New Keys Detected on Unusual Port"; flowbits:isset,is_ssh_client_kex; flowbits:noalert; flow: from_client,established; byte_test:1,=,21,5; flowbits: set,is_proto_ssh; classtype:miscactivity; sid: 
2001983; rev:6; ) alert tcp any any <> any !$SSH_PORTS (msg: "BLEEDING-EDGE POLICY SSH session in progress on Unusual Port"; flowbits: isset,is_proto_ssh; threshold: type both, track by_src, count 2, seconds 300; classtype:misc-activity; sid: 2001984; rev:4; ) alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "BLEEDINGEDGE POLICY Skype User-Agent detected"; flow:to_server,established; pcre:"/UserAgent\:[^(\n|\r)]+Skype/i"; classtype: policy-violation; sid:2002157; rev:1;) alert udp $HOME_NET 1024:65535 -> $EXTERNAL_NET 33033 (msg: "BLEEDINGEDGE POLICY Skype Bootstrap Node (udp)"; reference:url,www1.cs.columbia.edu/~library/TR-repository/reports/reports-2004/cucs-03904.pdf; classtype:policy-violation; sid:2003022; rev:2;) alert tcp any any -> any 443 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003026; rev:2;) alert tcp any any -> any 8000 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003027; rev:2;) alert tcp any any -> any 8080 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003028; rev:2;) alert tcp any any -> any 8200 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003029; rev:2;) alert tcp any any -> any 8443 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003030; rev:2;) 36 37 38 39 40 41 42 43 44 45 
46 47 48 alert tcp any any -> any 5222 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 5222 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003031; rev:2;) alert tcp any any -> any 5223 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 5223 (Jabber) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003032; rev:2;) alert tcp any any -> any 2967 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003033; rev:1;) alert tcp any any -> any 3128 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003035; rev:1;) alert tcp any any -> any 8080 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003036; rev:1;) alert tcp any any -> any 8292 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003037; rev:1;) alert tcp any any -> any 8294 (msg:"BLEEDING-EDGE POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts"; flow:established,to_server; flowbits:noalert; flowbits:set,BS.SSL.Known.Port; classtype:not-suspicious; sid:2003038; rev:1;) alert tcp !$SMTP_SERVERS any -> !$HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Outbound Multiple Non-SMTP Server Emails"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 120; 
classtype: misc-activity; sid: 2000328; rev:7;) alert tcp !$HOME_NET any -> $HOME_NET 25 (msg: "BLEEDING-EDGE POLICY Inbound Frequent Emails - Possible Spambot Inbound"; flags: S,12; threshold: type threshold, track by_src,count 10, seconds 60; classtype: misc-activity; sid: 2002087; rev:5;) alert udp $HOME_NET 6345:6349 -> $EXTERNAL_NET 6345:6349 (msg: "BLEEDINGEDGE P2P UDP traffic - Likely Limewire"; threshold: type threshold,track by_src,count 40, seconds 300; classtype: policy-violation; reference:url,www.limewire.com; sid: 2001841; rev:5; ) alert tcp $HOME_NET any -> 38.115.131.0/24 2234 (msg: "BLEEDING-EDGE P2P Soulseek traffic (1)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001185; rev:6; ) alert tcp $HOME_NET any -> 38.115.131.0/24 5534 (msg: "BLEEDING-EDGE P2P Soulseek traffic (2)"; flow: established; classtype: policy-violation; reference:url,www.slsknet.org; sid: 2001186; rev:6; ) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,CVE-2004-14562; classtype:web-application-attack; sid:2002697; rev:1;) 49 50 51 52 53 54 55 56 alert tcp any $HTTP_PORTS -> any any (msg: "BLEEDING-EDGE EXPLOIT IE IFRAME Exploit"; flow: from_server,established; pcre:"/(EMBED|FRAME|SRC)\s*=\s*["']*?(file|http)\://\w{578}|/W{578}/im"; pcre:"/(EMBED|FRAME|SRC|NAME)\s*=\s*["']\w{2086}|\W{2086}/im"; classtype: miscattack; sid: 2001401; rev:13; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid non-fragmented packet with fragment offset>0"; fragbits: !M; fragoffset: >0; classtype: bad-unknown; sid: 2001022; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - ACK reset"; fragbits: M; flags: !A,12; classtype: badunknown; sid: 2001023; rev:3; ) alert tcp 
$EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE EXPLOIT Invalid fragment - illegal flags"; fragbits: M; flags: *FSR,12; classtype: badunknown; sid: 2001024; rev:3; ) alert tcp any 25 -> $EXTERNAL_NET any (msg: "BLEEDING-EDGE EXPLOIT TCP Reset from MS Exchange after chunked data, probably crashed it (MS05-021)"; flags: R; flowbits:isset,msxlsa; flowbits: unset,msxlsa; reference:cve,CAN-2005-0560; reference:url,isc.sans.org/diary.php?date=2005-04-12; reference:url,www.microsoft.com/technet/security/bulletin/MS05-021.mspx; classtype: misc-activity; sid: 2001874; rev:5; ) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/03D9F3F2-B0E311D2-B081-006008039BF0|860BB310-5D01-11D0-BD3B-00A0C911CE86|E0F158E1CB04-11D0-BD4E-00A0C911CE86|33D9A761-90C8-11D0-BD4300A0C911CE86|4EFE2452-168A-11D1-BC76-00C04FB9453B|33D9A760-90C8-11D0BD43-00A0C911CE86|33D9A762-90C8-11D0-BD43-00A0C911CE86|083863F1-70DE11D0-BD40-00A0C911CE86|18AB439E-FCF4-40D4-90DA-F79BAA3B0655|31087270D348-432C-899E-2D2F38FF29A0|D2923B86-15F1-46FF-A19ADE825F919576|FD78D554-4C6E-11D0-970D-00A0C9191601|52CA3BCF-3B9B-419EA3D6-5D28C0B0B50C/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002171; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; 
pcre:"/01E04581-4EEE11D0-BFE9-00AA005B4383|AF604EFE-8897-11D1-B944-00A0C90312E1|7849596A48EA-486E-8937-A2A3009F31A9|FBEB8A05-BEEE-4442-804E409D6C4515E9|3050F391-98B5-11CF-BB82-00AA00BDCE0B|8EE42293-C315-11D08D6F-00A0C9A06E1F|2A6EB050-7F1C-11CE-BE57-00AA0051FE20|510A4910-7F1C11CE-BE57-00AA0051FE20|6D36CE10-7F1C-11CE-BE57-00AA0051FE20|860D28D08BF4-11CE-BE59-00AA0051FE20|9478F640-7F1C-11CE-BE5700AA0051FE20|B0516FF0-7F1C-11CE-BE57-00AA0051FE20|D99F7670-7F1A-11CEBE57-00AA0051FE20/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002172; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object Instantiation Memory Corruption Vulnerability (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/EEED4C207F1B-11CE-BE57-00AA0051FE20|C7B6C04A-CBB5-11D0-BB4C00C04FC2F410|85BBD920-42A0-1069-A2E4-08002B30309D|E846F0A0-D367-11D1- 57 58 59 60 8286-00A0C9231C29|B4B3AECB-DFD6-11D1-9DAA-00805F85CFE3|ECABB0BF7F19-11D2-978E-0000F8757E2A|466D66FA-9616-11D2-93420000F875AE17|67DCC487-AA48-11D1-8F4F-00C04FB611C7|00022613-0000-0000C000-000000000046|D2D588B5-D081-11D0-99E0-00C04FC2F8EC|5D08B586-343A11D0-AD46-00C04FD8FDFF|CC7BFB42-F175-11D1-A392-00E0291F3959|CC7BFB43F175-11D1-A392-00E0291F3959|3F8A6C33-E0FD-11D0-8A8C-00A0C90C2BC5/i"; classtype:web-application-attack; reference:cve,2005-1990; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-038.mspx; sid:2002173; rev:4;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS05-052 (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; 
pcre:"/BC5F1E51-5110-11D1-AFF5006097C9A284|F27CE930-4CA3-11D1-AFF2-006097C9A284|3BC4F3A7-652A-11D1B4D4-00C04FC2DB8D|ECABAFC2-7F19-11D2-978E-0000F8757E2A|283807B8-2C6011D0-A31D-00AA00B92C03|250770F3-6AF2-11CF-A915-008029E31FCD|D24D44531F01-11D1-8E63-006097D2DF48|03CB9467-FD9D-42A8-82F98615B4223E6E|598EBA02-B49A-11D2-A1C1-00609778EA66|8FE7E181-BB96-11D2A1CB-00609778EA66|4CFB5280-800B-4367-848F-5A13EBF27F1D|B3E0E785-BD784366-9560-B7DABE2723BE|208DD6A3-E12B-4755-9607-2E39EF84CFC5/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002491; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS05-052 (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/4FAAB301-CEF6-477C-9F58F601039E9B78|6CBE0382-A879-4D2A-8EC3-1F2A43611BA8|F117831B-C052-11D1B1C0-00C04FC2F3EF|3050F667-98B5-11CF-BB82-00AA00BDCE0B|1AA06BA1-0E8811D1-8391-00C04FBD7C09|F28D867A-DDB1-11D3-B8E8-00A0C981AEEB|6B7F1602D44C-11D0-A7D9-AE3D17000000|7007ACCF-3202-11D1-AAD200805FC1270E|992CFFA0-F557-101A-88EC-00DD010CCC48|00020420-0000-0000C000-000000000046|0006F02A-0000-0000-C000-000000000046|ABBA001B-3075-11D688A4-00B0D0200F88|CE292861-FC88-11D0-9E69-00C04FD7C15B/i"; classtype:webapplication-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002492; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS05-052 (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; 
pcre:"/6E227101-F799-11CF-922700AA00A1EB95|7057E952-BD1B-11D1-8919-00C04FC2C836|7007ACC7-3202-11D1AAD2-00805FC1270E|4622AD11-FF23-11D0-8D34-00A0C90F2719|98CB4060-D3E742A1-8D65-949D34EBFE14|47C6C527-6204-4F91-849D-66E234DEE015|35CEC8A32BE6-11D2-8773-92E220524153|730F6CDC-2C86-11D2-877392E220524153|2C10A98F-D64F-43B4-BED6-DD0E1BF2074C|6F9F3481-84DD-4B14B09C-6B4288ECCDE8|8E26BFC1-AFD6-11CF-BFFC-00AA003CFDFC|F0975AFE5C7F-11D2-8B74-00104B2AFB41/i"; classtype:web-application-attack; reference:cve,2005-2127; reference:url,www.microsoft.com/technet/security/Bulletin/MS05-052.mspx; sid:2002493; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS06-042 (group 1)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/5DFB2651-9668-11D0-B17B- 61 62 63 64 65 00C04FC2A0CA|39A2C2A6-4778-11D2-9BDB-204C4F4F5020|3DA2AA3E-3D96-11D29BD2-204C4F4F5020|E8C31D11-6FD2-4659-AD75-155FA143F42B|44C79591-D0DE49C4-BA3C-A45AB7003356|01002B17-5D93-4551-81E4-831FEF780A53|1B544C24FD0B-11CE-8C63-00AA0044B520|1CB1623E-BBEC-4E8D-B2DFDC08C6F4627C|2D20D4BB-B47E-4FB7-83BD-E3C2EE250D26|2EA10031-0033-450E8072-E27D9E768142|31087270-D348-432C-899E-2D2F38FF29A0|41D2B841-76924C83-AFD3-F60E845341AF/i"; classtype:web-application-attack; reference:cve,20063638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003077; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS06-042 (group 2)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; 
pcre:"/4D4C9FEF-ED80-47EA-A3FA3215FDBB33AB|4F3E50BD-A9D7-4721-B0E1-00CB42A0A747|586FB486-5560-4FF396DF-1118C96AF456|5B4B05EB-1F63-446B-AAD1-E10A34D650E0|679E132F-561B42F8-846C-A70DBDC62999|6C68955E-F965-4249-8E18-F0977B1D2899|7F1232EE44D7-4494-AB8B-CC61B10E21A5|92883667-E95C-443D-AC964CACA27BEB6E|930FD02C-BBE7-4EB9-91CF-FC45CC91E3E6|A2EDA89A-09664B91-9C18-AB69F098187F|AECF5D2E-7A18-4DD2-BDCD-29B6F615B448|BC0D69A80923-4EEE-9375-9239F5A38B92/i"; classtype:web-application-attack; reference:cve,20063638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003078; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS06-042 (group 3)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/C0D076C5-E4C6-4561-8BF480DA8DB819D7|C44C65C7-FDF1-453D-89A5-BCC28F5D69F9|C6CB1FE3-B05E-4F0E818F-C83ED5A0332F|C8F209F8-480E-454C-94A4-5392D88EBA0F|CC45B0B0-72D84652-AE5F-5E3E266BE7ED|CFFB1FC7-270D-4986-B299-FECF3F0E42DB|E188F7A3A04E-413E-99D1-D79A45F70305|E476CBFF-E229-4524-B6B7228A3129D1C7|EF105BC3-C064-45F1-AD53-6D8A8578D01B|EFEE43D6-BFE5-44B08063-AC3B2966AB2C|F44BB2D0-F070-463E-9433-B0CCF3CFD627|5A20FD6F-F8FE4a22-9EE7-307D72D09E6E/i"; classtype:web-application-attack; reference:cve,2006-3638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003079; rev:2;) alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"BLEEDINGEDGE EXPLOIT COM Object MS06-042 (group 4)"; flow:established,from_server; flowbits:isset,CLSID_DETECTED; pcre:"/ADEADEB8-E54B-11d1-9A720000F875EADE|EC85D8F1-1C4E-46e4-A748-7AA04E7C0496|A2D4529E-84E0-4550A2E0-C25D7C5CC0D0|E673DCF2-C316-4c6f-AA96-4E4DC6DC291E|D74CA70F-22364BA8-A297-4B2A28C2363C/i"; classtype:web-application-attack; reference:cve,20063638; reference:url,www.microsoft.com/technet/security/Bulletin/MS06-042.mspx; sid:2003080; rev:2;) alert tcp any any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT VNC Authentication Reply"; 
flowbits:isset,BSvnc.auth.offered; flow:established; dsize:16; flowbits:unset,BSvnc.auth.offered; flowbits:noalert; flowbits:set,BSvnc.auth.agreed; classtype:attempted-admin; reference:url,www.cl.cam.ac.uk/Research/DTG/attarchive/vnc/rfbproto.pdf; sid:2002915; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (1)"; flow: to_server,established; pcre:"/\\[\.]+%20/Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: misc- 66 67 68 69 70 71 72 73 74 75 76 activity; sid: 2001211; rev:7; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT FTP Serv-U directory traversal vulnerability (2)"; flow: to_server,established; pcre:"/%20[\.]+\//Bi"; reference:url,www.securiteam.com/windowsntfocus/6C0041F0KO.html; classtype: miscactivity; sid: 2001212; rev:7; ) alert tcp $EXTERNAL_NET 31337 -> $HOME_NET 64876 (msg:"BLEEDING-EDGE EXPLOIT malformed Sack - Snort DoS-by-$um$id";seq:0; ack:0; window:65535; dsize:0; classtype:attempted-dos; sid:2002656; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 1"; flowbits:isset,bleeding_wmf_expl_v1; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002758; rev:2;) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BLEEDING-EDGE EXPLOIT WMF Escape Record Exploit - Version 3"; flowbits:isset,bleeding_wmf_expl; pcre:"/\x26[\x00-\xff]\x09\x00/"; flowbits:unset,bleeding_wmf_http; flowbits:unset,bleeding_wmf_expl; flowbits:unset,bleeding_wmf_expl_v1; classtype:attempted-user; threshold:type limit, track by_src, count 1,seconds 120; reference:url,www.frsirt.com/english/advisories/2005/3086; sid:2002742; rev:5;) alert tcp 
$EXTERNAL_NET any -> $HOME_NET 21 (msg: "BLEEDING-EDGE EXPLOIT Wzdftpd SITE command arbitrary command execution attempt"; flow:to_server,established; pcre:"/site\s+.*?[\;|&]/i"; reference:bugtraq,14935; reference:url,www.securiteam.com/exploits/5CP0R1PGUE.html; classtype:webapplication-attack; sid:2002382; rev:3; ) alert icmp any any -> $HOME_NET any (msg: "BLEEDING-EDGE DOS -ISC- ICMP blind TCP reset DoS guessing attempt"; itype: 3; icode: >1<5; byte_test:1,=,6,17;threshold: type threshold, track by_dst, count 30, seconds 300; reference:cve,can-2004-0790; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: attempted-dos; sid: 2001846; rev:9; ) alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE DOS ICMP Path MTU lowered below acceptable threshold"; itype: 3; icode: 4; byte_test:2,<,576,7;byte_test:2,!=,0,7; reference:cve,CAN-2004-1060; reference:url,www.microsoft.com/technet/security/bulletin/MS05-019.mspx; reference:url,isc.sans.org/diary.php?date=2005-04-12; classtype: denial-of-service; sid: 2001882; rev:5; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 3127 (msg: "BLEEDING-EDGE Behavioral Unusual Port 3127 traffic, Potential Scan or Backdoor"; flags: S,12; threshold: type both, track by_src, count 10 , seconds 60; classtype: misc-activity; sid: 2002973; rev:1; ) alert tcp any any -> $HOME_NET 110 (msg: "BLEEDING-EDGE SCAN Rapid POP3 Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 120; classtype: misc-activity; sid: 2002992; rev:1;) alert tcp any any -> $HOME_NET 995 (msg: "BLEEDING-EDGE SCAN Rapid POP3S Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 120; classtype: misc-activity; sid: 2002993; rev:1;) alert tcp any any -> $HOME_NET 143 (msg: "BLEEDING-EDGE SCAN Rapid IMAP 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 Connections - 
Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 120; classtype: misc-activity; sid: 2002994; rev:1;) alert tcp any any -> $HOME_NET 993 (msg: "BLEEDING-EDGE SCAN Rapid IMAPS Connections - Possible Brute Force Attack"; flags: S,12; threshold: type both, track by_src, count 20, seconds 120; classtype: misc-activity; sid: 2002995; rev:2;) alert tcp $HOME_NET any -> any 445 (msg: "BLEEDING-EDGE Behavioral Unusual Port 445 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001569; rev:11; ) alert tcp $HOME_NET any -> any 139 (msg: "BLEEDING-EDGE Behavioral Unusual Port 139 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001579; rev:11; ) alert tcp $HOME_NET any -> any 137 (msg: "BLEEDING-EDGE Behavioral Unusual Port 137 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001580; rev:11; ) alert tcp $HOME_NET any -> any 135 (msg: "BLEEDING-EDGE Behavioral Unusual Port 135 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001581; rev:11; ) alert tcp $HOME_NET any -> any 1434 (msg: "BLEEDING-EDGE Behavioral Unusual Port 1434 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001582; rev:11; ) alert tcp $HOME_NET any -> any 1433 (msg: "BLEEDING-EDGE Behavioral Unusual Port 1433 traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 70 , seconds 60; classtype: misc-activity; sid: 2001583; rev:11; ) alert ip $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sO"; dsize: 0; ip_proto: 21; reference:arachnids,162; 
classtype: attempted-recon; sid: 2000536; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sS"; fragbits: !D; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000537; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (1)"; fragbits: !D; dsize: 0; flags: A,12; window: 1024; reference:arachnids,162; classtype: attempted-recon; sid: 2000538; rev:4; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -sA (2)"; fragbits: !D; dsize: 0; flags: A,12; window: 3072; reference:arachnids,162; classtype: attempted-recon; sid: 2000540; rev:4; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sF"; fragbits: !M; dsize: 0; flags: F,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000543; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sN"; fragbits: !M; dsize: 0; flags: 0,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000544; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sS"; fragbits: !M; dsize: 0; flags: S,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000545; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg: "BLEEDING-EDGE SCAN NMAP -f -sX"; fragbits: !M; dsize: 0; flags: FPU,12; ack: 0; window: 2048; reference:arachnids,162; classtype: attempted-recon; sid: 2000546; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg: "BLEEDING-EDGE Potential SSH Scan"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, 93 94 95 96 97 98 99 count 5, seconds 120; classtype: attempted-recon; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2001219; rev:13; ) alert tcp $HOME_NET any -> $EXTERNAL_NET 22 (msg: "BLEEDING-EDGE Potential 
SSH Scan OUTBOUND"; flags: S; flowbits: set,ssh.brute.attempt; threshold: type threshold, track by_src, count 5, seconds 120; classtype: attempted-recon; reference:url,www.whitedust.net/article/27/Recent%20SSH%20Brute-Force%20Attacks/; sid: 2003068; rev:1; ) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 443 (msg: "BLEEDING-EDGE Scan Possible SSL Brute Force attack or Site Crawl"; flow: established; flags: S; threshold: type threshold, track by_src, count 100, seconds 60; classtype: attempted-dos; sid: 2001553; rev:5; ) alert tcp any any -> any 23 (msg: "BLEEDING-EDGE Behavioral Unusually fast Telnet Connections, Potential Scan or Brute Force"; flags: S,12; threshold: type both, track by_src, count 30, seconds 60; classtype: misc-activity; reference:url,www.rapid7.com/nexpose-faqanswer2.htm; sid: 2001904; rev:3; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 3389 (msg: "BLEEDING-EDGE Behavioral Unusually fast Terminal Server Traffic, Potential Scan or Infection"; flags: S,12; threshold: type both, track by_src, count 20, seconds 360; classtype: misc-activity; sid: 2001972; rev:14; ) alert tcp $EXTERNAL_NET any -> $HOME_NET 5800:5820 (msg: "BLEEDING-EDGE SCAN Potential VNC Scan 5800-5820"; flags:S; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2002910; rev:1;) alert tcp $EXTERNAL_NET any -> $HOME_NET 5900:5920 (msg: "BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920"; flags:S; threshold: type threshold, track by_src, count 5, seconds 60; classtype:attempted-recon; sid:2002911; rev:1;) alert tcp $EXTERNAL_NET 6112 -> $HOME_NET any (msg:"BLEEDING-EDGE GAMES Battle.net connection reset (possible IP-Ban)"; flags:R,12; classtype: policyviolation; sid:2002117; rev:2;)
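As an added illustration of the split the tables of this document rest on (example code written for this page; it is not part of the FORTH document, of Snort or of the Bleeding Edge rule set), the following Python parses a Snort rule into its header fields and option keywords and classifies it as header based or keyword based. Which option keywords count as "keyword based" is an assumption of the example: the default set is content and uricontent, which is consistent with the appendices, since many of the rules listed above carry pcre, byte_test or isdataat options and are still counted as header based. A broader set that also treats those payload-reading options as keyword based is provided to show how the tally shifts when a header-only sensor is the yardstick. Three of the sample rules are quoted from the appendices; the fourth is constructed for the example.

```python
"""Parse Snort rules and tell header-only rules from payload-keyword rules.
Added example; keyword sets are an assumption, not the document's criterion."""
import re
from dataclasses import dataclass

# action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.S)

# Assumed default: only content-style keywords make a rule "keyword based",
# which matches the appendices (pcre/byte_test rules are listed as header based).
CONTENT_KEYWORDS = frozenset({"content", "uricontent"})
# Broader split: every option that reads payload bytes.
PAYLOAD_KEYWORDS = CONTENT_KEYWORDS | {"pcre", "byte_test", "byte_jump", "isdataat"}


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list  # ordered (keyword, value) pairs; value is "" for flag options

    def values(self, keyword):
        return [v for k, v in self.options if k == keyword]

    @property
    def sid(self):
        return int(self.values("sid")[0])

    @property
    def msg(self):
        return self.values("msg")[0].strip('"')

    def keywords(self):
        return {k for k, _ in self.options}

    def needs_payload(self, keywords=CONTENT_KEYWORDS):
        return bool(self.keywords() & keywords)


def split_options(text):
    """Split the option body on ';', honouring quotes and backslash escapes so a
    ';' inside a pcre or content string does not terminate the option."""
    parts, buf, quoted, escaped = [], [], False, False
    for ch in text:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == '"':
            buf.append(ch)
            quoted = not quoted
        elif ch == ";" and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    options = []
    for part in parts:
        part = part.strip()
        if part:
            key, _, value = part.partition(":")
            options.append((key.strip(), value.strip()))
    return options


def parse_rule(line):
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not a Snort rule: %r" % line[:40])
    return Rule(m["action"], m["proto"], m["src"], m["sport"], m["dir"],
                m["dst"], m["dport"], split_options(m["opts"]))


def classify(lines, keywords=CONTENT_KEYWORDS):
    """Return {"header": [sids], "payload": [sids]} for the given rule lines."""
    out = {"header": [], "payload": []}
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            rule = parse_rule(line)
            out["payload" if rule.needs_payload(keywords) else "header"].append(rule.sid)
    return out


# Three rules quoted from the appendices, plus one constructed content rule.
SAMPLE_RULES = [
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"SNMP request udp"; reference:bugtraq,4088; reference:bugtraq,4089; reference:bugtraq,4132; reference:cve,2002-0012; reference:cve,2002-0013; classtype:attempted-recon; sid:1417; rev:9;)',
    r'alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS UDP inverse query overflow"; byte_test:1,<,16,2; byte_test:1,&,8,2; isdataat:400; reference:bugtraq,134; reference:cve,1999-0009; classtype:attempted-admin; sid:3154; rev:2;)',
    r'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"BLEEDING-EDGE EXPLOIT CVSTrac filediff Arbitrary Remote Code Execution"; flow: to_server,established; pcre:"/filediff\?f=.+&v1=[\d.]+&v2=[\d.]+\;.+/Ui"; reference:bugtraq,10878; reference:cve,CVE-2004-14562; classtype:web-application-attack; sid:2002697; rev:1;)',
    # Constructed for this example; not a real Snort or Bleeding Edge rule.
    r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE constructed content rule"; flow:to_server,established; content:"GET /setup"; nocase; classtype:misc-activity; sid:9000001; rev:1;)',
]

if __name__ == "__main__":
    for name, keys in (("content only", CONTENT_KEYWORDS), ("all payload options", PAYLOAD_KEYWORDS)):
        tally = classify(SAMPLE_RULES, keys)
        print("%-20s header based: %s  keyword based: %s" % (name, tally["header"], tally["payload"]))
```

Run stand-alone, the script prints both tallies for the four sample rules: with the content-only split, sids 1417, 3154 and 2002697 land in the header-based group and only the constructed rule is keyword based; with the broader split, only 1417 remains header based. The CVSTrac rule is included because its pcre contains an escaped semicolon, the case a naive split on ';' gets wrong.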